Employing Post-Incident Actions and Procedures
Incident response teams must make recommendations on how to proceed when responding to a breach. The findings from your forensics investigation will be used to determine what activity occurred, when it occurred, and why it may have occurred. The value of your findings is in your documentation. Every tool, technique, and finding you have must be documented and reproducible. This helps ensure the accuracy of your results so that the IRT can respond to the current threat as well as prevent the breach from occurring again.
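The reproducibility requirement above is easiest to satisfy when every examined artifact is recorded with its cryptographic hash, the tool and version used, and the analyst, so that anyone re-running the analysis can confirm they are working on identical evidence. The following is an added example, not code from the original text: it builds such a manifest over constructed in-memory sample artifacts and re-verifies them. The tool name "hypothetical-imager", the analyst ID and the sample file contents are all assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample artifacts (name -> bytes) standing in for acquired files.
ARTIFACTS = {
    "auth.log": b"Mar 10 02:14:07 host sshd[2101]: Accepted publickey for svc from 10.0.0.5\n",
    "memory.raw": bytes(range(256)) * 4,
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest used to fingerprint each piece of evidence."""
    return hashlib.sha256(data).hexdigest()


def record_finding(name, data, tool, tool_version, analyst, note):
    """One manifest entry: what was examined, with what, by whom, and its hash."""
    return {
        "artifact": name,
        "sha256": sha256_hex(data),
        "size_bytes": len(data),
        "tool": tool,               # hypothetical tool name supplied by the caller
        "tool_version": tool_version,
        "analyst": analyst,
        "recorded_utc": datetime.now(timezone.utc).isoformat(),
        "note": note,
    }


def build_manifest(artifacts, tool, tool_version, analyst):
    """Record every artifact so the examination can be reproduced later."""
    return [
        record_finding(name, data, tool, tool_version, analyst, "acquired for analysis")
        for name, data in artifacts.items()
    ]


def verify_manifest(manifest, artifacts):
    """Recompute each hash; return the names whose content is missing or changed."""
    mismatches = []
    for entry in manifest:
        current = artifacts.get(entry["artifact"])
        if current is None or sha256_hex(current) != entry["sha256"]:
            mismatches.append(entry["artifact"])
    return mismatches


if __name__ == "__main__":
    manifest = build_manifest(ARTIFACTS, "hypothetical-imager", "1.0", "analyst-01")
    print(json.dumps(manifest, indent=2))
    print("mismatches:", verify_manifest(manifest, ARTIFACTS))
```

The manifest is plain JSON so it can be attached to the report as-is; a later reviewer runs `verify_manifest` against the preserved artifacts and any non-empty result means the evidence differs from what the findings were based on.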
It is important that, as an investigator, you report the findings and do not make conclusions based on assumptions or beliefs you may have. Professional investigators have a level of detachment from their reports and focus on only reporting the facts. If you need to make a conclusion, make sure the evidence supports the claim, rule out alternate theories, and provide solid reasoning for your conclusion.
The basic rules of disclosing forensics findings should include the following:
If there is clear fault, even if it is on the company’s side, be open and help the company accept responsibility.
Sometimes there is no right answer, and proper evidence cannot be collected or is not available. It is okay to not walk away with the “smoking gun.” If you have the skills and understand the forensic tools, you will have some results to document, whether or not those results prove your case.
Educate your clients, management, and other people who may read your work on how to mitigate the problem and avoid future issues.
Typically, forensic results and reports are developed using specific software that is different from incident response applications. Most logging and management software, when configured correctly, is the primary tool used for incident response. This includes SIEMs, log management, trend analysis, and other tools. Most network engineers have some experience using these types of tools. Auditors use other tools, such as Nessus, when testing web applications. To help you understand which tools are right for different aspects of an incident response program, we cover general tool categories next.