Your first onsite IR

The first time I responded to a breach solo was just a few months after starting my career as a DFIR consultant. I flew out early in the morning from Arizona across the country to New Jersey, not really knowing what was in store. I picked up my rental car that afternoon and promptly got lost three times trying to find the hotel. (Thanks for nothing, Google Maps.) Then I got the hotels mixed up. Who knew there would be two Hiltons on the exact same property?
Finally, after getting checked in and discovering that the hotel had no onsite dining, I ordered a pizza from a local chain and called it a night.

The next day I was slated to arrive at the customer's site at 9am, and I wanted to make a good first impression, so I planned on arriving slightly early. I got lost again on the way there, but I had given myself plenty of time to find the building. After parking in a somewhat sketchy neighborhood, I passed through the metal detectors (yes, really) to get into the customer's building.

They were very happy to see me and had already set me up with an office where I could close the door and work on the systems. After a few days of collecting evidence and imaging systems, I headed back to Phoenix. The case turned out to be rather routine, but I learned a ton about what it's like to respond to a breach by yourself. Here are some of my notes that might help you have an easier time or get you better prepared.

  • Jet lag is no fun. I make it a point to go to bed by 10pm and wake up at 6am no matter where I travel. The first day is rough, but forcing your body onto the schedule helps. So does Unisom.
  • Always ask the customer to show you around. More often than not, the customer has neglected a critical system or piece of evidence during the initial scoping call and you will discover it on your tour.
  • If you are imaging systems, bring brightly colored USB drives. Nothing's worse than going into a hardware closet and seeing a half dozen other black USB drives plugged into machines. It can get confusing as to what gear you brought and what belongs to the customer. I usually bring bright yellow 1 TB USB drives when I respond to a breach. They are easy to spot, so there's no mixup.
  • Make sure you take good notes when onsite. It’s easy to get busy with the hunt and forget to document what you have found, what you examined and what you have done. Note taking is a skill and takes practice.
  • Bring those Chain of Custody forms. If you are removing hardware or evidence from a customer's site, they need to fill out and sign a Chain of Custody form. This keeps everything orderly for the lawyers in the event the case goes to court.
  • If the customer hasn't provided you with one, ask for a quiet office space where you can work and preferably shut the door.
  • Maintain OPSEC! Sometimes a breach involves sensitive data or even insiders. Keep quiet about the case and do not disclose details to anyone that you did not meet during the scoping call unless advised to do so.
  • Don't speculate. The customer will want answers right away, especially with regard to who did it. Avoid speculating on details if you do not have facts to back them up.
  • Finally, be polite and patient. Remember, this is most likely the worst experience of the customer's career. Having a breach can be devastating, so be calm, polite and professional. Sometimes a little empathy goes a long way in reassuring the customer that you are taking care of their problem.