Investigation of information security incidents
The results of the information security incident investigation establish the circumstances, causes and conditions of the information security incident. The investigation determines the extent of the impact of specific computer information systems, as well as the actions or omissions of personnel involved in the incident. This makes it possible to restore the most accurate chronology of events and to recreate the sequence and system design of the intruders actions.
Purpose of the investigation
- Confirmation or denial of the incident.
- Localization and liquidation of the consequences of the incident.
- Identification of the perpetrators, their motivation, ensuring the possibility of bringing to justice;
- Analysis of the incident and taking measures to prevent similar incidents in the future;
- Minimizing the consequences and reducing the risks arising from the incident;
- Implementation and improvement of processes for an effective response to incidents.
When conducting an investigation, the company’s specialists carry out at least the following types of work:
- Computer and technical analysis of source materials and electronic evidence: images of hard drives, log files, logs of actions and events, memory and network dumps at the time of the incident recording, written explanations of staff on the actions taken related to the incident.
- Identification of all compromised objects and likely subjects related to the incident.
- Collecting data on the relationship of the identified objects of investigation with other elements of the IT infrastructure.
- Reverse engineering of the detected malware and identification of methods and mechanisms of penetration. Recreation of a system-wide malware project, algorithms of work at the network distribution level and impact on the OS.
- Fixing the stages of the attack, determining the sources of the attack, the sequence of actions of potential intruders, the degree of involvement of information systems, the information environment and the Customer’s personnel.