It’s Tuesday and I think I have a computer virus…

…or is it ransomware?

Today is the Tuesday after the Easter Bank Holiday weekend and we should have had our weekly staff meeting, which I wanted to use for incident response training. Because of work commitments, the CEO being in Spain and two of our team on leave and driving to Liverpool, our Operations Manager, Martin, thought we should postpone the meeting.

A good plan, but he and I still needed a meeting to finalise a proposal paper for one of our clients – well, that is what HE thought he was doing. I, however, have rescheduled the proposal paper to this afternoon and we are going to have an incident response training session.

Incident Response Training

Having an incident response plan on paper is all well and good – but unless you take it for a test run every so often how do you know it is going to work? Enter incident response training.

Why did I choose today?

Diana proofreads these articles before they are published – even when she is on holiday in Spain – and I know she is not going to be happy about this surprise training. But it is precisely because she is out of the country and because two of our people are on the road that I chose this particular Tuesday. Previous unannounced tests have been held during our weekly staff meeting. This, I thought, would be a bit more difficult.

What are we testing?

Not the full plan. The scenario is that my machine is infected with an unknown virus – I will switch my immediate work to my iPhone and Linux laptop to test myself on being able to manage an incident without a laptop.

I am a global administrator for our Microsoft 365 account and have admin and user access to other systems – so I want a complete password change across our systems and a check run on our email for rogue email rules (often a sign of business email compromise).

Here are some of the things I want to test (not all of them, as some are secret).

  • I want to check that both the WordPress and the accounting system passwords can be changed. The two people responsible for this are either in a car or in Spain. We will not change these, just check that it can be done quickly.
  • I want all the company Microsoft 365 account passwords changed – including all global admins.
    • I want to test our team’s ability to change passwords on all their devices, even when in another country, on the road or under pressure.
  • I want the back-ups checked and a specific OneNote file and this Word document recovered to a machine where they can be virus checked.
  • Plus a couple of other confidential steps in our incident response will be checked to cover the scenario.
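The rogue email rule check mentioned above is the most mechanical step in this list, so here is an added example of how it can be scripted. This is not Octagon's own tooling: it assumes the mailbox rules have been exported in the shape of Microsoft Graph `messageRule` objects (the `actions` and `conditions` field names below follow that schema), that `example.com` stands in for the organisation's own domain, that folder ids have already been resolved to display names, and the four sample rules are constructed for illustration.

```python
"""Flag suspicious mailbox rules: external forwarding, deletion, and mail
hidden in rarely-read folders. Added example, not Octagon's tooling."""
import json
from typing import Dict, Iterable, List

# Assumption: the organisation's own email domain(s).
INTERNAL_DOMAINS = {"example.com"}

# Folders where rule-moved mail is easy to overlook; a move here is worth a look.
OVERLOOKED_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                      "junk email", "deleted items", "archive"}

# Assumption: moveToFolder ids resolved to display names beforehand.
FOLDER_NAMES = {"AAMk-news": "Newsletters", "AAMk-rss": "RSS Feeds"}

# Constructed sample export in Graph messageRule shape (not real data).
SAMPLE_RULES_JSON = json.dumps([
    {"id": "r1", "displayName": "Vendor newsletters", "isEnabled": True,
     "conditions": {"subjectContains": ["newsletter"]},
     "actions": {"moveToFolder": "AAMk-news"}},
    {"id": "r2", "displayName": ".", "isEnabled": True,
     "conditions": {"bodyOrSubjectContains": ["invoice", "payment", "password"]},
     "actions": {"forwardTo": [{"emailAddress": {"name": "", "address": "collector@mail-drop.example"}}],
                 "markAsRead": True, "delete": True, "stopProcessingRules": True}},
    {"id": "r3", "displayName": "Clean up", "isEnabled": True,
     "conditions": {"fromAddresses": [{"emailAddress": {"address": "finance@example.com"}}]},
     "actions": {"moveToFolder": "AAMk-rss", "markAsRead": True}},
    {"id": "r4", "displayName": "Copy to Martin", "isEnabled": True,
     "conditions": {"subjectContains": ["proposal"]},
     "actions": {"redirectTo": [{"emailAddress": {"address": "martin@example.com"}}]}},
])


def external_addresses(recipients: Iterable[dict], internal_domains: Iterable[str]) -> List[str]:
    """Return recipient addresses whose domain is not one of ours."""
    internal = {d.lower() for d in internal_domains}
    out = []
    for r in recipients or []:
        addr = r.get("emailAddress", {}).get("address", "").lower()
        domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
        if domain not in internal:
            out.append(addr)
    return out


def assess_rule(rule: dict, internal_domains: Iterable[str], folder_names: Dict[str, str]) -> List[str]:
    """Return a list of human-readable reasons the rule looks rogue (empty if benign)."""
    reasons = []
    actions = rule.get("actions", {})
    for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo"):
        ext = external_addresses(actions.get(key), internal_domains)
        if ext:
            reasons.append(f"{key} external address(es): {', '.join(ext)}")
    if actions.get("delete") or actions.get("permanentDelete"):
        reasons.append("deletes matching mail")
    folder_id = actions.get("moveToFolder")
    if folder_id:
        folder = folder_names.get(folder_id, folder_id)
        if folder.lower() in OVERLOOKED_FOLDERS:
            reasons.append(f"moves mail to rarely-read folder '{folder}'")
    # Marking as read on its own is harmless; combined with the above it hides the activity.
    if actions.get("markAsRead") and reasons:
        reasons.append("also marks mail as read (hides the activity)")
    name = (rule.get("displayName") or "").strip()
    if len(name) <= 1:
        reasons.append("blank or single-character rule name")
    return reasons


def find_rogue_rules(rules_json: str, internal_domains=INTERNAL_DOMAINS,
                     folder_names=FOLDER_NAMES) -> List[dict]:
    """Parse an exported rule list and return only the rules with findings."""
    findings = []
    for rule in json.loads(rules_json):
        reasons = assess_rule(rule, internal_domains, folder_names)
        if reasons:
            findings.append({"id": rule.get("id"), "name": rule.get("displayName"),
                             "enabled": rule.get("isEnabled", True), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_rogue_rules(SAMPLE_RULES_JSON):
        state = "ENABLED" if f["enabled"] else "disabled"
        print(f"[{state}] rule {f['id']} {f['name']!r}")
        for reason in f["reasons"]:
            print("   -", reason)
```

Run against the constructed sample, the script reports rules `r2` (external forward, delete, mark-as-read, near-blank name) and `r3` (finance mail moved to RSS Feeds and marked read) and passes the two benign ones. A disabled rule is still reported, because a rule that has been switched off is still worth asking about during the debrief.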

Incident Response Training – What should I expect?

What any manager would expect if they tried this: objections, excuses, complaints. My team are not saints; they are busy, they are on leave, but I know they will rise to the challenge and prove our plan works. I know Martin will not like it, as he has a very well organised day. My argument will be, “if a client phoned you with a probable malware infection, you’d reschedule and get someone on it – this is no different”.

I will get grief when Diana gets back from Spain. But what better time to test the systems when a key member is out of the country?

What’s Next?

  • Well, if no one quits or divorces me, next week’s staff meeting will be a debrief and an edit of our incident response plan. I expect we will find an issue or two.
  • I am going to get Martin – and anyone else on the team who wants to – to write their thoughts on the exercise on the Octagon blog. I promise not to censor anything!

Timings

I am writing this post on Monday night; I will not send it for proofing until after the exercise, and it is scheduled to be published on Wednesday morning. So by the time you read this it will be over and the results will be in.

Wish me luck!

Clive Catton MSc (Cyber Security) – by-line and other articles

Further Reading

Incident Response Communications – Have You Got It Covered?

Ransomware – A Primer

Don’t Blame your Team – “Just Click Here”

Linux for Business (Part I)

Linux for Business (Part II)