Investigation Scenario 🔎

An HR employee reports that their work phone hasn't been able to connect to the cellular network since they woke up this morning. They have also reported that they can no longer authenticate to the HR web portal they use.

What do you look for to investigate whether an incident occurred and the extent of the compromise?

Assume you have access to whatever digital evidence source you need.

#InvestigationPath #DFIR #SOC

As you look through the replies to the scenario, take note of the assumptions each person makes. What some call an assumption, others would call a hypothesis; the former is accepted while the latter is questioned. That distinction is critical. It’s okay to pick a likely outcome and pursue evidence that proves or disproves it; you just can’t assume it has happened without evidence in hand, particularly before you go isolating and quarantining things.

Of course, this does sound like it could be a SIM swapping attack… many of us thought that last week when AT&T went down 😅 But the confluence of a phone issue/outage and a user having a login issue isn’t that unreasonable. I’ve seen it more than once!

Speaking of SIM swapping attacks, what’s your investigative plan if you suspect someone with access to sensitive information in your org is affected by one? Don’t just think about response, but also clear identification…

That’s something to think about… 🚀 #InvPath #DFIR #SOC

My response of the week goes to @CyberSpooon. I appreciate their mention of examining recent login behavior AND changes in multi-factor authentication methods or apps. They win a free month of my Analyst Skills Vault.
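To make the "logins plus MFA changes" approach concrete, and to cover the SIM-swap identification question raised above, here is an added example (mine, not part of the original post or the winning reply) that builds a timeline for one user from identity-provider audit events and flags what a responder would scrutinize first: MFA method or phone-number changes, password resets, failed MFA challenges, and logins from an IP or device outside the user's baseline. The log lines, field names, user, and baseline are all constructed for the example and do not reflect any vendor's real schema.

```python
"""Identity-event timeline for a suspected SIM swap (added example).

Given JSON-lines audit events from an identity provider, keep one user's
events, order them, and flag the ones that matter most when a SIM swap is
suspected. Field names, values and the baseline are assumptions.
"""
import json
from datetime import datetime, timezone

# Constructed sample audit events (not real data). Timestamps are UTC and are
# deliberately out of order to show that the timeline sorts them.
SAMPLE_EVENTS = [
    '{"ts": "2024-03-01T06:02:11Z", "user": "hr.user", "event": "login.success", "ip": "203.0.113.10", "device": "Unknown-Android", "mfa": "sms"}',
    '{"ts": "2024-03-01T06:05:40Z", "user": "hr.user", "event": "mfa.method.change", "old": "sms:+1555...0199", "new": "sms:+1555...0721"}',
    '{"ts": "2024-03-01T06:06:03Z", "user": "hr.user", "event": "password.reset", "ip": "203.0.113.10"}',
    '{"ts": "2024-03-01T07:45:12Z", "user": "hr.user", "event": "mfa.challenge.failed", "ip": "198.51.100.7", "device": "iPhone-HR-0042", "mfa": "sms"}',
    '{"ts": "2024-02-28T17:10:00Z", "user": "hr.user", "event": "login.success", "ip": "198.51.100.7", "device": "iPhone-HR-0042", "mfa": "sms"}',
    '{"ts": "2024-03-01T06:30:00Z", "user": "other.user", "event": "login.success", "ip": "198.51.100.9", "device": "Laptop-17", "mfa": "push"}',
    'this line is not JSON and must be skipped',
]

# Assumed baseline for the user, built from prior activity (constructed).
BASELINE = {"ips": {"198.51.100.7"}, "devices": {"iPhone-HR-0042"}}

# Event types that are high-signal on their own in a SIM-swap investigation.
HIGH_SIGNAL = {
    "mfa.method.change",
    "password.reset",
    "mfa.challenge.failed",
    "mfa.challenge.denied",
}


def parse_events(lines, user):
    """Parse JSON lines, keep only `user`'s events, and sort by timestamp."""
    events = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the timeline
        if ev.get("user") != user:
            continue
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def flag_event(ev, baseline):
    """Return the reasons an event deserves scrutiny (empty list if none)."""
    reasons = []
    if ev["event"] in HIGH_SIGNAL:
        reasons.append(ev["event"])
    is_login = ev["event"].startswith("login")
    if is_login and ev.get("ip") and ev["ip"] not in baseline["ips"]:
        reasons.append(f"new ip {ev['ip']}")
    if is_login and ev.get("device") and ev["device"] not in baseline["devices"]:
        reasons.append(f"new device {ev['device']}")
    return reasons


def build_timeline(lines, user, baseline=BASELINE):
    """Ordered list of {ts, event, flags} dicts for one user."""
    return [
        {"ts": ev["ts"].isoformat(), "event": ev["event"], "flags": flag_event(ev, baseline)}
        for ev in parse_events(lines, user)
    ]


def first_suspicious(timeline):
    """Earliest flagged entry: the candidate start of the compromise window."""
    for entry in timeline:
        if entry["flags"]:
            return entry
    return None


if __name__ == "__main__":
    tl = build_timeline(SAMPLE_EVENTS, "hr.user")
    for entry in tl:
        marker = " <-- " + "; ".join(entry["flags"]) if entry["flags"] else ""
        print(f"{entry['ts']}  {entry['event']}{marker}")
    start = first_suspicious(tl)
    print("candidate window starts at:", start["ts"] if start else "none")
```

On the constructed data the earliest flagged entry is the login from an unknown device and IP, followed by an MFA phone-number change and a password reset; the later failed MFA challenge from the user's own phone is exactly what the HR employee would experience once their number had been moved. The baseline is the part that matters in practice: without a record of the user's normal devices and networks, "new" cannot be distinguished from "normal", which is why establishing that baseline belongs to identification, not just response.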

https://x.com/CyberSpooon/status/1763568289261765077?s=20

CyberSpooon (@CyberSpooon) on X

@chrissanders88 I would heavily scrutinize recent logins from that user and look for changes to MFA methods or apps to establish an investigation timeline. Next, I would look at any Office activity from that user we can attribute to the bad actor as well as changes/access to the HR portal. 2/2
