Incident Response Scenarios
A user calls in and says they can't log into anything. The support technician sees that their account is locked and assists them by unlocking it. Unfortunately, the user calls back less than an hour later with the same problem. Roll a d20 to find out whether this pattern is noticed.
You rolled more than 10 - the second technician notices that this is the second issue of its kind today.
The technician sends the issue to the security team. The security team sees that the user changed their password that morning. Roll a d20 to find out whether they bother investigating further.
You rolled more than 10 - the security team notices that the authentication failures are coming from a web application, not the user's computer. They notice that before this morning, there were still a lot of authentication events but they were successful.
You rolled less than 10 - go back to the beginning of this scenario but keep track of time lost.
You rolled less than 10 - the same thing happens again. You lose an hour.
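The pattern the security team eventually spots in the lockout scenario above (a source that authenticated successfully right up to the password change and has only failed since) does not need a lucky roll; it can be a routine check over the logon log. The script below is an added example, not part of the original scenarios. It runs over a constructed, simplified log (ISO timestamp, account, source host or "-", event name); the event names, the two-lockout trigger and the five-failure threshold are assumptions standing in for whatever the real directory or SSO logs provide.

```python
"""Added example: correlate repeated lockouts with the source of the failures.

The log format is constructed for this example (ISO timestamp, account, source
host or '-', event name); real directory/SSO logs carry the same information
under different field names.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: 'webapp01' kept logging on as jdoe with a saved credential.
# After the 08:02 password change every attempt from it fails, the account locks,
# the help desk unlocks it, and the cycle repeats.
SAMPLE_LOG = """\
2024-03-04T07:30:10 jdoe webapp01 LOGON_SUCCESS
2024-03-04T07:45:10 jdoe webapp01 LOGON_SUCCESS
2024-03-04T07:50:00 jdoe laptop-jdoe LOGON_SUCCESS
2024-03-04T08:02:00 jdoe laptop-jdoe PASSWORD_CHANGE
2024-03-04T08:15:10 jdoe webapp01 LOGON_FAILURE
2024-03-04T08:30:10 jdoe webapp01 LOGON_FAILURE
2024-03-04T08:45:10 jdoe webapp01 LOGON_FAILURE
2024-03-04T09:00:10 jdoe webapp01 LOGON_FAILURE
2024-03-04T09:15:10 jdoe webapp01 LOGON_FAILURE
2024-03-04T09:15:11 jdoe - LOCKOUT
2024-03-04T09:20:00 jdoe laptop-jdoe LOGON_FAILURE
2024-03-04T09:25:00 jdoe - UNLOCK
2024-03-04T09:30:10 jdoe webapp01 LOGON_FAILURE
2024-03-04T09:45:10 jdoe webapp01 LOGON_FAILURE
2024-03-04T10:00:10 jdoe webapp01 LOGON_FAILURE
2024-03-04T10:15:10 jdoe webapp01 LOGON_FAILURE
2024-03-04T10:30:10 jdoe webapp01 LOGON_FAILURE
2024-03-04T10:30:11 jdoe - LOCKOUT
2024-03-04T10:31:00 asmith pc-asmith LOGON_FAILURE
"""


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, source, event = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "source": source, "event": event})
    return events


def count_lockouts(events):
    """LOCKOUT events per account; two or more in a day is the pattern the
    second technician noticed."""
    counts = defaultdict(int)
    for e in events:
        if e["event"] == "LOCKOUT":
            counts[e["account"]] += 1
    return dict(counts)


def stale_credential_sources(events, min_failures=5):
    """For each account with a PASSWORD_CHANGE, report sources that logged on
    successfully before the change and have only failed since: a client that is
    still presenting the old password."""
    change_time = {}
    for e in events:
        if e["event"] == "PASSWORD_CHANGE":
            change_time.setdefault(e["account"], e["ts"])
    stats = defaultdict(lambda: {"ok_before": 0, "fail_after": 0, "ok_after": 0})
    for e in events:
        acct = e["account"]
        if acct not in change_time or e["source"] == "-":
            continue
        s = stats[(acct, e["source"])]
        if e["ts"] < change_time[acct]:
            if e["event"] == "LOGON_SUCCESS":
                s["ok_before"] += 1
        elif e["event"] == "LOGON_FAILURE":
            s["fail_after"] += 1
        elif e["event"] == "LOGON_SUCCESS":
            s["ok_after"] += 1
    return [{"account": a, "source": src, "failures": s["fail_after"]}
            for (a, src), s in stats.items()
            if s["ok_before"] and not s["ok_after"] and s["fail_after"] >= min_failures]


def triage(text, min_lockouts=2):
    """Accounts locked out repeatedly, joined to the source still presenting
    the old credential. This is the finding the security team made by hand."""
    events = parse_log(text)
    repeated = {a for a, n in count_lockouts(events).items() if n >= min_lockouts}
    return [f for f in stale_credential_sources(events) if f["account"] in repeated]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The two-step shape matters: the lockout count alone only tells the help desk something is repeating, while joining it to the per-source success/failure flip is what points at the web application rather than at the user, and it also leaves the user's own single mistyped old password (laptop-jdoe) below the threshold.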
A database administrator notices that CPU utilization is high on a particular cluster. Upon investigation, they discover that there is a long-running query bogging things down. What should the admin do?
The admin investigates the query and finds that it's some kind of function that decodes a huge string of character codes. Roll a d20+5 for SQL Prowess.
You rolled more than 10 - you decode the query instantly.
The query is a union select that replaces fields from the default database with various highly sensitive fields from other databases and tables. You recognize the beginning and end of the query as having been generated by the application that depends on this cluster, but the middle part looks totally out of place.
You rolled less than 10 - you aren't sure how to interpret this query. You lose an hour on Stack Overflow.
The admin purges the query and goes to lunch. Three hours later they receive an alert about performance degradation on the same cluster. What should the admin do?
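The SQL Prowess roll above stands in for a task that can be scripted: decoding the character-code literal and checking whether the result looks like data or like SQL that was never part of the application's query. The script below is an added example, not part of the original scenarios. The slow-query-log excerpts are constructed, and the application schema name "catalog", the keyword list and the 20-character length threshold are assumptions for the example; it handles CHAR(n,n,...) calls and long 0x hex literals, the two common encodings.

```python
"""Added example: surface obfuscated text hidden inside a logged SQL query.

The query strings below are constructed; the application schema name
'catalog' and the keyword list are assumptions for the example.
"""
import re

# CHAR(85,78,...) style literals and long 0x... hex literals are the usual ways
# text is hidden from naive string matching on query logs.
CHAR_CALL = re.compile(r"\bCHAR\s*\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)", re.IGNORECASE)
HEX_LITERAL = re.compile(r"\b0x([0-9A-Fa-f]{8,})\b")
SUSPICIOUS_KEYWORDS = re.compile(
    r"\b(UNION\s+SELECT|INFORMATION_SCHEMA|LOAD_FILE|INTO\s+OUTFILE)\b", re.IGNORECASE)
CROSS_SCHEMA = re.compile(r"\bFROM\s+(\w+)\.\w+", re.IGNORECASE)

# Constructed: the application's normal query, and the same query with an
# encoded literal spliced into the middle. The beginning and end still look
# like the application's own SQL, as in the scenario.
BENIGN_QUERY = ("SELECT id, title, price FROM catalog.books "
                "WHERE title = CHAR(72,105) ORDER BY title")
SUSPICIOUS_QUERY = ("SELECT id, title, price FROM catalog.books WHERE id = 7 AND title = "
                    "CHAR(85,78,73,79,78,32,83,69,76,69,67,84,32,115,115,110,44,32,115,97,"
                    "108,97,114,121,32,70,82,79,77,32,104,114,46,101,109,112,108,111,121,"
                    "101,101,115) ORDER BY title")


def decode_hidden_text(sql):
    """Decode every CHAR(...) call and printable hex literal, in order of appearance."""
    pieces = []
    for m in CHAR_CALL.finditer(sql):
        codes = [int(c) for c in m.group(1).split(",")]
        pieces.append("".join(chr(c) for c in codes if c < 0x110000))
    for m in HEX_LITERAL.finditer(sql):
        try:
            text = bytes.fromhex(m.group(1)).decode("ascii")
        except ValueError:          # odd length or not ASCII: not hidden text
            continue
        if text.isprintable():
            pieces.append(text)
    return "".join(pieces)


def analyse_query(sql, app_schemas=("catalog",)):
    """Flag a query whose decoded literals look like SQL rather than data."""
    hidden = decode_hidden_text(sql)
    reasons = []
    if len(hidden) >= 20:
        reasons.append("long encoded literal (%d chars)" % len(hidden))
    kw = SUSPICIOUS_KEYWORDS.search(hidden)
    if kw:
        reasons.append("decoded text contains " + " ".join(kw.group(1).upper().split()))
    for schema in sorted(set(CROSS_SCHEMA.findall(hidden))):
        if schema.lower() not in app_schemas:
            reasons.append("decoded text reads from schema '%s', not the application's" % schema)
    return {"decoded": hidden, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for q in (BENIGN_QUERY, SUSPICIOUS_QUERY):
        print(analyse_query(q))
```

Run against a slow-query log or a query-store export, the schema check is the part worth keeping even if the keyword list is tuned away: an application's query that reads from a database it was never granted is the "middle part looks totally out of place" observation in a form a scheduled job can make, and the output is what the admin should hand to the security team before purging anything.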
A security analyst notices blocked traffic from a server to websites that would be inappropriate to browse at work. What should the analyst do?
A user calls in and says they opened an attachment on an invoice email and it didn't work. What should the support technician do?
Panic! Unplug the user's computer!
Ask the user to send the email to security for analysis
The security team looks at the email and quickly finds that the attachment contains a macro that downloads and installs malware.
Connect to the user's computer and troubleshoot
The technician connects to the user's computer and opens the task manager. Roll a d20 for Live Forensics.
You rolled more than 10 - the technician notices a process name they don't recognize, "dridex.exe", and a quick Google search reveals that it's probably a banking trojan.
You rolled less than 10 - the technician sees nothing amiss in the process list. The technician installs Adobe Reader and tells the user to request that the email be resent.
The user calls back a few days later in a terrible mood. They still can't access the document or get in touch with the sender. They apologize for their foul mood and explain that they've just spent hours on the phone with their bank over a case of apparent identity fraud. What should the technician do?
The support technician escalates the issue to a supervisor. The supervisor notices a process running on the user's machine they don't recognize, "dridex.exe", and a quick Google search reveals that it's probably a banking trojan.
Ask for a copy of the email so they can try opening the invoice
The support technician opens the invoice and waits for the hourglass to turn back into a triangle. Eventually it does, but the document is blank. The computer is now acting sluggish. What should the support technician do?
It's an incident!
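The branch where the attachment goes to security for analysis is the only one that ends well, and the first thing the security team checks (does the "invoice" carry a macro at all?) can be automated before anyone opens it. The script below is an added example, not part of the original scenarios. It relies on the fact that the zip-based Office formats store VBA in a vbaProject.bin part; the sample documents are built in memory from placeholder parts, the attachment names are assumptions, and anything that is not a zip-based document (legacy .doc/.xls, PDF) is simply routed to manual review rather than judged.

```python
"""Added example: first-pass triage of an Office attachment for embedded VBA.

The sample documents are built in memory here (constructed placeholders, not
real invoices); the attachment names are assumptions.
"""
import io
import zipfile

# In the OOXML (zip-based) formats, macros live in a vbaProject.bin part.
MACRO_PART = "vbaProject.bin"
MACRO_ENABLED_EXT = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm")
ZIP_MAGIC = b"PK\x03\x04"


def inspect_office_attachment(filename, data):
    """Classify an attachment: 'clean', 'macro_present', 'corrupt', or
    'not_ooxml_needs_manual_review' (legacy OLE2 .doc/.xls, PDF, ...)."""
    result = {"filename": filename, "has_vba": False,
              "extension_mismatch": False, "verdict": "clean"}
    if not data.startswith(ZIP_MAGIC):
        result["verdict"] = "not_ooxml_needs_manual_review"
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        result["verdict"] = "corrupt"
        return result
    result["has_vba"] = any(n.endswith(MACRO_PART) for n in names)
    if result["has_vba"]:
        # A macro project inside a plain .docx/.xlsx is a renamed macro-enabled
        # file: Office will refuse to run it, but it is still worth a look.
        result["extension_mismatch"] = not filename.lower().endswith(MACRO_ENABLED_EXT)
        result["verdict"] = "macro_present"
    return result


def build_sample_document(with_macro):
    """Constructed stand-in for a Word document; every part is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin",
                        b"\xd0\xcf\x11\xe0 placeholder, not a real VBA project")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("invoice.docm", build_sample_document(True)),
                       ("invoice.docx", build_sample_document(True)),
                       ("invoice.docx", build_sample_document(False)),
                       ("invoice.pdf", b"%PDF-1.4 constructed placeholder")]:
        print(inspect_office_attachment(name, blob))
```

This is a presence check, not a verdict on what the macro does; a "macro_present" result on an unexpected invoice is enough to stop the technician (or the user) from opening it and to hand the file to someone who can analyse the VBA in isolation, which is the outcome the "send it to security" branch describes.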