Embed Size (px)
Citation preview
EffectiveVictimInterviewTechniquesforIncidentRespondersAlisonNaylorPrincipalInformationSecurityAnalystRedHat,Inc.
Overview
• InterviewBasics• WhyinterviewaspartofIncidentResponse?• Subject(victimorpersonofinterest)interviewingtechniques• QualityQuestions• ActiveListeningandEmotionalIntelligence
• StructureofanIncidentResponseInterview• CaseStudies
WhyInterviewforIncidentResponse?
• Gathermoreinformation(obviously)• Youmayalreadyknowwhathappened,nowfindoutthehowandwhy
• Opportunityforusereducation• Incidentsareamemorableexperience!
• PositivePRforsecurityteam• Showyourusershowyoukeeptheirdatasafe• Securityfolksarepeopletoo!
Whythistalk?
• Manyofusareintroverts• Lessthancomfortabletalkingtostrangers
• Ourquestionsaren’tthatgood• Wetendtofocusonthetech,nottheperson• Oftenmisstheinformationgaps
• Interviewingisaskillwecandevelop• Guidelinestobuildconfidence• Plan,practice,andputintouse!
TypesofSubjects• Victim
• Theincidenthappened“to”them• Wasscammed,orperhapsjustmadeamistake• Usuallycooperative
• Adversarialsubject• Personofinterest• May(ormaynot)betheactorbehindtheincident• Lessthancooperative
“Subject”referstoeithercase–thepersonweareinterviewing
TypesofQuestions
Closed-endedQuestions• Usuallyelicitashort,one-wordanswer(usuallyyesorno)• Usefultoconfirmfacts• Oftenbeginwith“Doyou..”“Canyou..”“Who”“When”“Where”• Mightmakevictimsanxious• Couldmakeadversarialsubjectshostileorclamup• Canimplyjudgment,oranexpectedanswer
TypesofQuestions
Open-endedQuestions• Encourageafull,meaningfulanswerusingboththesubject’sexperiencesandfeelings• Usuallybeginwith“Tellme..”“Whatdoyouthink..”“How”or“Why”• Arereassuringtovictims• Canmakeadversarialsubjectsnervousandchatty• Moreobjective,lessleading
Closed-Endedvs.Open-Ended
“Canyoutellmewhathappened?”“Doyouknowthesenderofthisemail?”“Doyouhaveanyproblemswithyourboss?”
“Okay,tellmewhathappened.”“Howdoyouknowthisperson?”“Tellmeaboutyourrelationshipwithyourboss.”
Whentousethem?
Asageneralrule:• Open-endedquestionstostartaconversation• Closed-endedquestionstoclarify,confirmdetails• Backtoopen-endedtocontinueanarrative
Forparticularlyinvolvedincidents,atraditionalfour-stageinterrogationcanhelp.Weaskthesubjecttodescribe:• Theentireincident,astheyrememberit(mostlyopen-endedquestions)• Theperiodbeforetheincidenttookplace(someopen,someclosed)• Detailsabouttheincident(mostlyclosed)• Theperiodfollowingtheincident(someopen,someclosed)
OrganizingaNarrativeFlow
QualityQuestions
• Objective• SpecificandDirect
• Non-Judgmental• Don’tplayStupidvs.Evil
• Adapttothesubject• Showthatyou’relistening
• Toneofvoice• Matter-of-fact• Supportive
Itlookslikeyouvisitedalinkatsketchy[.]site.Howdidyoucometoreachthatsite?Idon’tseetheURLinyourbrowserhistory,butIhavenetworklogsindicatingthesitewasvisitedatthistimefromyourIPaddress.Whymightthatmightbe?Iheardyousaythatoncetheyhadremotecontrolofyourdesktop,theyransomecommands.Whatcanyourememberaboutthis?
InterviewingTips
Establishrapport• Taketimeforintroductions• Setexpectationsfortheinterview• Offerreassurances• Themagicwords:“You’renotintrouble.”
Bepatient!Don’trush• Repeatandrephraseasneeded• Bookmoretimethanyouthinkyouneed
InterviewingTips
UseActiveListening• Paraphrase–restatethesubject’sinformationwithdifferentwords• Summarize–conciselyreiteratemainpointstoidentifyoverallprogress• Clarify–allowforunclearportionstoberestateduntilintendedmeaningisclear• Reflect–beattunedtoandreflectfeelings
BeMindfulofBodyLanguage• Makeeyecontact• Relaxed,open• Neutralexpression
InterviewingTips
ConsidertheInterviewEnvironment• Howwillthesettingaffectthesubject?• Boardroomvs.ComfyChairsvs.CubicleAmbush
BringaPartner
• Oneofyoucanfocusonthesubject• Theothercanfocusoncapturingdata,fact-checking• Goodtohaveawitness(especiallyifadversarial)
SpecialConsiderationsforVictims
• Victimsmayfeeltraumatized—lookforsignsofdistress• Recognizethevictim’sfears,embarrassment,guilt,orconfusion• Establishasafespace—physicalandotherwise• Offerreassurancespriortoaskinguncomfortablequestions
• Particularlyaroundbrowserhistory,emails,photos,chatlogs,etc.
• Avoidgettingboggeddownspeculatingabouttheadversary• Shareapersonalstoryifyou’veexperiencedsomethingsimilar
It’snotourroletocounselvictimsofcybercrime,butwecanlistenwithempathy,anddirectvictimstoadditional
resourcesthatcanhelp.
EffectsofCybercrime
• Traumacanleadtolong-lastingpsychologicaleffects:• Self-blame,guilt,anger• Feelingvulnerable,powerless• Isolation,inabilitytotrust
• Physicaleffectscaninclude:• Difficultyconcentrating• Appetitechanges• Insomnia• Absenteeism
Source:https://www.infosecurity-magazine.com/news/isc2congress-cybercrime-victims/
BeforeYourInterview
• Planoutyourquestions• Determinewhatbackgrounddatayoumustrecordforeveryincident.Askyoursubjectonlyforthefactsyoucan’tdiscoverthroughothermeans.
• Developquestionstailoredtotheparticularincident• Youmayalreadyhavetheanswers(thatcanbeagoodthing)
• Tryoutquestionsonateammate—rewriteclosedquestionsasopen!
• Chooseatimeandplace• Selectalocationappropriateforyoursubject• Bookmoretimethanyouthinkyou’llneed
BackgroundData
• Subjectprofile:name,userid,emailaddress,phonenumber,jobtitle,hiredate,department,location• Deviceprofile:type,manufacturer,revision,operatingsystem,patchlevel,statusofbackups,statusofdiskencryption• Softwareprofile:packagesinstalled,versions,whatAVorendpointprotectionsoftwareispresent,whatMDMprofileispresent,whatclassificationofdatamaybestoredonthesystemorpassthroughthesystem,etc.
IOC/ArtifactCollectionChecklist
Collectthefollowingtocorrelatewithsystemlogs,networktrafficrecords,packetcaptures,IDSlogs,AVreports,forensictools,andthird-partyanalysissites:• Devicevitals:IPaddress,MACaddress,FQDN,localcomputername• Emailmetadata:To,From,Date,Subject,Attachmentname
• Copyoftheemailwithfullheadersandattachmentpayloadpreferred!• Phonecallmetadata:Phonenumbers,CallerID,timestamps,anddurations• Externalentities:IPAddresses,ports,domainnames,URLs,ASNs• Forensicartifacts:Files,hashes,payloads,memorydumps,diskimages,backups
BeginningYourInterview
• Introduceyourself,givethemachancetodothesame• Explainthepurposeoftheinterview• Offerreassurances—thisisaboutinformation,notblame
• “Weneedyourhelptounderstandwhathappened.”
• Ifappropriate,usethemagicwords:• “You’renotintrouble!”
• Setexpectations—whatyou’llbeasking,whetheryouaretakingnotesorrecording,ifyou’llbeexamininganyartifactsintheirpresence• Smile,useeyecontact,andspeakcalmly!
SubjectHistory
• Askyoursubjecttorecountwhathappened.Encouragethemtotaketheirtime,startatthebeginning,includeasmuchdetailastheycan.• Recorddetailednotesonallstatementsprovidedbythevictim.• Correlatewithyourincidenttimelineasmuchaspossible.Includetimestampsfromeventlogs,emails,chatlogs,etc.whenavailable.• Gentlyaskforadditionalinformationandclarificationasneeded.
PanicMode?
• Askthesubjectwhatstepstheytookoncetheysuspectedaproblem.• Didtheytrytodoanycleanupontheirownbeforeengagingthesecurityteam?• Whatspecificactionsweretaken?
• Passwordschanged?Historycleared?Systemunplugged?Softwareuninstalled?• Whoelsemighthavetheyspokentoabouttheincident?• Whatprotectivemeasuresdidtheyalreadyhaveinplace,andwhatwastheireffectiveness?
• Havetheyexperiencedasimilarincidentbefore?
AdditionalData
• Usualphysicallocation(s)ofdevice• Whoownsthedevice?Isitcompany-provided,orpersonal?• Whoelsehasaccesstothedevice/account?
• You’veneverletyourassistant/teammate/partner/child/parentuseit?
• Isanysuspiciousactivityongoing?• Isthedevicecurrentlyconnectedtoanynetwork?• Hasthedevicebeenpoweredofforrebooted?• Haveanychangesbeenmadetothedevice?
InterviewWrap-Up
Attheconclusionoftheinterview,it’simportantto:• Thankthesubjectfortheirtimeandcooperation• Offeranopportunityforthemtoaskanyquestions
• e.g.nextsteps,whatwillhappenwiththeircase• Askiftheyhaveanyconcernsarisingfromtheincident• Provideyourcontactinformation,incasetheyremembersomethingelse
UserEducation
• Helptheuserunderstandwaystopreventfutureincidents:• Whenindoubt,confirmidentitiesviaanothermethod
• Passwords• Changeanysuspectpasswords• Usegoodpassphrases,2FAwhereverpossible• Don’tre-usepasswords• Useapasswordmanager
• Prepareforpossibilityofre-victimization• Compromiseddatacanbere-sold,usedagain
AdditionalSupport
• Offersuggestionsforadditionalsupport:• EmployeeAssistancePrograms• Creditmonitoringservices• NationalIdentityTheftVictimsAssistanceNetwork• CybercrimeSupportNetwork
• Encouragethesubjecttoreachoutiftheyrecallanyfurtherdetails• Anoverallpositiveinteractionwillincreaselikelihoodofre-contact
CaseStudy:CryptominerChris
• Trackingdownacryptominerinanofficebuilding• Unknownsystem,hadn’tauthenticatedtoanythingofficial• FoundtheMACaddressonaswitch,tracedoutthecable• Approachedtheassociateattheirdesk• “WHAT’SYOURMACADDRESS?!”• Theassociatepromptlyclamsupandbecomesuncooperative• “Let’sstartover”J
CaseStudy:CryptominerChris
Thisinterviewstartedoutreallypoorly,butwewereabletoturnitaround• Reallyhadtocalmdowntheassociate—sittingateyelevel,soothingvoice,etc.• Explainedwhoweare,thatwe’retryingtounderstanddata,andneededhishelp• Askedabouthiscompany-issuedlaptopfirst,butitdidn’tmatchwhatwe’dseen• ThenInoticedanotherPConthedesk—hesaiditwasn’this• Lotsofopen-endedquestionslater,admittedhe’dlifteditfromane-wastebin• Hehadbroughtittohisdesk,pluggeditin,turnediton,andwalkedaway• Hewasusedtore-usingeveryscrapofhardware,thoughtthatwasstandard• Excellentopportunityforusereducationaboutplugginginunknowndevices!
CaseStudy:PhotoPhil
• Threateningtweetswithphotosfrominsideacompanyevent• Triangulatingwhotookthephotofromshotsofthecrowd• Wefoundalow-resolutioncrowdshotpostedonaninternalblogthatcouldpotentiallysolvethemystery• Approachedthephotographer:“Didyoutakethisphoto?We’regoingtoneedyoutohandovertheoriginal!”• Photographerfreakedout!• “Ohmygod,whoevenareyouguys?Idon’thavetogiveyouanything!Nobodygetsmyphotos,they’remine!”
CaseStudy:PhotoPhil
Themagicwords:“You’renotintrouble.Wereallyneedyourhelptofigureoutwhat’sgoingon.Canyouhelpussolvethismystery?”• Timewasoftheessence,unfortunatelyplanningwasnon-existent• Anothercaseofanoverly-intimidatingstarttotheconversation• Alwaysleadwithwhoyouare,whyyou’retalkingtothem,andthatthey’renotintrouble.• Thisassociatewassuperhappytohelponceherealizeditwasn’tabouthim,veryexcitedandproudthathecouldhelpuscrackthecase!
CaseStudy:ScammerFiction,DoubleFeature
1. Associate’sAmazonaccountwascredential-stuffedandcompromised2. Shewantedtotalktotechsupport,soGoogleditandcalledthefirstnumber3. Ofcourseitwasascammer—askedhertojoinaWebExsessionforhelp4. Hetookcontroland“showed”that87evilIPaddresseswereconnected5. SaidshecouldtakethePCtoa“CiscoStore”orpay$350foronlinehelp6. Askedhertocheckherbankdetailswhileconnectedandsherefused7. Thescammergotbelligerentandthreatening,andsheeventuallyhungup8. Theassociatewassounsettled,sheworriedshewasbeingwatched
CaseStudy:ScammerFiction,DoubleFeature
Thisinterviewwentreallywell!Wewereabletodosomethingsright:• Small,comfortableinterviewspace• Oneinterviewer,onescribe• Weabsolutelyneededdoublethetimewe’dbookedwithher• Lettingherspeakaboutherfeelings—she’dbeenterrifiedfordays,wasn’tsleeping• Wewereabletoexplainshe’dbeenscammedtwice,byunrelatedactors• Usereducationhelpedherunderstandwhatactuallyhappened,vs.thefrighteningliesthescammerhadtoldher
• Sheleftfeelingrelievedandempoweredtoresistfuturescams!
Questions?Thanksforattending!
Acknowledgements
• TheQuestionofQuestionTypesinPoliceInterviews:Areviewoftheliteraturefromapsychologicalandlinguisticperspective(2010:TheInternationalJournalofSpeech,Language,andtheLaw:Oxburg,Myklebust,andGrant)• InterviewingTechniquesinDomesticViolenceCases(NewJerseyDivisionofCriminalJustice)• #ISC2Congress:CybercrimeVictimsLeftDepressedandTraumatized
• https://www.infosecurity-magazine.com/news/isc2congress-cybercrime-victims/
• ALastingImpact:TheEmotionalTollofIdentityTheft• https://www.equifax.com/assets/PSOL/15-9814_psol_emotionalToll_wp.pdf
