Blog: DFIR

Too Interested?

Andrew Bassi 08 Oct 2019

I was asked to investigate an incident a while back where my client was being subjected to a sizeable DDoS attack. It was causing them significant pain and, owing to the nature of their business, implementing something like CloudFlare quickly wasn’t an option.

It had the hallmarks of a botnet-for-hire attack, yet there was some oddness about it. Something I couldn’t put my finger on.

I went on site to meet with their IT team who were attempting to handle the incident. They were a competent crew, but were struggling to mitigate the attack. They were switching public IP address ranges, yet the attack was following them.

The team briefed me; we agreed an action plan. I needed to make progress, so got on to it. The team dispersed to carry out their tasks, some helping address the incident, others investigating workarounds to keep service available.

Every day is a school day

Yet, the youngest member of their team stayed with me. He was super keen to learn from me, asking questions about everything I was doing. He didn’t leave my side, which I didn’t particularly mind as I wasn’t investigating a breach, but I had my guard up.

I’m always keen to share techniques – I train incident first responders every month or so.

He stayed with me, lots of questions, wanting to learn everything ‘cyber’ as he wanted to work in the sector.

One of the agreed actions was that the client would report the incident to the police. Law enforcement response in the UK varies, but it’s always worth reporting. I’m glad they did.

The difference a day makes

I came back on site the next morning; the client had a surprising update for me. The police had already been on site that morning and arrested the young chap.

Turns out he had a history of cautions for hacking offences and had been passing information out to a friend who was renting a botnet.

We don’t know why he was doing it as no ransom note had been received, but that was likely to be the next step.

What did I learn?

All too often the most inquisitive individual is the perpetrator. The arsonist is often the one who hangs around asking the fire crew questions.

Why do a small number of wealthy and famous people shoplift? For the rush perhaps? There have even been cases of murderers taking part in appeals for help to solve cases.

What next?

If you’re thinking about your incident response capabilities, have a read of this.