COI Report – Part VII
Page 414 of 425

50.2 The Computer Emergency Response Team must be better equipped with the necessary hardware and software

1197. A CERT requires the necessary tools in order to perform its role and functions effectively; without such tools, it would be inherently difficult to get anything done. It is highly recommended that the CERT have software and hardware that can be readily utilised during an incident. This can range from anti-malware to laptops with packet sniffers, as well as incident response checklists, etc.

1198. The CERT was not provided with equipment necessary for proper forensic investigations. As at June 2018, the total capacity of the CERT’s office laptops was 500 GB. Benjamin therefore had to install forensic tools on his personal laptop to carry out forensic investigations of the PHI 1 Workstation and Workstation C. This proved to be a significant bottleneck.

1199. Deficiencies in CERT equipping. Vivek observed that the CERT was not well equipped to respond to security incidents:

(a) One program used by the CERT only allows individual systems to be imaged and does not scale well for an enterprise-scale incident where multiple systems may be infected and may need investigation. Another program is quite complex and requires a lot of training and expertise to be used effectively. Therefore, such tools do not lend themselves well to a security incident wherein attackers are advanced and able to spread across a wide cross-section of the network.

(b) The team only had one computer to carry out forensic investigations. Therefore, even processing evidence using the traditional dead-disk forensics approach required a painfully long amount of time.
(c) The team did not have access to Endpoint Detection and Response (EDR) software that would have allowed rapid isolation and containment of the infected systems and enabled rapid collection of forensic evidence from multiple systems at the same time. Vivek emphasised that use of an EDR could have cut response time down from almost one month to a single day.

(d) The team also did not have the tools and software needed to analyse malware and reverse engineer it to identify the malware’s capabilities.

(e) The team did not have any case management software to log all the investigative updates and track the progress.
1200. Recommendations for improvement of CERT equipping. It goes without saying that the CERT must be provided with both the hardware and software mentioned above to do its job properly. Furthermore, the tools provided to the CERT must be organised properly, to ensure that they are available for use at a moment’s notice. Organisations may see their incident investigation and remediation processes experience unexpected delays, or even grind to a halt, if the tools teams rely on to unearth information about affected systems and people are inadequate, mismanaged or misused.

1201. IHiS should maintain an inventory of tools in a centralised location, and team members should be trained across the entire tool set on an ongoing basis. Finally, tools should be regularly assessed to determine whether they can still address the most current threats.