


Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019




COI Report – Part VII
Page 321 of 425

41.3 Correct balance must be struck between containment,
remediation and eradication, and the need to monitor an
attacker and preserve critical evidence
936. In responding to an incident, it is crucial that responders, in this case, IHiS’ CERT/SIRT, strike the correct balance between attempting to stop the observable signs of attack, and preserving evidence such that it is possible to track the movements of the attacker and monitor its activities. In this case, the responders erred too much on the side of containment and eradication, resulting not only in the loss of opportunities to detect the full extent of the attacker’s presence in the network but also in the loss of important pieces of evidence.
937. Vivek has correctly highlighted a number of missteps by the CERT:

a) CERT resorted to reformatting several systems infected with malware (e.g. PHI 1 Workstation in January 2018). While at some point these systems needed to be reformatted, doing so in a hurry can seriously hamper the investigation as it leads to loss of potentially valuable forensic evidence. A better practice would have been to quarantine (i.e. isolate) the system on the network without turning off the power, so that the infected systems could be studied further (e.g. to identify C2 servers with which the workstation was communicating).

b) CERT also resorted to shutting down systems that were exhibiting suspicious behaviour (e.g. Citrix Server 1, Workstation B, PHI 1 Workstation). While this may seem to be a natural thing to do, doing so could seriously hamper the investigation as it leads to loss of potentially valuable forensic evidence. Again, a better practice would have been to quarantine the system on the network without turning off the power, for further study.

c) CERT resorted to blocking IP addresses that were identified as malicious (e.g. IP address range associated with workstation VM
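As an added illustration of the quarantine-rather-than-wipe practice described in paragraph 937 (this is not code from the COI report or from IHiS), the helper below first records a workstation's live external connections as leads for identifying C2 servers, then emits an nftables ruleset that isolates the host on the network while it stays powered on. The host and collector IPs, the internal ranges and the sample `ss -tan` output are constructed.

```python
"""Quarantine-before-wipe helper (added example, not from the COI report).

Step 1: snapshot the live connection table so the attacker's remote endpoints
(candidate C2 servers) are preserved as evidence. Step 2: emit an nftables
ruleset that cuts the host off from everything except the forensic collector,
leaving power and memory intact for later study.
"""
import ipaddress
from collections import Counter

# Constructed sample of `ss -tan` output from a workstation under investigation.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB   0      0      10.10.5.23:49822    203.0.113.45:443
ESTAB   0      0      10.10.5.23:49830    203.0.113.45:443
ESTAB   0      0      10.10.5.23:49911    198.51.100.7:8080
ESTAB   0      0      10.10.5.23:50001    10.10.5.8:445
LISTEN  0      128    0.0.0.0:3389        0.0.0.0:*
"""

# Assumed internal ranges; lateral-movement peers inside them are handled separately.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]


def external_peers(ss_output: str) -> Counter:
    """Count ESTAB connections per external IPv4 peer (candidate C2 endpoints)."""
    peers = Counter()
    for line in ss_output.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":  # only live sessions matter here
            continue
        peer_ip = fields[4].rsplit(":", 1)[0]        # strip the port
        ip = ipaddress.ip_address(peer_ip)
        if not ip.is_loopback and not any(ip in net for net in INTERNAL_NETS):
            peers[peer_ip] += 1
    return peers


def quarantine_ruleset(host_ip: str, collector_ip: str) -> str:
    """nftables ruleset (for `nft -f`): permit only traffic to/from the forensic
    collector and drop everything else, so the host stays up for memory imaging."""
    return "\n".join([
        "table inet quarantine {",
        "  chain input { type filter hook input priority 0; policy drop;",
        f"    ip saddr {collector_ip} ip daddr {host_ip} accept",
        "  }",
        "  chain output { type filter hook output priority 0; policy drop;",
        f"    ip saddr {host_ip} ip daddr {collector_ip} accept",
        "  }",
        "}",
    ])
```

Capturing the connection table before applying the ruleset matters: once the host is isolated, the sessions that pointed at the attacker's infrastructure are gone.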


