COI Report – Part IV
Page 114 of 425

19.7 Assessment of IHiS' incident response in January 2018

324. Based on the evidence presented, the Committee finds a number of deficiencies in the incident response by Ernest and Benjamin:

a) First, no steps were taken whatsoever by Ernest or Benjamin to investigate Workstation A, despite the evidence of communications between Workstation A and what was understood to be a suspicious IP address. The Committee finds this unsatisfactory, since such investigations would have been the next logical step following the containment of malicious activity on the PHI 1 Workstation, and were clearly not beyond their technical experience or expertise.

b) Second, Ernest did not take steps to verify whether the malware found on the PHI 1 Workstation had propagated across the network. Vivek has highlighted that this was a failure to implement the IR-SOP which, as mentioned in paragraph 323 above, states that malware infections are not reportable if the malware is cleared and if there has been no network propagation. In this case, however, the callbacks from Workstation A were indicative of network propagation, and ought to have prompted further investigations.
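The propagation check that paragraph 324(b) says should have followed the containment of the PHI 1 Workstation can be made concrete. The following is an added example, not code from the COI report or from IHiS: it takes a few constructed outbound-connection log lines, lists every host that called back to the suspicious IP, flags any host outside the contained set as evidence of propagation, and then applies the IR-SOP rule quoted in the report (an infection is not reportable only if the malware is cleared and there is no network propagation). The host names, the IP addresses (documentation ranges) and the log format are assumptions for illustration.

```python
"""Added example: propagation check after containing a single workstation.

Not from the COI report. Host names, IPs and log format are constructed."""

from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Set

# Constructed sample: "<timestamp> <source host> <destination IP> <destination port>".
# PHI-1-WS stands in for the PHI 1 Workstation; WORKSTATION-A for Workstation A.
SAMPLE_LOG = """\
2018-01-22T09:10:05 PHI-1-WS 203.0.113.10 443
2018-01-22T09:11:40 PHI-1-WS 203.0.113.10 443
2018-01-22T10:02:17 WORKSTATION-A 203.0.113.10 443
2018-01-22T10:05:51 WORKSTATION-A 203.0.113.10 443
2018-01-22T10:06:03 WORKSTATION-B 198.51.100.7 80
"""

# Constructed placeholder for the "suspicious IP address" referred to in the report.
SUSPICIOUS_IPS: Set[str] = {"203.0.113.10"}


@dataclass(frozen=True)
class Callback:
    when: datetime
    host: str
    dst_ip: str
    dst_port: int


def parse_log(text: str) -> List[Callback]:
    """Parse the constructed log format; malformed lines are skipped, not guessed."""
    out: List[Callback] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        out.append(Callback(datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])))
    return out


def callbacks_by_host(callbacks: Iterable[Callback], suspicious_ips: Set[str]) -> Dict[str, List[Callback]]:
    """Group every connection to a suspicious IP by the host that made it."""
    grouped: Dict[str, List[Callback]] = {}
    for cb in callbacks:
        if cb.dst_ip in suspicious_ips:
            grouped.setdefault(cb.host, []).append(cb)
    return grouped


def is_reportable(malware_cleared: bool, propagated: bool) -> bool:
    """IR-SOP rule as quoted in the report: not reportable only if cleared AND no propagation."""
    return not (malware_cleared and not propagated)


def assess(log_text: str, suspicious_ips: Set[str], contained_hosts: Set[str], malware_cleared: bool) -> dict:
    """Decide whether the incident is reportable once the contained host(s) are known.

    Any host that called back to a suspicious IP but was not contained is treated
    as evidence of propagation, which is exactly the point of paragraph 324(b).
    """
    grouped = callbacks_by_host(parse_log(log_text), suspicious_ips)
    uncontained = sorted(h for h in grouped if h not in contained_hosts)
    propagated = bool(uncontained)
    return {
        "callback_hosts": sorted(grouped),
        "uncontained_hosts": uncontained,
        "first_uncontained_callback": min(
            (cb.when for h in uncontained for cb in grouped[h]), default=None
        ),
        "propagation_suspected": propagated,
        "reportable": is_reportable(malware_cleared, propagated),
    }


if __name__ == "__main__":
    # PHI-1-WS was cleared and contained; Workstation A still called back, so the
    # "cleared and no propagation" exemption does not apply.
    for key, value in assess(SAMPLE_LOG, SUSPICIOUS_IPS, {"PHI-1-WS"}, malware_cleared=True).items():
        print(f"{key}: {value}")
```

The decision hinges on the set of contained hosts: the same log with Workstation A also in the contained set, and the malware cleared, would fall under the IR-SOP exemption, which is why the check has to be run against all hosts that called back rather than only the one where the suspicious file was found.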
325. These deficiencies arose from a failure by Ernest and Benjamin to appreciate the significance of the findings. Benjamin has explained that while he had previously dealt with malware infections, this was his first time dealing with malware which was communicating with C2 servers. Ernest has also explained that this was the first time he had dealt with a case where there were multiple attempts to communicate with a foreign IP address, from one or more workstations, and where one of those workstations was found with a suspicious file. As Ernest himself stated in his email to Benjamin on 22 January 2018, they did not know the "overall impact of this malware".