Incident Response Instructions
Let's review a comically bad IR and then review how to do it right.
Here’s a lovely headline for an article you’ll need to read. It’s just a one pager.
CISA confirms Russia-linked hackers tapped into correspondence between federal agencies, Microsoft
OK, so think about what you read, but understand what was NOT in that article.
Microsoft was communicating with federal agencies and they were tapped by Russians. How do you think this went?
Microsoft: “Looks like this federal agency might have a security problem with their email server”
Microsoft: “So I’ll just send them an email about it …”
End User Agency: "Dang, potential email security problem, let me email this to the whole incident response team so we can share our feelings on this matter.”
Security Vendor Previously Unnoticed By Intruder: *makes wrist slitting gestures*
Intruder: *opens folder of Monty Burns excellent gifs …*
If you think that isn’t an everyday kinda thing, take a look at how an Actual Incident Response Today progressed last fall.
Attention Conservation Notice:
I may or may not be doing something along these lines with someone who has also received a recommendation to immediately get sterilized, in addition to various security related suggestions. This is the rauhauser dot net way, where pro bono clients always get their money’s worth. If it’s too early for acidic humor, be gone wit ye.
Injuries & Insults:
OK, so here’ the deal. How do you recover from a communications compromise?
The answer varies, but “by freely using the compromised system to communicate about the compromise” should NOT be part of it.
Here’s a typical set of instructions I’d give to someone who believes their systems are compromised:
Go to store, get a burner phone and reload card. Pay cash.
Do NOT use this device on any of your wifi networks.
If it really won’t run w/o update, go to a coffee shop for wifi.
Get a Google Voice number.
Install Signal using the GV number and call me.
This is a litmus test. If the problem isn’t so serious that the victim is going to promptly spend $70 to have a safe conversation, then the problem isn’t technical; either they’re too poor, or it’s behavioral. It is very exciting to have some edgy security field guy assisting you with problems … it’s like catnip for Cluster B personality disorders, as discussed in Psychiatrically Challenged Challenge. The anxious, fearful Cluster C personality disorders may turn up, but they’re seeking comfort and validation.
I really do try to be kind to everyone, but for such disordered individuals the kindest thing is not enabling them to exercise their issue(s). If they’re just poor that’s harder. Are they a poor but highly effective activist? Or poor and concealing some of that cluster B/C fairly well? What would life be without a little angoraphobia?
Post Validation:
Once that initial call on a new device is complete, the victim has marching orders.
It’s easier to do an Actual Phone Security Consult BEFORE there’s a problem. After the fact it’ll look like Beach Blanket Bingo, 21st Century Style.
Basic prescriptions will involve many of these, but perhaps not all, it depends on the person’s threat model.
Install Authy on burner.
Make a couple new passwords, write them on back of business cards, one goes in wallet, one goes in desk drawer at home, maybe another in glove compartment, laptop bag, etc.
Go around and lock every single account you have using Authy.
Yes, Authy or similar, SMS is NOT proof against SIM swap attacks.
No, really, even my Bookwyrm account has this; just because YOU can’t envision how an intruder would use some random thing you perceive to be low value doesn’t mean it really IS low value.
You poor groundlings with your consumer operating systems … I can’t even. You’ll need to backup, reinstall, add some workable antivirus, then restore data files. Not perfect but raises the bar significantly.
Phones are just tiny, stupid, poorly secured computers we trust too much due to their physical proximity. I haven’t trusted them in ten years, and five years ago I just straight stopped taking one when I leave the house. That being said, factory reset & restore is a good idea.
Start compartmentalizing things immediately. There is ZERO reason the email everyone uses to reach you is also the one for your bank login. I don’t care if it’s inconvenient for you or for whatever sites you use, stop treating your cell number like your social security number and your phone like it’s your passport.
Conclusion:
What I know of these things comes from fifteen years of participation in social movements that faced corporate, law enforcement, and foreign intel attention. I also have a lot of experience reading other people’s email, so I can envision hazards that arise from disclosures.
Less helpfully, I’ve had such an extreme environment, and it’s been that way for so long, that I simply don’t do things with one phone/one computer like a normal person would. I try to keep prescriptions in the realm of 1) something people CAN do and 2) something people WILL do over the long haul. Running Qubes and lusting after a Google Pixel 8 so I can switch to GrapheneOS IS normal for me, but it’s one-in-a-thousand professional paranoia.
Given that November’s Civil War Referendum is inescapable, more and more of us are going to need to expose a lot less to the world. If you’re not quite there yet one of the things you can do is to start accumulating some older gear that you’d otherwise give away or toss. The phone that works fine but which you idled because you just had to have the latest is still a very useful bit of kit. If you’ve been dancing on that line between wanting and needing a new laptop, go ahead and make the jump, then you can wipe the old one and put your seldom used high value stuff on it.
You don’t have to be flawless, you just need to be more trouble than you’re worth …