
Go-bag or go home: Incident Response

Thinking about a career in Incident Response? You’ll soon discover that your go-bag (kit-bag, tech kit, tool-kit – some even refer to it as just a bag) will become one of the most important things you own. We spoke with Waldo Woch, Associate Incident Response Consultant at MWR, and asked him “What’s in your go-bag?”


Although there’s no one-size-fits-all answer, there are a few key items that you might want to consider. After all, time is of the essence when a breach has been detected, so you need to make sure you’ve got the essentials to collect and examine those all-important artefacts.

Speed is essential in Incident Response

Real-time analysis is critical to responding effectively to an incident. The client may have tooling in place that helps identify attacks, but if they don’t, or the attacker got past it, you could be dealing with an intruder who has been in the environment for months, maybe even years.

So the last thing you need is to turn up to an incident unprepared. Speaking to Waldo, we found out what he carries in his bag, what he hopes to add to it in the future, and what advice he has for those just starting out.

No two go-bags are the same

Knowing what’s in your bag, why it’s there, and what you can do with it (something that’s not always as obvious as you’d think) is vital. It can be the difference between spending an entire day imaging a single machine when something goes wrong and finishing the job in a few hours.

“We have a defined baseline by our Standard Operating Policy (SOP) that’s reviewed monthly and then we can extend it as we see useful,” explains Waldo. “So we’ll have that inside our large pelican case (it’s reinforced), along with any equipment we personally consider useful or have found useful in the past.”

(Image: IR go-bag)

As for items you wouldn’t find in every go-bag, Waldo’s pick is his SD/MicroSD cards. He says, “They came in handy when I tried to help a friend of mine recover some data in the past – they hadn’t been too kind to their USB ports so connectivity was a bit dodgy. Although this is unlikely to be the case in 99% of professional engagements, I keep them in my bag, just in case. Given how small they are, it’s not too much to add and I’ll be prepared for anything then.”

Your go-bag will change over time

When Waldo first started out in IR, his bag was essentially a few loose cables in addition to the SOP. Then it became a bag with at least one of every type of USB cable and a boatload of USB sticks, simply because they always proved useful – even if it was just because people would forget to bring their phone charging cables.

Now it’s become less of a go-bag and more of a go-case. Partly because of the protection a reinforced case offers, but also because Waldo is always adding to his case when something proves its worth. So what’s the last thing he added and why?

“I recently added a new USB-C hub with 5 USB ports and 3 SD card slots because I tend to run out of USB ports. And when working with a bunch of disks and other things that use USB for power/data transfer, you need a lot of them.”

3 key items and their use cases

All Incident Responders have their own go-to tools that they couldn’t live without. For Waldo, these are his USB sticks, his USB-C hub and his SSDs. To give us an idea of why they’re so special, he provided some use cases.

  • USB Sticks – These carry various operating systems (Linux, a Windows Forensic Edition) as well as operating system images. They’re useful when a write blocker isn’t an option for whatever reason, for instance with encrypted drives.
  • USB-C Hub – It’s amazing for connectivity: one port on the laptop turns into several USB ports plus card readers for the disks and readers being juggled at the same time.
  • SSDs – Great for storage, which IR consumes a lot of, since entire laptops are captured onto them as evidence. In some cases, multiple laptops are captured on one engagement.
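The capture Waldo describes, a whole laptop disk written onto an evidence SSD, is only useful if you can later show the image is an exact copy. The script below is an added example (not MWR tooling, and not part of the original article) that does a hash-verified raw acquisition with nothing more than the coreutils found on any Linux forensic boot stick: it images a source device with dd, hashes source and image independently, and appends one record per capture to a case log. The function names, the log layout and the sample "disk" used to exercise it are all constructed for this illustration.

```shell
#!/bin/sh
# Hash-verified raw disk acquisition with plain coreutils (dd + sha256sum).
# Added example, not MWR tooling: images a source device or file onto evidence
# storage, hashes both ends independently, and appends the result to a case log.

# Print the SHA-256 of a file or block device (GNU sha256sum, or shasum on BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# acquire_image SRC DST LOG CASE_ID
#   SRC      source device or file (e.g. /dev/sdb; dd only ever opens it for reading)
#   DST      output image on evidence storage; must not already exist
#   LOG      text log that receives one tab-separated record per acquisition
#   CASE_ID  free-form label for the log entry (hypothetical naming)
# Returns 0 if the image hash matches the source, 1 on mismatch or dd failure,
# 2 on unusable arguments.
acquire_image() {
    src="$1"; dst="$2"; log="$3"; case_id="$4"

    if [ ! -r "$src" ]; then
        echo "cannot read source: $src" >&2; return 2
    fi
    if [ -e "$dst" ]; then
        echo "refusing to overwrite existing image: $dst" >&2; return 2
    fi

    start=$(date -u +%Y-%m-%dT%H:%M:%SZ)

    # ibs=512 with conv=noerror,sync: an unreadable sector becomes 512 zero bytes
    # instead of aborting the run or shifting every later offset. obs=4 MiB keeps
    # the writes fast. Because input blocks are sector-sized, a whole disk is
    # never padded, so the image hash can be compared with the source hash.
    # (A regular file whose size is not a multiple of 512 bytes WOULD be padded
    # and would then fail verification; the test below shows that case.)
    if ! dd if="$src" of="$dst" ibs=512 obs=4194304 conv=noerror,sync 2>"$dst.dd.log"; then
        printf 'ABORTED\tcase=%s\tsrc=%s\timage=%s\tstart=%s\n' \
            "$case_id" "$src" "$dst" "$start" >> "$log"
        return 1
    fi

    # Re-read the source for its hash rather than hashing the dd stream, so a
    # write-side fault on the evidence drive is caught, not just a read-side one.
    src_hash=$(sha256_of "$src")
    img_hash=$(sha256_of "$dst")
    end=$(date -u +%Y-%m-%dT%H:%M:%SZ)

    if [ "$src_hash" = "$img_hash" ]; then
        status=VERIFIED; rc=0
    else
        status=MISMATCH; rc=1
    fi
    printf '%s\tcase=%s\tsrc=%s\timage=%s\tsrc_sha256=%s\timage_sha256=%s\tstart=%s\tend=%s\n' \
        "$status" "$case_id" "$src" "$dst" "$src_hash" "$img_hash" "$start" "$end" >> "$log"
    return $rc
}

# verify_image DST EXPECTED_SHA256
# Re-check an image later, e.g. after copying it from the field SSD to lab storage.
verify_image() {
    [ "$(sha256_of "$1")" = "$2" ]
}
```

In the field the source would be something like `/dev/sdb` reached through a write blocker and the destination a path on the evidence SSD; the log line, with its two hashes and timestamps, is what goes into the chain-of-custody record. Dedicated acquisition tools (dc3dd, ewfacquire) add compression, split output and built-in hashing, but this plain-coreutils version works from any Linux boot stick in the bag.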

Advice for a junior IR consultant

We couldn’t let Waldo go without asking if he had any advice or tips for Comp Sci students looking to pursue a career in IR. Quite simply, he says, “Don’t be afraid to experiment. Make sure you have your trusted equipment to use, but in case of backups it can be a case of anything goes (within reason – we’re still trying to capture forensically sound evidence and anything too drastic could result in the evidence being contaminated).”

We’re always looking for passionate people to join us at MWR.


