Unauthorized Access to Payroll Records

Study the following scenario. Discuss and determine the incident response handling questions that
should be asked at each stage of the incident response process. Consider the details of the organization
and the CSIRC when formulating your questions.

This scenario is about a mid-sized hospital with multiple satellite offices and medical services. The orga-
nization has dozens of locations employing more than 5000 employees. Because of the size of the orga-
nization, they have adopted a CSIRC model with distributed incident response teams. They also have a

coordinating team that watches over the CSIRTs and helps them to communicate with each other.
On a Wednesday evening, the organization’s physical security team receives a call from a payroll

administrator who saw an unknown person leave her office, run down the hallway, and exit the build-
ing. The administrator had left her workstation unlocked and unattended for only a few minutes. The

payroll program is still logged in and on the main menu, as it was when she left it, but the administra-
tor notices that the mouse appears to have been moved. The incident response team has been asked to

acquire evidence related to the incident and to determine what actions were performed.
The security teams practice the kill chain model and they understand how to use the VERIS database. For
an extra layer of protection, they have partially outsourced staffing to an MSSP for 24/7 monitoring.

---

Preparation:
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary based upon the CSIRC details. Examples:

Would the organization consider this activity to be an incident? If so, which of the organization’s poli-
cies does this activity violate?

What measures are in place to attempt to prevent this type of incident from occurring or to limit its
impact?
Detection and Analysis:
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary based upon the CSIRC details. Examples:
What precursors of the incident, if any, might the organization detect? Would any precursors cause the
organization to take action before the incident occurred?
What indicators of the incident might the organization detect? Which indicators would cause someone
to think that an incident might have occurred?
What additional tools might be needed to detect this particular incident?
How would the team prioritize the handling of this incident?
Containment, Eradication, and Recovery:
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary based upon the CSIRC details. Examples:
What strategy should the organization take to contain the incident? Why is this strategy preferable to
others?
What additional tools might be needed to respond to this particular incident?
Which personnel would be involved in the containment, eradication, and/or recovery processes?
What sources of evidence, if any, should the organization acquire? How would the evidence be
acquired? Where would it be stored? How long should it be retained?
Detection and Analysis:
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary based upon the CSIRC details. Examples:
What precursors of the incident, if any, might the organization detect? Would any precursors cause the
organization to take action before the incident occurred?
What indicators of the incident might the organization detect? Which indicators would cause someone
to think that an incident might have occurred?
What additional tools might be needed to detect this particular incident?
How would the team prioritize the handling of this incident?
Containment, Eradication, and Recovery:
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary based upon the CSIRC details. Examples:
What strategy should the organization take to contain the incident? Why is this strategy preferable to
others?
What additional tools might be needed to respond to this particular incident?
Which personnel would be involved in the containment, eradication, and/or recovery processes?
What sources of evidence, if any, should the organization acquire? How would the evidence be
acquired? Where would it be stored? How long should it be retained?Post-Incident Activity:
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Answers will vary based upon the CSIRC details. Examples:
What could be done to prevent similar incidents from occurring in the future?
What could be done to improve detection of similar incidents?