During an incident response operation, several different kinds of communication are vital, ranging from interpersonal communication by cell phone all the way to communication among the computer systems involved in the operation. We’re going to focus on the latter for this discussion.
One of the most important requirements during an operation is robust, round-the-clock (24x7x365) data and personal communications, including notification of critical events as they occur.
An easy trap to fall into is to use the network under investigation to send data, page alerts, and so on. This is a critical error, because it violates one of our primary rules of incident response: never put any data on a network that is under investigation -- conduct all operations in stealth. A capable adversary will quickly notice that you are using the network for data communications, and at that point the entire operation is compromised. Encrypting the data does not help much: encryption hides content, not the existence of the traffic, so an intruder who starts seeing unfamiliar traffic, or simply more of it, while he is on your network can still draw useful conclusions about whether, and how, he is being monitored. All response traffic, including alerts, belongs on a separate, out-of-band path that does not touch the network under investigation.
During incident response operations, we frequently need to leave a network monitor or IDS running unattended, lying in wait for a specific network or host event; responders, after all, need to eat, sleep, recharge, and take breaks. However, when the particular event you’re looking for occurs and you’re not present at ...
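The two points above, keeping all response traffic off the network under investigation and leaving a monitor running unattended, come together in the alerting path of that monitor. The following Python script is an added example and is not part of the original text. It scans constructed sample log lines for the event the monitor is waiting for and sends a notification only from a designated out-of-band management address, refusing to send at all if either end of the alert path falls inside the monitored address ranges. Every address, the log format, the watched host name and the relay port are assumptions chosen for illustration.

```python
"""Out-of-band alerting guard for an unattended network monitor.

Added example, not from the original text. Assumes the monitoring host
has a dedicated management interface whose address lies outside every
network under investigation. All addresses below are illustrative.
"""
import ipaddress
import re
import socket
from typing import Iterable, List, Optional

# Constructed: address ranges of the network under investigation.
MONITORED_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Constructed: the monitor's management address and the host that
# relays alerts to a pager or phone (both outside the monitored ranges).
OOB_SOURCE_IP = "172.31.250.10"
ALERT_RELAY = ("172.31.250.1", 5140)

# Constructed: the event the unattended monitor is lying in wait for,
# a successful login on the compromised host from the suspect's address.
WATCHED_HOST = "dmz-web1"
SUSPECT_IP = "203.0.113.44"

# Constructed syslog-style sample lines (hypothetical data).
SAMPLE_LOG = [
    "2024-03-02T03:14:07Z dmz-web1 sshd[4121]: Accepted password for root from 203.0.113.44 port 51022 ssh2",
    "2024-03-02T03:14:09Z dmz-web1 sshd[4123]: Accepted publickey for deploy from 10.20.1.5 port 40110 ssh2",
    "2024-03-02T03:15:00Z dmz-web1 cron[88]: (root) CMD (run-parts /etc/cron.hourly)",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted \w+ "
    r"for (?P<user>\S+) from (?P<src>\S+)"
)


def in_monitored_network(ip: str) -> bool:
    """True if the address belongs to any network under investigation."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MONITORED_NETWORKS)


def alert_path_is_out_of_band(src_ip: str, dst_ip: str) -> bool:
    """True only if neither end of the alert path is on a monitored network."""
    return not in_monitored_network(src_ip) and not in_monitored_network(dst_ip)


def match_event(line: str) -> Optional[dict]:
    """Return the parsed fields if the line is the event we are waiting for."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    if m["host"] == WATCHED_HOST and m["src"] == SUSPECT_IP:
        return m.groupdict()
    return None


def watch(lines: Iterable[str]) -> List[str]:
    """Scan log lines and return one alert message per matching event."""
    alerts = []
    for line in lines:
        ev = match_event(line)
        if ev:
            alerts.append(f"{ev['ts']} {ev['host']}: login by {ev['user']} from {ev['src']}")
    return alerts


def send_alert(message: str, src_ip: str = OOB_SOURCE_IP, relay=ALERT_RELAY) -> bool:
    """Send one UDP datagram from the management address only.

    Fails closed: if the path is not out of band, or the management
    address is not configured on this host, nothing is sent and False
    is returned. There is deliberately no fallback to the default route.
    """
    if not alert_path_is_out_of_band(src_ip, relay[0]):
        return False
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((src_ip, 0))  # raises OSError if the OOB address is absent
        sock.sendto(message.encode(), relay)
    except OSError:
        return False
    finally:
        sock.close()
    return True


if __name__ == "__main__":
    for msg in watch(SAMPLE_LOG):
        print("alert:", msg, "sent" if send_alert(msg) else "NOT sent (no out-of-band path)")
```

The guard fails closed on purpose: rather than letting the routing table pick whatever interface happens to reach the relay, send_alert() returns False, so an unplugged management cable costs a missed page instead of a leak onto the compromised network. It only checks addresses, though; confirming that the management path physically bypasses the monitored segments remains a manual step before the monitor is left alone.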