Do I know it, factually? Of course not. But I know it enough to bet the client a case of Dublin Dr. Pepper that I'll find it out right quick.
Many incident responders and penetration testers have similar big-picture disqualification questions they ask. Dave Kennedy, CEO of TrustedSec, goes one level deeper into the logs on his first question: "Have you got logs of DNS requests from the past week or two?"
That's a question I usually ask too, once we've got other evidence that something is up. Once we know that there's something on the network, the DNS logs are a great first place to look for where it's calling out to (and, by inference or directly, what it is and who put it there).
There are a whole bunch of other questions you can ask once you start digging, and most of them are designed to disqualify a line of questioning to avoid getting into it. Eric Olson, VP at Cyveillance, tells the story of how his firm asks a single question to determine whether an email was a possible banking phish: "Does the email contain the FDIC symbol?"
Now, not all email with the FDIC symbol is a banking phish, but pretty much no banking phish doesn't have an FDIC symbol. With one question, then, Cyveillance is able to disqualify 97% of the email it sifts through on a daily basis, allowing them to concentrate on the three per cent that may be bank phishing.
Here's another example: on a recent incident we asked about a certain flow analysis product. The first question was highly disqualifying: "You're not using [product] now, are you?"
"Oh, yes I am," came the response, which was in itself highly interesting.
"Oh," we said. "So how often are you using it? Weekly? Monthly?"
"Oh, every day," came the reply. "We love it."
"Oh, I see, that's great," we said. "So when you used it today, did everything look okay?"
"Yeah, you know, things looked pretty normal."
I bet they did. Earlier that morning, I had personally seen the box in question sitting, unplugged, on a cardboard box in the data center.
An engineer told me it had been unplugged for more than a month.
In this case, it was clear I didn't need to do any further digging to understand that no analysis had been done. It was also clear that, if the person would cheerfully lie about that, he would cheerfully lie about other things.
It was therefore no big intuitive leap for me to conclude that previous things the guy had signed off on had likely also not been done. Did I know this factually to be true? Not yet.