Injection
Your organization receives a call from an individual claiming to be an FBI Special Agent. They have information about potential ongoing cyber threat activity inside your network. They share a user ID, machine name, and external IP address of the potential threat actor.
Discussion Prompts
- How do you determine if this is a confirmed security incident or some kind of anomaly?
- How do you identify what systems, data, people, and operational processes are potentially involved?
- What real or potential risk(s) might your organization face?
- What short term containment options do you have?
- Can you contain it without destroying evidence?
- What is the operational impact of the incident and your containment strategy?
Check Your Work
- Validate the caller's identity and authenticity by calling the local FBI field office or the Michigan State Police Cyber Command Center (MC3) on a number you obtain independently (directory, official website), not one supplied by the caller, and avoid sharing internal details with the caller until that check is complete.
- Review access, VPN and firewall logs.
- Review user activity logs.
- Initiate containment protocols for the impacted users and systems, including desktops, servers, user access, firewall rules, and any other affected components.
- Contact the user, using a channel that does not depend on the possibly compromised account or machine.
- Consider moving to full incident response mode if malicious activity is confirmed or cannot be ruled out.
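The log review steps above (access, VPN, firewall and user activity logs) come down to correlating the three indicators the caller supplied against what your own systems recorded. The following is an added example, not part of the original exercise material: it takes a hypothetical user ID, host name and external IP (all invented here; the IP is from the RFC 5737 documentation range), walks a set of constructed log lines in a simple `timestamp source key=value` format, builds a timeline of every event touching an indicator, and summarizes the facts a triage lead would want: which external addresses the user connected from, which hosts the account logged on to beyond the reported machine, how much of the activity is outside business hours, and whether anything was blocked. It also hashes the matched evidence so it can be shown unchanged later, which matters when containment will alter the live systems.

```python
"""Triage third-party-supplied indicators against local logs (added example)."""
import hashlib
import json
import re
from datetime import datetime, timezone

# Hypothetical indicators as relayed by the caller (invented for this example).
REPORTED = {"user": "jdoe", "host": "WS-0421", "ext_ip": "203.0.113.45"}

# Constructed sample log lines: VPN concentrator, firewall and domain-controller
# logon events, normalized to "timestamp source key=value ..." form.
SAMPLE_LOGS = """\
2024-03-04T01:12:09Z vpn01 event=vpn_login user=jdoe src=203.0.113.45 result=success
2024-03-04T01:13:40Z fw01 event=fw_allow src=203.0.113.45 dst=10.0.5.21 dport=443
2024-03-04T01:15:02Z dc01 event=logon user=jdoe host=WS-0421 logon_type=10
2024-03-04T09:02:11Z vpn01 event=vpn_login user=asmith src=198.51.100.7 result=success
2024-03-04T22:47:30Z dc01 event=logon user=jdoe host=FS-02 logon_type=3
2024-03-05T02:03:51Z vpn01 event=vpn_login user=jdoe src=203.0.113.45 result=success
2024-03-05T02:05:17Z dc01 event=logon user=jdoe host=WS-0421 logon_type=10
2024-03-05T02:09:44Z dc01 event=logon user=jdoe host=SRV-DB01 logon_type=3
2024-03-05T02:10:03Z fw01 event=fw_deny src=203.0.113.45 dst=10.0.9.12 dport=3389
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")


def parse_line(line):
    """Parse one line into a dict of fields; returns None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, source, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields["source"] = source
    return fields


def matches(event, indicators):
    """True if the event references the reported user, host, or external IP."""
    return (event.get("user") == indicators["user"]
            or event.get("host") == indicators["host"]
            or indicators["ext_ip"] in (event.get("src"), event.get("dst")))


def build_timeline(raw_logs, indicators):
    """All events touching any indicator, ordered by time."""
    events = [e for e in map(parse_line, raw_logs.splitlines()) if e]
    return sorted((e for e in events if matches(e, indicators)), key=lambda e: e["ts"])


def summarize(timeline, indicators, business_hours=(7, 19)):
    """Facts a triage lead needs to decide whether this is an incident or an anomaly."""
    user = indicators["user"]
    hosts = {e["host"] for e in timeline if e.get("user") == user and e.get("host")}
    vpn_srcs = {e["src"] for e in timeline
                if e.get("event") == "vpn_login" and e.get("user") == user}
    off_hours = [e for e in timeline
                 if not business_hours[0] <= e["ts"].hour < business_hours[1]]
    return {
        "first_seen": timeline[0]["ts"].isoformat() if timeline else None,
        "last_seen": timeline[-1]["ts"].isoformat() if timeline else None,
        "vpn_sources_for_user": sorted(vpn_srcs),
        "reported_ip_used_by_user": indicators["ext_ip"] in vpn_srcs,
        "hosts_used_by_user": sorted(hosts),
        # Logons to machines other than the reported one suggest lateral movement.
        "hosts_beyond_reported": sorted(hosts - {indicators["host"]}),
        "off_hours_events": len(off_hours),
        "denied_connections": sum(1 for e in timeline if e.get("event") == "fw_deny"),
    }


def evidence_digest(timeline):
    """SHA-256 over the matched events in canonical JSON, recorded before containment
    so the collected evidence can later be shown to be unaltered."""
    canon = json.dumps(
        [{k: (v.isoformat() if k == "ts" else v) for k, v in e.items()} for e in timeline],
        sort_keys=True)
    return hashlib.sha256(canon.encode()).hexdigest()


if __name__ == "__main__":
    tl = build_timeline(SAMPLE_LOGS, REPORTED)
    print(json.dumps(summarize(tl, REPORTED), indent=2))
    print("evidence sha256:", evidence_digest(tl))
```

On the constructed sample the account is seen only from the reported external address, logs on to two hosts beyond the reported workstation, does everything outside business hours, and has one blocked RDP attempt, which is enough to treat the report as a likely incident rather than an anomaly and to move on to containment. Real log formats differ; the parsing is the part you replace, the correlation and the evidence digest carry over.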