Thursday, September 6, 2007


I recently started watching the show 24. A family member let me borrow the first few seasons on DVD. While I've enjoyed the show, I've noticed a huge number of interesting topics that just seem out of place. One such topic is interrogation.

If you've ever seen the show, you might find it amusing - I know I did - when the interrogator claims to be "pushing" the suspect pretty hard, yet the suspect is asked about three questions before the interrogator says "ok, I believe you".

If you've ever been assigned to handle an incident of any reasonable size and scope, you've questioned people about their actions and the reasons behind those actions, and you've had to dig for more information. Some might call this the "interview"; I tend to view it as a passive interrogation, for a few reasons.

- Sysadmins (SAs) and network admins (NAs) commonly feel they have something to hide.

If you've ever worked as a network admin or sysadmin, you probably have some sense of what I'm getting at. NAs and SAs tend to get territorial about their systems and networks, and as a responder you are invading their territory. It's kind of like inter-agency "cooperation". Not only is territory an issue, but more importantly, people try to hide their mistakes in an effort to cover themselves and, most likely, protect their jobs.

During an incident, my partner and I had to spend about 5 hours interviewing an admin. Initially, we started out conducting a standard information-gathering interview. We asked common questions related to network topology, system type, system configuration, etc. As we began to delve deeper, the admin became more and more closed off and shut down, leading us to take some relatively extreme response measures, such as locking down the entire network and relegating the admin to desktop support while we conducted a room-to-room search.

- You are the outsider

Even if you work for the same company, you are the outsider. We are members of what is viewed as the "hit squad". An alert of some form is sent; we respond and arrive on scene with our jump bags or Pelican cases containing lots of gadgets (I typically arrive with two Pelican 1650s and a backpack full of paperwork); we ask questions, seize systems, conduct investigations and file a report when we're done. We are the outsider, regardless of who we work for. There are some ways to change this perception, and for me it typically involves winning over the administrative assistants. Admin assistants more often than not have the pulse of a department or company, and can get you just about anything you need if you win them over, especially if you're going to be there a while.

- Management fears the outcome

When approaching management with anything that could make them look bad to their bosses, you must tread carefully, because they can make the investigation a difficult one. If you interview management about policy and policy violations, or about poor decisions made on purely financial grounds rather than on an accurate risk assessment, remember to be politic rather than accusatory. Do not try to intimidate them or second-guess their decisions. Their decisions were already made, and it serves no purpose to tell them they were wrong. When it comes time to write your report, make your points in the recommendations section. This is the "bottom line" of an incident report for management, because this is where costs are commonly attached.

To that end, I want to make a few suggestions to those of you conducting interviews.

- Remind the interviewee that you're not there to get them in trouble. You're just trying to resolve the issue.
- Be as thorough as possible.
- Ask open-ended questions (not ones that suggest their own answer) and let them do the talking.
- Don't let your frustration show.
- Know when to press the issue and when to let it go.
- Get what you need to get started, then move to secure the systems. You can always ask new questions later, and the more you know, the better formed your questions will be.
- Trust no one. The facts will do the talking.