Guiding Questions for High-Risk Organisations

Summary

This additional interview activity is intended to identify whether there are any indicators that the organisation may already have been attacked and/or compromised, or whether someone they know has faced advanced threats. It should help identify which threats and threat actors the organisation is dealing with, and what those actors intend. This will help the auditor prioritise work with the organisation during the audit and follow-up, and understand whether the auditor has the expertise to address or understand the threat or whether outside expertise is needed.

Considerations

    Operational Security

    • If you conduct the interview online, the conversation needs to be protected (end-to-end encryption, Tor, VPNs, etc.)
    • Get the participant's consent to speak with them over that channel, or add details about the VoIP application and its privacy implications to the agreement
    • Consider not holding the conversation in the office, but somewhere trusted
    • Consider leaving devices outside the room

    Psychological Considerations

    • Ask the staff to keep the stories generalised, not personalised, during the organisation interview
    • Staff might be embarrassed to talk about an incident in front of the entire organisation
    • Staff might exaggerate or overestimate attacks due to a lack of understanding of the attack and its impact
    • Staff might underestimate attacks due to overexposure to such hacks, other pressing challenges, or a lack of understanding
    • Auditors should listen and explain concepts, but should not argue about the "seriousness" of the incident
    • Do not correct the staff member if they describe the incident incorrectly
    • Tread carefully, given that the topic can be triggering or difficult and this is an early stage of the audit

Walkthrough

    Individual Interview

    • Have you encountered suspicious messages, emails, etc. in the course of your work or personal life?

      • If "No" or "I don't know", the auditor should give an example of what a suspicious message might look like.
      • If "Yes", ask these questions for each suspicious event:

        • Can you tell me about the suspicious message? What made you feel it was suspicious?
        • What did you do when you received it? (i.e. who did you contact? Did you click on it or download a file? Did you follow the instructions?)
        • Do you feel you are compromised now? How does this impact you?
        • Can you share this message? (Link to guides on sharing messages with sender, content and timestamp)
        • Have you received any account notifications, such as SMS or emails notifying you of unauthorised access to your account (email, social media), an account being locked, or suspicious activity on your account?
    • Has this happened to colleagues, peer organisations, community members, or CSO actors (journalists, etc.) that you know?
    • Have you ever experienced an incident or hack during the course of your work? If the answer is "Yes", ask these questions for each attack:

      • Can you tell me about that event/incident/hack? (i.e. who was involved, when it happened, what happened, was it personal or work-related? What were the consequences (financial, physical, emotional, reputational)?)
      • What did you do afterwards? Who did you ask for help?
      • Do you have something that you can show us? (i.e. an email, screenshots, social network messages, the actual infected machine, a message from the attacker, social network pages made by attackers, leaked information)
      • Do you feel you are compromised now? How does this impact you?
    • Has this happened to colleagues, peer organisations, community members, or CSO actors (journalists, etc.)? (Revisit the above questions to the extent the interviewee can provide detail)
    • Why do you think you are targeted?
    • What would you like to get out of this audit?

    Group Interview

    NOTE: Remind the staff that if it's not public within the organisation and/or happened to a personal account, then don't share it during this session.

    • Have you been hacked before (as an organisation)?

      • If the answer is "No" or "I don't know", the auditor should give examples of what an attack might look like (see the list below). If they still say no, then move on to the other questions for the risk assessment.

        • DDoS attack
        • Website defacement
        • Spam and advertisements
        • Malware

          • Attachment that doesn't work
          • Attachment that AV doesn't like
          • Attachment from an unknown person or an unexpected email
        • Phishing

          • Gmail password-reset notifications
        • Blackmail / electronic threats
        • Ransomware
      • If the answer is "Yes", ask these questions for each incident:

        • Can you tell me about that event/incident/hack? (i.e. who was involved, when it happened, what happened, was it personal or work-related? What were the consequences (financial, physical, emotional, reputational)?)
        • What did you do afterwards? Who did you ask for help?
        • Do you have something that you can show us? (i.e. an email, screenshots, social network messages, the actual infected machine, a message from the attacker, social network pages made by attackers, leaked information)
        • Do you feel targeted as an organisation? How does this impact your operations?
        • Why do you think you are targeted?
        • Do you know who was behind the attack?
        • Has this happened to colleagues, peer organisations, community members, or CSO actors (journalists, etc.)? (Add actors based on context research)

    NOTE: Repeat above questions per incident

    • Do you have a sense of your adversaries or those who seek to disrupt your work? Are you aware of their capabilities? (i.e. Are they well funded? Do they have advanced technical expertise? Are they government-backed?)
    • What is their motivation for attacking you or any other peer organisation in the community?
    • What is your motivation for having the audit?

    NOTE: Could lead to further conversations about what data they have, what assets are the most important, sensitive and possibly targeted

Recommendation

    Recommendations will depend on the advanced threats raised during the interview. See the Advanced Threat Method for details.