Detailed Incident Investigation Questions with Response Boxes and PDF Export

Third-Party Supplier Breach

Initial Compromise Details:
- When and how was the third-party supplier's system initially compromised?
  Determine the exact timeline (date and time) of the breach to establish a chronology. Identify the attack vector, such as a phishing email, exploited software vulnerability (e.g., unpatched systems), or social engineering. Request logs or incident reports from the supplier to pinpoint the entry point.
- What specific vulnerabilities or methods (e.g., phishing, malware, stolen credentials) were exploited to gain access?
  Investigate whether the compromise involved known vulnerabilities (e.g., CVE identifiers), outdated software, or weak authentication practices. Confirm if the supplier has conducted a vulnerability assessment or penetration test recently.
Scope of the Breach:
- What systems, data, or accounts were accessed or compromised at the supplier?
  Identify which systems (e.g., email servers, CRM, databases) or accounts (e.g., admin, user) were affected. Determine if the breach was limited to the email system or extended to other infrastructure. Request a detailed inventory of compromised assets.
- Was any sensitive data (e.g., customer data, credentials, or proprietary information) exfiltrated?
  Check for evidence of data exfiltration, such as unusual outbound traffic or logs indicating file downloads. Determine the type and volume of data potentially exposed, including personal data, financial records, or intellectual property.
Phishing Email Details:
- What was the content and structure of the phishing email sent from the supplier’s compromised account?
  Analyze the email’s subject, body, sender details, and any embedded links or attachments. Check for spoofing indicators, such as mismatched domain names or unusual headers. Preserve a copy of the email for forensic analysis.
- How was the email distributed (e.g., targeted individuals, mass distribution)?
  Determine if the phishing email was sent to specific individuals (e.g., spear-phishing targeting executives) or broadly distributed. Identify the recipient list to assess the potential impact and notify affected parties.
- Did the email contain malicious links, attachments, or other payloads?
  Analyze any links (e.g., to credential harvesting sites) or attachments (e.g., malicious PDFs, executables) using sandboxing tools or threat intelligence platforms. Confirm the payload’s behavior and potential impact.
Supplier’s Security Posture:
- What security controls (e.g., email filtering, multi-factor authentication) were in place at the supplier at the time of the breach?
  Review the supplier’s security stack, including email gateways, firewalls, and endpoint protection. Confirm whether MFA was enforced for email accounts and if DMARC, DKIM, or SPF were properly configured.
- Have they conducted a forensic analysis to identify the root cause of their compromise?
  Request a forensic report or summary from the supplier detailing the root cause analysis. Verify if a third-party incident response team was involved and if the analysis aligns with industry standards (e.g., NIST 800-61).
Response and Containment:
- What actions has the supplier taken to contain the breach (e.g., account suspension, system patching)?
  Confirm specific containment measures, such as isolating affected systems, resetting credentials, or applying security patches. Request a timeline of these actions to evaluate their timeliness and effectiveness.
- Have they notified all affected parties, including other clients, and complied with relevant regulations?
  Verify if the supplier has adhered to notification requirements under regulations like GDPR, CCPA, or industry-specific standards. Request copies of their notification communications and compliance documentation.
Communication and Coordination:
- When did the supplier notify your organization of the breach?
  Establish the exact date and time of notification to assess delays. Determine the method of communication (e.g., email, phone) and whether it met contractual or regulatory timelines.
- What is the supplier’s plan for ongoing communication and updates regarding the incident?
  Request a schedule for regular updates and a designated point of contact for incident-related communications. Ensure the supplier provides actionable information, such as new findings or mitigation progress.
Supply Chain Risk:
- What is second-party vendor’s process for vetting their own third-party vendors to prevent further supply chain attacks?
  Review the second-party vendor’s vendor management policies, including security assessments and audits. Confirm whether they follow frameworks like ISO 27001 or NIST 800-53 for supply chain security.
- Are there contractual obligations or security standards they are required to meet, and were these adhered to?
  Examine the contract or service-level agreement (SLA) with the second-party vendor to identify security requirements, such as encryption standards or incident response protocols. Assess whether non-compliance contributed to the breach.
Future Prevention:
- What measures is the second-party vendor implementing to prevent similar incidents (e.g., enhanced monitoring, employee training)?
  Request a detailed remediation plan, including timelines for implementing new controls like intrusion detection systems, regular security training, or zero-trust architecture.
- How will they verify the integrity of their systems moving forward?
  Confirm if the second-party vendor will conduct regular audits, penetration tests, or continuous monitoring to ensure system integrity. Request evidence of compliance with these measures, such as audit reports.

Internal Mailbox Breach

Breach Detection:
- When and how was the unauthorized login to the mailbox detected?
  Review security information and event management (SIEM) logs, email audit trails, or user reports to pinpoint the detection timeline. Identify whether automated alerts or manual reviews triggered the discovery.
- What indicators of compromise (e.g., unusual login locations, IP addresses, or activity patterns) were observed?
  Analyze login metadata, such as geolocation, device type, and IP addresses. Cross-reference with known threat intelligence to identify if the IP is associated with malicious activity.
Access Details:
- Which mailbox was compromised, and what level of access did the threat actor gain (e.g., read-only, full control)?
  Identify the specific mailbox (e.g., user role, department) and its permissions. Check if the threat actor had access to delegate accounts, shared mailboxes, or administrative functions.
- Were any other accounts or systems accessed using credentials from the compromised mailbox?
  Investigate whether the compromised credentials were used for lateral movement, such as accessing other cloud services (e.g., Microsoft 365, Google Workspace) or internal systems. Review access logs for suspicious activity.
Phishing Interaction:
- Did the user interact with the phishing email (e.g., clicked a link, entered credentials, or downloaded an attachment)?
  Interview the affected user and review email client logs to confirm their actions. Determine if credentials were entered on a fake login page or if malware was executed from an attachment.
- Was the phishing email identified and flagged by your email security tools before or after the interaction?
  Check email gateway logs (e.g., Microsoft Defender, Proofpoint) to see if the phishing email bypassed filters or was flagged post-delivery. Identify any gaps in detection rules or configurations.
Impact Assessment:
- What data or communications in the mailbox could have been accessed or exfiltrated?
  Review the mailbox contents for sensitive data, such as customer PII, financial details, or internal communications. Estimate the volume and criticality of potentially exposed information.
- Were any sensitive actions (e.g., email forwarding rules, data sharing) performed by the threat actor?
  Check for unauthorized email rules, forwarded messages, or data sharing (e.g., via cloud storage links). Investigate whether the threat actor sent additional phishing emails from the compromised account.
Security Controls:
- Was multi-factor authentication (MFA) enabled on the compromised mailbox, and if not, why?
  Verify MFA status in the email platform’s admin console. If MFA was not enabled, identify policy gaps or user exemptions that allowed this vulnerability.
- What email security measures (e.g., spam filters, DMARC policies) were in place, and did they fail to detect the phishing email?
  Review email security configurations, including DMARC, DKIM, and SPF settings, to identify failures. Analyze why the phishing email was not quarantined or flagged by existing tools.
Containment and Response:
- What immediate actions were taken to secure the compromised mailbox (e.g., password reset, account suspension)?
  Document the containment steps, such as locking the account, revoking active sessions, or resetting passwords. Confirm whether these actions were performed promptly to limit damage.
- Has a forensic investigation been initiated to determine the extent of the breach and any lateral movement?
  Confirm if a forensic team (internal or external) is analyzing logs, network traffic, and endpoints. Ensure the investigation covers potential persistence mechanisms, such as backdoors or malware.
User Awareness:
- Has the affected user received phishing awareness training, and when was the last training session?
  Review training records to confirm the user’s participation in security awareness programs. Assess whether the training covered recognizing advanced phishing techniques, such as spear-phishing.
- Are there patterns of similar incidents involving other users in the organization?
  Analyze incident logs to identify recurring phishing incidents or vulnerabilities. Determine if specific departments or roles are being targeted repeatedly.
Mitigation and Prevention:
- What steps are being taken to strengthen mailbox security (e.g., enabling MFA, enhancing email filters)?
  Outline specific technical controls, such as mandatory MFA, advanced threat protection, or zero-trust policies. Ensure these measures are applied across all accounts, not just the compromised one.
- How will the organization improve employee training and awareness to prevent future phishing incidents?
  Plan for regular, updated phishing simulations and training sessions. Consider gamified or role-specific training to improve engagement and effectiveness.
- If this occurred tomorrow, would you be able to protect, detect, and respond differently to reduce the likelihood and impact of a re-occurrence?
  Evaluate whether current and planned security measures (e.g., improved email filters, MFA enforcement, real-time monitoring) would prevent or mitigate a similar incident. Identify gaps in the existing incident response plan and propose specific improvements, such as faster detection through enhanced SIEM rules or automated account lockdown procedures.
Regulatory and Reporting:
- Does this breach trigger any regulatory reporting requirements (e.g., GDPR, CCPA)?
  Consult with legal or compliance teams to determine if the breach involves personal data or meets reporting thresholds. Identify applicable regulations based on the data type and geographic scope.
- Have relevant stakeholders (e.g., legal, compliance, or customers) been notified as needed?
  Document all notifications sent to internal and external stakeholders. Ensure communications are clear, compliant, and include guidance on next steps for affected parties.