Investigation Phase Question Bank

Universal Investigation Questions

Impact Assessment Starters

These work after Malmon identification to understand scope:

  • “Now that we know what we’re dealing with, what’s the potential impact?”
  • “How extensive might this compromise be?”
  • “What would be the worst-case scenario if this continues?”
  • “What systems or data would be most valuable to this type of threat?”
  • “How long might this have been active before we detected it?”
  • “What damage could already have been done?”

Attack Progression Analysis

  • “How would this threat typically progress through our environment?”
  • “What would be the logical next steps for this attacker?”
  • “What capabilities does this threat have that we haven’t seen yet?”
  • “How would this establish persistence in our environment?”
  • “What would lateral movement look like with this threat?”

Role-Specific Investigation Questions

Detective Deep-Dive Questions

Forensic Timeline Development

  • “What’s the complete timeline of this attack?”
  • “What evidence shows when each phase occurred?”
  • “How do you reconstruct the attack progression?”
  • “What artifacts would confirm the scope of compromise?”
  • “How do you validate the timeline with multiple evidence sources?”

Evidence Correlation

  • “How do the different pieces of evidence connect?”
  • “What patterns emerge when you correlate all the findings?”
  • “What evidence contradicts your initial theories?”
  • “How do you distinguish between primary and secondary indicators?”
  • “What evidence gaps need to be filled?”

Attribution and Techniques

  • “What does the sophistication level tell us about the attacker?”
  • “How do the techniques used compare to known threat groups?”
  • “What does the choice of tools and methods suggest?”
  • “How would you characterize the skill level required for this attack?”
  • “What operational security mistakes did the attacker make?”

Protector System Assessment Questions

Compromise Scope Analysis

  • “How many systems are confirmed compromised?”
  • “What’s the blast radius of this incident?”
  • “How do you assess which systems are still clean?”
  • “What defensive measures failed, and which ones held?”
  • “How would you prioritize system remediation?”

Vulnerability Assessment

  • “What vulnerabilities enabled this attack to succeed?”
  • “How would you assess the security posture of affected systems?”
  • “What misconfigurations contributed to the compromise?”
  • “How do you identify similar vulnerabilities across the environment?”
  • “What would prevent this type of attack in the future?”

Recovery Planning

  • “What systems can be safely restored versus rebuilt?”
  • “How do you verify a system’s integrity before bringing it back online?”
  • “What’s the recovery priority order for business operations?”
  • “How do you prevent reinfection during recovery?”
  • “What hardening measures should be implemented during rebuild?”

Tracker Data Flow Analysis Questions

Exfiltration Assessment

  • “What data has been accessed or stolen?”
  • “How much data was exfiltrated and over what timeframe?”
  • “What’s the sensitivity level of the compromised data?”
  • “How do you track data movement through the network?”
  • “What encryption or obfuscation was used for data theft?”

Network Compromise Analysis

  • “How did the threat move laterally through the network?”
  • “What network segmentation failures enabled the spread?”
  • “How do you identify all compromised network segments?”
  • “What command and control infrastructure is being used?”
  • “How would you disrupt the attacker’s network access?”

Infrastructure Mapping

  • “What external infrastructure is this threat using?”
  • “How do you map the attacker’s command and control network?”
  • “What hosting providers or services are involved?”
  • “How do you track the threat’s operational infrastructure?”
  • “What geographic indicators exist, and how much weight should they carry in attribution given that infrastructure can be rented anywhere?”

Communicator Impact Analysis Questions

Business Impact Assessment

  • “What are the operational impacts of this compromise?”
  • “How does this affect customer trust and reputation?”
  • “What are the financial implications of this incident?”
  • “How do you quantify the business disruption?”
  • “What competitive advantages might be lost?”

Stakeholder Communication Planning

  • “Who needs to be informed about this incident and when?”
  • “How do you balance transparency with operational security?”
  • “What information can be shared with which stakeholders?”
  • “How do you manage public relations during the incident?”
  • “What communication templates are needed for different audiences?”

Crisis Manager Coordination Questions

Resource Management

  • “What additional resources are needed for this investigation?”
  • “How do you prioritize competing investigation activities?”
  • “What external expertise should be brought in?”
  • “How do you manage team fatigue during extended incidents?”
  • “What budget implications exist for the response?”

Strategic Decision Making

  • “What are the strategic options for responding to this threat?”
  • “How do you balance speed versus thoroughness in the response?”
  • “What decisions require executive approval?”
  • “How do you manage competing priorities during the incident?”
  • “What escalation criteria should trigger additional resources?”

Incident Coordination

  • “How do you coordinate multiple investigation streams?”
  • “What information sharing protocols are needed?”
  • “How do you maintain situational awareness across all activities?”
  • “What documentation standards apply to this incident?”
  • “How do you ensure accountability for response actions?”

Threat Hunter Advanced Analysis Questions

Hidden Threat Discovery

  • “What other threats might be hiding in the environment?”
  • “How do you hunt for dormant or sleeper threats?”
  • “What persistence mechanisms haven’t been discovered yet?”
  • “How do you search for signs of previous compromises?”
  • “What threat hunting hypotheses should be tested?”

Campaign Analysis

  • “Is this incident part of a larger campaign?”
  • “What indicators suggest coordinated multi-target operations?”
  • “How do you correlate this incident with external threat intelligence?”
  • “What other organizations might be targeted similarly?”
  • “How do you assess the threat actor’s broader objectives?”

Advanced Techniques Investigation

  • “What sophisticated techniques might we be missing?”
  • “How do you hunt for supply chain compromises?”
  • “What zero-day exploits might be involved?”
  • “How do you investigate potential insider threats?”
  • “What nation-state level capabilities are evident?”

Malmon-Specific Investigation Questions

For Trojan-Type Malmons

Deception Analysis

  • “How sophisticated was the social engineering component?”
  • “What made the deception convincing enough that users acted on it?”
  • “How was trust established with the target users?”
  • “What legitimate services or brands were impersonated?”
  • “How would you improve user education based on this attack?”

Masquerading Investigation

  • “How is this malware disguising its true purpose?”
  • “What legitimate processes or services is it mimicking?”
  • “How do you detect when legitimate tools are being abused?”
  • “What digital signatures or certificates were used to make it appear legitimate?”
  • “How would you distinguish legitimate from malicious activity?”

For Worm-Type Malmons

Propagation Analysis

  • “How fast is this threat spreading through the environment?”
  • “What network protocols or services are being exploited for spread?”
  • “How do you map the propagation path through your network?”
  • “What systems are most vulnerable to this type of spread?”
  • “How would you model the potential spread rate?”
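The last question above (“How would you model the potential spread rate?”) has a standard answer for random-scanning worms: the logistic model Staniford, Paxson and Weaver used for Code Red, in which each infected host scans r addresses per second and each scan hits an uninfected vulnerable host with probability (N - I)/S. The following is an added example for facilitators, not code from the original page; the environment (10,000 vulnerable hosts in a /16, 10 scans per second per infected host) is assumed.

```python
"""Spread-rate model for a random-scanning worm (the logistic model
Staniford, Paxson and Weaver fitted to Code Red).  Added example with
assumed parameters; not from the original page or any real incident."""
import math
from typing import List, Tuple

# Assumed environment: 10 000 vulnerable hosts inside a /16 (65 536
# addresses), each infected host scanning 10 random addresses per second.
VULNERABLE = 10_000
ADDRESS_SPACE = 65_536
SCANS_PER_SEC = 10.0


def rate_constant(vulnerable: int, address_space: int, scans_per_sec: float) -> float:
    """K = r*N/S: each of the r scans/s from an infected host finds an
    uninfected vulnerable host with probability (N - I)/S."""
    return scans_per_sec * vulnerable / address_space


def infected_at(t: float, vulnerable: int = VULNERABLE, address_space: int = ADDRESS_SPACE,
                scans_per_sec: float = SCANS_PER_SEC, initial: int = 1) -> float:
    """Closed-form logistic solution I(t) = N / (1 + (N/I0 - 1) e^{-Kt})."""
    k = rate_constant(vulnerable, address_space, scans_per_sec)
    return vulnerable / (1 + (vulnerable / initial - 1) * math.exp(-k * t))


def time_to_fraction(frac: float, vulnerable: int = VULNERABLE, address_space: int = ADDRESS_SPACE,
                     scans_per_sec: float = SCANS_PER_SEC, initial: int = 1) -> float:
    """Seconds until a fraction `frac` of the vulnerable hosts is infected
    (inverse of infected_at)."""
    k = rate_constant(vulnerable, address_space, scans_per_sec)
    return math.log((vulnerable / initial - 1) * frac / (1 - frac)) / k


def simulate(vulnerable: int = VULNERABLE, address_space: int = ADDRESS_SPACE,
             scans_per_sec: float = SCANS_PER_SEC, initial: int = 1,
             dt: float = 0.01, horizon: float = 60.0) -> List[Tuple[float, float]]:
    """Discrete-time version of the same model: each step, every infected
    host makes r*dt scans.  Returns (t, infected) samples and stops when all
    vulnerable hosts are infected or the horizon is reached."""
    infected, t = float(initial), 0.0
    samples = [(t, infected)]
    while t < horizon and infected < vulnerable - 0.5:
        new = scans_per_sec * infected * dt * (vulnerable - infected) / address_space
        infected = min(float(vulnerable), infected + new)
        t += dt
        samples.append((t, infected))
    return samples


def simulated_time_to_fraction(samples: List[Tuple[float, float]], frac: float,
                               vulnerable: int = VULNERABLE) -> float:
    """First simulated time at which `frac` of the vulnerable hosts is infected."""
    for t, infected in samples:
        if infected >= frac * vulnerable:
            return t
    return math.inf


if __name__ == "__main__":
    samples = simulate()
    for frac in (0.1, 0.5, 0.9):
        print(f"{frac:.0%} infected after {time_to_fraction(frac):.1f} s (analytic), "
              f"{simulated_time_to_fraction(samples, frac):.1f} s (simulated)")
    # Containment levers as the model sees them: rate-limiting scans lowers r,
    # patching lowers N (both stretch the time constant S/(rN)); segmentation
    # the worm cannot cross caps I at the segment's own vulnerable count.
    print(f"with half the vulnerable hosts patched: "
          f"{time_to_fraction(0.5, vulnerable=VULNERABLE // 2):.1f} s to 50%")
```

With the assumed numbers half the vulnerable population is infected in about six seconds, which is why the propagation questions above are about containment speed rather than analysis depth; the model also makes the segmentation question concrete, since a segment the worm cannot scan into contributes nothing to I.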

Network Impact Assessment

  • “What network infrastructure is being overwhelmed by this threat?”
  • “How is the worm’s traffic affecting normal business operations?”
  • “What network segmentation would have prevented this spread?”
  • “How do you prioritize network recovery versus containment?”
  • “What network monitoring would detect future similar threats?”

For Ransomware-Type Malmons

Encryption Impact Analysis

  • “What data has been encrypted and what’s still accessible?”
  • “How do you prioritize data recovery efforts?”
  • “What backup systems are still intact and accessible?”
  • “How long would recovery take without paying the ransom?”
  • “What data can be recreated versus what’s permanently lost?”

Business Continuity Assessment

  • “What business processes are completely halted by this encryption?”
  • “How do you maintain critical operations during recovery?”
  • “What manual processes can substitute for encrypted systems?”
  • “How do you communicate with customers during system outages?”
  • “What revenue impact results from this operational disruption?”

For APT-Type Malmons

Long-term Campaign Analysis

  • “How long has this advanced threat been in your environment?”
  • “What evidence exists of previous compromise attempts?”
  • “How do you assess the full scope of a sophisticated campaign?”
  • “What nation-state or advanced criminal capabilities are evident?”
  • “How do you investigate without alerting sophisticated adversaries?”

Strategic Targeting Assessment

  • “What strategic assets or information was this threat targeting?”
  • “How does this attack align with geopolitical or economic interests?”
  • “What competitive intelligence might have been stolen?”
  • “How do you assess the intelligence value of compromised data?”
  • “What long-term strategic damage might result from this compromise?”

Expertise-Level Adaptations

For High-Expertise Groups

Leveraging Technical Expertise

  • “What forensic approaches have worked for you in complex investigations?”
  • “How do you typically track sophisticated threats through networks?”
  • “What intelligence sources have provided valuable insights in your experience?”
  • “How have you connected incidents to broader threat patterns before?”
  • “What detection strategies have you found most effective against advanced threats?”

Advanced Investigation Experience

  • “How have you adapted your analysis techniques for evolving threats?”
  • “What automated detection methods have enhanced your investigations?”
  • “How do you develop investigation strategies for new threat types?”
  • “What operational security considerations matter in your investigations?”
  • “How do you build confidence in attribution assessments?”

For Mixed-Expertise Groups

Cross-Functional Analysis

  • “How do the technical findings translate to business risk?”
  • “What would each department need to know about this incident?”
  • “How do you explain technical details to non-technical stakeholders?”
  • “What training would prevent this type of incident?”
  • “How do you build organizational resilience against similar threats?”

Collaborative Investigation

  • “How would different roles in your organization contribute to this investigation?”
  • “What information sharing would improve the investigation?”
  • “How do you coordinate technical and business response activities?”
  • “What cross-training would improve incident response?”
  • “How do you ensure all perspectives are considered in the analysis?”

For Business-Focused Groups

Strategic Impact Analysis

  • “From your business perspective, how would this affect key objectives?”
  • “What competitive risks have you seen from similar incidents?”
  • “How would you approach calculating the business impact?”
  • “What risk transfer mechanisms have you worked with before?”
  • “How do you typically communicate complex incidents to senior leadership?”

Risk Management Assessment

  • “Based on your risk management experience, how would this change organizational risk?”
  • “What mitigation strategies have proven effective in your experience?”
  • “How do you typically justify security investments to leadership?”
  • “What risk tolerance discussions have you had after incidents?”
  • “How have you measured security investment effectiveness before?”

Progressive Investigation Techniques

Building Investigation Depth

Layered Analysis Approach

  1. Surface investigation: What’s obviously compromised?
  2. Pattern analysis: What do the indicators tell us about attacker behavior?
  3. Timeline reconstruction: How did this attack unfold over time?
  4. Impact assessment: What’s the full scope of damage?
  5. Attribution analysis: Who is responsible and what are their capabilities?

Evidence Correlation Methods

  1. Technical correlation: How do different technical indicators connect?
  2. Temporal correlation: What does the timing of events suggest?
  3. Behavioral correlation: What patterns reveal attacker intent and capability?
  4. Strategic correlation: How does this fit into the broader threat landscape?
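The Forensic Timeline Development and Evidence Correlation questions in the Detective section, and the technical and temporal correlation methods listed above, come down to one mechanical step that is easy to describe and easy to get wrong: normalising timestamps from sources that disagree about format and time zone, then joining events on a shared key. The following is an added example, not code from the original page; the log lines are constructed (EDR telemetry in UTC, a proxy log in year-less syslog format assumed to be in UTC-5, and an authentication log in epoch seconds), and the IP-to-host mapping stands in for an asset inventory.

```python
"""Timeline reconstruction and evidence correlation over constructed sample
logs from three sources (EDR, web proxy, authentication).  Added example;
none of the data below comes from a real incident."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set

# EDR telemetry: ISO 8601 UTC timestamp followed by key=value fields.
EDR_EVENTS = [
    "2024-03-04T14:02:10Z host=WS-042 user=jdoe event=process_create image=powershell.exe parent=WINWORD.EXE",
    "2024-03-04T14:02:41Z host=WS-042 user=jdoe event=file_write path=C:/Users/jdoe/AppData/Local/Temp/upd.exe",
    "2024-03-04T14:20:05Z host=FS-01 user=svc_backup event=process_create image=cmd.exe parent=services.exe",
]
# Web proxy: syslog-style lines in local time with no year (assumed UTC-5).
PROXY_LOG = [
    "Mar  4 09:02:15 proxy01 squid: 10.0.5.42 GET http://203.0.113.7/upd.exe 200 TCP_MISS",
    "Mar  4 09:45:30 proxy01 squid: 10.0.5.88 GET http://intranet.example/news.html 200 TCP_HIT",
]
# Authentication log: epoch seconds followed by key=value fields.
AUTH_LOG = [
    "1709561990 host=FS-01 user=jdoe event=logon_success src=10.0.5.42 type=network",
]
# Assumed asset inventory: maps proxy client IPs to hostnames so every
# source shares the same technical correlation key (host).
IP_TO_HOST = {"10.0.5.42": "WS-042", "10.0.5.88": "WS-088"}
LOG_YEAR = 2024                            # assumption for year-less syslog
PROXY_TZ = timezone(timedelta(hours=-5))   # assumption: proxy logs in UTC-5


@dataclass(order=True)
class Event:
    ts: datetime                            # tz-aware, normalised to UTC
    source: str = field(compare=False)
    host: str = field(compare=False)
    detail: str = field(compare=False)


def _kv(parts: List[str]) -> Dict[str, str]:
    return dict(p.split("=", 1) for p in parts if "=" in p)


def parse_edr(line: str) -> Event:
    stamp, *rest = line.split()
    ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    kv = _kv(rest)
    return Event(ts, "edr", kv["host"], f"{kv['event']} {kv.get('image') or kv.get('path')}")


def parse_proxy(line: str) -> Event:
    f = line.split()   # Mon D HH:MM:SS relay prog: client method url status result
    local = datetime.strptime(" ".join(f[:3]), "%b %d %H:%M:%S")
    local = local.replace(year=LOG_YEAR, tzinfo=PROXY_TZ)
    return Event(local.astimezone(timezone.utc), "proxy", IP_TO_HOST.get(f[5], f[5]), f"{f[6]} {f[7]}")


def parse_auth(line: str) -> Event:
    epoch, *rest = line.split()
    kv = _kv(rest)
    ts = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
    return Event(ts, "auth", kv["host"], f"{kv['event']} user={kv['user']} src={kv['src']}")


def build_timeline() -> List[Event]:
    """Parse every source, normalise to UTC and order by time."""
    events = [parse_edr(l) for l in EDR_EVENTS]
    events += [parse_proxy(l) for l in PROXY_LOG]
    events += [parse_auth(l) for l in AUTH_LOG]
    return sorted(events)


def correlate_by_host(timeline: List[Event], window_s: int = 60) -> List[List[Event]]:
    """Technical + temporal correlation: per host, chain events that fall
    within window_s of the previous one, and keep only chains that at
    least two independent sources corroborate."""
    by_host: Dict[str, List[Event]] = {}
    for ev in timeline:
        by_host.setdefault(ev.host, []).append(ev)
    clusters: List[List[Event]] = []
    for evs in by_host.values():
        chain = [evs[0]]
        for ev in evs[1:]:
            if (ev.ts - chain[-1].ts).total_seconds() <= window_s:
                chain.append(ev)
            else:
                clusters.append(chain)
                chain = [ev]
        clusters.append(chain)
    return [c for c in clusters if len({e.source for e in c}) >= 2]


def single_source_hosts(timeline: List[Event]) -> List[str]:
    """Evidence gaps: hosts seen by only one source cannot yet be validated."""
    seen: Dict[str, Set[str]] = {}
    for ev in timeline:
        seen.setdefault(ev.host, set()).add(ev.source)
    return sorted(h for h, s in seen.items() if len(s) == 1)


def observed_span_seconds(timeline: List[Event]) -> float:
    """Earliest to latest evidence: a lower bound on how long the activity ran."""
    return (timeline[-1].ts - timeline[0].ts).total_seconds()


if __name__ == "__main__":
    tl = build_timeline()
    for ev in tl:
        print(ev.ts.strftime("%H:%M:%SZ"), ev.source.ljust(5), ev.host.ljust(6), ev.detail)
    for chain in correlate_by_host(tl):
        print("corroborated:", chain[0].host, sorted({e.source for e in chain}))
    print("single-source hosts:", single_source_hosts(tl))
```

Run as written, the proxy fetch of upd.exe lands five seconds after the Word-spawned PowerShell on WS-042 and the network logon to FS-01 lands fifteen seconds before the cmd.exe start there, so both hosts come out as corroborated chains, while WS-088 appears only in the proxy log and is reported as an evidence gap. The two mistakes the example guards against are the ones that most often break a timeline in practice: treating a year-less local-time syslog stamp as UTC, and correlating on IP in one source and hostname in another without an inventory to join them.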

When Investigation Stalls

Perspective Shifting Questions

  • “What would we see if we looked at this from the attacker’s perspective?”
  • “What assumptions might we be making that could be wrong?”
  • “What evidence are we not seeing that should be there?”
  • “How would this investigation change if we assumed a different threat actor?”
  • “What would happen if our initial identification was incorrect?”

Scope Expansion Techniques

  • “What broader context might we be missing?”
  • “How does this incident connect to industry-wide threat trends?”
  • “What historical incidents share similar characteristics?”
  • “What threat intelligence could provide additional context?”
  • “What other organizations might have relevant experience?”

Investigation Success Indicators

Thorough Investigation Achievements

Team Collaboration Success

Remember: Investigation phase questions should deepen understanding while building toward coordinated response. The goal is comprehensive situational awareness that enables effective decision-making in the response phase.