Ok gang,
I've been gone for quite a while (out paying the bills) so here's a little fun for anyone that wishes to participate. This will be a multi-phase incident response and forensics scenario.

PART I




2:30 PM
you receive a frantic voice mail message while in the car from a network engineer that was monitoring a branch office network.

"It looks like there's one system acting up in your area....wait check that, a scan revealed 9 more systems with rogue FTP servers, give me a call"


From 2:30 to 3:00 you attempt to call the network engineer and the entire network engineering team (4 people in all). You are unable to reach a single one of them.


3:00 PM
you arrive back at your office. You decide to call the director of network engineering.

You: "Hey bud, I keep trying to call your engineers but can't get through to any of them, I got a call about a branch office with a lot of rogue ftp servers, know anything about it?"

Director: "Ah yeah, the entire team is in an infrastructure meeting, they won't be out until 4:00. I haven't heard much other than what you just told me. I'll let them know you called."

You: "Ok, thanks"

You hang up the phone.

You are an Incident Handler in a distributed CSIRT. There is one other handler in the immediate area that is on your team but less experienced. You have no in depth knowledge of the branch office network configuration and you've never been on site.


What do you do?