Field Guide to Incident Response for Civil Society and Media

"Three things are essential when providing incident response for civil society and the media: Trust, knowledge, and experience."

This guide is designed for those providing digital security incident response to learn the tools of the trade and to gain technical skills that could be useful in the analysis and detection of cyber threats such as phishing, malware, and device compromise. With the help of exercises and real-world examples, the chapters guide the reader through the field of incident response, with a specific focus on civil society and the media.

The guide was prepared by Internews' Internet Freedom & Resilience team under a stream of work that seeks to strengthen civil society organisations, journalists, and other human rights defenders' ability to detect, analyse, and build resilience to digital attacks through localised expertise in threat analysis and incident response. This same stream of work produced a report on Global Trends in Digital Security for civil society and media, as well as threat landscape reports for five countries: Armenia, Brazil, Mexico, Serbia, and Ukraine (see Related Summaries below).

The original intended audience of the guide was a group of seven 'Threat Labs,' part of an Internews project from 2021 to 2023. These are civil society organisations with experience in handling security incidents that support their communities by responding to digital threats and that are often a point of contact for the broader digital security and cybersecurity communities. Internews worked with these partners to ensure they had the appropriate analysis skills, tools, and resources.

This edition of the guide is written for organisations or individuals already providing some level of digital security support to civil society and the media but seeking to build their incident response and analysis capacity further. The guide may also help existing Threat Labs onboard new staff members.

The guide covers the following:

• Reading Threat Research - This chapter encourages users to improve their knowledge of cybersecurity and to stay up to date on developments through reading. It also offers a list of resources, including blogs and websites.
• The Linux Command Line - A Linux command line is an interface that accepts lines of text and processes them into instructions for a computer. This chapter offers an introduction, guiding the reader through some exercises and questions so that they understand the basics and feel comfortable enough to use it and gradually learn more commands and tricks.
• Malware - This chapter introduces readers to the concept of malware, which is crucial to understanding incident response. It also looks at the different kinds of malware.
• Virtual Machines and REMnux - This chapter offers instructions on how to install REMnux, a Linux-based toolkit for malware analysis.
• Threat Intelligence and VirusTotal - This chapter focuses on threat intelligence and use of VirusTotal. Threat intelligence (or Cyber Threat Intelligence, often shortened to CTI) helps one understand digital attacks and their context, such as who or what is behind them and what links there are between different attacks.
• Android and Android Malware - This chapter helps users to analyse Android devices for potentially malicious apps.
• Email Forensics -  The chapter focuses on how to analyse an email that has been received and to determine whether it is legitimate.
• Analyzing Email Payloads - While the previous chapter focuses on analysing the email itself, this chapter looks at some basics of analysing malicious attachments and links (also called "payloads") in emails. The first part covers sandboxes, a convenient way to analyse potentially malicious files and links, and the second part is an introduction to analysing the files manually.
• Website Incident Response - This chapter is about performing incident response for websites. Most civil society organisations have a website, and issues with them are common. Sometimes, this is merely frustrating: The organisation temporarily loses a public presence but is otherwise able to continue its activities. Often, though, a non-functioning website seriously hampers the organisation's ability to perform its tasks. This chapter provides an introduction to websites, web servers, and web hosting, and it looks at the most common platforms used by civil society organisations to publish their content online.
• iOS Incident Response - This chapter is meant to help the reader become familiar with iOS so they can perform some basic forensics on iPhones and iPads to check their security and confirm infection or, just as importantly, confirm a device is likely clean.