Dealing with Misinformation During Security Assessments and Forensic Investigations

Interview subjects don't always provide accurate information—they may not know details, remember incorrectly, or have incentives to mislead. Look for discrepancies between sources, ask similar questions multiple times, collect data to collaborate or refute claims, and spot-check whenever possible.

Information security professionals frequently encounter misinformation, especially while conducting security assessments and forensic investigations. These projects often involve interviewing clients or colleagues to learn about the IT infrastructure, security practices, data flows, and so on.

The Reality of Misinformation

Unfortunately, interview subjects don’t always provide accurate information. This is usually done without malice—the subjects might not know all the details and don’t want to look bad; or they might simply remember the details incorrectly. In some cases the subjects might have incentives to purposefully mislead the interviewer.

J. Andrew Valentine discussed this topic in his chapter in the book CyberForensics, where he advised memorizing and reciting a mantra such as:

“My job here is to help you. However, I cannot help you unless you tell me the truth.”

He also highlighted the need to fact-check and validate information presented during interviews. I agree.

10 Tips for Spotting and Handling Misinformation

Here are my 10 tips for dealing with misinformation during security assessments and forensic investigations:

Remember that interview subjects might purposefully or inadvertently present you with incorrect information.
Watch out for “lies by omission,” which is another form of misinformation.
Look for discrepancies between the information provided by different subjects and also between what you heard and what you saw in documentation.
Ask similar questions several times, though not in direct sequence, watching out for the discrepancies in the answers you might receive.
Collect your own data to collaborate or refute what you heard during interviews. You may be unable to check all information, but spot-checks should be within the realm of possibility.
Consider whether it’s wise to directly confront the subject when you notice misinformation—this might create friction without helping your objectives
If you have the opportunity, give the people whom you’ll interview a chance to get to know you—if they feel comfortable with you, they might be more truthful.
Remind subjects that it’s very important for you to have accurate information to provide meaningful analysis.
Take notes of the answers, confirming with subjects what you heard them say to avoid concerns over incorrect recollection of the statements.
Keep in mind that sometimes people don’t realize that they are providing misinformation—they might be simply misinformed.

The problem of misinformation is common in other professions, including lawyers and doctors. Note to self: research how other professions deal with it. Update: For additional thoughts along these lines, see Ed Moyle’s post Anticipate the Lies, Plan Accordingly. For more on the topic, see my Tips for Creating an Information Security Assessment Report Cheat Sheet. — Lenny Zeltser

About the Author

Lenny Zeltser is a cybersecurity executive with deep technical roots, product management experience, and a business mindset. As CISO at Axonius, he leads the security and IT program, focusing on trust and growth. He is also a Faculty Fellow at SANS Institute and the creator of REMnux, a popular Linux toolkit for malware analysis. Lenny shares his perspectives on security leadership and technology at zeltser.com.

Learn more →