Ask HN: Anonymous person sent proof of SSH access to our production server
Anonymous person (under a nickname) sent screenshot as a proof that they managed to gain SSH access to our production server. The screenshot is legit, information displayed in it could not be faked without actual access.
Just a proof, not some ransom request or anything equal.
What would be a smart next step? Other than checking if there are any security updates for all the software in our stack.
We are a small company and don't have any security experts, etc.
Thanks!
245 comments
[ 2.1 ms ] story [ 246 ms ] threadFind one.
Since he contact you Anonymously and is not trying to extort you he's just trying to point the issue out so there's no point in over reacting.
1. figure out the intentions of the individual
2. quickly finding and fixing the affected system
To be clear it doesn't matter if the information is true or false because if it's true you can find evidence on the system to confirm it and if it's false it could still prove useful.
You can nuke it from orbit later that could take hours or even days depending on how much stuff you have on it plus if the entry-point was trough the new app you just created nuking it won't fix the issue.
The moment you put the app on the new server you opened yourself up to get hacked again.
We all know a constantly updated system with nothing happening on it is incredibly hard to hack vs a system that has a lot of things happening on it the more things you're doing on a server the higher the attack surface plus it's a small company we're talking about here so they probably want to keep costs down by doing everything on as few servers as possible.
However, doing anything less than clean reinstall of the tainted system and implementing the fix there would be underreacting. Verifying if that system was/wasn't backdoored takes ten (if not hundred) times more effort than nuking it from orbit and reconfiguring a new one.
Without a "security expert" there really is nothing they can do.
Except some semblance of an idea of where to find a security expert. Even if it's a slight remix of "where to find ryanlol", that's plenty more insight and guidance. :)
(It probably seems obvious to you, but most people don't know where to find one.)
If unsure about how much a reward should be, keep in mind how expensive it could get without.. often a costly chain-reaction of disasters.
The practical solution for most is to outsource, but it can be challenging to find affordable and high-quality service at a reasonable price.
I'm getting ready to launch in this space. With few exceptions, the services I trust are focused on the glut of opportunities with deep pocketed clients. I can count on my fingers (and maybe toes) the number of colleagues and companies who are willing to pass that gold rush up to deal with the needs of the smaller clients in a meaningful way.
But it comes down to:
- Take existing server down immediately. I'm assuming it is not on an isolated network -- so this should really be a priority.
- Prep a new patched server (with a smaller attack surface and updated security credentials)
- Postmortem the old box on an isolated network. Try to understand how the attacker got in. If necessary, get security professionals involved.
You could also get looped into tax evasion if the person you paid doesn't report the bug bounty income. You can still maintain anonymity by not announcing the person who found it, but it's not a good idea to give money to anonymous people for work.
-> disable root being able to login inside your sshd_config file. Make sure PermitRootLogin no
-> rename the root account too so if they are using an exploit based on user authentication then perhaps they won't be able to elevate to root.
-> disable password based logins and go to cert based auth. This will shutdown brute force attacks.
-> lower MaxAuthTries in sshd_config to something like 1 or 2 to help slow down attackers.
-> change the port you listen on. A little security through obscurity while not very effective might slow future casual port scanners that are testing a single port. In practice I've seen this really eliminate a lot of reconnaissance or farming type activities.
-> Make sure you're openssl and openssh are at the latest stable releases.
-> If the perp is coming from the same IP, you can use an iptables rule to block the netblock. Again, not perfect but may help slow things down.
-> grab shell history of all the user accounts on the box. Example ~/.bash_history. This is more reconnaissance but may be helpful if they are sloppy - you might see what they were doing on the box.
-> look for any modified files or new ones. Obviously logs will show up in the list but you're looking for things that should not be there. Example: find / * -mtime -60 -print where 60 is how many days ago you want to go back.
-> look at chron file to see if any timed delay bombs exist.
-> look at ps -aux output for any running processes that don't make sense
-> look at iptraf for any suspicious traffic to IPs you can't reconcile.
Good luck!
(Just kidding.)
command history is also easy to alter if you know what you are doing.
Re the command history, is there any way around them wiping it - e.g. piping all .bash_history entries to an append-only store?
You can also use a global bash configuration that would log all commands [1] entered into any bash shell to a central log, which could be shipped off-server simultaneously.
[0]: http://rkhunter.sourceforge.net
[1]: http://askubuntu.com/questions/93566/how-to-log-all-bash-com...
However, rkhunter has additional logic to specifically seek out rootkits and malware-like behavior, and is more specifically targeted to system file modifications. Combining it with unhide (to compare actual processes running with those visible from userspace) provides a reasonable assurance that nothing nefarious is going on.
They're all part of a spectrum, however. I use scanners like aide alongside rkhunter as well, but I'm the sort of guy that will spend a day tuning the config of aide to avoid constant false alarms.
I'm curious why you think owning a DC makes you less qualified to respond? Presumably because someone that senior is less in touch with day-to-day security operations?
The few times we've been in this position, its always been someone's desktop that's been compromised. If you don't have a strong desktop security policy, a UTM, traffic inspection, key encryption policy, etc and you store keys or passwords locally, then this becomes a risk.
But in the meantime I'd have to assume everything is compromised: save a copy or an image of the server for analysis, but take it offline and build a new one. Rotate all passwords and credentials. Assuming you're not doing something strange with SSH, they probably got legitimate credentials from a compromise somewhere else or password reuse or a compromised development machine, etc. There are guides online for doing this: https://support.rackspace.com/how-to/recovering-from-and-dea...
It sucks. Sorry.
As the 2 comments so-far have suggested getting security experts, where would be a good place to source security experts? I'm envisioning 2 kinds:
* Consultant, working for a fee (with retainer?);
* Independent, may be consultant, but could also be someone currently looking for a new permanent role and would bring welcome diversity/expertise to a small team - potentially illiquid / poorly matched hiring market that could be nice for many smaller companies to tap? Working remotely could work too - no borders/boundaries.
There's no universal good answer for this.
I spend a lot of time on ##crypto (irc.freenode.net), and a lot of smart folks hang out there. Some are very well connected to other security experts in their own isolated communities.
However, there are undoubtedly silos of security expertise that remain untapped if you rely on just IRC.
You could also find folks who talk about security here on HN and follow their Twitter accounts (if public).
You could try "[development stack] security expert" in a Google search, as a last resort. (My company's currently at the bottom of the first page for PHP, although that's likely only true because of our filter bubble.)
A diverse approach is probably most likely to succeed here.
You could go with a known firm like iSec Partners, Matasano (now NCC) or Mitnick Security. They won't be cheap - at worst they may be able to refer you to some other reputable firm if your budget is limited.
Please no. Not Mitnick.
I'd rather funnel clients towards my competitors than Kevin Mitnick.
He's a skilled social engineer, and his greatest social engineering success was manipulating the media into believing he speaks for hackers in general.
He is not a programmer, his opinions on cryptography aren't insighful, etc. His only skill is deception.
If by hack, you mean use conned or password-guessed credentials to get in... Not my definition of the word.
I tend to work mainly with small businesses and professionals in healthcare, law, etc to avoid and prepare for incident response, but I also work with clients in the middle of a breach.
In lieu of someone like me or a dedicated breach coach/resolution company, there are a handful of good attorneys who understand tech/startup culture and even enough of the technical intricacies to provide a good response.
Our new website will include resources, but it hasn't launched yet. I'm often available to do a short call at no cost to discuss level of effort and get a company or startup moving down the right path. If you want to take me up on that, hit me up on https://www.linkedin.com/in/clintonjcampbell now (or quirktree.com starting next Monday).
I understand you're running a business which makes it that much more scary. If he's not asking for ransom, you might ask him how he'd fix it. I know it might seem like blackmail, but you might even offer him a "consulting fee". He's probably just someone looking to try new things out and not malevolent.
But if we treat every hacker like that by default then what kind of world do we create? Certainly take prudent safety action, but then practice what many here claim to value: knowledge sharing among curious individuals.
Does your company / product have an official responsible disclosure policy?
It's not that rewards should be small for big finds, but if you are legit poor, you have limits on what you can do.
I feel like I've been embiggened by learning it today.
The server running this software was in our main server room although it was technically not our department. So one day, when a fairly serious bug was found, I had to chaperone the non-technical person into the service room. She was on the phone with these guys. For political reasons within the company, all I could do was watch. They instructed her, over the phone, symbol-and-letter by symbol-and-letter to add to live production code. What they added? A giant "if false" block around the buggy code.
Even odds it's a current employee, anyway.
- Debian provides SHA-512 checksums of those ISO images
- the checksums are signed cryptographically
- web server is not the only distribution point
- Debian packages are distributed signed, so once you have your OS installer somehow verified, you're much safer than with Homebrew
Granted, SHA-512 checksums and their GPG signatures are not exposed very prominently on Debian's homepage. You need to go to the listing of directory with ISO instead of clicking "download ISO" direct link.
Speaking only for myself.. If I were to go the trouble to anonymously tip somebody off about a security vulnerability, it would be because I cared that they were secure and that I did not wish to be identified. I would neither expect nor accept a reward.
I think just the fact that they didn't do this points to malevolence. I would expect the ransom demands to follow shortly.
On new re-installed server:
1. Change SSH service port to non-default one. 2. Do not allow root user to remotely connect (change sshd config) 3. Create new user which you will be using for administration to login as root. 4. If possible restrict which IP addresses are allowed to connect via SSH using firewall.
Subsequently, refer to "Essential Security for Linux Servers" [0] and "7 Security Measures to Protect Your Servers" [1].
[0] https://plusbryan.com/my-first-5-minutes-on-a-server-or-esse...
[1] https://www.digitalocean.com/community/tutorials/7-security-...
[2] https://www.digitalocean.com/community/tutorials/how-to-set-...
Step 2) Hire a security expert / forensics company. Give them the image, ask them how to proceed.
Things to keep in mind:
- You don't know now much you can trust the person who has contacted you. It's possible they think they're a good samaritan, though logging into a system as a proof of concept is pretty far into grey-hat.
- Anything you say to them may one day be public record, attached to your company forever.
- It's possible they've compromised far deeper than this, and they just haven't said so
- If they've gotten in, it's possible that they aren't the only ones, so even if they cooperate and help you close the hole, you still want to do steps 1 and 2 above.
Step 2: Next step is setting up new systems, and start from scratch. Install the systems, start with basic system hardening and up-to-date software packages. Use https://github.com/CISOfy/lynis to validate your configuration.
Do not have any interaction or data exchange with the old (compromised) systems.
Step 3: Save all running systems to learn from the event. See if you can find the main cause why this happened.
Step 4: Learn about security, hire someone on your team with security knowledge.
Step 5: Do regular (technical) audits.
This should be:
"Thank this person and provide a reward"
Looking at all the other steps you'll have to go through to remedy the situation, this is the least of your costs. (Provided they cooperate and are not malicious)
If you must, at least do these steps:
- Disable password SSH login - Install root kit scanner, like rkhunter and check if your networked systems are infected. s/he might gained access to other instances in your infra. - Use port scanning on all your instances and check if there is any suspecious rpc port is open that you are not familiar wtih. - Enable unattended security upgrades. - Check for the vulnerabilities listings for your internet facing services, like nginx, apache, HAproxy, etc.. - forward all your syslog logs to remote system so the attacker can't cleanup her/her traces after establishing the attack. - enable automatic blockers like fail2ban.
If you have the infrastructure and capability to put it on a different network by all means make it inaccessible but for most businesses there's really no other option anyway.
Simpler (better, IMHO) advice would be to make key-based authentication mandatory for your production servers. That way a brute force attack is unlikely to ever succeed. It also rules out stealing passwords since the attacker would need to obtain the entire SSH key before they could login.
Having said that, we don't know how the attacker got in. They could have created an account for themselves or changed the root password/system configuration via a vulnerability. If that's the case they could modify sshd_config so that it listens on the public IP which would make "don't expose it to the public" moot (firewalls notwithstanding).
1. firewall - only allow SSH connections from trusted static IPs
2. Use SSH keys then disable password logins. Lots of guides online to create keys, so I'll just cover the 2nd point: as root or sudo, edit /etc/ssh/sshd_config
(edit: make sure the SSH keys have passphrases. That way you have an extra bit of security in case any workstations get compromised)3. Disable root access. edit /etc/ssh/sshd_config
4. Limit SSH access to specific user accounts. This prevents users creating their own key (in the case of mountable home directories) or other machine accounts with passwords (if you've not done #2): 5. Install auto-firewalling for failed SSH logins. I personally favour fail2ban as that covers other scenarios too, but I've also used denyhosts and that's worked well for SSH.6. Lastly, and by far the best option, don't enable SSH on any internet facing IPs.
If you need SFTP enabled, then let me know and I'll post some details on how to harden SFTP so attackers cannot gain an SSH shell.
However it's possible that the attacker's screenshot was of a remote shell initiated via some other means and the OP assumed it was via SSH.
Edit: why was this downvoted? If there's an error then I need to be educated. I've spent enough years of my professional life hardening servers to have some idea what I'm talking about, but I'd be an idiot if I didn't listen to the expertise of others. So please correct me rather than downvote me :)
Probably doesn't help I've been working long hours this week so a little on edge to begin with.
I'm curious how to go from obtaining X info/access to an SSH session.
I'm curious how to go from obtaining X info/access to an SSH session.
It's far more likely that the attacker got legit credentials via another means, web application vulnerability, social engineering or malware attack on company machines, etc. I'd look at the less common applications you run, particularly anything that doesn't particularly look like it was designed to run facing the internet. For example, the elasticsearch guys decided that it would be a great idea to allow anyone who can access it to run java code on the server at one point...
1. firewalling to only the sysadmin's IPs,
2. SSH keys + disabling password logins
6. and disabling SSH on internet facing IPs altogether (if possible).
If someone in the datacenter can image the VM and mount it some place in their own machine, reset the ssh rsa key, etc.
Is it good enough to "produce" the proof of the hack?
If so, than no amount of "clean up" can fix the issue, right?
The rest of that article is very helpful as well!
Foxpass also offers a nice audited, limited duration 2fa ssh auth service.
If you really want to hide SSH from script kiddies then you're better off setting up firewall rules to whitelist trusted IPs. Heck, even port knocking[1] would be a better option than changing the port number.
[1] https://en.wikipedia.org/wiki/Port_knocking
FWIW, I've never seen a brute force attack on SSH other than on port 22. Most likely, a targeted attacker would realise if you change the port, you're probably not going to have a trivial password.
Random IPs are unlikely to be port scanned but any reasonably popular site will.
However, proper ingress filtering or local iptables/pf rules would stop any unwanted inbound traffic from reaching your server, and you should definitely be using ingress and egress filtering on your network.
It is basically zero inconvenience to add an extra argument or shell setting.
You're right that key only logins are the easiest quick win, but it's also worth remembering that they can still be vulnerable if the box needs passphraseless keys (eg lazy automation) or if you cannot guarantee the security of those keys (eg they're generated by third parties and/or stored on third party systems). In those situations it would pay to firewall SSH and specifically whitelist the third parties IP address.
Good suggestion about the logs too. That's an often forgotten step yet invaluable when it comes to forensics.
Test the new access before closing the current session! If you made a mistake in any of the steps you will still be able to fix it. If you close the SSH session before testing, and then find that you made a mistake (e.g. forgot to `chmod 600` the private SSH key or something similar) you're stuck!
I also love how you can take genuinely helpful posts - after all, it's better to harden SSH regardless of whether this specific attack initially came directly from SSH - and somehow turn those contributions into something negative. God bless internet messageboards.
No, it doesn't secure you against the above attack. If they can use an XSS to get full access to the server and get the SSH key, then hardening SSH does pretty much nothing, they just whitelist their IP and continue accessing the server. We don't know that they got SSH access via SSH. Until we understand how they gained access to the server, blocking off other means of access that might have nothing to do with how they gained access does nothing.
> I also love how you can take genuinely helpful posts - after all, it's better to harden SSH regardless of whether this specific attack initially came directly from SSH - and somehow turn those contributions into something negative. God bless internet messageboards.
Sure, hardening SSH is always a good idea, but until we actually understand how the SSH access was obtained, we don't know that it fixes the immediate problem. It absolutely is negative to give people information that persuades them their problem has been solved when it hasn't been solved.
I don't see any reason for you to take my post personally. It's not an attack on you, it's just pointing out that we need more understanding of the problem to actually solve it. Don't shoot the messenger.
Someone else suggested that and my reply was that if they already have access to remotely execute code as root then they can easily gain root shell access with much less effort than having to do the above workarounds to enable the systems default OpenSSH server (and there are plentiful other ways to execute remote shells without needing SSH)
> Sure, hardening SSH is always a good idea, but until we actually understand how the SSH access was obtained, we don't know that it fixes the immediate problem.
Since you agree that hardening SSH is a good idea, then it doesn't matter how the attacker gained access to SSH, you'd recommend they review the security of their SSH server regardless. So your latter statement becomes irrelevant to the former statement.
> It absolutely is negative to give people information that persuades them their problem has been solved when it hasn't been solved.
I never once suggested this would fix their problems. In fact my language was very clear that my advice would harden against SSH attacks, specifically. However they have asked for next steps and while other people have rightfully focused on the forensics side of the investigation, I have complimented their advice with tips on hardening SSH. One recommendation doesn't have to override another :)
> I don't see any reason for you to take my post personally. It's not an attack on you, it's just pointing out that we need more understanding of the problem to actually solve it. Don't shoot the messenger.
The server is compromised thus it's already too late to "solve". However that doesn't mean people cannot offer advice on hardening against potential future attacks on new or existing infrastructure in conjunction with analyzing the point of attack on the compromised (and hopefully now isolated) equipment.
The snarky tone of my replies are because you have not offered tips that take precedence over my own recommendations, which if you had then I would have taken your criticisms seriously. But as it stands you're currently just disagreeing for the sake of disagreeing. Which is something I see far too often online and often just from people who want to seem knowledgeable but without imparting any actual knowledge and thus mitigate the risk of themselves looking stupid. Which is also why so many experienced individuals tire of contributing to public forums.
You say my advice doesn't solve the OP issues, well neither do your posts. So what was the point in posting them? I just see it as an odd kind of cyclic logic.
Given that the OP doesn't know how to address their immediate problem, however, posting a bunch of random good practices is probably not very helpful.
I contributed something constructive: I recommended figuring out what the vulnerability is and fixing that over fixing random things and hoping you fix the problem by chance.
> I never once suggested this would fix their problems. In fact my language was very clear that my advice would harden against SSH attacks, specifically. However they have asked for next steps and while other people have rightfully focused on the forensics side of the investigation, I have complimented their advice with tips on hardening SSH. One recommendation doesn't have to override another :)
You said, "I was one of the people offering advice on hardening SSH. I mentioned firewalling sshd to a subset of trusted IPs - which would still secure you against the above attack."
If you want to claim you didn't say anything wrong and you were intending to suggest your solution in addition to the solution that actually solves the problem, that's your prerogative, but people can read the post history which shows that isn't true, so it would be more dignified to just admit you made a mistake. Nobody cares that you made a mistake--I'm not attacking you for that. I'm just trying to put up the correct information, since you didn't. It's not about you, so there's not much reason to take it personally, and you're not making yourself look good by claiming you didn't make mistakes that everyone can read.
This is not a mistake, this is something I've done in practice when auditing security at work. (Preventative pen testing rather than post breach forensics such as this situation calls for. But as I said before, that doesn't mean you cannot take lessons from the former in conjunction with the latter.
Anyhow, we really are just arguing about arguing now, which is an utterly pointless waste of both our time
But you didn't correct it, you proposed a solution that didn't address the attack I described.
> Your example required a web server attack that allowed arbitrary code execution and privladge elevation; which is a hugely specific attack and it's pretty fair to say it's unlikely (in the case of gaining root access and then choosing to enable SSH, which I'll get to).
The XSS attack is just an example of a vulnerability that wouldn't be addressed by hardening SSH. There are plenty of other vulnerabilities that wouldn't be addressed by hardening SSH.
> Furthermore, and at risk of sounding like a broken record, if an attacker can remotely execute code as root then they have absolutely no need to enable SSH for they already have far easier methods of firing off a remote shell. (To be honest they don't even need root to accomplish this).
There's a good reason to demonstrate SSH access even if they have root access: they might want to show their capabilities without exposing how they gained those capabilities (because knowing how they gained those capabilities would allow the OP to fix the problem).
> This is not a mistake, this is something I've done in practice when auditing security at work.
Just because you've made mistakes in practice when auditing security at work doesn't mean they aren't mistakes.
This isn't even time for a security audit. OP first really needs to do some forensics. A security audit should happen, but it can wait until the vulnerability has been found and fixed.
Well durr! We could be here all night listing things that SSH hardening wouldn't secure against. I never suggested it was a silver bullet to fix all security needs (which seems to be the faux argument you're accusing me off).
I'm loving all the personal attacks too. You cannot compete on an intellectual level so you make baseless accusations about my professional capabilities instead. God bless Internet message boards....
That's not what I accused you of--people can read our previous discussion and see both what I actually accused you of saying, and also that you said what I accused you of saying.
> You cannot compete on an intellectual level so you make baseless accusations about my professional capabilities instead.
I did call your course of action a mistake, but that's not an attack on your professional capabilities. Everyone makes mistakes. I'm sure you're reasonably skilled at your job.
I think you'd enjoy this conversation a lot more if you didn't take my disagreement with your strategy as a personal attack. But if that's what you want to do I can't stop you.
Cleanly shutting down the server can trigger rootkits that might wipe evidence: talk to a professional. Pulling the plug can still remove the ability to observe the behavior of the attacker: talk to a professional. Touching the disks can expose you to the risk of being accused of tampering evidence: talk to a professional.
In reality, I think random answers on HN (or any answer/advice anywhere) shouldn't be trusted, but rather taken with a grain of salt and think about whether the answer really helps you.
>Touching the disks can expose you to the risk of being accused of tampering evidence
I don't understand this. What do you say touching the disks is? Like physical touch, or logging in and looking at the logs? I don't think both of those can be attributed to tampering of evidence, like criminal tampering since you use the word 'accused'
On a lighter note, do you always end your sentences with 'talk to a professional'?
Is this sarcasm?
If not, hypothetical situation for you:
OP works at a company that processes card information of customers. A hacker demonstrated gaining unauthorized access to production servers. Hacker pulls a db dump as well as any keys used in encryption of data (some bad practices here, but this is common). Hacker does not tell OP of his additional actions, only demonstrates unauthorized SSH entry.
OP does the logically correct thing of wiping his db servers, and "cleaning" the machine, because, well, mitigation of future damage.
Hacker pissed he/she was not given reward for demonstrating his proof of vulnerability, uses this production data for ill will. A third party audit (which will happen) finds that OP has done a full wipe of the server - logs for who pulled vulnerable information is now unknown.
With no finger to point (the hacker contacted him "anonymously", remember) OP is then implicated.
Yep. I was going for pointing out the fact that he obviously logged in so he 'touched' it and the OP is not so stupid as to wipe the whole drive when 90%~ of the comments of this post say no to. And I really doubt the 'logical' decision of anyone who manages to post to HN for advice will be to wipe the drive without getting a snapshot. And since it is a prod server, the same server has to be used unless they use AWS or some other cloud service.
I believe the point the parent was getting at is that there could be other unintended consequences to taking relatively good advice.
Honestly, I'd even argue there is some better advice on server fault/HN than some professionals - but the difference is getting the professional has a paper trail that you can't say "well, some DBA on server fault told me!"
10 days old and a throwaway. No irony here: I'm recommending the reader not to trust random HN comments including my own.
There is a reason why foresics data capture devices are so expensive and certified never to touch a bit.
> I don't think both of those can be attributed to tampering of evidence, like criminal tampering since you use the word 'accused'
There has been various cases of people accused of destruction of evidence for wiping (allegedly) compromised hosts.
I took action and updated firewall settings (which were too loose), ensured that offsite backups are in place if worse comes to worst, rotated all api keys etc, meanwhile trying to contact the anonymous person. Will rebuild the servers asap as well, super glad that we have properly maintained ansible scripts.
Also will try my best to convince the CEO to allocate some money for professional audit/consultancy since we are no experts in security and to reduce the chances of future incidents.
Trying to do our best and avoid things like SQL injection, XSS, etc but no one is secure after all.
Any idea how much can such a service cost, assuming web application with a very common stack (such as Ruby on Rails + PostgreSQL)? Is it something like $5k, $10k, or $20k+? Or it really depends? Sorry if it's a very amateur question, I have no experience in dealing with such companies so have no clue how much can it cost.
Security is not cheap.
Disclaimer: worked for such company.
Hire an incident response firm. They can usually react next day if you can sign a contract today.
If you need security professional I can help you. Is the box on AWS, if so that would be a perfect use case for us? You won't have to worry to much about costs since we're starting up we're willing to work with your budget if you provide a testimonial for our website.
Send me an email: contact@cloudhawk.io and we'll get started quickly.
I hate to be this guy, but you don't want to offer IR/forensic services if you don't have experience doing exactly that.
Your client can sue you if you get it wrong. (http://arstechnica.com/security/2016/01/security-firm-sued-f...)
You need to bring an expert and/or firm on-site.
[0] https://cisofy.com/lynis/