SOLVED

Risk of cookies, trackers; Should clearing cache be part of IR.

Occasional Contributor

DShield's Aug 5th, '21 article mentions cookies on a phishing page. It made me wonder whether they should be considered for incident response. For example, defender alerts that a user clicked a link. Proxy logs show they visited, and there was no other traffic, referrals, posts, etc. The user didn't download the phishing document. Generally, analysis concludes the risk has ended and there is no further action to take. Yet, would a malicious site leverage cookies, trackers, and similar objects? Should incident response include clearing cookies and cache?

1 Reply
best response confirmed by JimLeary (Occasional Contributor)
Solution
Cookies have limited functionality; they won't be able to inject code or harm your system. They will be able to track your activity on the website and, in case there is a third-party cookie, they could keep track on other websites as well.
You don't have to be concerned about deleting and removing cookies.
The best strategy would be managing cookies.
You could do it easily in Microsoft Edge using Group Policy. Take a look at:
https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies
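
One way to check that cookie management is actually being enforced on an endpoint, as an added example that is not part of the original thread: the PowerShell below reads the Edge policy registry key that Group Policy writes to and compares three cookie-related policies against a baseline. The policy names come from the Edge policy reference linked above; the baseline values and the function names are assumptions chosen for illustration.

```powershell
# Added example: audit the Microsoft Edge cookie policies delivered by Group Policy.
# The baseline values are an assumed example, not a recommendation from the thread.
$EdgePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

$Baseline = [ordered]@{
    BlockThirdPartyCookies  = 1   # 1 = block third-party cookies
    DefaultCookiesSetting   = 4   # 1 = allow, 2 = block, 4 = keep for the session only
    ClearBrowsingDataOnExit = 1   # 1 = clear browsing data when Edge closes
}

function Get-EdgeCookiePolicyReport {
    param(
        [string]$Key = $EdgePolicyKey,
        [System.Collections.IDictionary]$Expected = $Baseline
    )
    # A missing key means no Edge policy is applied to this machine at all.
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    foreach ($name in $Expected.Keys) {
        $actual = $null
        if ($props -and ($props.PSObject.Properties.Name -contains $name)) {
            $actual = $props.$name
        }
        [pscustomobject]@{
            Policy    = $name
            Expected  = $Expected[$name]
            Actual    = if ($null -eq $actual) { '(not configured)' } else { $actual }
            Compliant = ($null -ne $actual) -and ($actual -eq $Expected[$name])
        }
    }
}

function Get-EdgeCookieUrlList {
    # List policies are stored as a subkey with values named 1, 2, 3, ...
    param([string]$PolicyName = 'CookiesBlockedForUrls')
    $item = Get-Item -Path (Join-Path $EdgePolicyKey $PolicyName) -ErrorAction SilentlyContinue
    if ($item) {
        $item.GetValueNames() | ForEach-Object { $item.GetValue($_) }
    }
}

Get-EdgeCookiePolicyReport | Format-Table -AutoSize
Get-EdgeCookieUrlList
```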