Re: Simple Windows incident response methodology

[Harlan Carvey <keydet89 () yahoo com>]

> Perhaps it would be helpful to consider the six
> steps of incident response as a framework:
>
> 1) Preparation
> 2) Detection
> 3) Containment
> 4) Eradication
> 5) Recovery
> 6) Follow-up

Rather than covering all that, I have been focusing
more on the Detection and Identification (as you
pointed out) phases.  The reason being is that these
phases seem to require the most attention...from
experience and from what I've seen on this list, the
Identification phase seems to consist predominantly of
speculation, and the poster then jumps directly to
Containment and Eradication.
 
> Some of the proposed Windows methodology is loosely
> following this format as it is. Working with it
> explicitly may
> help in working through some of the issues (so long
> as we don't get bogged down in semantics).

Agreed.
 
> I would also like to propose another step which may
> address the
> issue we're currently discussing: Identification. I
> would place
> this between Detection and Containment.

Agreed, as well.

> It's really at this point that the person(s)
> handling the incident
> must decide whether the desired outcome will require
> preservation
> of evidence or rebuilding the system. The answer to
> that question
> has profound impact upon the methodology used and by
> extension the costs involved.

True.  But that really depends on policy.  In the
absence of policy, it would be up to the investigator
or their manager to make a decision based on the
information, "best practices", and the political
landscape of their organization.

> This step is implicit in the process, however, I
> have seen it
> given inadequate attention frequently enough that
> I'm starting to
> think it should be explicitly stated. 

;-)