Security Incidents mailing list archives
Re: Simple Windows incident response methodology
From: Harlan Carvey <keydet89 () yahoo com>
Date: Fri, 11 Jun 2004 07:44:56 -0700 (PDT)
> Perhaps it would be helpful to consider the six steps of incident response as a framework: 1) Preparation 2) Detection 3) Containment 4) Eradication 5) Recovery 6) Follow-up

Rather than covering all that, I have been focusing more on the Detection and Identification (as you pointed out) phases. The reason is that these phases seem to require the most attention...from experience and from what I've seen on this list, the Identification phase seems to consist predominantly of speculation, and the poster then jumps directly to Containment and Eradication.

> Some of the proposed Windows methodology is loosely following this format as it is. Working with it explicitly may help in working through some of the issues (so long as we don't get bogged down in semantics).

Agreed.

> I would also like to propose another step which may address the issue we're currently discussing: Identification. I would place this between Detection and Containment.

Agreed, as well.

> It's really at this point that the person(s) handling the incident must decide whether the desired outcome will require preservation of evidence or rebuilding the system. The answer to that question has profound impact upon the methodology used and by extension the costs involved.

True. But that really depends on policy. In the absence of policy, it would be up to the investigator or their manager to make a decision based on the information, "best practices", and the political landscape of their organization.

> This step is implicit in the process, however, I have seen it given inadequate attention frequently enough that I'm starting to think it should be explicitly stated.

;-)