Security Basics mailing list archives

RE: Incident Response


From: "Murda Mcloud" <murdamcloud () bigpond com>
Date: Fri, 8 Jun 2007 09:54:42 +1000

I'd suggest using a basic framework to structure your investigation.
On a basic level, it might go something like this:

1. Confirm that you have an incident
2. Gather data and decide whether to contain the 'attack'
3. Recovery and analysis
4. Review/report/lessons learned etc., and recommendations

And all the way through thoroughly document what is happening/has happened.

Some people would suggest that incident handling includes a prep phase, i.e. be
prepared for attacks/incidents: servers go down, so have backups or failovers
in place. As you're doing an exercise, this prep will more likely be part of
your recommendations.
The Honeynet project images are a great tool to learn with.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of esecuritydude () gmail com
Sent: Friday, June 08, 2007 12:21 AM
To: security-basics () securityfocus com
Subject: Incident Response

Hi List,

I'm currently doing a uni assignment where I have to investigate an
intrusion into a *nix file server and describe:

a) What I would do for the current incident

b) What I would recommend for the future.

Does anyone have any classic real life examples of this? And where could I
find a good/standard incident response procedure?
Thanks in Advance,

Miguel
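
The "gather data" step of the framework in the reply above, as an added example that is not code from the original post or the list. It is a small POSIX shell live-response collector for a *nix host: each command's output is saved, and a log line records the UTC time, the command, its exit status and the SHA-256 of the saved output, which is the "document what is happening" part done by the tool rather than by hand. Assumptions not in the original: it runs as root on the compromised file server, EVIDENCE_DIR points at separate media (default ./evidence), the command list is a generic starting set, and the log format is this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal live-response
# collector for the "gather data" step. Assumptions: run as root on the
# compromised *nix file server, with EVIDENCE_DIR on separate media.
set -u

EVIDENCE_DIR="${EVIDENCE_DIR:-./evidence}"   # assumed location, override via env
LOG="$EVIDENCE_DIR/collection.log"
TAB=$(printf '\t')

# SHA-256 of a file; sha256sum on GNU systems, shasum on BSD/macOS.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# collect NAME CMD [ARGS...]: run CMD, save stdout+stderr as NAME.txt, and
# append "<UTC time> <name> <exit code> <sha256> <command>" to the log so the
# notes say what was run, when, and what the output hashed to. Prints the hash.
collect() {
    name="$1"; shift
    mkdir -p "$EVIDENCE_DIR"
    out="$EVIDENCE_DIR/$name.txt"
    rc=0
    "$@" > "$out" 2>&1 || rc=$?      # a failing command is still evidence
    h=$(hash_file "$out")
    printf '%s\t%s\t%s\t%s\t%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$name" "$rc" "$h" "$*" >> "$LOG"
    printf '%s\n' "$h"
}

# Most volatile first: time, logins, processes, sockets, open files; then
# mounts and login history. The command set is an assumption for a generic host.
collect_volatile() {
    collect date     date -u
    collect uptime   uptime
    collect who      who -a
    collect ps       ps -ef
    collect netstat  netstat -an     # ss -anp on newer Linux
    collect lsof     lsof -n -P
    collect mounts   mount
    collect last     last
}

# verify_log: re-hash every artifact named in the log; non-zero if any is
# missing or no longer matches, which is the check to run before analysis.
verify_log() {
    status=0
    while IFS="$TAB" read -r ts name rc recorded cmd; do
        f="$EVIDENCE_DIR/$name.txt"
        if [ ! -f "$f" ] || [ "$(hash_file "$f")" != "$recorded" ]; then
            printf 'MISMATCH: %s (recorded %s at %s)\n' "$name" "$recorded" "$ts" >&2
            status=1
        fi
    done < "$LOG"
    return "$status"
}

# Only collect when explicitly asked ("sh collect.sh run"), so sourcing the
# file for its functions has no side effects on the host.
if [ "${1:-}" = "run" ]; then
    collect_volatile
    verify_log && echo "collection complete: $LOG"
fi
```

Two caveats a responder would add to the assignment write-up: every command above is executed with the compromised host's own binaries and libraries, so a rootkit can lie to it (carry statically linked tools on read-only media if you can), and the evidence directory and log should be copied off the box and their hashes recorded in the responder's notes before any containment or recovery step changes the system.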