Educause Security Discussion mailing list archives

Re: Incident Response / Forensic Decision Tree


From: Dan Sarazen <dsarazen () BRANDEIS EDU>
Date: Mon, 6 May 2013 13:26:02 -0400

Hi Bryan,

UMass Amherst has spent a great deal of time on their planning and it can
be found here:

http://www.oit.umass.edu/category/keywords/incident-response-procedures

Good Luck,

Dan Sarazen

Senior IT Auditor

The Boston Consortium for Higher Education

Cell:     781-296-4444

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bryan Zimmer
Sent: Monday, May 06, 2013 1:08 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Incident Response / Forensic Decision Tree

Hi All,

Does anyone have an Incident Response decision tree or process flow they
can share? I'd like to see the whole flow from "We think we have a
compromised box" to "Lessons Learned meeting." I'm especially interested in
how you decide whether or not to do full forensics and/or malware analysis
on compromised systems that access or store sensitive data. Right now we do
a basic check of malware's capabilities by Googling for the name, and also
upload the file to Anubis. However making the judgement call of "are we
reasonably sure sensitive data was not accessed" can be difficult based on
this info alone. That's when, in theory, we would send the system to a 3rd
party for analysis, but if we don't carefully quantify that decision we
could be spending a lot of money that isn't necessary.

Any guidance would be greatly appreciated.

Thanks,

-Bryan

----
Bryan Zimmer
Senior Security Analyst
UCSC Security Team