Security Incidents mailing list archives
RE: Incident investigation methodologies
From: Harlan Carvey <keydet89 () yahoo com>
Date: Mon, 7 Jun 2004 05:32:08 -0700 (PDT)
Kevin,
The keys to good incident response and effective forensics investigations are your process and your approach. Technology comes second.
Agreed. That's what I'm trying to get across. Perhaps I took it somewhat for granted that this was already understood. My thoughts on this, reading the lists and working with folks (sysadmins, etc) is that the technology is there, but it's the process/methodology that is lacking.
I cannot think of anything that would be of greater value to an incident handler or a computer crime investigator (especially one new to the field) than a basic approach that has been tested and tried.
If the technology is understood, and the process is then implemented in a live, incident response tool, both the first responder and the investigator would benefit greatly. What I see lacking in many cases is two-fold: either the process (and tools used to implement the process) are lacking, or the information isn't communicated effectively. Take the post that started this thread for example...the original poster (OP) had stated that they hadn't seen anything suspicious in the output of netstat.exe. One respondant stated that "a hacker could..." do something malicious to cause the output of netstat to be untrustworthy. Well, there are several things to consider: 1. The OP could have stated that the output of netstat.exe corresponded directly with the results of an nmap scan of the box. 2. The OP could have stated that prior to running netstat.exe, he'd verified the hash for the tool (something passed via personal email and not communicated with the list). 3. The OP could have used several disparate tools, all copied to a CD, to ensure the integrity of the tools, as well as providing corroborating evidence that the information seen in netstat.exe was indeed accurate. 4. When dealing with Win2K/XP/2K3, one has to take WFP into account. Yes, I know that many of the readers of this post are going to send me links to information showing how easy it is to disable WFP, but consider this for a moment...what if the first responder or investigator is able to demonstrate that there is no evidence that WFP has been disabled? Wouldn't something like this then be added to a methodology/process for examining Windows systems? What if the data collection portion of this were automated to a degree that it can be done by anyone?
Having a group of skilled and experienced professionals who work together to build and maintain them would ensure that they are both useful and accurate. This, I believe, is one half of what Harlan is trying to create. I, for one, applaud this effort.
Thanks. You hit the nail on the head.
The second half of what I believe Harlan is trying to do is to take discussion from the realm of theory into the realm of practical experience.
Very much so.
We all know what rootkits should be able to do. We all know that there are thousands of exploits in the wild. It would seem to me that instead of saying that a rootkit could do something, it would be more beneficial to the community at large to: - State the capabilities of specific rootkits - Describe some of the indications that a rootkit may be present on a system - Describe how the rootkit presence could be verified - Identify how the rootkit can be removed - Identify the steps that may be taken to discover how the rootkit ended up on the system in the first place This information should be collected using real, controlled test scenarios or real-world experience rather that a bunch of theory that anyone who can read can get from the local book store. Again, I think that this effort would be extremely valuable.
As do I. And I also think that it would greatly benefit the community, by moving us beyond the stagnation faced by phrases like "...but a hacker could...". Some small degree of paranoia...perhaps "caution" is a better term...is necessary in the security profession, as no one person can know everything there is to know. However, many of us working together can know quite a lot...
Current thread:
- Re: Incident investigation methodologies FRCMSEC (Jun 04)
- Re: Incident investigation methodologies Harlan Carvey (Jun 04)
- <Possible follow-ups>
- Re: Incident investigation methodologies Maarten Van Horenbeeck (Jun 04)
- RE: Incident investigation methodologies Fiscus, Kevin (Jun 04)
- RE: Incident investigation methodologies Harlan Carvey (Jun 07)
- Re: Incident investigation methodologies Barry Fitzgerald (Jun 09)
- RE: Incident investigation methodologies Tim Hollebeek (Jun 10)
- Re: Incident investigation methodologies Harlan Carvey (Jun 14)
- RE: Incident investigation methodologies Harlan Carvey (Jun 07)
- RE: Incident investigation methodologies Gaydosh, Adam (Jun 04)
- RE: Incident investigation methodologies Steven Trewick (Jun 07)
- RE: Incident investigation methodologies Harlan Carvey (Jun 07)
- RE: Incident investigation methodologies Dave Paris (Jun 07)
- RE: Incident investigation methodologies Harlan Carvey (Jun 07)
- RE: Incident investigation methodologies Fiscus, Kevin (Jun 07)
- RE: Incident investigation methodologies pfft (Jun 13)