Security Incidents mailing list archives
Re: Simple Windows incident response methodology
From: Steve Barnet <barnet () chem wisc edu>
Date: Fri, 11 Jun 2004 09:03:22 -0500
Harlan Carvey wrote:
2) YES, this is not an assessment methodology thatwill be easy to defend in court.I doesn't look as if it were intended to be. Not every investigation is litigious...in fact, from the folks I've spoken to, more and more investigations are become non-litigious, even in the face of laws such asSB 1386.
Perhaps it would be helpful to consider the six steps of incident response as a framework: 1) Preparation 2) Detection 3) Containment 4) Eradication 5) Recovery 6) Follow-up Certain processes and tools will be appropriate at each stage. Some of the proposed Windows methodology is loosely following this format as it is. Working with it explicitly may help in working through some of the issues (so long as we don't get bogged down in semantics). I would also like to propose another step which may address the issue we're currently discussing: Identification. I would place this between Detection and Containment. It's really at this point that the person(s) handling the incident must decide whether the desired outcome will require preservation of evidence or rebuilding the system. The answer to that question has profound impact upon the methodology used and by extension the costs involved. This step is implicit in the process, however, I have seen it given inadequate attention frequently enough that I'm starting to think it should be explicitly stated. Given that much of the proposed methodology is directed toward this exact goal, I don't think it's much of a stretch. Best, ---Steve
Current thread:
- Simple Windows incident response methodology Lachniet, Mark (Jun 08)
- RE: Simple Windows incident response methodology Security Guy (Jun 09)
- RE: [ok] Simple Windows incident response methodology Curt Purdy (Jun 09)
- Spammers bypassing Cisco ACL's?? Chris Harrington (Jun 10)
- Re: Spammers bypassing Cisco ACL's?? Mark Coleman (Jun 10)
- RE: [ok] Simple Windows incident response methodology Harlan Carvey (Jun 14)
- Spammers bypassing Cisco ACL's?? Chris Harrington (Jun 10)
- <Possible follow-ups>
- Re: Simple Windows incident response methodology H Carvey (Jun 08)
- RE: Simple Windows incident response methodology Lachniet, Mark (Jun 09)
- RE: Simple Windows incident response methodology Harlan Carvey (Jun 10)
- Re: Simple Windows incident response methodology Steve Barnet (Jun 11)
- Re: Simple Windows incident response methodology Harlan Carvey (Jun 11)
- RE: Simple Windows incident response methodology Mike Lyman (Jun 14)
- RE: Simple Windows incident response methodology Harlan Carvey (Jun 10)
- RE: Simple Windows incident response methodology Lachniet, Mark (Jun 14)
- RE: Simple Windows incident response methodology Brad Webb (Jun 20)