Educause Security Discussion mailing list archives
Incident Response / Forensic Decision Tree
From: Bryan Zimmer <bzimmer () UCSC EDU>
Date: Mon, 6 May 2013 10:07:51 -0700
Hi All, Does anyone have an Incident Response decision tree or process flow they can share? I'd like to see the whole flow from "We think we have a compromised box" to "Lessons Learned meeting." I'm especially interested in how you decide whether or not to do full forensics and/or malware analysis on compromised systems that access or store sensitive data. Right now we do a basic check of malware's capabilities by Googling for the name, and also upload the file to Anubis. However making the judgement call of "are we reasonably sure sensitive data was not accessed" can be difficult based on this info alone. That's when we in theory would send the system to a 3rd party for analysis, but if we don't carefully quantify that decision we could be spending a lot of money that isn't necessary. Any guidance would be greatly appreciated. Thanks, -Bryan ---- Bryan Zimmer Senior Security Analyst UCSC Security Team
Current thread:
- Incident Response / Forensic Decision Tree Bryan Zimmer (May 06)
- Re: Incident Response / Forensic Decision Tree Dan Sarazen (May 06)
- Re: Incident Response / Forensic Decision Tree randy (May 06)
- Re: Incident Response / Forensic Decision Tree Charlie Derr (May 06)
- Re: Incident Response / Forensic Decision Tree randy (May 06)
- Re: Incident Response / Forensic Decision Tree Alan Stockdale (May 06)
- Re: Incident Response / Forensic Decision Tree Valerie Vogel (May 06)
- Re: Incident Response / Forensic Decision Tree Brian J Smith-Sweeney (May 08)
- Re: Incident Response / Forensic Decision Tree Dan Sarazen (May 06)