Educause Security Discussion mailing list archives

Re: Incident Response / Forensic Decision Tree


From: Alan Stockdale <astockdale () EDC ORG>
Date: Mon, 6 May 2013 13:31:35 -0400

Bryan,

Have you taken a look at:
Computer Security Incident Handling Guide (NIST Special Publication 800-61, Rev. 2). August 2012.
Guide to Malware Incident Prevention and Handling for Desktops and Laptops (NIST Special Publication 800-83 Rev. 1. Draft.) July 2012.
http://csrc.nist.gov/publications/PubsSPs.html

Alan.






On 5/6/2013 1:07 PM, Bryan Zimmer wrote:
Hi All,
Does anyone have an Incident Response decision tree or process flow they can share? I'd like to see the whole flow from "We think we have a compromised box" to "Lessons Learned meeting." I'm especially interested in how you decide whether or not to do full forensics and/or malware analysis on compromised systems that access or store sensitive data. Right now we do a basic check of malware's capabilities by Googling for the name, and also upload the file to Anubis. However, making the judgement call of "are we reasonably sure sensitive data was not accessed" can be difficult based on this info alone. That's when we in theory would send the system to a 3rd party for analysis, but if we don't carefully quantify that decision we could be spending a lot of money that isn't necessary.

Any guidance would be greatly appreciated.
Thanks,
-Bryan

----
Bryan Zimmer
Senior Security Analyst
UCSC Security Team



--
Alan Stockdale, Ph.D.
Information Security Coordinator
Education Development Center
43 Foundry Avenue, Waltham, MA 02453-8313
Work: 617 618 2731
Fax: 617 969 3401
E-mail: astockdale () edc org<mailto:astockdale () edc org>
Web: http://www.edc.org/

