Educause Security Discussion mailing list archives

Re: Incident Response / Forensic Decision Tree


From: Charlie Derr <cderr () SIMONS-ROCK EDU>
Date: Mon, 6 May 2013 13:46:25 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/06/2013 01:41 PM, randy wrote:
Dan, that link points me to an Outlook signin page. -r.

The text works (if you manually paste it into the browser instead of clicking on the link).

Another argument for plain-text (non-HTML) emails.

   ~c



On Mon, May 6, 2013 at 1:26 PM, Dan Sarazen <dsarazen () brandeis edu> wrote:

Hi Bryan,

UMass Amherst has spent a great deal of time on their planning and it can be found here:

http://www.oit.umass.edu/category/keywords/incident-response-procedures 
<https://bl2prd0511.outlook.com/owa/redir.aspx?C=eqgxdWdlRUCBfbp9mn7jCN3Q0W_qHdAIqeKbV-wf7gOguQ06IbsBtsaVT4FRTTn3N-FrKSrrWbM.&URL=http%3a%2f%2fwww.oit.umass.edu%2fcategory%2fkeywords%2fincident-response-procedures>

 Good Luck,

Dan Sarazen

Senior IT Auditor

The Boston Consortium for Higher Education

Cell:     781-296-4444







From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bryan Zimmer
Sent: Monday, May 06, 2013 1:08 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Incident Response / Forensic Decision Tree



Hi All,

Does anyone have an Incident Response decision tree or process flow they can share? I'd like to see the whole flow 
from "We think we have a compromised box" to "Lessons Learned meeting." I'm especially interested in how you
decide whether or not to do full forensics and/or malware analysis on compromised systems that access or store
sensitive data. Right now we do a basic check of malware's capabilities by Googling for the name, and also upload
the file to Anubis. However, making the judgement call of "are we reasonably sure sensitive data was not accessed"
can be difficult based on this info alone. That's when we in theory would send the system to a 3rd party for
analysis, but if we don't carefully quantify that decision we could be spending a lot of money that isn't
necessary.



Any guidance would be greatly appreciated.

Thanks,

-Bryan



----
Bryan Zimmer
Senior Security Analyst
UCSC Security Team



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
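As an added illustration (not part of the thread, and not any institution's published procedure), the following Python encodes the judgement call Bryan describes as an explicit decision tree: given what is known about the host and the malware, it returns one of three outcomes (contain and reimage, in-house analysis, or full/third-party forensics) together with the rationale for each branch, so the decision is documented rather than made ad hoc. The field names, the capability labels, the three outcomes and the sample incidents are all constructed for this example.

```python
"""Triage decision tree for a suspected host compromise (added example).

Answers "do we need full forensics?" from a small set of facts an analyst
can usually establish in the first hour, and records why each branch fired.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    REIMAGE_AND_CLOSE = "contain, reimage, document; no deeper analysis"
    INHOUSE_ANALYSIS = "in-house malware analysis and log review before closing"
    FULL_FORENSICS = "preserve disk/memory image, engage full (third-party) forensics"


@dataclass
class IncidentFacts:
    host: str
    handles_sensitive_data: bool       # host stores or can reach sensitive/regulated data
    sandbox_capabilities: set[str]     # behaviours reported by a sandbox run (constructed labels)
    family_known: bool                 # public research identifies the family and its behaviour
    outbound_to_c2_observed: bool      # network logs show contact with the malware's infrastructure
    evidence_complete: bool            # host + network logs cover the whole suspected dwell period


@dataclass
class Decision:
    action: Action
    rationale: list[str] = field(default_factory=list)


# Capabilities that could move sensitive data off the host (assumed label set).
DATA_ACCESS_CAPABILITIES = {"exfil", "keylogger", "credential-theft", "remote-shell", "screenshot"}


def triage(f: IncidentFacts) -> Decision:
    d = Decision(Action.REIMAGE_AND_CLOSE)

    # Branch 1: nothing sensitive in reach, so the exposure is bounded by the host itself.
    if not f.handles_sensitive_data:
        d.rationale.append("host has no access to sensitive data; exposure limited to the host")
        return d
    d.rationale.append("host accesses or stores sensitive data; must decide whether data was accessed")

    # Branch 2: nothing known about the malware at all, so exposure cannot be bounded.
    if not f.family_known and not f.sandbox_capabilities:
        d.rationale.append("malware family unknown and no sandbox data; exposure cannot be bounded")
        d.action = Action.FULL_FORENSICS
        return d

    # Branch 3: gaps in the evidence mean "no access observed" is not a defensible conclusion.
    if not f.evidence_complete:
        d.rationale.append("log coverage has gaps over the dwell period; absence of evidence is not evidence")
        d.action = Action.FULL_FORENSICS
        return d

    data_access = f.sandbox_capabilities & DATA_ACCESS_CAPABILITIES
    if not data_access:
        d.rationale.append("malware shows no data-access capability; complete logs show no exfil path")
        return d

    # Branch 4: capability plus confirmed outbound contact: assume access until forensics says otherwise.
    if f.outbound_to_c2_observed:
        d.rationale.append(f"capabilities {sorted(data_access)} plus observed C2 contact; treat data as accessed")
        d.action = Action.FULL_FORENSICS
        return d

    # Branch 5: capability present but no C2 contact in complete logs; confirm in-house before closing.
    d.rationale.append(f"capabilities {sorted(data_access)} but no C2 contact in complete logs; verify in-house")
    d.action = Action.INHOUSE_ANALYSIS
    return d


# Constructed sample incidents exercising each branch.
SAMPLES = [
    IncidentFacts("lab-kiosk-01", False, {"adware"}, True, False, True),
    IncidentFacts("hr-laptop-07", True, {"keylogger", "exfil"}, True, True, True),
    IncidentFacts("reg-db-02", True, set(), False, False, True),
    IncidentFacts("fin-ws-11", True, {"downloader"}, True, False, True),
    IncidentFacts("adm-ws-03", True, {"credential-theft"}, True, False, True),
]

if __name__ == "__main__":
    for facts in SAMPLES:
        decision = triage(facts)
        print(f"{facts.host}: {decision.action.name}")
        for line in decision.rationale:
            print(f"    - {line}")
```

The rationale list is the part worth keeping in the ticket: it is what lets the team later show why a system did or did not go to a third party, and it makes the thresholds (which capability labels count, what "complete evidence" means) visible so they can be tuned rather than argued case by case.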

