Educause Security Discussion mailing list archives
Re: Incident Response / Forensic Decision Tree
From: Charlie Derr <cderr () SIMONS-ROCK EDU>
Date: Mon, 6 May 2013 13:46:25 -0400
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 05/06/2013 01:41 PM, randy wrote:
Dan, that link points me to an Outlook signin page. -r.
The text works (if you manually paste it into the browser instead of clicking on the link). Another argument for plain-text (non-HTML) emails. ~c
On Mon, May 6, 2013 at 1:26 PM, Dan Sarazen <dsarazen () brandeis edu <mailto:dsarazen () brandeis edu>> wrote: Hi Bryan, UMass Amherst has spent a great deal of time on their planning and it can be found here: http://www.oit.umass.edu/category/keywords/incident-response-procedures <https://bl2prd0511.outlook.com/owa/redir.aspx?C=eqgxdWdlRUCBfbp9mn7jCN3Q0W_qHdAIqeKbV-wf7gOguQ06IbsBtsaVT4FRTTn3N-FrKSrrWbM.&URL=http%3a%2f%2fwww.oit.umass.edu%2fcategory%2fkeywords%2fincident-response-procedures> Good Luck, Dan Sarazen Senior IT Auditor The Boston Consortium for Higher Education Cell: 781-296-4444 <tel:781-296-4444> *From:*The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU>] *On Behalf Of *Bryan Zimmer *Sent:* Monday, May 06, 2013 1:08 PM *To:* SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU> *Subject:* Incident Response / Forensic Decision Tree Hi All, Does anyone have an Incident Response decision tree or process flow they can share? I'd like to see the whole flow from "We think we have a compromised box" to "Lessons Learned meeting." I'm especially interested in how you decide whether or not to do full forensics and/or malware analysis on compromised systems that access or store sensitive data. Right now we do a basic check of malware's capabilities by Googling for the name, and also upload the file to Anubis. However making the judgement call of "are we reasonably sure sensitive data was not accessed" can be difficult based on this info alone. That's when we in theory would send the system to a 3rd party for analysis, but if we don't carefully quantify that decision we could be spending a lot of money that isn't necessary. Any guidance would be greatly appreciated. Thanks, -Bryan ---- Bryan Zimmer Senior Security Analyst UCSC Security Team
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJRh+xwAAoJELuLPXMxqTZ/NjkQALmbPaUZI1Y+JEyz4euYDBo3 tmYQf5orfE+3trzbhXCMd/CuFdDJJHUMRv4LkxNu/CwglutukQQcGwfCQoJTTMwz oi8gr8+4DZrRUk473PL7+vQwO/pdQny+N2HD/svOHLW4ig0lUXMbMw0qgi+3QrWp JY6SCoBIGcGlZNwKwl6PpLp6+jDfNr20foo1n20O2Gi2W0yj2anQYgtKQEVM0Gr8 n4VOcpgHm0llN7E3pdv3xzwKfIqqvm1MDQyPSQrUIlYeqntc+woWF/mMdwVq7UFB a8AUA966RW4HOESHmcWBV+1R5PboKt56LTUNHv66T7d9GNJjNWly4YIcoiOIOhqF QqZG8PrygAPQJZt5Yd1csZCXllqi6/m9ifrKgwDvunCHYM2BX/xVQu77ICwFbnOR kRfReDx9WZVVkWLP5U2GSvcfXFrKWAeqoF2GE/3e1HDlAa5x4Evf9l0kIntXt1jp A0qgubAhL+sCDB+D6L4P7OAElpnAuqAySFvyXGN8TVstapw5XncYCK9b8HK/NI2c PIVx7S/Wn/ASGQWsr/yTnc7WiShTmVcaFR9a3rlhNoXHC6fzbkEKuH95auR1cY4/ MrsL2CtIIvrotJuYVOv19zQxi9wFB0Bnk/AGH9uKz4z5T4jNHucsskTMKkV3I/al imh1Rmh7kfPiYwrCaf3a =YgRT -----END PGP SIGNATURE-----
Current thread:
- Incident Response / Forensic Decision Tree Bryan Zimmer (May 06)
- Re: Incident Response / Forensic Decision Tree Dan Sarazen (May 06)
- Re: Incident Response / Forensic Decision Tree randy (May 06)
- Re: Incident Response / Forensic Decision Tree Charlie Derr (May 06)
- Re: Incident Response / Forensic Decision Tree randy (May 06)
- Re: Incident Response / Forensic Decision Tree Alan Stockdale (May 06)
- Re: Incident Response / Forensic Decision Tree Valerie Vogel (May 06)
- Re: Incident Response / Forensic Decision Tree Brian J Smith-Sweeney (May 08)
- Re: Incident Response / Forensic Decision Tree Dan Sarazen (May 06)