Full Disclosure mailing list archives

Re: Things that make you go "Hmmm"

From: Matt <smp.repicky () gmail com>
Date: Fri, 4 Mar 2005 10:08:41 -0500

Actually the point of policy is not to determine HOW the person who is
investigating the response will do their job, but how the machine that
is held suspect will be treated.

Some sample policy guidelines will include whether the machine is to
remain on until a forensics expert can look at the machine and make an
active backup of it while it is running...  Or if it is to remain on,
but not connected to the internet thatway no damage can be done to
other machines through the suspect machine...  Or if the machine is to
be immediately turned off.

Forensics investigation is not something that can be controlled by
policy.  It can be very different on each machine you study.  There
should only be a 3 part policy restricting IR professionals.

1.  Document everything.  From the time you get the call that
something is wrong, to when you arrive at the machine (including the
presence of physical security around the machine), until you are
completed with your investigation and are ready to give your report.

2.  Do not let other people influence your work...  Because someone
always has an agenda, whether it's to find A problem or put the blame
on A person, don't let that direct the way you go about your
investigation.  You might find out they're trying to pin it on someone
who was someplace they weren't supposed to be, but really the machine
was hacked by someone else long before that which allowed that person
to get to where they shouldn't have been.  And if you let them
influence your work you might not have found the original breach.

3.  Make backups of EVERYTHING before you even start.  If you can
avoid changing something, don't make the change.  Think of it in the
way your parents taught you how to behave... "Look, don't touch."


--

On Thu, 3 Mar 2005 23:15:15 +0000 GMT, Jason Coombs <jasonc () science org> wrote:

Matt wrote:

In a good company Incidence
Response isn't dictated by any of
what you said above.  It's dictated
by policy.


Good point. Even in a good company, though, incident response often occurs outside of policy.

An incident response professional who works for clients during emergencies is presented with variables and 
circumstances with which to contend, not a policy playbook to follow.

I agree that it would be nice if we could schedule and plan all of our emergencies according to policy. :-)

Cheers,

Jason Coombs
jasonc () science org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Re: Things that make you go "Hmmm", (continued)
- - - Re: Things that make you go "Hmmm" Matt (Mar 02)
    - RE: Things that make you go "Hmmm" Aditya Deshmukh (Mar 02)
    - Re: Things that make you go "Hmmm" James Tucker (Mar 03)
    - Retrieve Internet Explorer protected storage ? Frederic Charpentier (Mar 03)
    - Re: Retrieve Internet Explorer protected storage ? Egoist (Mar 03)
    - RE: Re[2]: Things that make you go "Hmmm" Aditya Deshmukh (Mar 02)
- Re: Things that make you go "Hmmm" Jason Coombs (Mar 03)
  - Re: Things that make you go "Hmmm" Matt (Mar 03)
- Re: Things that make you go "Hmmm" Jason Coombs (Mar 03)
  - Re: Things that make you go "Hmmm" Michael Simpson (Mar 04)
  - Re: Things that make you go "Hmmm" Matt (Mar 04)