Full Disclosure mailing list archives
Re: Things that make you go "Hmmm"
From: Matt <smp.repicky () gmail com>
Date: Fri, 4 Mar 2005 10:08:41 -0500
Actually the point of policy is not to determine HOW the person who is investigating the response will do their job, but how the machine that is held suspect will be treated. Some sample policy guidelines will include whether the machine is to remain on until a forensics expert can look at the machine and make an active backup of it while it is running... Or if it is to remain on, but not connected to the internet, that way no damage can be done to other machines through the suspect machine... Or if the machine is to be immediately turned off.

Forensics investigation is not something that can be controlled by policy. It can be very different on each machine you study. There should only be a 3-part policy restricting IR professionals.

1. Document everything. From the time you get the call that something is wrong, to when you arrive at the machine (including the presence of physical security around the machine), until you have completed your investigation and are ready to give your report.

2. Do not let other people influence your work... Because someone always has an agenda, whether it's to find A problem or put the blame on A person, don't let that direct the way you go about your investigation. You might find out they're trying to pin it on someone who was someplace they weren't supposed to be, but really the machine was hacked by someone else long before that, which allowed that person to get to where they shouldn't have been. And if you let them influence your work you might not have found the original breach.

3. Make backups of EVERYTHING before you even start. If you can avoid changing something, don't make the change. Think of it in the way your parents taught you how to behave... "Look, don't touch."

--

On Thu, 3 Mar 2005 23:15:15 +0000 GMT, Jason Coombs <jasonc () science org> wrote:
Matt wrote:
> In a good company Incident Response isn't dictated by any of what you said above. It's dictated by policy.

Good point. Even in a good company, though, incident response often occurs outside of policy. An incident response professional who works for clients during emergencies is presented with variables and circumstances with which to contend, not a policy playbook to follow. I agree that it would be nice if we could schedule and plan all of our emergencies according to policy. :-)

Cheers,

Jason Coombs
jasonc () science org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html