Security Incidents mailing list archives

RE: Incident investigation methodologies


From: "Fiscus, Kevin" <kfiscus () allianttech com>
Date: Mon, 7 Jun 2004 15:19:50 -0400

Perhaps I have missed something, but I don't have a clue what we are talking about now.  As I see it, investigations and 
forensics are just another part of security and thus must be addressed with regard to risk.  Based on the 
circumstances, one must assess the risk vs. reward of performing certain actions and make a decision.  In some 
circumstances, it makes sense to take a production system off-line, and in other cases, it doesn't.  In some cases, it 
may even make sense to simply monitor the situation and otherwise do nothing.
 
If a web server containing no critical information (and isolated from the corporate network) gets defaced, it may make 
sense to simply restore from backup.  (How do you determine what happened to prevent it from happening again?)
 
If a mission-critical application with thousands of credit cards or legislatively protected data (CA SB 1386, HIPAA, 
GLBA, Sarbanes-Oxley, 21 CFR Part 11) gets compromised, legal action may be warranted, and thus a detailed forensics 
examination would be required.  
 
It is important to remember, when dealing with these metaphors, that unlike a human, a computer can be imaged and 
returned to production.  The dead cannot generally be restored to life.  The key factor here is that the response must 
fit the situation.  Sometimes a doctor will do a simple, cheap, non-invasive procedure.  Sometimes treatment involves 
massively invasive surgery and prolonged, painful therapy.  It depends on the situation.  
 
It seems like people keep wanting a one-size-fits-all solution.  That is just not the case.  Statements such as "In the 
real world, production systems need to go back into production ASAP." and "Time = Money, that's a cold, hard fact, and 
there simply isn't any way around it." imply that no organization can afford to take a production system offline to do 
an investigation.  If the compromise could result in regulatory penalties, significant loss of revenue, or potential 
disclosure of certain types of information, an organization may not be able to afford not to.
 
I agree that frontline support staff generally don't have the time, resources or knowledge to conduct investigations.  
That is why we are here.  These comments, however, illustrate the value of the initial focus of this thread.
 
Kevin B. Fiscus, CISSP
GIAC Certified Forensics Analyst
CCNA, SCSA, RCSE
Senior Information Security Engineer
Alliant Technologies, LLC.
____________________________________
 
Phone: (973) 267-5236 x 4224
Cell: (201) 650-4172
mailto:kfiscus () allianttech com
http://www.allianttech.com
 

________________________________

From: Steven Trewick [mailto:STrewick () joplings co uk]
Sent: Mon 6/7/2004 10:46 AM
To: 'Harlan Carvey'; incidents () securityfocus com
Cc: Ansgar -59cobalt- Wiechers
Subject: RE: Incident investigation methodologies

One more thing to think about...what happens when you
go to the doctor?  When you go to a doctor's office
with a complaint, does he simply give you a lethal
injection then perform an autopsy to determine what
was wrong with you?  Or does he collect volatile
information...interview you, ask you questions, take
your temperature and blood pressure, etc? 


That is simply the single most bogus metaphor I've heard this week.

In the real world, production systems need to go back into production
ASAP.

Frontline support staff simply do not have the time or resource
(or often even the knowledge) to conduct lengthy forensic investigations.

Time = Money, that's a cold, hard fact, and there simply isn't any way
around it.

If my choice as a human being was to perform a procedure on myself
that would cost a minimal amount of resource, and take a minimal
amount of time, or a lengthy and costly series of investigations
that would take forever, be painful, and possibly, ultimately
inconclusive, which would I pick?
The information contained in this e-mail is confidential and may be privileged, it is intended for the addressee only. 
If you have received this e-mail in error please delete it from your system. The statements and opinions expressed in 
this message are those of the author and do not necessarily reflect those of the company. Whilst Joplings Group 
operates an e-mail anti-virus program it does not accept responsibility for any damage whatsoever that is caused by 
viruses being passed.
joplings.co.uk