Security Incidents mailing list archives

Re: Simple Windows incident response methodology


From: Steve Barnet <barnet () chem wisc edu>
Date: Fri, 11 Jun 2004 09:03:22 -0500


Harlan Carvey wrote:

> 2)  YES, this is not an assessment methodology that
> will be easy to defend in court.
>
> It doesn't look as if it were intended to be.  Not
> every investigation is litigious...in fact, from the
> folks I've spoken to, more and more investigations are
> becoming non-litigious, even in the face of laws such as
> SB 1386.

Perhaps it would be helpful to consider the six steps of
incident response as a framework:

1) Preparation
2) Detection
3) Containment
4) Eradication
5) Recovery
6) Follow-up

Certain processes and tools will be appropriate at each stage.
Some of the proposed Windows methodology is loosely
following this format as it is. Working with it explicitly may
help in working through some of the issues (so long as we don't
get bogged down in semantics).

I would also like to propose another step which may address the
issue we're currently discussing: Identification. I would place
this between Detection and Containment.

It's really at this point that the person(s) handling the incident
must decide whether the desired outcome will require preservation
of evidence or rebuilding the system. The answer to that question
has profound impact upon the methodology used and by extension
the costs involved.

This step is implicit in the process, however, I have seen it
given inadequate attention frequently enough that I'm starting to
think it should be explicitly stated. Given that much of the
proposed methodology is directed toward this exact goal, I
don't think it's much of a stretch.

Best,

---Steve
