Security Incidents mailing list archives
RE: Simple Windows incident response methodology
From: "Mike Lyman" <mlyman-security () comcast net>
Date: Sat, 12 Jun 2004 15:01:20 -0500
I would also like to propose another step which may address the issue we're currently discussing: Identification. I would place this between Detection and Containment. It's really at this point that the person(s) handling the incident must decide whether the desired outcome will require preservation of evidence or rebuilding the system. The answer to that question has profound impact upon the methodology used and by extension the costs involved. This step is implicit in the process, however, I have seen it given inadequate attention frequently enough that I'm starting to think it should be explicitly stated. Given that much of the proposed methodology is directed toward this exact goal, I don't think it's much of a stretch.
The decision to end an incident as quickly as possible or to take legal action was often explicitly spelled out in our incident response plans in my previous job, as was reevaluating that decision all along the way. Included was the recognition that it was easy to go from preparing to take legal action to fighting the fire, but extremely difficult to go from fighting the fire to preparing to take legal action. Management will rarely understand there is a difference in the methodologies if it is not spelled out. They probably still won't, but it's better to document it.

Mike Lyman, CISSP
mlyman () west-point org
pgp keyid 0xAB7F35DA