Security Incidents mailing list archives

RE: Simple Windows incident response methodology


From: "Mike Lyman" <mlyman-security () comcast net>
Date: Sat, 12 Jun 2004 15:01:20 -0500

I would also like to propose another step which may address the
issue we're currently discussing: Identification. I would place
this between Detection and Containment.

It's really at this point that the person(s) handling the incident
must decide whether the desired outcome will require preservation
of evidence or rebuilding the system. The answer to that question
has profound impact upon the methodology used and by extension
the costs involved.

This step is implicit in the process, however, I have seen it
given inadequate attention frequently enough that I'm starting to
think it should be explicitly stated. Given that much of the
proposed methodology is directed toward this exact goal, I
don't think it's much of a stretch.

The decision to end an incident as quickly as possible or to take legal
action was often explicitly spelled out in our incident response plans in my
previous job, as was reevaluating that decision all along the way. Included was
the recognition that it was easy to go from preparing to take legal action to
fighting the fire but extremely difficult to go from fighting the fire to preparing to
take legal action.

Management will rarely understand there is a difference in the methodologies if
it is not spelled out. They probably still won't, but it's better to document it.

Mike Lyman, CISSP
mlyman () west-point org
pgp keyid 0xAB7F35DA
