Wednesday, August 17, 2005

Industry_Insider article

An article I wrote appeared in the MS Industry Insider blog recently. The article is about two misconceptions I see in the IT world when it comes to incident response, specifically on Windows systems: that the best thing to do if you think a Windows system has been compromised or infected is to wipe it and re-install from clean media, and that bootable Linux distributions are the best tools to use for Windows incident response.

My comments on these misconceptions are supported by the recent NIST document SP 800-86: Guide to Computer and Network Data Analysis: Applying Forensic Techniques to Incident Response. I found the link to this paper over on Keith Jones' blog.

So...take a look, I'd appreciate any comments you may have, particularly regarding the article.


Bryan said...

It's a great article Harlan ... about time someone started attacking this wrongheaded 'common' wisdom! I've been doing root-cause analysis during small and large outbreaks for many years, and I think it has been a big value to the organizations I worked for. At first many other admins didn't see the value. "Why are we screwing around on this one machine while the HelpDesk phone banks are lit up?" one asked me ... only to be enlightened a few hours later as I released a script which would close the hole on all our systems, while flagging infected ones.

I do have one nit to pick, though. You say:

"But why aren't more system administrators performing root cause analyses? Is it because they take too long? The solution to that is: properly trained administrators have no trouble drawing on their tools and skills to diagnose a system and determine where the issue lies in a timely manner. Any task for which someone is trained goes much faster and is completed accurately, due to familiarity."

I agree somewhat - training in root-cause analysis /would/ make the task happen more often. But many if not most of the sysadmins and help desk people I know are not the product of a training course, but of their own interest in computers combined with the school of hard knocks.

They weren't formally trained on the many other skills they have ... yet they have those skills. So I don't think training alone is the answer to this. I think more folks like you and me need to be pushing the message that root-cause analysis is necessary and important - not just during a security breach but during many problem scenarios.

Just getting the word out about the /value/ of root-cause analysis will awaken more than a few of the first responders out there. I salute you for doing so!

Keydet89 said...

Thanks for the comments!

You're right, in the sense that most folks will take it upon themselves to develop the necessary skills once they see the value in performing IR or RCAs.

What I was hoping to gear my comment towards was this...if an admin is sent to training, then the senior management will have seen/determined the value of the skill set. If it's important to the guy who signs my paycheck, I'm going to "see the value" right away!

Again, thanks!