Comments on Windows Incident Response: Host-Based Analysis
(Blogger comment feed, 4 comments, retrieved 2024-03-19)

H. Carvey (2012-06-05 18:51):
Keep an eye on Twitter, this blog, LinkedIn, etc. ... I'll be sure to let you know when we're having another course.

Girl, Unallocated (2012-06-05 11:28):
Thank you for the mention! I'm still amazed you read my blog.

I'm putting your course on my wish list. Hopefully it will be on the corporate budget sometime in the future. It sounds amazing!

H. Carvey (2012-06-02 08:09):
Corey,

Excellent points. What good is it to have your users change their passwords when the initial infection vector (IIV) was via the user context, used an exploit for privilege escalation (or didn't even have to), and moved on from there?

That's an excellent way to tie things back to intel-driven defense. While I agree that much of what the AV (and other) vendors state are overall best practices, sometimes we have to be careful about where we put our efforts.

Sometimes stuff just needs to be said again...

Corey Harrell (http://journeyintoir.blogspot.com/, 2012-06-02 08:04):
Another benefit to host-based analysis is that it can provide more context about the malware and where it was found than an AV report could ever provide. Most AV reports use the shotgun approach for security improvement recommendations: turn on the firewall, update software, be careful opening attachments, use caution clicking links on webpages, use strong passwords, put your users in a bubble... The reason being that AV companies don't know the environment where the samples came from, so it seems like they are covering their bases. Host-based analysis, on the other hand, will tell you exactly what security recommendations to make, since it will reveal the technical breakdown that allowed the malware onto the system. I know my comment sounds more like an echo chamber to your point about intelligence-driven defense; it is an excellent point and should be repeated.