Comments on Windows Incident Response: Why current IR models don't work

Comment posted 2007-03-26 by Anonymous:

I just returned from an IR where I had a similar epiphany. In my situation, the IT staff had good intentions; they just lacked the knowledge and experience to conduct a decent triage. When we arrived, we were handed a box of hard drives (from various hardware-RAIDed servers) with little documentation detailing the IT staff's response efforts. Once we finally sorted out the hardware issues, we could see the staff's pseudo-IR effort in attempting to identify the intruder.

Similar to the Marine needing vital weapon-handling skills, the general IT staffer needs comparable security skills to identify suspicious activity and then preserve the volatile information until the IR team arrives. I certainly understand that training general IT to recognize and respond to malicious activity is not a trivial process, but more has to be done. As a member of the IR team, we spent about 40% of our time undoing what the IT staff did, as well as losing volatile data.

In your friend's scenario, the CEO (wife) realized there was a problem but failed to respond in a timely fashion, worsening the problem. In my situation, the wife identified the problem and directed the kids to tear apart the entire house attempting to identify the problem. When the husband arrived home, he spent a decent amount of time repairing the kids' work.