Comments on Windows Incident Response: When First Responders Attack!!

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2008-03-07 13:02 -05:00

> I would guess that the hard part is defining an incident and educating IT staff.

In my experience so far, it's not hard defining anything...especially "incidents". There are many sites that all define incidents pretty much the same, be they CERT, FIRST, whatever. The hard part is getting senior management on board and making IR of any kind relevant to the business of the organization.

> How does one tell when a daily "my system is acting funny" request or "what's this traffic hitting the firewall?" question will turn into an incident?

Basic troubleshooting 101...I learned it as a 2dLt years ago, and applied what I learned to the digital side of things. It's also something that not many IT admins are familiar with.

> ...based on how quickly they get the customer back up and running...

Exactly my point! Where does this priority come from, but senior management? And one doesn't have to "put on the brakes" if they know what they're doing...b/c they've been trained.

Unknown (https://www.blogger.com/profile/15357840241031190415), 2008-03-07 10:56 -05:00

I would guess that the hard part is defining an incident and educating IT staff. How does one tell when a daily "my system is acting funny" request or "what's this traffic hitting the firewall?" question will turn into an incident? IT admins will probably always approach issues as normal issues, until they realize that something falls into the realm of an incident.

One would definitely approach a pornography or data theft issue far differently than those two issues above. Kinda like if I have my hands on a system doing normal work and find child porn on it, I really have to take my hands off the keyboard, stop everything, and escalate.

Issues like that are easy to define. But when IT staff is often evaluated on their customer satisfaction, which is based on how quickly they get the customer back up and running, taking the time to put on the brakes is costly if they're wrong.

Anonymous, 2008-03-07 10:24 -05:00

Many companies make the mistake of trying to hire small computer repair shops to do their investigation. The lawyers try to rip the techs from their work by threat of subpoena. The tech, without experience in forensics or desire to backlog his repair work, is in a bad position and will probably act like a hostile witness. The only thing you should ask a local repair shop to do is image the drive, period.

Anonymous, 2008-02-25 14:40 -05:00

Interesting note: in more recent cases where I've been called on for forensic analysis relating to (potential) theft of IP, I'm getting asked by the CEO/CIOs to ALSO determine "what did my IT admin(s) do?" ...sigh...