RE: Incident Response Guidelines

From: Robinson, Sonja <SRobinson(at)HIPUSA.com>
Date: Mon Dec 30 2002 - 12:40:52 EST


For all of you who have replied requesting a sample, I will be more than happy to respond. I am receiving hundreds of requests at the moment. We are short of staff due to the holidays and it may take a few days to respond to you all, so please be patient. All I ask in return for the samples is that, if you use anything from them, you credit me and my co-author and remember us if we are ever in need of assistance. We are not charging for the document or the information contained therein, so we would appreciate it if no one else reaps any monetary benefit from the document (i.e. consultants, etc.).

Basically, we set down the who's and communication flows in documents along with their responsibilities. It allows people to understand their role and others' roles and who to talk to instead of running around. Remember, we took an aspect of it as a process. In separate docs I have some suggestions on, say, e-mail tracing, spoofing, etc. It is almost impossible to document responses to particular types of attacks since there are 1000's. The idea is to make the response PROCESS or CIRT the same no matter WHO or WHAT initiates the initial alarm. So whether it is an admin saying "I have a problem" or an IDS saying "hey, there's this IP", the response process and escalation should be the same.

If, when performing any investigation, I am stumped about a particular issue or detailed procedure/hack/analysis and don't have any hints in my archives, docs, etc., I throw out my questions to others for assistance. Anyone should be able to pick up your CIRT document and know what is going on and who to talk to. They should not have to read through 100 pages. Each expert that you involve in the response should know what to look for themselves in their respective areas; of course, guidance and consultation will be imperative, especially in the forensic collection of evidence/data.

I did a similar thing for viruses. I have a 4-page detailed flow chart for that and a two-page text doc to accompany it. The standards and responsibilities doc is separate and probably about 15? pages, since it covers server & workstation configs as well.

> -----Original Message-----
> From: Robinson, Sonja
> Sent: Friday, December 27, 2002 2:33 PM
> To: 'John Smithson'; 'security-basics@security-focus.com';
> 'forensics@securityfocus.com'
> Subject: RE: Incident Response Guidelines
This message is a PRIVILEGED AND CONFIDENTIAL communication, and is intended only for the individual(s) named herein or others specifically authorized to receive the communication. If you are not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender of the error immediately, do not read or use the communication in any manner, destroy all copies, and delete it from your system if the communication was sent via email.


This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Tue Dec 31 13:27:11 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:03:33 EDT
