Intelligence Concepts - OODA

The information security community loves lists, cycles, and other guides for actions. We have important steps that need to be followed, but no investigation is exactly the same, and every one requires a bit of improvisation. So how do you balance these needs? The paradox of disciplined steps mixed with room to adapt to a situation. Lots of groups are posing solutions, some useful, some not so useful, and some 100% misconstrued....

January 27, 2015 · 4 min · Scott J Roberts

The Perils of (Mis)Attribution

It’s impossible to be involved in the information security community right now and to avoid the incident going on at Sony. All of the details of the attack by “The Guardians of Peace” may never be publicly known, but it is safe to say that this has become one of the defining computer security events from a public perspective. Plenty of people are addressing this from a variety of angles so I just want to speak to one, somewhat tertiary but nonetheless key issue, the “attribution” debate....

January 4, 2015 · 10 min · Scott J Roberts

Learning Git and GitHub

I suppose it makes sense that when you work for a company everyone assumes you know everything about using its products. When I worked at Symantec’s Managed Security Services people asked me all the time how to use the antivirus. It’s a normal assumption, even if it’s off base. So working at GitHub I get asked git & GitHub questions all the time. #REALTALK: The fact is I’m not a great Git user....

November 11, 2014 · 4 min · Scott J Roberts

Crisis Communication for Incident Response

One part of intrusion response that rarely gets enough attention in DFIR circles is the communications victim companies make to their own customers. This is almost always the only real information the public (and even security community) see about an intrusion and communicating what happened effectively is crucial to minimizing damage, both to customers and to your organization’s reputation. The 5 Keys to Incident Response Communication It’s difficult to investigate many intrusions....

September 22, 2014 · 7 min · Scott J Roberts

Minimal Packing for Maximum Travel

I started writing this at the end of March right after two trips in a row. I’ve since done another type of packing, moved, and now I’m finally catching up, so forgive some out-of-date thoughts. I’ve basically traveled nonstop for the last two weeks, home only for last weekend. Back to back travel of fairly similar lengths makes it easy to compare, experiment, and plan a bit better....

May 25, 2014 · 6 min · Scott J Roberts