Let me try again to explain what I am looking for, as I apparently was not
clear.

After we have had an incident, and stopped it, blocking the originator, we
then will need to check our machines and recover. We have a staff of
sysadmins who can re-install the system, but what we want is to have
someone on retainer who we can call in to assist and to record evidence in
case we can prosecute. Calling CERT will help us stop things as they are
happening, but we are looking for assistance after that point.

David Lang


On Wed, 15 Sep 1999, Crumrine, Gary L wrote:

> Date: Wed, 15 Sep 1999 07:23:42 -0400
> From: "Crumrine, Gary L" <[EMAIL PROTECTED]>
> To: David Lang <[EMAIL PROTECTED]>
> Subject: RE: Intrusion Response
> 
> It depends on what you want to do once you find them and what the attack
> was.  First and foremost, I'd say your first item of business is to
> terminate the session, next deny them access via the router etc., third,
> protect the forensic evidence.  Make sure you save the original log data,
> copy it, and do any crunching on the copy.
> 
> I think you will find that for the most part, it will be difficult and
> expensive to track down an outsider.  You had better decide up front if you
> intend to prosecute or not.  If there is not a willingness to take this
> step, then don't waste the time in trying to track them down beyond simple
> means and go beyond the steps above.
> 
> Internal hacks usually end with much more positive results in tracking the
> culprit.  In those cases, you show them the evidence and fire them.
> Prosecute them if you like, but the evidence has to be there in a pristine
> state.
> 
> A typical response that we take, is 1) determine where they are coming from,
> block the IP at the router, do a forensic review of the system, report the
> activity.  We do not typically prosecute unless they penetrate and that has
> not happened yet.  We deal more with policy infractions and door rattling,
> with the occasional DOS attack.  Not to say that the hackers are not trying
> though.  We take hits all the time...
> 
> -----Original Message-----
> From: David Lang [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, September 14, 1999 7:26 PM
> To: [EMAIL PROTECTED]
> Subject: Intrusion Response
> 
> 
> I am looking for recommendations for (not advertisements from) intrusion
> response teams. We have an extensive security system in place and are now
> starting to catch our breath and plan for how to respond if (when) someone
> manages to get through our defences.
> 
> David Lang
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 
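The advice quoted above (save the original log data, copy it, do any crunching on the copy, and keep the evidence pristine) can be sketched as follows. This is an added example, not part of the original thread; the function names, the `MANIFEST.jsonl` file and the directory layout are assumptions, and the sample log line is constructed.

```python
import hashlib, json, os, shutil, stat, tempfile, time
from pathlib import Path

MANIFEST = "MANIFEST.jsonl"  # assumed manifest name, one JSON record per file

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def preserve_log(src, evidence_dir, work_dir):
    """Store a read-only master copy of src plus a writable analysis copy."""
    src, evidence_dir, work_dir = Path(src), Path(evidence_dir), Path(work_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    work_dir.mkdir(parents=True, exist_ok=True)
    digest = sha256_file(src)              # hash the original before copying
    master = evidence_dir / src.name
    shutil.copy2(src, master)              # copy2 carries timestamps to the copy
    if sha256_file(master) != digest:
        raise OSError(f"copy of {src} does not match the original")
    os.chmod(master, stat.S_IRUSR)         # master stays read-only
    working = work_dir / src.name
    shutil.copyfile(master, working)       # all crunching happens on this file
    entry = {"file": src.name, "sha256": digest,
             "source_mtime": src.stat().st_mtime,
             "collected_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())}
    with open(evidence_dir / MANIFEST, "a") as m:
        m.write(json.dumps(entry) + "\n")
    return entry

def verify_evidence(evidence_dir):
    """Return the master copies whose hash no longer matches the manifest."""
    evidence_dir = Path(evidence_dir)
    changed = []
    with open(evidence_dir / MANIFEST) as m:
        for line in m:
            e = json.loads(line)
            if sha256_file(evidence_dir / e["file"]) != e["sha256"]:
                changed.append(e["file"])
    return changed

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        log = Path(d, "router.log")
        log.write_text("Sep 15 07:01:12 gw deny tcp 192.0.2.7 -> 10.0.0.5:23\n")  # constructed
        print(preserve_log(log, Path(d, "evidence"), Path(d, "work")))
        print(verify_evidence(Path(d, "evidence")))  # empty list: master copy unchanged
```

Re-running `verify_evidence` before handing the material to an investigator shows whether any master copy changed after collection; the manifest itself should be kept on separate or write-once media.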
