"Paul D. Robertson" wrote:
> 
> I'm wondering if this is the start of an end-run around the usual
> community practice of contacting technical contacts during incidents?  I
> know there's probably a lot of "Cybercrime" funding at stake here, and I'm
> sure that contacting a single attacker is sometimes a bad idea, but given
> that this is a terse little handout, I worry about the implications of
> emphatic statements without serious qualification.

I'd guess it is an effort to preserve evidence and the element of surprise.
To have any hope of finding the ultimate source in today's daisy chains
of compromised systems often requires lengthy, distributed, technical monitoring. 
To have a hope of successful prosecution likewise requires meticulous evidence 
gathering and handling. Not all organizations have the resources necessary to
accomplish the former or the knowledge of procedures to accomplish the latter
without outside help.

If law enforcement's goal is to apprehend the perpetrator(s), then the
advice makes perfect sense. In a perfect world, law enforcement would
receive a report and immediately start investigative procedures at the
apparent source of attack, lending the associated organization technical
and procedural help as appropriate.

On the other hand, if an organization doesn't want to expend the resources
necessary for distributed evidence gathering and instead just wants to
clean up the mess and move forward as soon as possible, then there is little
harm in contacting the source of the attack regardless of their resources,
incident handling procedures, or capabilities to help. There are many
networked organizations with GUI-only administrators, RJ45-level network
knowledge, and little or no economic interest in becoming involved with a
long-term investigation with questionable results. Unless law enforcement
can provide the technical investigative resources (like they do for other
criminal investigations), those organizations aren't likely to be of much
use either way except to wipe and reload the compromised system.

Gary Flynn
Security Engineer - Technical Services
James Madison University