On Wed, Jan 7, 2009 at 10:21 PM, Micheal Espinola Jr <[email protected]> wrote:
> I was wondering if anyone would care to share any anecdotes, stories,
> procedures they went through in following through with a security
> intrusion - with ISP logs, involving the authorities, etc.
In the private sector, you generally have to go through the law enforcement agencies which have jurisdiction. In the US, if it appears to cross state or international lines (typical), your main option is to contact the FBI. Keep in mind that they are generally overwhelmed and thus small stuff tends to fall through the cracks. If it's international and involves certain countries, however, you'll get a better response. Be warned that affected computers may be seized as evidence.

See also: http://www.fbi.gov/cyberinvest/cyberhome.htm

Where I work, we're mainly a DoD subcontractor, so we have our own channels. I'll see if anyone knows of any other avenues for private sector people.

Generic advice: Save all logs from everything to offline archives as soon as you discover an intrusion attempt. If it's a compromise, ideally, take the affected system(s) offline as soon as you discover it. Make complete block-level images of each individual disk before putting them back online. If there is evidence of system-level compromise ("Administrator", root kit, etc.) wipe-and-reload the entire system.

Contacting ISPs can be a mixed bag. They often don't log what you need info on. When they do, it will often be rotated on a short time span. Then getting through to someone with clue before the logs get deleted is often the hard part. OTOH, when this does pay off it's some of the best kind of evidence.

-- Ben
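The two evidence-preservation steps in Ben's generic advice (offline log archive, block-level disk image) as a shell script. This is an added example, not code from the original thread; the function names, the MANIFEST file layout, and the use of GNU coreutils `dd`/`sha256sum` are assumptions.

```shell
#!/bin/sh
# Evidence preservation helpers (example code, not from the original post).
# Assumes GNU coreutils (dd with status=none, sha256sum).
set -eu

# Archive a log directory into a timestamped tarball under an offline
# destination and record its SHA-256 in a manifest, so the copy can later
# be shown to be unmodified.
#   $1 = log directory, $2 = offline destination directory
# Prints the path of the archive it created.
archive_logs() {
  logdir=$1; dest=$2
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  out="$dest/logs-$stamp.tar.gz"
  mkdir -p "$dest"
  tar -czf "$out" -C "$logdir" .
  sha256sum "$out" >> "$dest/MANIFEST.sha256"
  printf '%s\n' "$out"
}

# Block-level copy of a disk (or a file standing in for one), hashed on
# both sides so the image can be proven identical to the source before
# the original is taken further. conv=noerror keeps going past read
# errors instead of aborting the whole image.
#   $1 = source device or file, $2 = destination image path
# Prints the SHA-256 of the image; fails if it differs from the source.
image_disk() {
  src=$1; img=$2
  mkdir -p "$(dirname "$img")"
  dd if="$src" of="$img" bs=65536 conv=noerror status=none
  src_hash=$(sha256sum "$src" | cut -d' ' -f1)
  img_hash=$(sha256sum "$img" | cut -d' ' -f1)
  if [ "$src_hash" != "$img_hash" ]; then
    echo "image hash does not match source, do not trust this copy" >&2
    return 1
  fi
  echo "$img_hash  $img" >> "$(dirname "$img")/MANIFEST.sha256"
  printf '%s\n' "$img_hash"
}
```

Run `image_disk` against the raw device (e.g. `/dev/sdb`) from a system that does not mount it, and keep the MANIFEST files with the archives rather than on the affected host.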
