Don't forget chain of custody is very important. You need to document who
has the information (logs etc.) and put it away, else you will run into
lawyers saying the information was tampered with.



-----Original Message-----
From: Micheal Espinola Jr [mailto:[email protected]] 
Sent: Saturday, January 10, 2009 9:03 AM
To: NT System Admin Issues
Subject: Re: Facts, thoughts, references for security intrusion (espionage)
reporting

Thanks, Ben.  I appreciate the thoughts.  This is all in-line with my
expectations and initiatives. We have an "in" with some local gov
VIPs, so we were able to get the feds in the next day.

It should be interesting to say the least.

--
ME2



On Thu, Jan 8, 2009 at 8:38 AM, Ben Scott <[email protected]> wrote:
> On Wed, Jan 7, 2009 at 10:21 PM, Micheal Espinola Jr
> <[email protected]> wrote:
>> I was wondering if anyone would care to share any anecdotes, stories,
>> procedures they went through in following through with a security
>> intrusion - with ISP logs, involving the authorities, etc.
>
>  In the private sector, you generally have to go through the law
> enforcement agencies which have jurisdiction.  In the US, if it
> appears to cross state or international lines (typical), your main
> option is to contact the FBI.  Keep in mind that they are generally
> overwhelmed and thus small stuff tends to fall through the cracks.  If
> it's international and involves certain countries, however, you'll get
> a better response.  Be warned that affected computers may be seized as
> evidence.
>
>  See also: http://www.fbi.gov/cyberinvest/cyberhome.htm
>
>  Where I work, we're mainly a DoD subcontractor, so we have our own
> channels.  I'll see if anyone knows of any other avenues for private
> sector people.
>
>  Generic advice:
>
>  Save all logs from everything to offline archives as soon as you
> discover an intrusion attempt.  If it's a compromise, ideally, take
> the affected system(s) offline as soon as you discover it.  Make
> complete block-level images of each individual disk before putting
> them back online.  If there is evidence of system-level compromise
> ("Administrator", root kit, etc.) wipe-and-reload the entire system.
>
>  Contacting ISPs can be a mixed bag.  They often don't log what you
> need info on.  When they do, it will often be rotated on a short time
> span.  Then getting through to someone with clue before the logs get
> deleted is often the hard part.  OTOH, when this does pay off it's
> some of the best kind of evidence.
>
> -- Ben
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>




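The two pieces of advice in this thread, archiving logs offline as soon as an intrusion is noticed and documenting who has held the evidence since, can be backed by a small manifest tool. The following is an added example written for this page; it is not code from any of the thread's authors. It hashes every collected file with SHA-256, opens an append-only custody log, and can later re-hash the files to show they are unchanged. The file names, log lines, case ID and custodian names are constructed placeholders.

```python
"""Chain-of-custody manifest for collected evidence (log archives, disk images)."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so a multi-GB disk image never sits in memory at once


def _now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def sha256_file(path):
    """Streaming SHA-256 of a file; the digest is what later proves the copy is unchanged."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir, case_id, collector, note=""):
    """Hash every file under evidence_dir and open the custody log with a 'collected' entry."""
    root = Path(evidence_dir)
    items = [
        {"path": p.relative_to(root).as_posix(), "size": p.stat().st_size, "sha256": sha256_file(p)}
        for p in sorted(root.rglob("*"))
        if p.is_file()
    ]
    return {
        "case_id": case_id,
        "created_utc": _now(),
        "items": items,
        "custody": [{"action": "collected", "by": collector, "at_utc": _now(), "note": note}],
    }


def record_transfer(manifest, from_person, to_person, note=""):
    """Append a hand-off to the custody log. Entries are only ever appended, never edited."""
    manifest["custody"].append(
        {"action": "transferred", "from": from_person, "to": to_person, "at_utc": _now(), "note": note}
    )
    return manifest


def verify_manifest(manifest, evidence_dir):
    """Re-hash every listed file; returns {path: 'ok' | 'modified' | 'missing'}."""
    root = Path(evidence_dir)
    result = {}
    for item in manifest["items"]:
        p = root / item["path"]
        if not p.is_file():
            result[item["path"]] = "missing"
        elif sha256_file(p) != item["sha256"]:
            result[item["path"]] = "modified"
        else:
            result[item["path"]] = "ok"
    return result


def save_manifest(manifest, out_path):
    """Write the manifest as JSON and return the digest of the written file.

    Record that digest somewhere the evidence holder cannot alter (case notes,
    a signed paper form) so the manifest itself can be shown to be untouched."""
    data = json.dumps(manifest, indent=2, sort_keys=True).encode()
    Path(out_path).write_bytes(data)
    return hashlib.sha256(data).hexdigest()


def demo():
    """Constructed walk-through: two fake logs are collected, then one is altered and one lost."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "evidence"
        root.mkdir()
        # constructed sample log lines (documentation IP ranges), not real data
        (root / "firewall.log").write_text("2009-01-07 22:14:03 DENY tcp 203.0.113.7 -> 192.0.2.10:445\n")
        (root / "ids.log").write_text("2009-01-07 22:14:05 ALERT scan from 203.0.113.7\n")
        m = build_manifest(root, case_id="CASE-PLACEHOLDER-001", collector="analyst1",
                           note="copied from syslog host to offline archive")
        record_transfer(m, "analyst1", "evidence locker", note="sealed, box 3")
        manifest_digest = save_manifest(m, Path(d) / "manifest.json")
        before = verify_manifest(m, root)
        (root / "ids.log").write_text("altered after collection\n")  # simulated tampering
        (root / "firewall.log").unlink()  # simulated loss
        after = verify_manifest(m, root)
        return {"manifest": m, "before": before, "after": after, "manifest_digest": manifest_digest}


if __name__ == "__main__":
    out = demo()
    print(json.dumps(out["before"]), json.dumps(out["after"]))
```

Run it once at collection time to produce the manifest, hand the manifest's digest to someone outside the evidence chain, and run `verify_manifest` before anything is handed to counsel or law enforcement; a `modified` or `missing` result is exactly the gap the lawyers in the first message would ask about.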