The people who make up the analysis team must have a variety of skills. They must also have a solid understanding of the systems affected by the incident, the system and application vulnerabilities, and the network and system configurations. Although formal education is important, real-world applied experience combined with proper training is key for these folks. One of the biggest challenges they face is the dynamic nature of logs. Most ISPs purge or overwrite their logs within a short timeframe, and time is lost from the moment the incident occurs: several hours may pass before an incident is detected or reported. Some countries are considering legislation that would require longer log file retention. However, such laws pose privacy and storage challenges. We can never win.
Once we have gathered as much information as we can in the analysis stage and answered as many questions as we can, we move on to the tracking stage. (Tracking may also take place in parallel with the analysis and examination.) We determine whether
the source of the incident was internal or external and how the offender penetrated and
[page break: CISSP All-in-One Exam Guide, 5th Ed., Harris, ch. 10, pp. 885-886]
gained access to the asset. If the attacker was external, the team would contact its ISP to help gather data and possibly help find the source of the attack. This is often difficult because attackers hop from one compromised system to the next, so several ISPs may have to get involved. Thus, it is important that the analysis and tracking team have a good working relationship with third parties such as ISPs, other response teams, and law enforcement.
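The tracking step described above can be made concrete with a small script. The following is an added example, not code from the CISSP guide: it assumes a constructed key=value login log (the format, the address ranges in INTERNAL_NETS and the sample lines are all invented for illustration), walks backwards from the compromised asset one login at a time, decides internal versus external against the organisation's own address space, and produces the exact address and timestamp the team would hand to the upstream ISP before that ISP's logs roll over.

```python
"""Reconstruct the path an intruder took to a compromised asset.

Added example for the tracking stage; not code from the CISSP guide. It assumes
a constructed key=value log format in which every remote login records a UTC
timestamp, source address (src), destination host address (dst), the event
type and its result.
"""
from datetime import datetime, timezone
import ipaddress

# Assumed organisation address space. Internal-vs-external is decided against
# the ranges *we* own, not ipaddress's is_private, which also treats the
# documentation ranges (192.0.2/24, 198.51.100/24, 203.0.113/24) as private.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),       # assumed corporate LAN
    ipaddress.ip_network("203.0.113.0/24"),   # assumed company-owned DMZ range
]

# Constructed sample log. An outside address logs into the DMZ web host, hops
# from there to an internal jump box, and from the jump box to the file server.
SAMPLE_LOG = """\
2009-12-04T08:12:03Z src=198.51.100.77 dst=203.0.113.10 event=ssh_login result=success
2009-12-04T08:40:19Z src=203.0.113.10 dst=10.0.3.15 event=ssh_login result=success
2009-12-04T09:02:44Z src=10.0.3.15 dst=10.0.5.20 event=ssh_login result=success
2009-12-04T09:05:01Z src=10.0.3.15 dst=10.0.5.20 event=file_read result=success
2009-12-04T09:30:00Z src=10.0.7.9 dst=10.0.5.20 event=ssh_login result=failure
"""


def parse_log(text):
    """Turn the key=value lines into dicts with a tz-aware datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        event = dict(f.split("=", 1) for f in fields)
        event["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc)
        events.append(event)
    return events


def is_internal(ip):
    """True if the address belongs to one of our own ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def latest_login_before(events, host, cutoff):
    """Most recent successful remote login into `host` strictly before `cutoff`
    (cutoff=None means any time). Returns None if the logs show none."""
    candidates = [e for e in events
                  if e["dst"] == host
                  and e["event"] == "ssh_login"
                  and e["result"] == "success"
                  and (cutoff is None or e["ts"] < cutoff)]
    return max(candidates, key=lambda e: e["ts"]) if candidates else None


def trace_path(events, asset):
    """Walk backwards from the compromised asset, one login at a time, until we
    reach an address we do not own or the logs run out.

    Each hop is the login that gave the attacker the host used for the next
    hop, so the cutoff moves earlier on every step and the walk terminates
    even if the logs contain both A->B and B->A logins."""
    path = []
    host, cutoff = asset, None
    while True:
        hop = latest_login_before(events, host, cutoff)
        if hop is None:
            break
        path.append(hop)
        if not is_internal(hop["src"]):
            break             # left our network: beyond here we need the ISP
        host, cutoff = hop["src"], hop["ts"]
    return path


def classify_origin(path):
    """'external' if the earliest hop we can see came from outside, 'internal'
    if the trail ends on one of our own hosts, 'unknown' if no login was found."""
    if not path:
        return "unknown"
    return "external" if not is_internal(path[-1]["src"]) else "internal"


def isp_request(path):
    """What to hand the upstream ISP: the external address and the exact time
    it reached our first host, so they can search before their logs roll over."""
    if classify_origin(path) != "external":
        return None
    first = path[-1]
    return {"address": first["src"], "target": first["dst"],
            "when": first["ts"].isoformat()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    p = trace_path(evs, "10.0.5.20")
    for hop in reversed(p):
        print(f"{hop['ts'].isoformat()}  {hop['src']:>15} -> {hop['dst']}")
    print("origin:", classify_origin(p), isp_request(p))
```

Run against the constructed sample, the trace stops at 198.51.100.77 because that address is outside the ranges we own; everything earlier lives in the ISP's logs, which is why the request records the precise timestamp of the first hop. If the attacker chained through hosts at more than one provider, each provider would have to be asked for the login into the next hop in the same way.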
Once the incident is understood, we move into the recovery (or follow-up) stage, in which we implement the necessary fix to ensure this type of incident cannot happen again. This may require blocking certain ports, deactivating vulnerable services or functionalities, switching over to another process...