Apr 26 2009
I’m the first to admit that my own direct experience at forensics is limited, but what I’ve seen has always been done using a set of tools collected and mastered by the individual responding to the incident and that any framework surrounding the response has been developed through experience. It’s hard work that takes a very specific skill set that only a limited number of individuals have. I don’t have those skills and admire those who do.
I had a chance to sit down on the show room floor at the RSA Conference and talk to Dave Merkel about Madiant’s ‘red box’ Intelligent Response (MIR). Intelligent Response allows the forensics responder to collect important information from a large number of hosts quickly, and more importantly, consistently. Once the vector of infection or attack has been identified, MIR can be used to scan the systems with very specific instructions, allowing the specialist to find other compromised systems quickly and with a high degree of confidence.
Dave Merkel and I talk about how Madiant works as well as his opinions about recent news of breaches and compromises. If anything, Dave thinks some of the reports on SCADA compromises may be under reported, something that really makes me worry.