Comments on Journey Into Incident Response: Compromised Root Cause Analysis Model Revisited
Blog author: Corey Harrell

Ionut Ionescu (2015-07-06):

Dear Corey,
Good article, especially as you've added examples, which bring the power of the methodical approach of the CoRCAM model to the fore.
I agree with you and Harlan: many organisations see RCA as "too hard" or "too techie and time consuming", and senior management expects quick solutions.
Sometimes, after organisations invest in tools and instrumentation, they forget to invest (or to keep investing) in people and therefore miss the insights that good RCA would bring them. They rarely have a good threat taxonomy, and so they cannot focus the security budget on the important areas. Sometimes they even outsource operational security and incident response and say they will concentrate on risk management instead, without ensuring that the managed services provider has the skills and capabilities to do RCA and to really understand how to protect them on an on-going basis (i.e. not just to administer the protective controls). Security can be a lonely job sometimes.

Corey Harrell (2015-03-23):

@Harlan,

Great points; thanks for commenting. I think one of the big advantages to doing root cause analysis (besides knowing what an attacker did) is to help make better business decisions. Years ago, when I had just started doing RCA on a consistent basis, I was helping an acquaintance's organization with a malware infection. In this organization, an assumption was made about how the infection occurred. This resulted in advice being provided to the user and a general announcement to the whole organization with similar advice. After I did RCA, I determined the infection vector was different from the assumption. In the end the wrong advice was provided, and the time/resources spent doing it would have zero impact on preventing a similar infection from re-occurring.

H. Carvey (2015-03-22):

Corey,

Your post is yet another prime example of what's missed in a great many organizations. There is no investment into an RCA process, and as such, organizations that get compromised throw out a SWAG as to the IIV and never actually validate the root cause. This leads to poor business decisions being made based on bad technical information, and the organization continues to be compromised.

I presented my findings regarding a RAT infection at a conference for "APT researchers" a while back. I described the RAT, and most in the room were familiar with it. When I asked, "what is the infection vector?", everyone that responded said, "spear phish". That's the easy route: see the IDS/IPS alert for the RAT on the wire, assume it was the result of a phish. This one was installed by the user, from a USB drive, information which radically changes the approach and the solution.

Everything that is new and unfamiliar is "hard" and "takes too much time". Invest in the capability to do this, either by developing staff or signing a retainer contract. The other option is to just turn off your IPS, disable logging, etc. After all, if you're not going to do the RCA, what's the point of all that instrumentation?

Sunil Varkey (2015-03-15):

Very good and informative work. Thank you.