Page 1: Successful Strategies in Enterprise Intrusion Investigations

Successful Strategies in Enterprise Intrusion Investigations

SANS WhatWorks in Forensics and Incident Response Summit 2008

Michael Cloppert
Member Technical Staff
Lockheed Martin Computer Incident Response Team

Page 2: Successful Strategies in Enterprise Intrusion Investigations

Phase 2: Establish a presence

Compromise Systems

Establish a Presence

Steal data

Page 3: Successful Strategies in Enterprise Intrusion Investigations

But how?

Page 4: Successful Strategies in Enterprise Intrusion Investigations

So what now?

Yeah, it’s broken.

We have a process!

Oh you mean this one?

NIST Special Publication 800-61: Computer Security Incident Handling Guide

CMU-SEI-2004-TR-015 Defining Incident Management Processes: A Work In Progress

Page 5: Successful Strategies in Enterprise Intrusion Investigations

Get Intelligent

[Diagram: Incident Response, Malware Analysis, Net Defenders, Digital Forensics. Labels: Compromises; Behaviors, Activity; System Footprint; Suspicious Files; Suspicious Data; Footprints, Behaviors; Partnerships & Collaboration]

Integration of intelligence acquired through analysis and collaboration is key to successfully managing incidents

Page 6: Successful Strategies in Enterprise Intrusion Investigations

Contact

Michael Cloppert

[email protected]