Incident Response Toolkit Justifications
One of the cool things about taking the SANS GCIH through their OnDemand classes is that you get 10 weeks to interact with the other students instead of the usual one week of a conference. Somebody in my class set up a YahooGroup and the students were able to post questions when they didn’t understand a subject and needed extra clarification. The teacher, Ed Skoudis, and experienced students monitored the group and help was almost real-time.
Although I have already achieved my GCIH Silver Certification I am still a member of the YahooGroup associated with the class. Yesterday one of the students posted a question. Since it was a good question I thought I would include it and my response.
swangod's question:
Hi folks,
I don’t know how many of you might still pay attention to this group,
but here’s a question for you. The book recommends something like
$5-10k of available funds. I think some of this was for on the spot
purchases like storage media, hubs/switches, taps, maybe even a
server. Has anyone had any luck with justifying this spending ability
or authority, and how have you presented this to management and what
sort of discussions did you have to go through for this pre-approval?
My response:
Here are some things to think about that might help you in this situation.
This might be more information than you need but I got on a roll.
One thing you might consider is combining the “jump bag” to operate as
tools for “incident response” and “disaster recovery”. This helps double
up the need for such a bag and it gives you a good excuse to keep people
from lifting items from it when they can’t find similar items that are
used for normal operations. Additionally, many of the items could be
pulled from duplicate stock or by upgrading old tools and hardware to more
current versions. As for servers and workstations you could also pull
systems when they are being updated. (Remember, you’ll need systems to
perform forensic duties as well as systems to do practice incidents.)

If you are trying to justify just building an incident response or
forensic work area then you are going to have to consider how many
incidents you expect in the next 5 to 10 years. As you should start a
working relationship with a forensic company anyway, ask them to brief you
on how much typical forensic responses to an incident will cost. Give
them a couple of likely scenarios your company might experience. Now
multiply that number by the number of incidents. Then do your research
about how much spinning up a workstation will cost (include training on
forensic tools as well as GCIH for other team members). When you have the
comparison have the forensic company come back in and give the same
presentation to your executives. Then you give a quick presentation after
the forensic company leaves about how developing an incident response plan
and preparing certain tools could reduce these costs. Before you go into
this meeting double check your costs and be sure you are not missing
anything. One or two changes down the road will not hurt anything but an
any more than that and they will begin to wonder about whether it was a good
idea, which they will remember the next time you ask for something.

Also, don’t go overboard. You might not be able to afford things right
away. Start developing a plan to acquire things through time. And
remember, if you need something during an incident your management will
generally be willing to fork over the money. Just be ready with
suggestions and acquisition recommendations. Use a purchase of necessary
equipment during a response as a part of your lessons learned. “We had to
purchase a 500 GB drive because the RAID we had to image was 450 GB. The
purchase delayed our response by 8 hours. The request for the external
hard drive was initially denied. Here is a list of other items that we
denied at the same time as the external hard drive but are also necessary
for incident response.”

Hope this helps,
Cutaway
I hope this helps anybody trying to justify their incident response toolkit, “jump bag,” or work area.
Go forth and do good things,
Cutaway