Friday, February 17, 2012

News flash – IP addresses aren’t computers

Crazy thought, I know, but it isn’t hard to get caught up in that mentality. I was trying to think of a way to tell the story of the resources/logs needed to be able to identify sources of badness in incident response of one flavor or another. Visually I was drawing that out somewhat like IP ~ Computer Name ~ User Name all at the top level, and branching under that you have various logs like DNS, DHCP, asset management, authentication, etc., all of which play a part in being able to answer questions related to what computers are infected and which users are doing ‘bad things.’ Anyway, it wasn’t until I put that down on the whiteboard that the thought hit me that IP addresses are a supporting factor in identifying a particular computer and not equal to it. Funny what tool limitations will do to your thinking.

If none of that makes sense to anyone other than me I blame the Nyquil.
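The IP ~ Computer Name ~ User Name chain above, as an added example that is not part of the original post: it resolves an IP address at a given time to a host through DHCP leases, then to users through authentication records. All log rows, hostnames, MACs and user names are constructed sample data, and the field layouts are assumptions.

```python
from datetime import datetime

# Constructed sample data: (ip, mac, hostname, lease_start, lease_end)
DHCP_LEASES = [
    ("10.1.4.23", "00:11:22:aa:bb:01", "LAPTOP-ALICE", "2012-02-16 08:02", "2012-02-16 17:30"),
    ("10.1.4.23", "00:11:22:aa:bb:02", "DESKTOP-BOB", "2012-02-16 18:10", "2012-02-17 09:00"),
    ("10.1.4.57", "00:11:22:aa:bb:01", "LAPTOP-ALICE", "2012-02-17 08:05", "2012-02-17 17:00"),
]
# Constructed sample data: (hostname, user, logon, logoff)
AUTH_LOG = [
    ("LAPTOP-ALICE", "alice", "2012-02-16 08:05", "2012-02-16 17:25"),
    ("DESKTOP-BOB", "bob", "2012-02-16 18:15", "2012-02-16 23:40"),
    ("LAPTOP-ALICE", "alice", "2012-02-17 08:10", "2012-02-17 16:50"),
]

def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

def host_for_ip(ip, when):
    """Return (hostname, mac) that held `ip` at `when`, or None if no lease covers it."""
    for lease_ip, mac, host, start, end in DHCP_LEASES:
        if lease_ip == ip and ts(start) <= when < ts(end):
            return host, mac
    return None

def users_on_host(host, when):
    """Return the users with a logon session on `host` that spans `when`."""
    return sorted(u for h, u, on, off in AUTH_LOG
                  if h == host and ts(on) <= when < ts(off))

def attribute(ip, when_text):
    """Walk IP -> computer -> user for one alert timestamp."""
    when = ts(when_text)
    found = host_for_ip(ip, when)
    if found is None:
        # No lease on record: the IP alone identifies nothing.
        return {"ip": ip, "host": None, "mac": None, "users": []}
    host, mac = found
    return {"ip": ip, "host": host, "mac": mac, "users": users_on_host(host, when)}

if __name__ == "__main__":
    # Same IP, three different answers depending on the time of the alert.
    for when_text in ("2012-02-16 10:00", "2012-02-16 17:45", "2012-02-16 22:00"):
        print(when_text, attribute("10.1.4.23", when_text))
    # Same computer (same MAC), different IP the next day.
    print(attribute("10.1.4.57", "2012-02-17 09:30"))
```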

Wednesday, February 1, 2012

The unrecognized APT story....

2 hobbits sneaking into Mordor.


Somehow I don't see me using that analogy in the executive boardroom though.