I copied this question verbatim from a tweet by Dave Hull.
CIRT = Computer Incident Response Team
2 Answers
Then: Time Well Spent
I used to run an IRT back in 2000-2002 and at the time, the (perceived) greatest threat came from local script kiddies.
We used whiteboards and raw RDBMSs (with no GUI or application on top) to track individuals, their nicknames, known successful attacks, group affiliations, internal rivalries, etc.
We knew a lot more about these people and what they'd done than we would ever be able to prove in court - but they didn't know that, so it was helpful to sometimes participate in various IRC channels. We estimated that we spent less time tracking and "reminding" them of our existence than we would have spent cleaning up after them.
Now: Consult your risk assessments
While I prefer regular sleep over IR these days, I suspect it makes much less financial sense for mature, corporate IR teams to track attackers today. Many attackers are criminal gangs or intelligence outfits located far away. The time required to research individuals and liaise with the appropriate LE would be counted in weeks or months instead of hours or days.
So, I don't think corporate IRTs gather intel on their attackers, and if they did, I'd probably challenge their risk assessment. I have a hard time imagining a scenario where a corporation would be the least bit interested in spending money on knowing who is trying to attack them.
The cost/benefit analysis is obviously very different for commercial/for-hire IR shops, LE and intelligence agencies, but none of those fit the term 'mature CIRT' in my book.
I am not a member of an IRT, but I did speak to a few folks who were while I was out at BSides/RSA, and certainly the groups who are most concerned about APT (folks such as Bejtlich, power companies, etc.) seem to spend an enormous amount of resources on the research side.
Some differing viewpoints - the security professionals who specifically aim to protect against APT treat it as war, and intelligence is gained from any source, including espionage, by the sounds of things (although they were at great pains to point out that they wouldn't stoop to the levels some foreign powers might).
For the power companies and critical national infrastructure, the focus was more on trying to get an indication of whether an attack was expected in the near future - so more paying attention to IRC-type chat.
It would depend on the team. Depends on the nature of the attack. Are we talking DoS or a break-in to obtain secrets? Are these secrets government/military or just proprietary data like product designs?
– Steve Feb 20 '11 at 22:07