Actual Data Sharing!
Cruising through my blogroll this morning over the morning coffee, I came across an article from BeyondSecurity [link to http://www.beyondsecurity.com/besirt/advisories/team-evil-incident.pdf no longer works], which walks through a forensics analysis of an on going security incident. This is a good read and it’s great to see folks in the industry talking about what they actually do and how they do it.
Thanks to TaoSecurity, who originally pointed me to the article. Check out Richard’s analysis of the actually incident response techniques. I’m with Richard, why didn’t they just disable the switch port?
[Edit: Link to TaoSecurity fixed. Thanks Nitpicker.]