Wednesday, June 17, 2009

START methodology

START is a methodology applied to Mass Casualty Incidents and triage centers, and it is frequently applied to battlefield medicine. START stands for Simple Triage and Rapid Treatment. I will focus primarily on Mass Casualty Incidents and triage centers. This methodology has a direct tie to The Golden Hour.

It is my humble opinion that START can be applied easily to Computer Security Incidents, those of both the mass casualty and triage center variety. In a Mass Casualty Incident you are typically confronted by several potential issues, ranging from the sensitivity of the data to the criticality of the resource and the threat posed by the compromise. These casualties come from all sides of the organization. The same holds true when you have an influx of dissimilar incidents and you need to prioritize them - think of the ER at a major hospital on a warm Friday or Saturday night.

That said I humbly present my adapted START methodology.

Stage 1 Triage
Stage 1 triage is completed on a live system. This stage requires a network connection.

Conduct Rapid Triage
  • Collect Volatile Data
  • PII search of non-system-created directories
  • Limited malware scan

Conduct Rapid Assessment
  • Preliminary memory analysis
  • Review PII tool logs
  • Review Antimalware logs
  • Review FLS & MACtime logs
  • Establish Time of Compromise

Influential factors in Stage 1

  • MAD time is the Maximum Allowable Downtime: how long an organization can withstand the loss of a resource. Or, more to the point, the time it takes for someone to get pissed off (MAD).

Initial Threat assessment
  • Is it known
  • Identify any knowns
  • Is it attacking other systems
  • Is it spreading

Initial Risk assessment
  • Sensitive Data presence
  • System Profile

Stage 2 Triage
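The influential factors above are what decide the order in which a pile of dissimilar incidents gets worked, which is exactly the START question: who gets seen first. The following is an added example, not code from the original post; it scores constructed incident records against the Stage 1 factors (MAD time, the threat assessment, the risk assessment) and hands back a START-style tag and a work order. The field names, weights and thresholds are this example's assumptions, chosen to illustrate the ranking rather than to prescribe one.

```python
from dataclasses import dataclass

# Constructed incident record. The fields follow the post's Stage 1
# "influential factors"; the names and weights are assumptions of this example.
@dataclass
class Incident:
    host: str
    mad_hours: float        # Maximum Allowable Downtime for the resource, in hours
    known_threat: bool      # the malware/indicator has already been identified
    attacking_others: bool  # threat assessment: is it attacking other systems
    spreading: bool         # threat assessment: is it spreading
    sensitive_data: bool    # risk assessment: rapid PII search found sensitive data
    system_profile: str     # risk assessment: what the box is

# Assumed weights for the system profile part of the risk assessment.
PROFILE_WEIGHT = {"domain_controller": 3, "database": 3,
                  "file_server": 2, "web_server": 2, "workstation": 1}


def category(inc):
    """Three of START's four tags, mapped to an incident (assumed mapping):
    immediate = actively hurting others, delayed = needs an examiner soon,
    minor = known, contained, no sensitive data."""
    if inc.spreading or inc.attacking_others:
        return "immediate"
    if inc.sensitive_data or not inc.known_threat:
        return "delayed"
    return "minor"


def triage_score(inc):
    """Higher score = worked first. Threat factors outweigh risk factors,
    and a short MAD time adds a bounded urgency bonus."""
    score = 0.0
    if inc.spreading:
        score += 4
    if inc.attacking_others:
        score += 3
    if not inc.known_threat:
        score += 2            # unknowns cost analyst time before anything else
    if inc.sensitive_data:
        score += 3
    score += PROFILE_WEIGHT.get(inc.system_profile, 1)
    # 1 hour of tolerance -> +4, 24 hours -> +1, 72 hours -> +0.33
    score += min(4.0, 24.0 / max(inc.mad_hours, 1.0))
    return score


def prioritize(incidents):
    """Work order: best score first, host name as a stable tie-breaker."""
    return sorted(incidents, key=lambda i: (-triage_score(i), i.host))


# Constructed sample: one domain controller with payroll data and a known
# sample on it, one workstation spraying the LAN with something unknown,
# and one workstation with a known, contained infection.
SAMPLE = [
    Incident("dc01", 4, True, False, False, True, "domain_controller"),
    Incident("ws-017", 72, False, True, True, False, "workstation"),
    Incident("ws-042", 72, True, False, False, False, "workstation"),
]

if __name__ == "__main__":
    for inc in prioritize(SAMPLE):
        print(f"{inc.host:8} {category(inc):10} {triage_score(inc):5.2f}")
```

Note that the spreading workstation edges out the domain controller even though the DC has the sensitive data and the shorter MAD time: in START terms the patient who is still bleeding on the others is seen first, and the DC is stabilized next.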

Stage 2 triage is completed on a disk image either after Stage 1 has been completed, or in place of Stage 1 in the case of a physical drive being delivered or acquired from an unpowered system.

Conduct Rapid Triage
  • PII search disk image
  • Data point collection
    1. Network Logs
    2. Prefetch
    3. Registry
    4. Browser History
    5. MACtime data
    6. Malware scan
    7. Event Logs
    8. Application Logs

Log the case and turn it over for analysis. The combination of the above data points is more than enough to get an examiner started.
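Two of the data points that recur in both stages are the PII search (Stage 1 against non-system directories, Stage 2 against the image) and the FLS/MACtime data used to establish the time of compromise. The following is an added example, not code from the original post and not a Sleuth Kit tool: it parses a constructed `fls -m` body file into a MACtime-style timeline, takes the earliest creation time of a path flagged by the (assumed) antimalware log as the working time of compromise, pulls the events in a window around it, and runs a PII search with a Luhn check over constructed file contents while skipping system directories. File paths, timestamps and contents are all constructed for the example.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta, timezone

# Constructed Sleuth Kit body lines (fls -m format): fields are
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime (epoch seconds).
BODY_FILE = """\
0|C:/Windows/System32/kernel32.dll|101|r/rrwxrwxrwx|0|0|1200000|1230000000|1200000000|1200000000|1200000000
0|C:/Users/alice/Documents/payroll.csv|202|r/rrwxrwxrwx|0|0|4096|1245200000|1244000000|1244000000|1244000000
0|C:/Windows/Prefetch/TMP_UPDATE.EXE-1A2B3C4D.pf|303|r/rrwxrwxrwx|0|0|8192|1245100000|1245100000|1245100000|1245100000
0|C:/Users/alice/AppData/Local/Temp/tmp_update.exe|304|r/rrwxrwxrwx|0|0|65536|1245099000|1245099000|1245099000|1245099000
"""

# Constructed stand-in for "what the antimalware log flagged".
FLAGGED_PATHS = {"C:/Users/alice/AppData/Local/Temp/tmp_update.exe"}

# Constructed file contents for the PII search; one file lives in a system
# directory and must be skipped by the non-system search.
SAMPLE_FILES = {
    "C:/Users/alice/Documents/payroll.csv":
        "name,ssn,card\nAlice,123-45-6789,4111 1111 1111 1111\n"
        "Bob,321-54-9876,4111 1111 1111 1112\n",
    "C:/Windows/System32/notes.txt": "123-45-6789\n",
    "C:/Users/alice/notes.txt": "call 555-123-4567 tomorrow\n",
}

SYSTEM_PREFIXES = ("C:/Windows/", "C:/Program Files/")
Event = namedtuple("Event", "when kind path")


def parse_body(text):
    """Explode each body line into one Event per MACB timestamp, time-ordered."""
    events = []
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) != 11:
            continue                      # malformed line: skip, don't crash the triage
        path = fields[1]
        for kind, ts in zip(("atime", "mtime", "ctime", "crtime"), fields[7:11]):
            t = int(ts)
            if t > 0:                     # 0 means "no timestamp" in body files
                events.append(Event(datetime.fromtimestamp(t, timezone.utc), kind, path))
    return sorted(events)


def time_of_compromise(events, flagged):
    """Earliest creation time of any flagged path, or None if none appear."""
    times = [e.when for e in events if e.kind == "crtime" and e.path in flagged]
    return min(times) if times else None


def timeline_window(events, center, minutes=30):
    """Everything that happened within +/- minutes of the time of compromise."""
    delta = timedelta(minutes=minutes)
    return [e for e in events if abs(e.when - center) <= delta]


# US SSN shape with the invalid area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-16 digits, optional single space or dash between digits.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits):
    """Luhn checksum, used to drop random digit runs that merely look like cards."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        n = int(d)
        if i % 2 == 1:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def scan_pii(files, skip_system=True):
    """Return (path, ssn_count, card_count) for every file with a hit."""
    hits = []
    for path, text in files.items():
        if skip_system and path.startswith(SYSTEM_PREFIXES):
            continue
        ssns = len(SSN_RE.findall(text))
        cards = sum(1 for m in CARD_RE.findall(text) if luhn_ok(re.sub(r"\D", "", m)))
        if ssns or cards:
            hits.append((path, ssns, cards))
    return hits


def run_triage():
    events = parse_body(BODY_FILE)
    toc = time_of_compromise(events, FLAGGED_PATHS)
    window = timeline_window(events, toc) if toc else []
    return {"time_of_compromise": toc, "window": window, "pii": scan_pii(SAMPLE_FILES)}


if __name__ == "__main__":
    result = run_triage()
    print("time of compromise:", result["time_of_compromise"])
    for e in result["window"]:
        print(e.when, e.kind, e.path)
    print("PII hits:", result["pii"])
```

The window is the part an examiner actually wants handed over: the flagged executable plus the Prefetch entry written minutes later, with the unrelated payroll file access days afterwards left out. The PII result gives the Stage 1 "sensitive data presence" answer for the risk assessment without anyone reading the file by hand.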

This sure looks like a case for F-Response, especially if you combine Stage 1 and Stage 2 triage...I'm not saying I built this around it or anything...I'm just saying.