Monday, July 7, 2008

Incident Response & Forensics & Intrusion Detection

I've been way under the weather the last couple of days. The only good thing is I've had the opportunity to finish reading "Network Intrusion Detection", third edition, by Stephen Northcutt and Judy Novak. I'll post a review soon, probably when the meds are done. The book was great, and it has prompted me to start working with NIDS in order to understand them better, while gaining some insight into what is traversing the network.

However, as I was resting, I got to thinking. I really enjoy the incident response work. However, when I read various security books (or take classes) I notice that there is much crossover between the incident response, intrusion detection and forensics disciplines. I think you can definitely make a career in just one of the disciplines. But, in my opinion, a good incident handler is made better if there is a packet capture available (and it can be read and understood by the handler). Also, forensic analysis may need to be performed once an incident has been declared. Similarly, an intrusion analyst is aided if they are familiar with attack signatures and patterns. Finally, forensic analysts may have to capture the data, which draws on the IR discipline.

This is nothing earth shattering, and is probably a common sentiment. However, after reading the book and working in the field, the revelation sort of hit me.
