CyberGuardians

After leaving a cold and rainy 50 degrees and arriving in Orlando to a warm, sunny 80 degrees, I was immediately in a better mood. The Royal Pacific venue is awesome. It's located at Universal Studios, has nice rooms and great restaurants. Registration was quick and painless with no long DefCon style lines. I was surprised a bit though that 1100 people were here as I thought the con would be a little smaller. However it doesn't feel as crowded as some others I've been to. They did mention that the amount of attendees has doubled since 2009. I first attended an Encase Forensic v7 Preview workshop to outline what is being released in June. They have FINALLY added true multi-core, multi-threading to take advantage of good hardware. Some highlights include all modules like the ProTools Suite are now included in the base product and more noteworthy native processing for iOS, RIM, Android, and WinPhone6. There is also a new evidence format (EX01) and shiny new frontend for openin

One of the key metrics Computer Incident Response Teams (CIRTs) often measure is time to containment. This is often seen as a way to guage the performance of the team as it tracks how long it takes to contain a compromised or infected computer from the time of reporting or detection. This number varies widely accross the companies and many simply do not have the capability or desire to record this information. I think this metric often indicates how well the CIRT team knows their environment and the maturity of their processes. So I highly recommend it be a key performance indicator in your CIRT program. Today however I would like to specifically talk about an appropriate goal for this metric in relation to compromise by advanced external threats. So I will be excluding non-targeted malware and insider scenarios. I believe on one end of the spectrum you have teams that like to contain as soon as possible to limit any possible impact, whereas on the opposite end you have teams that like