Chapter 6. Incident Response Operations

Now that we have covered all the background details, from administrative matters to the state of the hack, it is time to discuss actual incident response operations. We’ve arrived at the fun part.

By operations, we mean the steps and procedures taken during an incident to resolve the problem, from the moment it is first detected through the time when it can safely be considered resolved (when its only remaining value is lessons learned and war stories to tell newcomers). We have worked in this domain for the past several years, earning our keep as trailblazers in the incident response field by working at and helping establish the Carnegie Mellon CERT Coordination Center (CERT/CC), the U.S. House of Representatives CERT, the InterNIC-CERT, and the Department of Defense CERT, along with other commercial incident response consulting and training engagements. In this chapter, we stress on-site operations, in which the incident response team leads the hands-on charge to help the customer or client get through an information protection crisis.

Let’s start with an example. In 1999, a company contacted us because they suspected one of their engineers was trafficking in trade secrets -- possibly even selling them to a competitor. The company wanted to catch the engineer in the act and have him prosecuted for his alleged crime, and they needed our assistance. The first thing we did was gather one of our incident response teams into a room equipped ...
