Chill, I’m Sending The Wolf
August 10, 2008
Every now and then I get sent out on incident response engagements. On Wednesday the phone rang; a client had contacted us with a big ongoing incident and needed some help. I was on the next plane out (red-eye - I hate those things!).
While onsite with the client we went to a user’s desktop and were doing some things when the user popped back and was watching us work. He was fine with it and all - a good communication had gone out around the company explaining what was going on, the systems that were being shut down, and allowing us access to whatever we needed (I can’t tell you how rare that is - many companies continue to try and operate as “business as usual”, but this one really did come to terms quickly and take the appropriate action - kudos to them for that). However, in introducing me to the user the client IT person simply said “this is Mr. Wolf - he solves problems”.
The quote obviously is from Pulp Fiction, and got me thinking on how apt that introduction was. When on incident response engagements it’s rare that when I, or one of the other Foundstone guys, get called in we have specific skills that the client’s IT staff do not have - after all, they are the ones that look after the systems day in, day out, during normal usage. What we do bring though is a cool head, an assessment of the situation from previous experience which leads to a plan, very good general knowledge about all the systems/technology/things going on and how they affect the current environment/situation, and most importantly contacts.
The cool head is important - often the local guys may be very stressed out (it’s their systems under attack after all) and oftentimes have been working long hours trying to address the problem before they have called us and we are onsite. The plan is equally important because otherwise people are running around doing “things” which may not be productive at this very moment and there’s no idea of progress. But the key is access to contacts that are very highly specialized in particular areas.
It would be really nice to be an expert in everything, but with today’s computing technologies there’s just far too much for any one person to know. I may be an expert in the web and web application software, and it’s useful for me to be put on those kinds of IR engagements where possible. I can also reverse engineer viruses, look at SQL databases, understand Wireshark traces, look at Solaris boxes, etc., if necessary, but I’m not as good as people who do this every day and have labs set up to work any issues in these environments (on site it’s usually me, a laptop, and sometimes some additional hard-disks or other “gear” to capture what is going to be useful later).
So I thought that was a really insightful analogy (and thanks to that person - you know who you are). Mr Wolf doesn’t necessarily have any skills that Jules and Vincent don’t have, and the actions he gets them to do are nothing that they couldn’t have done (or thought of) themselves if they were level-headed. The single thing that he did have that they probably didn’t is the contact at Monster Joe’s Truck and Tow.
The Foundstone guys already have a new nickname for me, and a little skit [warning, some language in the link some may not appreciate].
And no I don’t dispose of body parts.