tag:blogger.com,1999:blog-7652481.post2985725561960282139..comments2010-01-15T12:54:50.168-05:00David Biancohttp://www.blogger.com/profile/09760835714791462863noreply@blogger.comBlogger4125tag:blogger.com,1999:blog-7652481.post-69059363006500384732010-01-15T12:54:50.168-05:002010-01-15T12:54:50.168-05:00Glad to see you found your pen David. Nice breakdown and very insightful. Good find. FYI...The name for 2010 is already taken however...2010-Revenge of the pw3nd!Ken Bradleyhttp://www.blogger.com/profile/02333524184482740445noreply@blogger.comtag:blogger.com,1999:blog-7652481.post-32922251756273011852010-01-05T17:54:58.634-05:002010-01-05T17:54:58.634-05:00very good article! thanks!aexhttp://www.blogger.com/profile/06950249166550195738noreply@blogger.comtag:blogger.com,1999:blog-7652481.post-54500804624983528412010-01-03T08:14:20.211-05:002010-01-03T08:14:20.211-05:00Agreed 110%!! One way to learn is to fail, and then figure out why/how you failed. Take malware for example...an IR process may be sufficient to catch malware that installs itself as it&#39;s own EXE or Windows Service, but what about when it installs as a DLL under SvcHost (i.e., Conficker) or without any Registry artifacts at all (i.e., Virut)?<br /><br />There&#39;s not going to be any one &quot;best practice&quot; process that fits every infrastructure perfectly...but what we can do, as a community, is come together and share our successes and failures.Keydet89http://www.blogger.com/profile/08966595734678290320noreply@blogger.comtag:blogger.com,1999:blog-7652481.post-62912068654880648642010-01-01T16:51:28.087-05:002010-01-01T16:51:28.087-05:00This is the most introspective and insightful thing I&#39;ve read in, well like a year... <br /><br />If you&#39;ve been saving up 12 months for stuff like this I can now almost excuse you;) Seriously, as someone that does IR as essentially a one person CIRT this is truly paradigm changing stuff.JohnQPublichttp://www.blogger.com/profile/16864008598676484053noreply@blogger.com