Estimate of Incident Cost

This incident was investigated by a team of two people. Their years of experience are outlined in Table 5. Assuming an hourly wage of $33.65 ($70,000/yr) for both investigators, Table 4 shows the cost calculations. The total incident cost amounts to $2132.07.

Table 4. Incident Costs

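| | Hours | Cost ($/hr) | Total | +15% | -15% |
|---|---|---|---|---|---|
| Bo Adler | 35.4 | 33.65 | $1,191.21 | $1,369.89 | $1,012.53 |
| Brad Threatt | 14.1 | 33.65 | $474.47 | $545.64 | $403.30 |
| Subtotal | | | $1665.68 | $1915.53 | $1415.83 |
| Benefits (28%) | | | $466.39 | $536.35 | $396.43 |
| Total | | | $2132.07 | $2451.88 | $1812.26 |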

Table 5. Experience Table

| Investigator | Field | Years | Comments |
|---|---|---|---|
| Bo Adler | Programming | 9 years out of college | This was a difficult question, because I've been programming since childhood and it wasn't clear at what point it counts as "real". The first time I programmed in something besides BASIC or 6502 Assembly was 1984. |
| | System Administration | 13 | "On the job training." |
| | Security | 4 | I've been dealing with attacks and intrusions since 1990, but it's been sporadic and somewhat informal. More recently, I've taken it up as a hobby and worked on a few security related projects. |
| Brad Threatt | Programming | 10 years since college | Like Bo, I have a lot of childhood programming experience, mostly BASIC and 6502 and Z80 machine coding. I didn't get out of that ghetto until 1989, and since then I've mostly walked from C to C++ to Java. |
| | System Administration | 10 years | Most of my sysadmin experience has been in managing my own box and a few larger test networks. |
| | Security | 4 years | Previously, most of my interest had been in cryptographic tools, but these days I'm developing an interest in forensics. |

Table 6. Timecard for Bo Adler

| Time | Description |
|---|---|
| 3.5 hrs | Preparation pre-May 6th. Set up skeleton SGML file for response, created build system and timestamping script, and administrative email with team. |
| 3.6 hrs | Investigation into Q1. |
| 2.5 hrs | Editing of analysis for Q1. |
| 8.25 hrs | Worked on improving decompilation output from REC. Created sendraw.c to generate packets. |
| 8.5 hrs | Further worked on improving decompilation output from REC. Developed sendcmd.c and sniffer. |
| 9 hrs | Final push to write up answers, and edit all files for improved clarity (hopefully!). |

Table 7. Timecard for Brad Threatt

| Time | Description |
|---|---|
| 4 hours 30 minutes | Research on decompilation, attempts at using dcc to decompile single functions in Linux. |
| 90 minutes | Obtaining a suitable libc, installing and running fenris's dress. |
| 30 minutes | Writing up REC use, research and write-up on similar exploits. Writing up the use of fenris. |
| 2 hours 24 minutes | Creating the advisory and a first attempt at the executive summary. |
| 5 hours 12 minutes | Attempts to interpret the assembly code in the switch statement. |