Incident Response & Computer Forensics, Second Edition
Chris Prosise, Kevin Mandia
Outline

After Detection of an Incident
- Overview of the initial response phase
- Establishing an incident notification procedure
- Recording the details after initial detection
- Incident declaration
- Assembling the CSIRT
- Performing traditional investigative steps
- Conducting interviews
- Formulating a response strategy
Incident Response methodology

[Diagram: Incident Occurs (Point-In-Time or Ongoing)]
Pre-Incident Preparation -> Detection of Incidents -> Initial Response -> Formulate Response Strategy -> Investigate the Incident (Data Collection -> Data Analysis) -> Reporting -> Resolution (Recovery, Implement Security Measures)
Overview of the initial response phase

[Diagram: Incident Occurs (Point-In-Time or Ongoing)]
Incident Detection -> Initial Notification of Incident -> Record Details -> Incident Declaration -> Assembling the CSIRT (Escalation, Notification of Team Members, Selecting Team Members)
Recording the details after initial detection

Initial Response Checklist
- First Section of the Initial Response Checklist
- Second Section of the Initial Response Checklist
  - System details
  - Incident containment
  - Preliminary investigation
  - Case Notes
First Section of the Initial Response Checklist

- Date the incident was detected or initiated
- Contact information of the person completing the form
- Contact information of the person who detected the incident
- The type of incident
- The location(s) of the computers affected by the incident
- The date the incident was first noticed
- A description of the physical security at the location(s)
- How the incident was detected
- Who accessed or touched the relevant system(s) since the onset of the incident
- Who has had physical access to the affected system(s) since the onset of the incident
- Who currently knows about the incident
Second Section of the Initial Response Checklist

System details
- Make and model of the relevant system(s)
- Operating system
- Primary user of the system(s)
- System administrator for the system(s)
- Network address or IP address of the relevant system(s)
- Network name of the system(s)
- Whether there is a modem connection to the system(s)
- Critical information that may have resided on the system(s)

Incident containment
- Whether the incident is in progress or ongoing
- Whether network monitoring is needed or is being conducted
- Whether the system is still connected to the Internet/network
- Whether backup tapes exist for the relevant system(s)
- Whether there is a requirement to keep knowledge of the incident on a "need-to-know" basis
- Whether any remedial steps have been taken so far
- Whether the information collected is being stored in a protected, tamper-proof manner

Preliminary investigation
- The IP addresses involved in the incident
- Whether any investigative steps or actions have already been taken
- Whether a forensic duplication needs to be made, or whether a logical copy of the relevant system(s) will suffice
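The containment section asks whether the information collected is being stored in a protected, tamper-proof manner. As an added example (not from the book or these slides), the Python below records checklist answers as case notes in a hash-chained, append-only log: each entry's SHA-256 covers the previous entry's hash, so a later edit or deletion of any entry breaks the chain and is reported by the verifier. The section names, field names, analyst names and sample answers are constructed for illustration.

```python
"""Tamper-evident case notes for the Initial Response Checklist (added example).

Every entry is a JSON record whose hash covers the previous record's hash,
so altering or deleting an earlier entry is detected when the chain is
recomputed. Field names and sample values below are constructed.
"""
import copy
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # stand-in for "no previous entry" before the first record


def _digest(prev_hash: str, record: dict) -> str:
    # Canonical JSON (sorted keys, compact separators) so the hash does not
    # depend on dict ordering; prefixing prev_hash links the entries.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append_entry(log: List[dict], section: str, field: str, value: str,
                 recorded_by: str, when: Optional[str] = None) -> dict:
    """Append one checklist answer to the log and return the stored entry."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    record = {
        "seq": len(log) + 1,
        "time": when or datetime.now(timezone.utc).isoformat(),
        "section": section,
        "field": field,
        "value": value,
        "recorded_by": recorded_by,
    }
    entry = {**record, "prev_hash": prev_hash, "hash": _digest(prev_hash, record)}
    log.append(entry)
    return entry


def verify_log(log: List[dict]) -> Tuple[bool, Optional[int]]:
    """Recompute the chain. Returns (ok, position of the first bad entry or None)."""
    prev_hash = GENESIS
    for expected_seq, entry in enumerate(log, start=1):
        record = {k: v for k, v in entry.items() if k not in ("prev_hash", "hash")}
        if (entry["seq"] != expected_seq            # gap => an entry was removed
                or entry["prev_hash"] != prev_hash  # link to predecessor broken
                or entry["hash"] != _digest(prev_hash, record)):  # content changed
            return False, expected_seq
        prev_hash = entry["hash"]
    return True, None


def build_sample_log() -> List[dict]:
    """Constructed entries following the checklist sections above."""
    log: List[dict] = []
    ts = "2024-01-01T00:00:00+00:00"  # fixed constructed timestamp
    append_entry(log, "first section", "type of incident", "unauthorized access (constructed)", "analyst-1", ts)
    append_entry(log, "system details", "operating system", "Linux (constructed)", "analyst-1", ts)
    append_entry(log, "incident containment", "still connected to network", "no", "analyst-1", ts)
    append_entry(log, "preliminary investigation", "forensic duplication needed", "yes", "analyst-2", ts)
    return log


def tampered_copy(log: List[dict]) -> List[dict]:
    """Copy of the log in which entry 3's answer is silently changed after the fact."""
    bad = copy.deepcopy(log)
    bad[2]["value"] = "yes"
    return bad


def deleted_copy(log: List[dict]) -> List[dict]:
    """Copy of the log with entry 2 removed; the sequence gap exposes the deletion."""
    bad = copy.deepcopy(log)
    del bad[1]
    return bad


if __name__ == "__main__":
    notes = build_sample_log()
    print("intact:   ", verify_log(notes))            # (True, None)
    print("tampered: ", verify_log(tampered_copy(notes)))  # (False, 3)
    print("deleted:  ", verify_log(deleted_copy(notes)))   # (False, 2)
```

The chain only proves that entries were not changed after they were written; whoever can rewrite the whole file can rebuild the chain. In practice the latest hash is copied off the system being investigated (into the paper case notes, or to a separate write-once store) so the log can be checked against an independent anchor.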
Incident Declaration

- Was there a scheduled system or network outage that caused resources to be unavailable during the time the incident was reported?
- Was there an unscheduled and unreported outage at a network service provider that caused resources to be unavailable during the time the suspected incident was reported?
- Was the affected system recently upgraded, patched, reconfigured, or otherwise modified in such a way as to cause the suspicious activity that was reported?
- Was testing being performed on the network that would lock out accounts or cause resources to be unavailable?
- For inside incidents, are there any justifications for the actions an employee has taken that remove or lessen the suspicion?
Next Time

- Assembling the CSIRT
- Performing traditional investigative steps
- Conducting interviews
- Formulating a response strategy