9. Definition
• Event - Activity that we monitor (Log)
• Incident - the damage event.
• Incident Response(IR) - Actions taken
subsequent to an incident to understand the
incident and take remedial action
10. Top Priority for IR.
• Identify the problems
• Fix the problems.
• Recovery system back to normal.
11. Step of IR.
Source:: http://www.emrisk.com/sites/default/files/images/newsletters/Incident%20Response%20Cycle.png
12. Step of IR.
• Preparation
• Skill, Procedure , Log, Tools, Forms, Policies, Checklists, etc.
• Detection(Identification) & Analysis
• From Best Practise, Researching and Lesson Learned
• Containment
• Eradication
• Remediation
• Post-Incident Activities(Lesson Learned)
• What are they doing
• Where are they doing
• What backdoor have they left
• Develop Attack Signatures.
13. Step of IR.
• Preparation
• Skill, Procedure , Log, Tools, Forms, Policies, Checklists, etc.
• Detection(Identification) & Analysis
• From Best Practise, Researching and Lesson Learned
• Containment
• Eradication
• Remediation
• Post-Incident Activities(Lesson Learned)
• What are they doing
• Where are they doing
• What backdoor have they left
• Develop Attack Signatures.
14. Step of IR.
• Preparation
• Skill, Procedure , Log, Tools, Forms, Policies, Checklists, etc.
• Detection(Identification) & Analysis
• From Best Practise, Researching and Lesson Learned
• Containment
• Eradication
• Remediation
• Post-Incident Activities(Lesson Learned)
• What are they doing
• Where are they doing
• What backdoor have they left
• Develop Attack Signatures.
15. Step of IR.
• Preparation
• Skill, Procedure , Log, Tools, Forms, Policies, Checklists, etc.
• Detection(Identification) & Analysis
• From Best Practise, Researching and Lesson Learned
• Containment
• Eradication
• Remediation
• Post-Incident Activities(Lesson Learned)
• What are they doing
• Where are they doing
• What backdoor have they left
• Develop Attack Signatures.
16. Step of IR.
• Preparation
• Skill, Procedure , Log, Tools, Forms, Policies, Checklists, etc.
• Detection(Identification) & Analysis
• From Best Practise, Researching and Lesson Learned
• Containment
• Eradication
• Remediation
• Post-Incident Activities(Lesson Learned)
• What are they doing
• Where are they doing
• What backdoor have they left
• Develop Attack Signatures.
17. Step of IR.
• Preparation
• Skill, Procedure , Log, Tools, Forms, Policies, Checklists, etc.
• Detection(Identification) & Analysis
• From Best Practise, Researching and Lesson Learned
• Containment
• Eradication
• Remediation
• Post-Incident Activities(Lesson Learned)
• What are they doing
• Where are they doing
• What backdoor have they left
• Develop Attack Signatures.
18. What to look for
• Look for abnormalities
• Performance issues, off peak activity
• Redirect some client.
• Example Indicators
• new accounts, new directories, new file in website, file system changes, crashes, unusual
system usage patterns
• Example Sources
• Access Log, IDS, IPS, Firewall, System Log, Suspicious Traffic
• Potential Issue
• File/ Folder Encryption
• BIOS Password Protection
• Whole Disk Encryption/ Risk
19. What to look for
• Look for abnormalities
• Performance issues, off peak activity
• Redirect some client.
• Example Indicators
• new accounts, new directories, new file in website, file system changes, crashes, unusual
system usage patterns
• Example Sources
• Access Log, IDS, IPS, Firewall, System Log, Suspicious Traffic
• Potential Issue
• File/ Folder Encryption
• BIOS Password Protection
• Whole Disk Encryption/ Risk
20. What to look for
• Look for abnormalities
• Performance issues, off peak activity
• Redirect some client.
• Example Indicators
• new accounts, new directories, new file in website, file system changes, crashes, unusual
system usage patterns
• Example Sources
• Access Log, IDS, IPS, Firewall, System Log, Suspicious Traffic
• Potential Issue
• File/ Folder Encryption
• BIOS Password Protection
• Whole Disk Encryption/ Risk
21. What to look for
• Look for abnormalities
• Performance issues, off peak activity
• Redirect some client.
• Example Indicators
• new accounts, new directories, new file in website, file system changes, crashes, unusual
system usage patterns
• Example Sources
• Access Log, IDS, IPS, Firewall, System Log, Suspicious Traffic
• Potential Issue
• File/ Folder Encryption
• BIOS Password Protection
• Whole Disk Encryption/ Risk
40. Forensic
• Containment
• Ensure that the system(s) and network are protected from further risk.
• Isolate the compromised system(s)
• Eradication
• How they got in
• Where they went
• What they did
• The removal of malware
• Patching Vulnerability
• Identifying vulnerability
• Improve network and system countermeasures
41. Forensic
• Containment
• Ensure that the system(s) and network are protected from further risk.
• Isolate the compromised system(s)
• Eradication
• How they got in
• Where they went
• What they did
• The removal of malware
• Patching Vulnerability
• Identifying vulnerability
• Improve network and system countermeasures
42. Recovery(Restore/Rebuild)
• Restore status of service to normal
• System owners decide based on advice from
incident handling team - Business Decision.
• Monitor the service after recovery
• Performance
• Anomalies
43. Lesson Learned
• Detail of incident report
• Communicate to others on the team
• Apply fixes in environment
• Conduct a performance analysis of the overall incident and improve operations
• “Not!!!!” Blaming people
• Review/Rewrite Policy
• Determines cost of incident
• Apply lesson learned to the entire entity
• Budget for, install, and maintain protection software