First Responders Course - Session 4 - Forensic Readiness [2004]
2. The goals of Forensic Readiness are to decrease the time and cost of Forensic Analysis (and Scope Assessment) while increasing their effectiveness.
The main idea in Forensic Readiness is to build an infrastructure that supports the needs (data) of an investigation.
The main areas include:
Logging and monitoring
Build Management & Inventory
User Policies
Reporting forms
3. Data is critical to Forensic Analysis
If the needed data is not being recorded, then it cannot be used in the investigation.
Forensic Readiness assesses what network and system information should be recorded every day and what should be recorded during an incident.
4. Goal: To create data entry forms that will contain the information that needs to be gathered during an incident
Every action performed during an incident should be documented
Forms help to ensure that the proper data is recorded
Examples:
Chain of Custody: Records who has control of the data at a given time
System Acquisition Form: When the response team takes a system from its owner, this records the system description and the owner's signature
Hard Disk Form: Records the history of each drive used during the incident, including serial numbers and which systems it was installed in
Investigator Log: Allows the responder to document their actions
Form templates are included in your course handbook and will be included on the course CD-ROM.
9. Log data can be crucial to the investigation
There are two major issues with logging and forensics:
1. Many incidents involve someone gaining unauthorized privileged access, and most logs can be modified or deleted by such a user.
2. Not all systems log the information an investigation needs.
10. All servers send a copy of their log data to a dedicated log server
The server can be on the normal network or on a dedicated network
The server is secured to allow only log data (syslog) and SSH access, and is treated as a critical asset when patching systems
Syslog Example:
UNIX servers are configured to redirect syslog output to the log server
Windows servers use 3rd-party tools to send event logs to the log server
11. All logs can be analyzed on a periodic basis to detect anomalies
A central copy makes it more difficult for an attacker to modify the logs, because the entries have already left the compromised host
It is important to correlate events from multiple sources, so that the locally stored logs can be compared with the remotely stored logs
This server will be the target of many attacks, which may alert one to other attacks if it is watched closely
12. Windows stores logs in event files
3rd-party programs run on a scheduler and send new event entries to the syslog server:
Event Reporter (www.eventreporter.com)
NT Syslog (www.ntsyslog.sourceforge.net)
evlogsys.pl (Perl script)
Back Log (NT only)
There is a slight window of opportunity with this model for the attacker to delete the logs before the collection tool runs
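The comparison that slides 11 and 12 call for, as an added example (not part of the course materials): the central server's copy is taken as the reference, and any event it holds that the host's own log no longer contains is reported as deleted or rewritten on the host. The syslog lines are constructed for the example, and the host name web1 is hypothetical.

```python
"""Detect local log tampering by diffing a host's syslog against the copy the
central log server received.  Added example with constructed sample lines;
the host "web1" and the file contents are hypothetical."""
import re
from collections import Counter

# Constructed sample: what the central log server holds for host "web1".
CENTRAL = """\
Mar  3 10:01:07 web1 sshd[2210]: Accepted password for root from 203.0.113.9 port 4112 ssh2
Mar  3 10:01:12 web1 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar  3 10:02:30 web1 sshd[2244]: Failed password for admin from 203.0.113.9 port 4120 ssh2
Mar  3 10:03:01 web1 CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 10:04:45 web1 useradd[2351]: new user: name=svc_bkp, UID=1005, GID=1005, home=/home/svc_bkp
""".splitlines()

# Constructed sample: the same log as read from the host after the incident.
# The root login and the useradd entry are gone and the sudo entry was edited.
LOCAL = """\
Mar  3 10:01:12 web1 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/top
Mar  3 10:02:30 web1 sshd[2244]: Failed password for admin from 203.0.113.9 port 4120 ssh2
Mar  3 10:03:01 web1 CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)
""".splitlines()

# Classic BSD syslog header: "Mon dd hh:mm:ss host message".
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")


def normalise(line):
    """Reduce a line to a (timestamp, host, message) key so the same event
    compares equal even if the two copies differ in trailing whitespace."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return (m.group("ts"), m.group("host"), m.group("msg").strip())


def compare_logs(central_lines, local_lines):
    """Return (missing_locally, only_locally).

    missing_locally: events the central server has but the host copy lacks,
                     i.e. deleted or rewritten on the host.
    only_locally:    events the host has that never reached the central server,
                     e.g. a rewritten line, or entries from after the last
                     forwarding run (the window of opportunity on slide 12).
    Counters are used so duplicated events are compared by count, not presence."""
    central = Counter(k for k in map(normalise, central_lines) if k)
    local = Counter(k for k in map(normalise, local_lines) if k)
    missing_locally = sorted((central - local).elements())
    only_locally = sorted((local - central).elements())
    return missing_locally, only_locally


def audit_sample():
    """Run the comparison over the constructed sample above."""
    return compare_logs(CENTRAL, LOCAL)


if __name__ == "__main__":
    missing, extra = audit_sample()
    for ts, host, msg in missing:
        print(f"DELETED/REWRITTEN on {host}: {ts} {msg}")
    for ts, host, msg in extra:
        print(f"LOCAL ONLY on {host}: {ts} {msg}")
```

Events that appear only locally are not automatically suspicious: everything logged after the last forwarding run will show up there, which is exactly the window slide 12 warns about, so the comparison should be run against a central copy collected after the host was isolated.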
13. Goal: To ensure that the proper data is logged and that it is stored in a way that can be used during forensics
Send logs to a central server to secure them during an attack
Ensure log files have strict permissions so that only a privileged user can write to them.
If possible, only allow the log to be appended to, and deny all read access
Identify what OS events should be logged:
User Logins
System Reboots
As much as possible, based on space requirements
Process logging can require large amounts of storage
14. Identify which application events should be logged:
As much as possible, based on space requirements
Log all network devices:
Firewalls
VPNs
Routers
Dialups
Servers
Use Network Time Protocol (NTP) on every machine so that timestamps from different sources can be correlated
Log by IP, do not resolve hostnames: reverse lookups slow down logging, and the PTR record is controlled by whoever owns the address, so a resolved name can be wrong or attacker-chosen
15. Log Integrity
Generate checksums of log files when they are saved and rolled over, and keep them off the host (the slide names MD5; MD5 is no longer collision-resistant, so use SHA-256 or a keyed MAC today)
Use a secure (crypto-based) logging system:
Core SDI
syslog-ng
IETF Secure Syslog
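One way to do the checksum-at-rollover step from slide 15 so that it also catches a deleted or reordered rotation, as an added example that is not part of the course materials: each rotated file gets a manifest entry whose keyed MAC covers the file hash and the previous entry's MAC, forming a chain. The key, file names and log contents are constructed; the assumption is that the key and the latest manifest are kept on the log server, not on the host being protected.

```python
"""Hash-chained, HMAC-protected manifest for rotated log files.
Added example; the key and the log contents below are constructed."""
import hashlib
import hmac
import json

# Assumption: this key lives off the log host (e.g. on the central log server),
# so an attacker with root on the host cannot mint valid manifest entries.
MANIFEST_KEY = b"constructed-demo-key-keep-this-off-host"


def file_digest(data: bytes) -> str:
    """SHA-256 rather than the MD5 named on the 2004 slide."""
    return hashlib.sha256(data).hexdigest()


def _mac(fields: dict) -> str:
    """Keyed MAC over a canonical JSON rendering of the entry fields."""
    payload = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(MANIFEST_KEY, payload, hashlib.sha256).hexdigest()


def append_entry(manifest: list, name: str, data: bytes) -> list:
    """Record one rotated log.  'prev' links to the previous entry's MAC, so
    removing or reordering entries later breaks the chain."""
    prev_mac = manifest[-1]["mac"] if manifest else ""
    entry = {"seq": len(manifest), "name": name, "sha256": file_digest(data), "prev": prev_mac}
    entry["mac"] = _mac(entry)          # MAC covers seq, name, sha256 and prev
    manifest.append(entry)
    return manifest


def verify(manifest: list, files: dict):
    """Check the chain, then each file.  `files` maps rotated-log name to the
    bytes found on disk now.  Returns (ok, list_of_problems)."""
    problems = []
    prev_mac = ""
    for i, entry in enumerate(manifest):
        fields = {k: entry[k] for k in ("seq", "name", "sha256", "prev")}
        if (entry["seq"] != i or entry["prev"] != prev_mac
                or not hmac.compare_digest(_mac(fields), entry["mac"])):
            problems.append(f"entry {i} ({entry['name']}): chain or MAC broken")
        data = files.get(entry["name"])
        if data is None:
            problems.append(f"{entry['name']}: rotated log missing")
        elif file_digest(data) != entry["sha256"]:
            problems.append(f"{entry['name']}: contents changed since rotation")
        prev_mac = entry["mac"]
    return not problems, problems


def demo():
    """Three rotations, then a check against a tampered set of files."""
    logs = {"auth.log.1": b"Accepted password for root\n",
            "auth.log.2": b"Failed password for admin\n",
            "auth.log.3": b"CRON run-parts\n"}
    manifest = []
    for name in sorted(logs):
        append_entry(manifest, name, logs[name])
    ok_clean, _ = verify(manifest, logs)

    tampered = dict(logs)
    tampered["auth.log.1"] = b"\n"      # attacker emptied the interesting file
    del tampered["auth.log.2"]          # and deleted another rotation
    ok_tampered, problems = verify(manifest, tampered)
    return ok_clean, ok_tampered, problems


if __name__ == "__main__":
    print(demo())
```

The chain proves nothing about entries that were cut off the end of the manifest, so the verifier must also know how many entries, or which final MAC, to expect; storing the latest MAC on the log server each time a rotation is recorded closes that gap.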
16. Goal: To record needed network traffic to provide new evidence and correlate activity. This is from the investigation perspective, not detection.
An IDS can be used to record all events without generating alerts
A general sniffer can record all raw data:
tcpdump
Ethereal (now Wireshark)
Protocol analyzers can process the raw output of tcpdump:
NetWitness
Ethereal
17. Available storage will be the only limit on how much data can be kept
Specialized hardware or a SAN could be worthwhile
If monitoring is not always on, a dedicated system should exist that can start monitoring when an incident occurs
18. Goal: To record host activity, not already being logged, which will assist in a forensic investigation.
This level of recording is needed only for the most sensitive systems
Keystroke recorders can be either:
Software: runs as a service and can hide the data in an encrypted file or email it to a remote location
Hardware: a device that the keyboard plugs into, which saves the keystrokes in the hardware itself (does not record the window title)
19. Goal: To document a system's state
A common task in forensics is to identify which binaries were replaced with a trojaned version
Change management identifies which patch level the systems should be at
Checksums of the binaries (MD5 at the time; SHA-256 today) can be calculated for each machine and stored off-line (similar to Tripwire)
Configurations are recorded to identify which services are supposed to be running and which are backdoors
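A Tripwire-style baseline and comparison for slide 19, as an added example rather than anything from the course or from Tripwire itself: the baseline records a hash, size and permission bits for every regular file under a tree, is stored away from the machine, and is later diffed against the live tree to list replaced, added and removed files. The tree it builds in a temporary directory is constructed, and the "trojaned ps" and ".sshd backdoor" are illustrative file names.

```python
"""Baseline a directory tree and later diff the live tree against it.
Added example; the files created in the temp directory are constructed."""
import hashlib
import json
import os
import stat
import tempfile


def hash_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def baseline(root):
    """{relative path: {sha256, size, mode}} for every regular file under root.
    Mode is included so a setuid bit added to an unchanged binary still shows."""
    base = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            st = os.lstat(p)
            if not stat.S_ISREG(st.st_mode):
                continue        # symlinks/devices would need their own record type
            base[os.path.relpath(p, root)] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return base


def compare(saved, root):
    """Diff a saved baseline against the live tree."""
    live = baseline(root)
    report = {"modified": [], "added": [], "removed": []}
    for rel, rec in saved.items():
        cur = live.get(rel)
        if cur is None:
            report["removed"].append(rel)
        elif cur != rec:
            report["modified"].append(rel)
    report["added"] = sorted(set(live) - set(saved))
    report["modified"].sort()
    report["removed"].sort()
    return report


def demo():
    """Build a small 'bin' tree, baseline it, simulate a rootkit, and diff."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        os.makedirs(bin_dir)
        for name, body in (("ls", b"ELF original ls"),
                           ("ps", b"ELF original ps"),
                           ("netstat", b"ELF original netstat")):
            path = os.path.join(bin_dir, name)
            with open(path, "wb") as f:
                f.write(body)
            os.chmod(path, 0o755)
        # Round-trip through JSON as it would be when stored off-line.
        saved = json.loads(json.dumps(baseline(root)))

        # Simulated compromise: same-size trojaned ps, setuid bit on ls,
        # a new hidden file, and netstat removed.
        with open(os.path.join(bin_dir, "ps"), "wb") as f:
            f.write(b"ELF trojaned ps")
        os.chmod(os.path.join(bin_dir, "ls"), 0o4755)
        with open(os.path.join(bin_dir, ".sshd"), "wb") as f:
            f.write(b"backdoor")
        os.remove(os.path.join(bin_dir, "netstat"))
        return compare(saved, root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Size and modification time are not enough on their own: the trojaned ps in the demo has the same length as the original, and a kernel-level rootkit can lie to a hashing tool run on the live system, which is why the slide has the checksums computed from a known-good image and kept off the machine.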
20. Goal: To document ownership of hardware and addresses
This is most useful with internal investigations
Allows one to identify the system with a given MAC address (from DHCP logs)
Allows one to identify who has a given hostname (which is found in system logs)
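The lookup slide 20 describes, as an added example not from the course materials: given an IP and a time taken from some other log, find the most recent DHCP acknowledgement for that address at or before that time and map the MAC to an owner in the hardware inventory. The dhcpd lines follow the ISC dhcpd syslog format but are constructed, the inventory table is hypothetical, and the year is supplied by the caller because BSD syslog timestamps carry none.

```python
"""Tie an IP seen in a log at a given time back to a MAC and an inventory
owner using DHCPACK lines.  Added example; log lines and inventory are
constructed."""
import re
from datetime import datetime

# Constructed dhcpd lines.  10.0.0.5 changes hands twice during the day.
DHCP_LOG = """\
Mar  3 09:00:01 dhcp1 dhcpd: DHCPACK on 10.0.0.5 to 00:11:22:33:44:55 (alice-laptop) via eth0
Mar  3 09:30:10 dhcp1 dhcpd: DHCPACK on 10.0.0.9 to 66:77:88:99:aa:bb (printer-2) via eth0
Mar  3 11:45:20 dhcp1 dhcpd: DHCPACK on 10.0.0.5 to de:ad:be:ef:00:01 via eth0
Mar  3 12:10:00 dhcp1 dhcpd: DHCPACK on 10.0.0.5 to 00:11:22:33:44:55 (alice-laptop) via eth0
""".splitlines()

# Hypothetical hardware inventory: MAC -> owner / asset tag.
INVENTORY = {
    "00:11:22:33:44:55": "A. Smith, laptop #0231",
    "66:77:88:99:aa:bb": "Facilities printer #0412",
}

ACK_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ dhcpd: "
    r"DHCPACK on (?P<ip>[\d.]+) to (?P<mac>[0-9a-fA-F:]{17})"
    r"(?: \((?P<name>[^)]*)\))? via"
)


def parse_acks(lines, year=2004):
    """[(timestamp, ip, mac, hostname-or-None)] sorted by time.
    `year` is an assumption supplied by the caller: syslog omits it."""
    acks = []
    for line in lines:
        m = ACK_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        acks.append((ts, m["ip"], m["mac"].lower(), m["name"]))
    return sorted(acks)


def who_had(ip, when, acks):
    """Most recent lease for `ip` at or before `when`.
    Returns (mac, hostname, owner) or None if the address was never leased."""
    last = None
    for ts, lease_ip, mac, name in acks:
        if lease_ip == ip and ts <= when:
            last = (mac, name, INVENTORY.get(mac, "UNKNOWN: not in inventory"))
    return last


def lookup(ip, when_iso, lines=DHCP_LOG):
    """Convenience wrapper; `when_iso` is e.g. '2004-03-03T11:50:00'."""
    return who_had(ip, datetime.fromisoformat(when_iso), parse_acks(lines))


if __name__ == "__main__":
    # A firewall log shows 10.0.0.5 scanning the server VLAN at 11:50.
    print(lookup("10.0.0.5", "2004-03-03T11:50:00"))
```

Two limits to keep in mind: a machine with a static address never appears in the DHCP log at all, and an attacker can simply configure an address by hand, so a MAC seen in a switch's port or ARP tables is the stronger record; the DHCP lookup is a starting point for an internal investigation, not proof of who was at the keyboard.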
21. Goal: To set users' expectation of privacy appropriately
An investigation may need access to a user's mailbox or other "private" data
How much privacy users have should be decided before an incident occurs
The Data Protection Act requires users to be notified of and to accept any monitoring, and requires monitoring to be a normal administration task. Suddenly increasing monitoring is not acceptable under the DPA.
22. Goal: To build the infrastructure needed for an in-house forensics lab (if one does not outsource it)
The forensics lab has requirements that other technology labs do not, because of its legal requirements
Location:
Little traffic
Secured by key badge or another auditable mechanism
Camera surveillance
Separate computer network
A safe for long-term data storage (with sign-out sheets)
23. Contents will vary depending on the supported platforms
At least one system of each supported platform
Linux can mount most file system images, and tools exist for more advanced analysis (The Sleuth Kit)
Windows does not have many native tools, but specialized tools exist for analysis of Windows systems (EnCase etc.)
Binary analysis capabilities
Malicious code monitoring capabilities
24. Many proactive steps can be taken to handle incidents effectively
Readiness forces an organization to consider how to handle an incident before it occurs
The amount of documentation required will depend on the organization