
1. Identification
1.1. First phase: confirms that an event is a real incident so it can be categorized and responded to
1.2. Primary source: system and network audit logs
1.3. Ways an incident is detected
1.3.1. Alerts from IDS/IPS and firewalls
1.3.2. Antimalware solution alerts
1.3.3. Audit, system and security logs
1.3.4. Unexpected corruption or deletion of data
1.3.5. Unusual system crashes
1.3.6. Unusual or suspicious activity on hosts
1.3.7. Activity that violates the organization's security policy
1.3.8. Phishing e-mails received, or website defacement
1.4. Involves
1.4.1. Validating the incident
1.4.2. Identifying
1.4.2.1. the nature of the incident
1.4.2.2. the evidence to protect
1.4.3. Logging the incident and reporting it
1.5. Includes
1.5.1. Audit log collection, examination and analysis
1.5.1.1. e.g. SIEM or log server
1.5.2. Incident reporting and assessment
1.5.2.1. e.g. date and time, system information and configuration
1.5.3. Collecting and protecting system information
1.5.3.1. e.g. interviews, forensic analysis and reports, backups
1.5.4. Incident severity levels
1.5.4.1. Incident Investigation Coordinator
1.5.5. Analysis of other systems
1.5.5.1. Systems sharing the same
1.5.5.1.1. IP address range
1.5.5.1.2. Network segment
1.5.5.1.3. Network domain
1.5.5.1.4. Other critical systems
1.5.6. Assigning members to the incident task force
1.5.6.1. e.g. software engineers
1.5.6.2. division managers
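The Identification phase above comes down to two concrete tasks: examining audit logs for the "unusual or suspicious activity" that makes an event a real incident, and scoping which other systems (same network segment, same address range) need the same check. The script below is an added example written for this page, not code from the original outline. It runs a brute-force detection over a few constructed sshd-style auth log lines (a burst of failed logins from one source followed by a successful one) and then lists the other hosts in the affected host's /24 from a constructed inventory; host names, addresses and log lines are all made up for the example.

```python
"""Added example (not part of the original outline): identification-phase
triage over constructed sshd-style auth log lines.

  1. audit log examination: flag a source that produces many failed logins
     followed by a success (a brute-force pattern), and
  2. scoping: list other inventoried hosts on the same network segment as
     the affected host, so they can be examined for the same activity.

Host names, addresses and log lines below are constructed for the example.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: syslog-style sshd lines from host "web01".
SAMPLE_LOG = """\
Mar 14 02:11:03 web01 sshd[4121]: Failed password for invalid user admin from 203.0.113.45 port 51822 ssh2
Mar 14 02:11:05 web01 sshd[4121]: Failed password for invalid user admin from 203.0.113.45 port 51822 ssh2
Mar 14 02:11:07 web01 sshd[4123]: Failed password for root from 203.0.113.45 port 51830 ssh2
Mar 14 02:11:09 web01 sshd[4125]: Failed password for root from 203.0.113.45 port 51834 ssh2
Mar 14 02:11:12 web01 sshd[4127]: Failed password for root from 203.0.113.45 port 51840 ssh2
Mar 14 02:11:15 web01 sshd[4129]: Accepted password for root from 203.0.113.45 port 51846 ssh2
Mar 14 02:30:00 web01 sshd[4201]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Mar 14 02:30:20 web01 sshd[4203]: Accepted password for alice from 198.51.100.7 port 40024 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)

def parse_auth_log(text):
    """Parse sshd auth lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def find_brute_force(events, threshold=5):
    """Return {src: finding} for sources with >= threshold failed logins before
    a success. The finding records the host, the users tried and the account
    that finally got in; a single typo followed by a login is not flagged."""
    failures = defaultdict(int)
    users = defaultdict(set)
    findings = {}
    for ev in events:
        src = ev["src"]
        if ev["result"] == "Failed":
            failures[src] += 1
            users[src].add(ev["user"])
        elif failures[src] >= threshold:
            findings[src] = {"host": ev["host"], "failures": failures[src],
                             "users_tried": sorted(users[src]),
                             "compromised_account": ev["user"], "at": ev["ts"]}
    return findings

def related_hosts(inventory, affected, prefixlen=24):
    """Other inventoried hosts in the same /prefixlen segment as the affected
    host: the "other systems" the Identification phase says to examine."""
    net = ipaddress.ip_network(f"{inventory[affected]}/{prefixlen}", strict=False)
    return sorted(h for h, ip in inventory.items()
                  if h != affected and ipaddress.ip_address(ip) in net)

# Constructed asset inventory (hostname -> address).
INVENTORY = {
    "web01": "10.20.30.11", "web02": "10.20.30.12", "db01": "10.20.30.40",
    "hr-fs01": "10.20.31.5", "build01": "10.20.32.9",
}

if __name__ == "__main__":
    findings = find_brute_force(parse_auth_log(SAMPLE_LOG))
    for src, f in findings.items():
        print(f"{src}: {f['failures']} failures then login as {f['compromised_account']} "
              f"on {f['host']} at {f['at']} (tried {', '.join(f['users_tried'])})")
        print("  also examine:", ", ".join(related_hosts(INVENTORY, f["host"])))
```

The threshold and the /24 assumption are the parts to tune for a real environment; the point of the structure is that the detection returns a record (source, host, account, time) that can go straight into the incident report the next phase asks for.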
2. Recording
2.1. Accurately storing the details of the occurrence
2.2. Included
3. Initial response
3.1. First step
3.1.1. Discussing with
3.1.1.1. System and network administrators
3.1.1.2. Business personnel
3.1.2. Examining
3.1.2.1. reports, logs, architecture, ACLs...
3.1.3. Should
3.1.3.1. Determine whether the incident is real or a false positive
3.1.3.2. Gather information
3.1.3.3. Record your own actions so the attack is documented
3.2. Involves
3.2.1. Initial investigation
3.2.2. Storing the details of the incident
3.2.3. Creating the incident response team
3.2.4. Assessing the impact
3.2.5. Notifying the relevant individuals
3.3. Purpose
3.3.1. Document the steps to be followed when responding to an incident
4. Communicating the incident
4.1. Communicate any suspected security breach
4.2. Discuss the breach with other members of the organization
4.3. Maintain appropriate controls and coordination
4.4. Discuss the incident with the legal representative if a lawsuit is to be filed
4.5. Share lessons learned and use the media to create awareness
5. Containment
5.1. Techniques
5.1.1. Disabling specific system services
5.1.2. Changing passwords and disabling accounts
5.1.3. Backing up the infected system (before any change, so evidence is preserved)
5.1.4. Temporary shutdown of the infected system (loses volatile evidence; capture memory first if it is needed)
5.1.5. System restoration
5.1.6. Maintaining a low profile (do not alert the attacker)
5.2. Priorities when minimizing the risk
5.2.1. Providing security and safety to people
5.2.2. Protecting confidential and sensitive data
5.2.3. Safeguarding business, scientific and managerial information
5.2.4. Protecting hardware and software against future attacks
5.3. Goal
5.3.1. Reduce the potential effect or damage of the incident
6. Formulating a Response Strategy
6.1. Depends on the incident situation
6.2. Goal
6.2.1. Select the most appropriate response procedure
6.3. Factors
6.3.1. Political
6.3.2. Technical
6.3.3. Legal
6.3.4. Business
7. Incident Classification
7.1. Based on severity and potential targets
7.2. Classification steps
7.2.1. Categorization
7.2.2. Priority level
7.2.2.1. Levels
7.2.2.1.1. High
7.2.2.1.2. Medium
7.2.2.1.3. Low
7.2.3. Resource allocation
7.3. Factors
7.3.1. Nature of the incident
7.3.2. Criticality of the systems
7.3.3. Number of systems impacted
7.3.4. Legal and regulatory requirements
8. Incident Investigation
8.1. Process for gathering and analyzing the evidence
8.1.1. Answers the WH questions (who, what, when, where, why, how)
8.2. Examines
8.2.1. The incident itself
8.2.2. Time of the incident
8.2.3. Perpetrator
8.2.4. Mitigation steps
8.2.5. Systems and networks involved
8.3. Two phases: data collection (step 9) and forensic analysis (step 10)
9. Data Collection
9.1. Gathering known facts and evidence
9.2. Basic areas of evidence
9.2.1. Host-based
9.2.2. Network-based
9.2.3. Other evidence
10. Forensic Analysis
10.1. Software analysis, keyword searches, recovery of deleted information
10.2. Determines
10.2.1. Victims and attackers
10.2.2. Kind of incident that happened
10.2.3. When and where it occurred
10.2.4. How the events occurred
10.3. Photograph and document the evidence
10.3.1. e.g. asset identification, analysis location, arrival time...
11. Evidence Protection
11.1. Needed to take legal action against the attackers
11.2. Keep a well-documented chain of custody
11.3. Backups should be stored in a secure location
11.3.1. WH questions
11.3.1.1. e.g. who can access the backup
11.4. Verify the integrity of the evidence
11.4.1. e.g. hashes: SHA-256; MD5 only alongside it for compatibility with older records, since MD5 collisions are practical
11.5. The original HDD can be used as forensic evidence; work from a verified image and keep the original untouched
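The chain-of-custody and integrity points above are easiest to see as a small record-keeping routine. The script below is an added example for this page, not code from the original outline: it hashes an evidence file in a streaming fashion (SHA-256 as the deciding check, MD5 recorded only for compatibility), appends an acquisition entry to a JSON-lines custody manifest answering who/what/when/where, and later re-verifies the file and logs the outcome, so a detected alteration is itself part of the custody record. File names, actors and the evidence bytes are constructed; the manifest format is an assumption made for the example.

```python
"""Added example (not from the original outline): evidence integrity and
chain-of-custody record keeping for the Evidence Protection step.

hash_file()  streams the evidence once and returns SHA-256 and MD5 (MD5 kept
             only because older case records quote it; MD5 collisions are
             practical, so SHA-256 is the deciding check).
acquire()    writes the reference hashes as a custody entry at acquisition.
verify()     recomputes the hashes later, compares with the acquisition record,
             and appends an entry with the result, so both successful checks
             and detected tampering are on the record.
Paths, actor names and the evidence bytes are constructed for the example.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB reads: disk images do not fit in memory

def hash_file(path):
    """Return {'sha256': ..., 'md5': ...} for the file, reading it once."""
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            sha256.update(block)
            md5.update(block)
    return {"sha256": sha256.hexdigest(), "md5": md5.hexdigest()}

def _entry(action, actor, path, hashes, note=""):
    # Who, what, when, where: the WH questions a custody log must answer.
    return {"when": datetime.now(timezone.utc).isoformat(), "who": actor,
            "action": action, "what": os.path.basename(path),
            "where": os.path.abspath(path), "size": os.path.getsize(path),
            "sha256": hashes["sha256"], "md5": hashes["md5"], "note": note}

def acquire(path, manifest, actor):
    """Record the reference hashes of a newly acquired evidence item.
    Each custody entry is one JSON line, appended and never rewritten."""
    hashes = hash_file(path)
    with open(manifest, "a") as m:
        m.write(json.dumps(_entry("acquired", actor, path, hashes)) + "\n")
    return hashes

def reference_hashes(manifest, path):
    """Hashes recorded at acquisition for this item (first 'acquired' entry)."""
    name = os.path.basename(path)
    with open(manifest) as m:
        for line in m:
            e = json.loads(line)
            if e["action"] == "acquired" and e["what"] == name:
                return {"sha256": e["sha256"], "md5": e["md5"]}
    raise KeyError(f"no acquisition record for {name}")

def verify(path, manifest, actor):
    """Recompute the hashes, compare with the acquisition record, log the result.
    Returns True when the evidence is intact, False when it has changed."""
    ref = reference_hashes(manifest, path)
    now = hash_file(path)
    intact = now["sha256"] == ref["sha256"]  # SHA-256 decides; MD5 is informational
    note = "integrity verified" if intact else "MISMATCH: evidence altered since acquisition"
    with open(manifest, "a") as m:
        m.write(json.dumps(_entry("verified" if intact else "mismatch",
                                  actor, path, now, note)) + "\n")
    return intact

def demo():
    """Acquire a constructed evidence file, verify it, alter it, verify again.
    Returns (first_verify, second_verify, list of custody actions)."""
    work = tempfile.mkdtemp(prefix="evidence-")
    image = os.path.join(work, "web01-sda.img")       # constructed stand-in for a disk image
    manifest = os.path.join(work, "custody.jsonl")
    with open(image, "wb") as f:
        f.write(b"\x00" * 4096 + b"MBR-like bytes" + b"\xff" * 4096)
    acquire(image, manifest, "analyst A")
    first = verify(image, manifest, "analyst B")      # intact: True
    with open(image, "r+b") as f:                     # simulate tampering
        f.seek(4096)
        f.write(b"XXX")
    second = verify(image, manifest, "analyst B")     # altered: False
    with open(manifest) as m:
        actions = [json.loads(line)["action"] for line in m]
    return first, second, actions

if __name__ == "__main__":
    print(demo())
```

The manifest is append-only on purpose: a custody log that can be rewritten proves nothing. In practice the manifest itself would be stored separately from the evidence and signed or hashed in turn, which this example does not do.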
12. Notify External Agencies
12.1. Includes
12.1.1. National and local law enforcement
12.1.2. External security agencies
12.1.3. Security experts and researchers
12.1.4. Antivirus and malware research labs
13. Eradication
13.1. Removes the root cause of the incident
13.2. Countermeasures to thwart further damage
13.2.1. Installing or updating antivirus software
13.2.2. Installing the latest patches
13.2.3. Policy compliance checks
13.2.4. Independent security audits
13.2.5. Hardening of systems and networks
13.2.6. Vulnerability analysis
13.2.7. Changing all passwords
13.2.8. Restoring, reinstalling and rebuilding systems
13.2.9. Validating and tracking all corrective actions
13.2.10. Restoring from backup
14. Systems Recovery
14.1. Systems are restored to normal operation
14.2. Depends on the extent of the security breach
14.3. Two important steps
14.3.1. Determine the course of action
14.3.2. Monitor and validate the systems
15. Incident Documentation
15.1. Document all activities
15.2. Provides
15.2.1. Description of the security breach
15.2.2. Details of the actions taken
15.3. Should be
15.3.1. Organized in sequential order
15.3.2. Verified for completeness
15.3.3. Vetted and examined
15.3.4. Concise and clear
15.3.5. In a standard format
15.3.6. Error-free
16. Incident Damage and Cost Assessment
16.1. Damage includes
16.1.1. Loss of information
16.1.2. Legal costs of the investigation
16.1.3. Labor cost to analyze the breach
16.1.4. System downtime cost
16.1.5. Installation cost
16.1.6. Cost of repairing and possibly upgrading damaged systems
16.1.7. Loss of reputation or customer trust
17. Review and Update the Security Policies, Plan and Procedures
17.1. Discuss the incident response and handling steps with the team members
17.2. Review the steps needed to prevent future incidents