1. 6. Formulating a Response Strategy
1.1. Depends on the incident situation
1.2. Goal
1.2.1. Determine the most appropriate response procedure
1.3. Factors
1.3.1. Political
1.3.2. Technical
1.3.3. Legal
1.3.4. Business
2. 7. Incident Classification
2.1. Based on their severity and potential targets
2.2. Steps to classification
2.2.1. 1. Categorization
2.2.2. 2. Priority Level
2.2.2.1. Levels
2.2.2.1.1. High
2.2.2.1.2. Medium
2.2.2.1.3. Low
2.2.3. 3. Resource Allocation
2.3. Factors
2.3.1. Nature of the incident
2.3.2. Criticality of the systems
2.3.3. Number of systems impacted
2.3.4. Legal and regulatory
3. 8. Incident Investigation
3.1. Process for gathering and analyzing the evidence
3.1.1. WH questions (who, what, when, where, why, how)
3.2. Examine
3.2.1. The incident
3.2.2. Time of the incident
3.2.3. Perpetrator
3.2.4. Mitigation steps
3.2.5. Systems and networks
3.3. Two phases
3.3.1. 9. Data Collection
3.3.1.1. Gathering known facts and evidence
3.3.1.2. Basic areas of evidence
3.3.1.2.1. 1. Host-based
3.3.1.2.2. 2. Network-based
3.3.1.2.3. 3. Other evidence
3.3.2. 10. Forensic Analysis
3.3.2.1. Software analysis, keyword searches, recovery of deleted information
3.3.2.2. Determine
3.3.2.2.1. Victims and attackers
3.3.2.2.2. Kind of incident that happened
3.3.2.2.3. When and where it occurred
3.3.2.2.4. How the events occurred
3.3.2.3. Photograph the evidence
3.3.2.3.1. e.g. Asset identification, analysis location, arrival time...
4. 11. Evidence Protection
4.1. Required to take legal action against the attackers
4.2. A well-documented chain of custody
4.3. Backups should be stored in a secure location
4.3.1. WH questions
4.3.1.1. e.g. Who can access the backup?
4.4. Verify the integrity of the evidence
4.4.1. e.g. cryptographic hashes such as SHA-256 (MD5 is collision-prone; record it only for compatibility with older tools, never as the sole check)
4.5. The original HDD can be used as forensic evidence; keep it write-protected and perform analysis on a hash-verified image
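The integrity check and chain-of-custody record described above, as an added example (not code from the original outline). It assumes the evidence is a file on disk (a constructed sample image is written to a temporary directory), that the custody log is a JSON-lines file kept beside it, and that the function and file names are hypothetical:

```python
"""Evidence integrity verification and chain-of-custody logging.

Added example; not part of the original outline. Assumptions: evidence is a
file on disk (here a constructed sample), the custody log is a JSON-lines
file, and all names (hash_file, record_custody, disk.img, custody.jsonl) are
hypothetical.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read evidence in 1 MiB chunks so large disk images fit in memory


def hash_file(path, algorithms=("sha256", "md5")):
    """Return {algorithm: hexdigest} for the file at path.

    SHA-256 is the digest to rely on; MD5 is kept only because older tools and
    reports still quote it. An MD5 match alone is not proof of integrity.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def record_custody(log_path, evidence_path, handler, action, digests):
    """Append one chain-of-custody entry: who handled what, when, with which hashes."""
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "evidence": os.path.basename(evidence_path),
        "handler": handler,
        "action": action,
        "digests": digests,
    }
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def verify_evidence(evidence_path, expected):
    """Recompute the hashes and compare with the digests recorded at acquisition.

    Returns (ok, mismatches). A mismatch in any algorithm means the object on
    disk is no longer the object that was acquired.
    """
    current = hash_file(evidence_path, tuple(expected))
    mismatches = {k: (expected[k], current[k]) for k in expected if expected[k] != current[k]}
    return (not mismatches, mismatches)


def demo():
    """Acquire -> hash -> log -> verify -> tamper -> verify again."""
    workdir = tempfile.mkdtemp()
    evidence = os.path.join(workdir, "disk.img")
    log = os.path.join(workdir, "custody.jsonl")
    # Constructed sample "image"; a real one would come from a write-blocked copy.
    with open(evidence, "wb") as fh:
        fh.write(b"\x00" * 4096 + b"NTFS    " + b"\x00" * 4096)

    digests = hash_file(evidence)
    record_custody(log, evidence, "analyst1", "acquired", digests)
    ok_before, _ = verify_evidence(evidence, digests)

    # Simulate tampering: flip one byte in the copy being analysed.
    with open(evidence, "r+b") as fh:
        fh.seek(4096)
        fh.write(b"X")
    ok_after, mismatches = verify_evidence(evidence, digests)
    record_custody(log, evidence, "analyst2", "verify", hash_file(evidence))
    return ok_before, ok_after, sorted(mismatches)


if __name__ == "__main__":
    print(demo())
```

Every hand-off appends a custody entry rather than overwriting one, so the log itself shows the sequence of handlers; after the simulated tampering both digests disagree with the acquisition record, which is the signal that the object can no longer be presented as the original.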
5. 12. Notify External Agencies
5.1. Include
5.1.1. National and local law enforcement
5.2. External security agencies
5.3. Security experts and researchers
5.4. Antivirus vendor labs
6. 13. Eradication
6.1. Lists countermeasures to thwart further damage
6.1.1. Countermeasures
6.1.1.1. Installing or updating antivirus software
6.1.1.2. Installing latest patches
6.1.1.3. Policy compliance checks
6.1.1.4. Independent security audits
6.1.1.5. Hardening systems and networks
6.1.1.6. Vulnerability analysis
6.1.1.7. Changing all passwords
6.1.1.8. Restoring, reinstalling and rebuilding systems
6.1.1.9. 17. Review and Update the security policies, plan and procedures
6.1.1.9.1. Discuss the incident response and handling steps with team members
6.1.1.9.2. Review steps to prevent future incidents
6.1.1.10. Validating and tracking all corrective actions
6.1.1.11. Restoring from backup
6.2. Remove the root cause of the incident
7. 14. Systems Recovery
7.1. Systems are restored to normal operation
7.2. Depends on the extent of the security breach
7.3. Two important steps
7.3.1. Determine the course of action
7.3.2. Monitor and validate the systems
8. 1. Identification
8.1. This phase is necessary for categorizing and responding to the incident
8.2. System and network audit logs
8.3. Different ways to detect an incident
8.3.1. Alarms from IDS/IPS and firewalls
8.3.2. Antimalware alerts
8.3.3. Audit, System and Security Logs
8.3.4. Unexpected corruption or deletion of data
8.3.5. Unusual system crashes
8.3.6. Unusual or suspicious activities on the computers
8.3.7. Activity that violates the organization's security policy
8.3.8. Receiving phishing emails, or website defacement
8.4. Involves
8.4.1. Validating an incident
8.4.2. Identifying
8.4.2.1. The nature of the incident
8.4.2.2. Protecting the evidence
8.4.3. Logging and making a report
8.5. Included
8.5.1. Audit log collection, examination and analysis
8.5.1.1. e.g. SIEM or log collector
8.5.2. Incident reporting and assessment
8.5.2.1. e.g. Date and time, system information and configuration
8.5.3. Collect and protect system information
8.5.3.1. e.g. interviews, forensic analysis and reports, backups
8.5.4. Incident severity Levels
8.5.4.1. Incident Investigation Coordinator
8.5.5. Other systems analysis
8.5.5.1. Systems sharing the same
8.5.5.1.1. IP address
8.5.5.1.2. Network Segments
8.5.5.1.3. Network domain
8.5.5.1.4. Other critical systems
8.5.6. Assign members to incident task force
8.5.6.1. e.g. software engineers
8.5.6.2. division managers
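The identification step above (audit log analysis, validating the incident, assigning a severity level, and checking other systems on the same network segment) as one worked example. This is added code, not part of the original outline: the sshd-style log lines are constructed, and the line format, failure threshold, host inventory and function names are assumptions.

```python
"""Identification: turn raw audit-log lines into a validated incident record.

Added example, not from the original outline. The log lines are constructed
sshd-style entries; the regex, FAILED_THRESHOLD, INVENTORY and all function
names are hypothetical.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed sample of /var/log/auth.log-style lines (year assumed to be 2024).
SAMPLE_LOG = """\
Mar  4 02:11:07 web01 sshd[2201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  4 02:11:09 web01 sshd[2203]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  4 02:11:11 web01 sshd[2205]: Failed password for admin from 203.0.113.5 port 51238 ssh2
Mar  4 02:11:14 web01 sshd[2207]: Failed password for admin from 203.0.113.5 port 51240 ssh2
Mar  4 02:11:16 web01 sshd[2209]: Failed password for invalid user test from 203.0.113.5 port 51242 ssh2
Mar  4 02:11:20 web01 sshd[2211]: Accepted password for admin from 203.0.113.5 port 51244 ssh2
Mar  4 02:30:44 web01 sshd[2300]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Mar  4 02:31:02 web01 sshd[2302]: Accepted publickey for alice from 198.51.100.9 port 40003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)

# Hypothetical asset inventory used for the "other systems analysis" step.
INVENTORY = {"web01": "10.0.1.10", "web02": "10.0.1.11", "db01": "10.0.2.20", "vpn01": "10.0.1.250"}
FAILED_THRESHOLD = 4  # failures from one source before it counts as brute force


def parse_auth_log(text, year=2024):
    """Parse recognised sshd lines into event dicts; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "result": m["result"],
                       "user": m["user"], "src": m["src"]})
    return events


def detect_bruteforce(events, threshold=FAILED_THRESHOLD):
    """Flag sources with >= threshold failures and note any login that succeeded afterwards."""
    failures, first_seen = Counter(), {}
    for e in events:
        if e["result"] == "Failed":
            failures[e["src"]] += 1
            first_seen.setdefault(e["src"], e["ts"])
    findings = []
    for src, n in failures.items():
        if n < threshold:
            continue
        later_success = {e["user"] for e in events
                         if e["src"] == src and e["result"] == "Accepted" and e["ts"] > first_seen[src]}
        findings.append({"src": src, "failures": n, "first_seen": first_seen[src],
                         "compromised_users": sorted(later_success),
                         "hosts": sorted({e["host"] for e in events if e["src"] == src})})
    return findings


def related_systems(hostname, inventory=INVENTORY, prefix=24):
    """Other inventoried hosts on the same /prefix segment as hostname (candidates for lateral movement)."""
    net = ipaddress.ip_network(f"{inventory[hostname]}/{prefix}", strict=False)
    return sorted(h for h, ip in inventory.items() if h != hostname and ipaddress.ip_address(ip) in net)


def build_incident(findings, inventory=INVENTORY):
    """Validate and record: a brute force that ended in a successful login is High severity."""
    if not findings:
        return None  # nothing to validate: no incident
    hosts = sorted({h for f in findings for h in f["hosts"]})
    compromised = any(f["compromised_users"] for f in findings)
    return {
        "detected_at": min(f["first_seen"] for f in findings).isoformat(),
        "category": "unauthorized access" if compromised else "brute-force attempt",
        "severity": "High" if compromised else "Medium",
        "affected_hosts": hosts,
        "sources": sorted(f["src"] for f in findings),
        "systems_to_check": sorted({r for h in hosts for r in related_systems(h, inventory)}),
    }


if __name__ == "__main__":
    print(build_incident(detect_bruteforce(parse_auth_log(SAMPLE_LOG))))
```

The single failure from 198.51.100.9 stays below the threshold and is not reported, while the run of failures from 203.0.113.5 followed by an accepted password for `admin` is what separates an attempt (Medium) from a validated unauthorized access (High); the record also lists the other hosts on web01's /24 so the task force knows where to look next.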
9. 2. Recording
9.1. Accurately storing the details of the occurrence
9.2. Included
10. 3. Initial response
10.1. First step
10.1.1. Discussing with
10.1.1.1. System and network administrator
10.1.1.2. Business personnel
10.1.2. Examining
10.1.2.1. reports, logs, architecture, ACLs...
10.1.3. Should
10.1.3.1. Determine whether the incident is real or a false positive
10.1.3.2. Information gathering
10.1.3.3. Record your actions to document the attack
10.2. Involves
10.2.1. Initial Investigation
10.2.2. Storing the details of the incident
10.2.3. Create the incident response team
10.2.4. Assessing the impact
10.2.5. Notifying individuals
10.3. Purpose
10.3.1. Document the steps to be followed in responding to an incident
11. 4. Communicating the incident
11.1. Communicate any suspected security breach
11.2. Discuss the breach with other members of the organization
11.3. Maintain appropriate controls and coordination
11.4. Discuss the incident with legal representatives to file a lawsuit
11.5. Share lessons learned, and use the media to create awareness
12. 5. Containment
12.1. Techniques
12.1.1. Disabling of specific system services
12.1.2. Changing of passwords and disabling accounts
12.1.3. Backing up the infected system
12.1.4. Temporary shutdown of the infected system
12.1.5. System restoration
12.1.6. Maintaining a low profile
12.2. Points to minimizing the risk
12.2.1. Providing safety and security for people
12.2.2. Protecting confidential and sensitive data
12.2.3. Safeguarding business, scientific and managerial information
12.2.4. Protecting hardware and software against future attacks
12.3. Goal
12.3.1. Reduce the potential effect or damage of the incident
13. 15. Incident Documentation
13.1. Document all the activities
13.2. Provide
13.2.1. Description of the security breach
13.2.2. Details of the actions taken
13.3. Should be
13.3.1. Organized in sequential order
13.3.2. Verified for completeness
13.3.3. Vetted and examined
13.3.4. Concise and clear
13.3.5. Standard Format
13.3.6. Error-Free
14. 16. Incident Damage and Cost Assessment
14.1. Damage includes
14.1.1. The loss of information
14.1.2. Legal costs from investigating
14.1.3. Labor cost to analyze breaches
14.1.4. System downtime cost
14.1.5. Installation cost
14.1.6. Cost of repairing and possibly updating damaged systems
14.1.7. Loss of reputation or customer trust