1. Help you to
1.1. Detect
1.2. Identify
1.3. Respond
1.4. Manage
2. Basic Functions
2.1. Reporting
2.2. Analysis
2.3. Response
3. Is a set of procedures
4. Advantages
4.1. Procedures that can be followed
4.2. Saves time, investment and effort
4.3. Learn lessons and minimize the losses
4.4. Skills and technologies
4.5. Saves legal consequences
4.6. Determine patterns
5. Need for Incident Response
5.1. Required to:
5.1.1. Identify the attacks
5.1.2. Protect System
5.1.3. Protect personnel
5.1.4. Efficiently use the resources
5.1.5. Deal with legal issues
5.2. Purpose
5.2.1. Enable personnel to recover
5.2.1.1. quickly
5.2.1.2. efficiently
5.3. Systematic process
6. Goals
6.1. Examining incident
6.2. Limiting the impact
6.3. Preventing future attacks
6.4. Supporting enhancement of accurate information
6.5. Creating guidelines and control measures
6.6. Safeguarding privacy rights
6.7. Identify illegal activity
6.8. Providing useful recommendations
6.9. Swift detection, reporting, containment and recovery
6.10. Limiting the exposure and compromise
6.11. Securing the organization's reputation and assets
7. How to identify an Incident?
7.1. Suspicious log entries
7.2. IDS/IPS generates an alarm
7.3. Suspicious files or unknown file extensions
7.4. Modified files or folders
7.5. Unusual services running or ports opened
7.6. Unusual system behavior
7.7. Drive icons changed or drives not accessible
7.8. Unusually high packet counts
8. The Plan
8.1. Set of instructions to detect and respond to an incident
8.2. Defines responsibilities and procedures
8.3. Covers:
8.3.1. How information is passed
8.3.2. Assessment
8.3.3. Minimizing damage and response strategy
8.3.4. Documentation
8.3.5. Preservation
8.3.6. Reporting of incident
8.3.7. Restoration of systems and resources
8.4. Provides details of
8.4.1. Members involved
8.4.2. Roles and responsibilities
8.4.3. Policies and Procedures
8.4.4. Decision making process
8.5. Purpose
8.5.1. Identify the scope and intensity
8.5.2. Safeguard the sensitive information stored
8.5.3. Secure the networks and systems
8.5.4. Recover the systems affected
8.5.5. Gather information
8.5.6. Take legal action against the offenders
8.6. Requirements
8.6.1. Expert teams (CERT or CSIRT)
8.6.2. Legal review and approved strategy
8.6.3. Company financial support
8.6.4. Executive/upper management support
8.6.5. Support from the top management
8.6.6. Corrective action plan
8.6.7. Physical resources
8.6.7.1. Data Storage devices
8.6.7.2. Support systems
8.6.7.3. BackUp Apps
9. Preparation
9.1. The most important aspect of responding to an incident
9.2. Success depends on pre-incident preparation
9.3. The strategies include
9.3.1. Examining security measures
9.3.2. Employing IDS/IPS and Firewall
9.3.3. Establishing access controls
9.3.4. Vulnerability assessments
9.3.5. Performing regular backups
9.3.6. Creating access control
9.3.7. Baseline
9.3.8. Updating patches and antimalware solution
9.3.9. Establishing communication plans
9.3.10. Maintaining audit trail
9.4. Team includes
9.4.1. Hardware, SW, FW...
9.4.2. Requirement of documents
9.4.3. Policies and operating procedures for Backup and recovery
9.4.4. Training programs
9.4.5. Documents including forms and reports