Professional Documents
Culture Documents
Chapter 3 DF
Chapter 3 DF
Chapter 3 DF
Pre-Incident Preparation :
3.1 Introduction.
2. Preparing the computer security incident response team: During the pre-incident
3.2 People Involved in Incident preparation
phase, the CSIRT is defined. Your organization needs to assemble a team of experts to
Response Process.
handle any
3.3 Incident Response Process. incidents that occur. Preparing the CSIRT includes:
(a) To investigate computer security incidents, hardware is needed.
3.4 Incident Response
(b) To investigate computer security incidents, software is needed.
Methodology. (c) To investigate computer security incidents, documentation (forms and reports) are
needed.
3.5 Activities in Initial
(d) To implement your response strategies, there should be appropriate policies and
Response. operating
procedures.
3.6 Phases after Detection of an
e) To perform incident response in such a manner that it promotes successful forensics,
Incident. investigations,
and remediation; train your staff or employees.
Incident Response Methodology :
Detection of Incident :
3.1 Introduction. It cannot be successful in response to
incidents if an organization cannot notice or
3.2 People Involved in Incident
sense incidents successfully.
Response Process. Therefore, one of the most important
features of incident response is the detection
3.3 Incident Response Process.
of incident’s phase
3.4 Incident Response It is also one of the most disjointed phases,
in which incident response proficiency has
Methodology.
only slight
3.5 Activities in Initial control.
Response.
3.6 Phases after Detection of an
Incident.
Incident Response Methodology :
Initial Response :
3.1 Introduction. Initial response
phase involves:
3.2 People Involved in Incident 1. Interviewing system administrators of an incident who might have an understanding of
Response Process. the technical
details.
3.3 Incident Response Process. 2. Interviewing business unit human resource that may provide a context for the incident,
3.4 Incident Response which might
have an understanding into the business events.
Methodology. 3. To identify data-reviewing intrusion detection reports and network-based logs of the
3.5 Activities in Initial incident that
would support that an incident has occurred.
Response. 4. To determine if any avenues of attack can be ruled out, review the network topology and
3.6 Phases after Detection of an access control
lists of an incident.
Incident.
Incident Response Methodology :
3.1 Introduction.
Investigate the Incident :
3.2 People Involved in Incident 1. Data collection : The accumulation of
Response Process. facts and clues that should be considered
during your forensic analysis is data
3.3 Incident Response Process. collection.
3.4 Incident Response The basis of your conclusions is the data
you collect.
Methodology. 2. Forensic analysis : Forensic analysis
3.5 Activities in Initial consists of reviewing all the data collected.
It also includes reviewing log files, system
Response. configuration files, trust relations, web
3.6 Phases after Detection of an browser history records, electronic mail
messages and their attachments,
Incident. installed applications, and graphic files.
Incident Response Methodology :