Professional Documents
Culture Documents
BH Us 04 Mandia PDF
BH Us 04 Mandia PDF
BH Us 04 Mandia PDF
Response
Data Analysis
4. Awareness and Understanding of the Standards,
Legislature, Regulations, and Industry Accepted Practices.
Resolution
Challenges Solutions
1. Defining What an Incident is to Your Pre-Incident Preparation.
Organization. Assess Resources, Match Business
Units with Capabilities, Roles,
Responsibilities.
2. Obtaining High-Level Buy In on Discuss Sustaining Business,
Developing/Improving/Maintaining an Applicable Standards, Legislature, and
Incident Response Capability. Industry Regulations that Compel you
to Maintain IR Capabilities.
3. Performing Asset Classification. Interview Business Line Owners and
Know what Matters To Your Business Top Execs.
Operation before an Incident Occurs.
4. Awareness and Understanding of Pre-Incident Preparation
the Standards, Legislature, Review On-Line Sources. Assign
Regulations, and Industry Accepted General Counsel or Compliance
Practices. Officer.
5. Assessing your Current Incident Pre-Incident Preparation.
Response Capability. Develop a Skills Matrix and Review In-
House Capabilities.
Pre-Incident
Preparation Challenges
Detection of
Incidents
Challenges
Initial Response 6. Determining the Appropriate Bar of Escalation for Your
Organization. What is the Appropriate Trigger Mechanism to
Formulate
Commence your IR Procedures?
Response Strategy 7. Ensuring Timely, Easy Method of Reporting Incidents. Get
the Experts Involved as early as Possible.
Data Collection
Data Analysis
Reporting
Resolution
When do you Initiate your IR Mechanism?
External
IDS
Human
Resources
Challenges Solution
6. Determining the Appropriate Bar Pre-Incident Preparation.
of Escalation for Your Create a Written Policy. Perform
Organization. What is the Continual Review and Update of
Appropriate Trigger Mechanism to the Policy. Ensure Asset Affected
Commence your IR Procedures? Dictates Level of Response.
Data Collection
10. Determining Entities/People that Need to be Involved.
Triage.
Data Analysis
Detection of
Potential Incident Confirmation
Reporting
TIME
Resolution
Challenges Solution
8. Minimizing the Window from Detection of Pre-Incident Preparation.
Incident to Confirmation of the Incident. Training and Pre-Existing or
Pre-Deployed Toolkits.
Initial Response
Challenges
11. Determining Who Should Be Involved with the
Formulate Decision Making Process.
Response Strategy
Data Analysis
Reporting
Resolution
Challenges Solution
11. Determining Who Should Be Pre-Incident
Involved with the Decision Making Preparation.
Process. Create or Revise IR
12. Incident Ownership. Program.
Pre-Incident
Preparation.
Create or Revise
Program
Development.
Pre-Incident
Preparation
Challenges
Detection of
Incidents Challenges
Initial Response 13. Methods to Gather Live Response Data are too Time
Consuming and Operationally Cumbersome. May Even be
Ineffective.
Formulate
Response Strategy 14. Methods to Perform Forensic Duplication of Computer
Systems is Cumbersome.
Data Collection
Reporting
Resolution
Challenges Solution
13. Methods to Gather Live Pre-Incident Preparation.
Response Data are too Time Creation of Live Response Toolkits, Maintenance
Consuming and of Toolkits or Methods to Address Emerging
Operationally Cumbersome. Kernel Level Exploits, Use of Network-Based
May Even be Ineffective. Forensic Tools, and Training.
14. Methods to Perform Pre-Incident Preparation.
Forensic Duplication of Have Techniques to Duplicate Live Systems.
Computer Systems is Training. Perhaps Preservation of Relevant Data
Cumbersome. Rather than All Data (CAUTION).
15. Sophistication of Tools Pre-Incident Preparation.
and Counter Forensic Ability to Acquire and Review System and
Techniques. Process Memory.
Pre-Incident
Preparation
Challenges
Detection of
Incidents Challenges
16. Sophistication of Tools and Counter Forensic
Initial Response Techniques.
Data Collection
• Kernel Level Tools
• Use of Wrappers (Encryption, Compression,
Data Analysis Obfuscation)
• Shiva, Burneye, UPX
Reporting
• Increased Knowledge of Perpetrators
• Increased Understanding of Current Forensic
Resolution Tools and Techniques
Challenges Solution
16. Sophistication of Tools and Counter Ability to Perform Tool
Forensic Techniques. Analysis. Understand How
to Disassemble Tools and
Decipher their Functionality.
Know When to Cut Losses
and Remediate Prior to Full
Comprehension of Tool
17. Must have the Capability to Perform Rapid Functionality (CAUTION).
Pre-Incident Training and
Forensic Analysis – Biggest Bang for the Buck. Technology.
Pre-Incident
Preparation
Challenges
Detection of
Incidents
Initial Response
Challenges
18. Failure to Document Steps Taken in a Timely
Formulate Manner.
Response Strategy
Data Analysis
Reporting
Resolution
Challenges Solution
18. Failure to Document Steps Pre-Incident
Taken in a Timely Manner. Preparation.
Develop Report
19. Inexperienced Personnel. Pre-Incident
Templates.
Preparation Develop
Report Templates.
Pre-Incident
Preparation Challenges
Detection of
Incidents
Challenges
20. Resolution Almost Always Requires more Resources
Initial Response than Expected.
Data Analysis
23. Phased Approach to Recovery Usually Needs to be
Implemented to Protect the Right Assets with the Right
Countermeasures.
Reporting
Resolution
Challenges Solution
20. Resolution Almost Always Requires more Proactive Security Program.
Resources than Expected.