Lec 04 A Gb757incidentresponse 140925201019 Phpapp01
Incident
Response
Michael McDonnell
GIAC Certified Intrusion Analyst
michael@winterstorm.ca
Incident Response Overview
An incident is a violation of existing information security policy
Security Incidents are Common
Incidents are… Viruses
Incidents are… Hackers
Incidents are… Vandalism
Incidents are… Theft
Incidents are… Data Loss
Incidents are… “Outages”
Incidents are… Espionage
Incidents are not… Disasters (maybe)
Incidents are… Continuous
Incident Response is a Capability
A Process
that manages risk associated
with information systems
A Capability
of an organization to respond
to continuous security threats
Incident Response vs Handling
Strategic vs Operational
Continual vs Discrete
Process vs Action
Improvement vs Remediation
Incident Response is…
Systematic
Consistent
Fast & Efficient
Driver for Improvement
Authoritative/Empowered
Sensitive/Confidential
Documented
Incident Response Teams
Supported by Management
Cross-functional
Well Trained
Good Communicators
Technical Experts
Well Equipped
Have Broad Access
Incident Response is a Process
1. Preparation: Be Prepared
2. Detection and Analysis: Be Systematic & Organized
3. Containment/Mitigation: Act Quickly
4. Recovery: Fix the Problem
5. Post-Incident Analysis: Make Improvements
Preparation: Training
Preparation: Communications
Preparation: Hardware & Software
Preparation: Continuous Monitoring
Preparation: Analysis & Mitigation
Detection & Analysis
Incident Categories:
1. Denial of Service
2. Malicious Software
3. Unauthorized Access
4. Inappropriate Usage
5. Hybrid
Detection:
How was it detected?
Is it really an incident or an unusual event?
Can it be confirmed?
Analysis:
What is at risk? (“System Profile”)
What is normal for that system?
Correlate events for more information
Carefully record and document data
Diagnosis Matrix
Include:
System events
Telephone conversations
Observed or initiated changes
Note the current status frequently with timestamps.
Email:
michael@winterstorm.ca
Slides:
http://winterstorm.ca/download/