Lec 04 D Auscert2016 160526020037
Incident Response
ASHLEY DEUBLE
Why?
[Diagram: incident response cycle with the stages Identification, Containment, Eradication and Recovery]
Stage 1 - Preparation
Documentation Training
Stage 1 – Preparation cont.
Jump Bag
Journal (bound with page numbers)
Call tree / Contact list
Bootable USB or Live CD (up-to-date tools, anti-malware, statically linked binaries)
Laptop with forensic tools (EnCase/FTK), anti-malware utilities, internet access
Computer and network toolkits (components, network cables, network switches, network hubs, network taps, hard drives etc.)
Drive duplicators with write blocking (for forensically sound images)
Stage 2 – Identification
Incident Definition
An incident is the act of violating an explicit or implied security policy
(NIST SP800-61)
If it is an incident
Start documenting all activities!
Document “who, what, where, when, how” in case it needs to be provided to law enforcement, the courts, etc.
If possible have at least two incident handlers – one to identify and assess, and another to collect evidence
Establish chain of custody for all evidence collected
Once the full scope of the incident has been determined, the incident team can move on to the containment phase
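The documentation and chain-of-custody points above, as an added example that is not part of the presentation: a minimal evidence journal that hashes each forensic image at acquisition and appends an entry for every handling step, so a later re-hash either confirms integrity or records the mismatch as evidence in its own right. The item ids, handler names and sample image bytes are constructed.

```python
# Added example (not from the presentation): an append-only evidence journal
# that records a SHA-256 per acquired image and a chain-of-custody entry
# (who / when / where / what was done) for every handling step.
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def now_iso() -> str:
    return datetime.now(timezone.utc).isoformat()


@dataclass
class EvidenceItem:
    item_id: str
    description: str      # what was seized and from where (the "what / where")
    sha256: str           # hash taken at acquisition; never updated afterwards
    custody: list = field(default_factory=list)  # who / when / how, append-only

    def record(self, who: str, action: str, location: str, when=None):
        """Append one chain-of-custody entry; entries are never edited or removed."""
        self.custody.append({"when": when or now_iso(), "who": who,
                             "action": action, "where": location})


def acquire(item_id, description, image: bytes, handler, location, when=None) -> EvidenceItem:
    """Hash the write-blocked duplicate at acquisition time and open its custody record."""
    item = EvidenceItem(item_id, description, sha256_hex(image))
    item.record(handler, "acquired (write-blocked duplicate)", location, when)
    return item


def verify(item: EvidenceItem, image: bytes, handler, location, when=None) -> bool:
    """Re-hash the image and log the outcome either way; a mismatch is itself evidence."""
    ok = sha256_hex(image) == item.sha256
    item.record(handler, "verified: " + ("hash match" if ok else "HASH MISMATCH"), location, when)
    return ok


# Constructed sample input standing in for a disk image (a real image is a file, not a literal).
SAMPLE_IMAGE = b"\x00" * 512 + b"CONSTRUCTED-SAMPLE-IMAGE" + b"\xff" * 512

if __name__ == "__main__":
    item = acquire("EV-001", "laptop SSD from workstation 'WS-17', office 3B",
                   SAMPLE_IMAGE, "handler A", "office 3B", "2016-05-26T02:00:00+00:00")
    item.record("handler B", "received from handler A", "evidence locker", "2016-05-26T03:15:00+00:00")
    print(verify(item, SAMPLE_IMAGE, "handler B", "lab"))         # True: image unchanged
    print(verify(item, SAMPLE_IMAGE[:-1], "handler B", "lab"))    # False: truncated copy
    for entry in item.custody:
        print(entry)
```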
Stage 3 - Containment
Ensure that proper measures have been taken to remove malicious content from the affected systems (residue may be left in obscure locations that are difficult to locate)
Complete any documentation that was not done during the incident, as well as any other documentation that may help in future incidents
Create a formal written report that covers the entire incident
Cover the Who, What, Where, When and How of the incident
Stage 6 – Lessons Learned cont.