Standard Operating Procedure
Incident response lifecycle (diagram): Preparation, Identification, Containment, Eradication, Recovery, Reflection / Lessons Learned
Preparation
Identification
Identification involves validating, identifying, and reporting the incident
Determining the symptoms listed under ‘how to identify an incident’
Identifying the nature of the incident
Identifying events
Protecting evidence
Reporting events
Containment
Containment limits the extent and intensity of an incident
Avoid logging in as root on the compromised system
Avoid conventional trace-back methods, as these may alert the attackers
Prepare complete backups of infected systems
Change the passwords of all unaffected systems in the LAN
Eradication
Examine additional information, together with the information gathered in the third (Containment) phase, to determine the cause of the incident
Use standard anti-virus tools to remove viruses/worms from storage media
Improve security measures by enabling firewalls or router filters, or by assigning new IP addresses
Perform vulnerability analysis
Recovery
Determine the course of action
Monitor and validate systems
Determine the integrity of the backup itself by attempting to read its data
Verify the success of the operation and that the system is back in normal condition
Monitor the system using network loggers and system log files, and check for potential back doors
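As an added example that is not part of these slides: a Python check for the backup-integrity step above, which reads every member of a tar backup to the end and compares it with a SHA-256 manifest recorded when the backup was taken. File names and contents are constructed for the demonstration; tar's own checksum covers headers only, so a plain listing would not notice damaged data.

```python
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path

# Constructed sample content standing in for files taken off a compromised host.
SAMPLE_FILES = {"etc/hosts": b"127.0.0.1 localhost\n",
                "var/log/auth.log": b"Jan 1 00:00:01 host sshd[101]: Accepted publickey for ops\n"}

def build_backup(files, archive_path):
    """Write files into a tar archive; return a SHA-256 manifest to keep apart from it."""
    manifest = {}
    with tarfile.open(archive_path, "w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
            manifest[name] = hashlib.sha256(data).hexdigest()
    return manifest

def verify_backup(archive_path, manifest):
    """Read every member to the end and hash it; returns {name: problem}, {} if clean."""
    problems = {name: "missing" for name in manifest}
    try:
        with tarfile.open(archive_path, "r") as tar:
            for member in tar:
                if member.name not in manifest:
                    continue  # not part of the recorded backup set
                digest = hashlib.sha256()
                with tar.extractfile(member) as fh:
                    for chunk in iter(lambda: fh.read(65536), b""):
                        digest.update(chunk)
                if digest.hexdigest() == manifest[member.name]:
                    del problems[member.name]
                else:
                    problems[member.name] = "mismatch"
    except (tarfile.TarError, OSError) as exc:  # truncated or unreadable archive
        problems["<archive>"] = f"unreadable: {exc}"
    return problems

def demo():
    """Build a sample backup, check it clean, with a missing file, and after damage."""
    path = str(Path(tempfile.mkdtemp()) / "host.tar")
    manifest = build_backup(SAMPLE_FILES, path)
    clean = verify_backup(path, manifest)
    missing = verify_backup(path, {**manifest, "etc/shadow": "0" * 64})
    raw = bytearray(Path(path).read_bytes())
    raw[512] ^= 0xFF  # first data byte after the first 512-byte tar header
    Path(path).write_bytes(raw)
    return clean, missing, verify_backup(path, manifest)
```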