basics of incident handling

Josh Rickard

helpdesk

system support

system administration

incident response

product management

equifax

"failing to prepare . . .
. . . prepare to fail"

preparation

acceptable use policy

  • loss of network access
  • suspension from work
  • possible loss of employment
  • legal action and/or prosecution by the authorities

data classification system

where is your most important data?

cyber insurance

critical security incident response plan

CSIRP

definitions/keywords

roles & responsibilities

methodologies

incident response phases

engaging stakeholders

documentation standards

escalation

critical security incident response team

typical organization

csirt organization

incident response documentation

must-have

  • incoming evidence form
  • chain of custody form
  • evidence retention
  • evidence disposal form
  • forensic lab assurance
  • forensics processes
  • forensics technical manual

nice-to-have

  • forensic report template
  • unique data acquisition processes
  • forensics training manual
  • checklists
    • windows
    • mac
    • nix
    • aws/azure/google

chain of custody

https://www.joshmoulin.com/digital-forensics-incident-response-forms-policies-and-procedures/
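As an added illustration of what a chain of custody form has to capture (this is not code from the talk or from the linked site): a small Python append-only custody log that hashes the evidence item, links every handover entry to the previous one, and verifies that neither the evidence nor the log has been altered. The case id, item id and analyst names used in the sample are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ChainOfCustody:
    """Append-only custody log for one evidence item.

    Each entry records who released and who received the item, when and why,
    and commits to the previous entry's hash so edits or deletions are visible.
    """

    def __init__(self, case_id, item_id, description, collected_by, evidence):
        self.case_id = case_id
        self.item_id = item_id
        self.evidence_sha256 = sha256_hex(evidence)  # fixed at intake
        self.entries = []
        self._append("collected", collected_by, collected_by, description)

    def _append(self, action, released_by, received_by, purpose):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "seq": len(self.entries),
            "time_utc": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "released_by": released_by,
            "received_by": received_by,
            "purpose": purpose,
            "evidence_sha256": self.evidence_sha256,
            "prev_entry_hash": prev,
        }
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def transfer(self, released_by, received_by, purpose):
        """Record a handover of the item between two custodians."""
        return self._append("transfer", released_by, received_by, purpose)

    def verify(self, evidence: bytes) -> bool:
        """True only if the evidence still matches its intake hash and no log
        entry was modified, reordered or removed from the middle of the chain."""
        if sha256_hex(evidence) != self.evidence_sha256:
            return False
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_entry_hash"] != prev:
                return False
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True
```

Removal of the newest entries is not detectable from the log alone; that is why the signed paper form or an external timestamped copy of the latest entry hash still matters.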

digital forensics report

https://www.joshmoulin.com/digital-forensics-incident-response-forms-policies-and-procedures/

forensics checklist

ensures nothing was missed

https://www.joshmoulin.com/digital-forensics-incident-response-forms-policies-and-procedures/

training manual

skill set has been defined

skill set integrity

prevents legal questioning

detection

validation

  • is this really an incident?
  • what is the scope?
  • what is the impact?

active or not

containment

prevent lateral movement

people's safety first

stay hidden (if you can)

segment & control access

determine how this happened

preserve evidence

most volatile first

memory

network

disk

investigation

laboratory

forensic hardware

forensic software

forms

additional items

  • lots of extra hard drives
  • fire safe for physical evidence
  • faraday cage

SIFT

SANS Investigative Forensic Toolkit

memory forensics

commercial tools

timeline analysis

https://digital-forensics.sans.org/blog/2013/02/16/idx-sample-file-malware

artifact analysis

remediation

assurance

ensure containment worked

restore

improve defenses

add preventative measures

logging

patch

etc.

recovery

back online

continue monitoring

retrospective

went well

lessons learned

after action meeting

update documentation

modify/add processes

feedback loop

preparation

detection

containment

investigation

remediation

recovery

retrospective

thank you

contact me

email: rickardja@live.com

blog: https://msadministrator.com

twitter: @MS_dministrator

github: https://github.com/MSAdministrator

slides: https://msadministrator.github.io/presentations/basics-of-incident-handling.html