Preparation
First phase of the incident response process that involves building and training an incident response team, conducting exercises, documenting how to respond, and acquiring, configuring, and operating security tools and incident response capabilities
Detection
The second phase of the incident response process that involves reviewing indicators of compromise, using log analysis and security monitoring capabilities, and having a comprehensive awareness and reporting program for the staff
Analysis
The third phase of the incident response process that involves identifying other related events and what the target or impact of the incident is or was
Containment
The fourth phase of the incident response process that involves placing the system or device in an isolated network zone or removing it from the network to ensure it cannot impact other devices
Eradication
The fifth phase of the incident response process that involves removing the artifacts associated with the incident, as well as rebuilding or removing systems and applications from backups rather than simply removing tools from a system
Recovery
The last phase of the incident response process that involves bringing systems or services back online and implementing fixes to ensure that whatever security weakness, flaw, or action that allowed the incident to occur has been remediated
Lessons Learned
An additional step in the incident response process that involves a session to ensure that organizations improve and do not make the same mistakes again
Tabletop Exercises
Team members are given a scenario and are asked questions about how they would respond, what issues might arise, and what they would need to do to accomplish the tasks they are assigned in the IR plan, allowing the team members to think through a scenario and document improvements in their response and the overall IR plan
Simulations
Exercises that can be done at full scale, involving the entire organization, or only specific parts, ensuring that all participants know that they are engaged in an exercise so that no actions are taken outside of the exercise environment
Root Cause Analysis (RCA)
Identifying the underlying cause for an issue or compromise, identifying how to fix the problems that allowed the event or incident to occur, and ensuring that any systemic issues that led to the problem are also addressed
Threat Hunting
An assessment technique that makes an assumption of compromise and then searches the organization for indicators of compromise that confirm the assumption
Legal Hold
A notice that informs an organization that it must preserve data and records that might be destroyed or modified in the course of its normal operations
Chain of Custody
Documentation that shows each time the drive, device, or artifact is accessed so that the forensic data can be used in a legal case
Acquisition
The process of acquiring forensic data through disks, systems, or networks, which involves creating a forensic copy, a bit-for-bit copy of the system or disk in question, and using a write blocker to interact with it; for networks, investigators often use packet analyzers instead
Reporting
The use of a formal document that includes the summary of the forensic investigation and findings, an outline of the forensic process that includes the tools used, and a series of sections detailing the findings for each device or drive
Preservation
Following chain of custody processes, as well as forethought about the use of write blockers to prevent modifying forensic data, and creating and validating forensic copies
E-Discovery
The process of identifying, collecting, and producing electronically stored information in response to a request for production in a lawsuit or investigation, often involving electronic evidence