incident response 7-phase model
preparation
detection
analysis
containment
eradication
recovery
post-incident activity/lessons learned
root cause analysis
identifies the incident’s source and how to prevent it in the future
after-action report
collects formalized info about what occurred
advisories and bulletins
published by vendors and security researchers when new TTPs and vulnerabilities are discovered
intelligence fusion and threat data
use SIEM and analysis platforms to spot concerns in the logs and real-world security threats
digital forensics
investigating and analyzing digital devices and data to uncover evidence for legal purposes
4 phases of digital forensics
identification—document the scene and preserve evidence
collection—gathering, preserving, and documenting evidence; follows the order of volatility
chain of custody—documented and verifiable record that tracks handling/transfer/preservation of evidence
evidence collecting—disk imaging and file carving
order of volatility
dictates the sequence in which data sources should be collected and preserved based on their susceptibility to modification or loss
disk imaging
creating a bit-by-bit or logical copy of a storage device, preserving its entire content, including deleted files and unallocated space
file carving
extracting files and data fragments from storage media without relying on the file system
legal hold
formal notification that instructs employees to preserve all potentially relevant electronic data, documents, and records
electronic discovery (e-discovery)
identifying, collecting, and presenting electronically stored information for potential legal proceedings
data acquisition
the method and tools used to create a forensically sound copy of data from a source device, such as system memory or a hard disk