
The Incident Management Cycle
DIGITAL FORENSICS AND INCIDENT RESPONSE

[Cycle diagram] The Incident Management Cycle, a hybrid of NIST SP 800-61r2 and ISO/IEC 27035: Planning and Preparation → Detection and Analysis → Containment → Eradication → Recovery → Lessons Learned → back to Planning and Preparation

Planning and Preparation
• Development of the Information Security Incident Management Policy
• Updating related Information Security Policies
• Development of the Information Security Incident Management Plan
• Establishing an Incident Response Team
― Technical support
― Support from HR, legal, etc.
• Relationships with other organizations
― E.g. national CIRT/CERT
• Input to Information Security Incident Awareness and Education/Training
• Testing the Incident Management Plan
• Updating plans in the light of Lessons Learned

Planning and Preparation
INCIDENT RESPONSE TEAM ROLES
• Junior Security Analyst (Level 1)
― Mixed sysadmin, network and programming skills
― Manages and configures monitoring tools, runs vulnerability scans and reviews vulnerability assessments
― Performs triage and passes non-security events back to IT
• Senior Security Analyst (Level 2)
― Responds to detection events
― Analyses IOCs, identifies affected systems and the scope of the attack, performs forensic investigation on affected systems
• Threat Hunter
― A senior analyst who uses advanced tools to identify previously-undetected threats
• SOC Manager
― Recruits, trains and supervises SOC staff

Detection and Analysis
• Human reporting
― Via Help Desk
• Automated detection
― From intrusion detection systems
  · Signature-based: matching known indicators of compromise, which implies known malware and known techniques
  · Anomaly-based: triggers on exceptions, non-routine behaviour or system events
― From the Security Incident and Event Management (SIEM) system
  · Correlation of individually less-significant events
  · Threat hunting, using machine learning techniques

Analysis
• Triage
― Tier 1 analysts review the most critical events and eliminate spurious events before passing the significant events to tier 2 analysts
― Event indicators are correlated with other information in the SIEM and the stage of the kill chain identified
  · The later in the kill chain, the higher the severity
  · The more sensitive or critical the asset, the higher the severity
  · Are there compliance and reporting implications?
• Escalation to higher-level management: five questions:
― Threat to people?
― Threat to operational infrastructure?
― Potential loss of IT and communications?
― Threat to reputation?
― Situation outside your control?

Containment
• Determine the extent of the attack
• Quarantine affected systems
• Trace any lateral movement and identify locations where the attacker may have stored tools in order to persist
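The containment slide asks the responder to determine the extent of the attack and trace lateral movement before quarantining systems. As an added illustration that is not part of the lecture material, the script below walks constructed remote-logon records outward from a host known to be compromised and produces the list of hosts to quarantine and the accounts that were used to move between them. The hostnames, timestamps, account names and record format are all assumptions made for the example.

```python
"""Added example (not from the slides): scoping an incident by tracing
lateral movement through remote-logon records.  Starting from the host
first known to be compromised, follow every logon that originated from an
in-scope host at or after the time that host entered scope.  All records
below are constructed."""
from collections import deque

# Constructed remote-logon records: (timestamp, source host, destination host, account)
LOGONS = [
    (100, "ws-17", "fileserver-01", "alice"),
    (90,  "ws-02", "ws-17", "bob"),           # predates compromise: not attacker movement
    (120, "fileserver-01", "dc-01", "svc-backup"),
    (130, "ws-17", "ws-22", "alice"),
    (140, "ws-22", "printsrv", "alice"),
    (150, "ws-40", "dc-01", "carol"),         # unrelated host logging on to an in-scope host
]


def trace_lateral_movement(logons, patient_zero, compromised_at):
    """Breadth-first walk over logons originating from in-scope hosts.
    Returns {host: (time_first_reached, account_used)}; patient zero maps to
    (compromised_at, None).  A logon is followed only if it happened at or
    after the time its source host entered scope, so activity that predates
    the compromise is not mistaken for attacker movement."""
    scope = {patient_zero: (compromised_at, None)}
    queue = deque([patient_zero])
    ordered = sorted(logons)  # by timestamp, so the earliest path wins
    while queue:
        src = queue.popleft()
        reached_at = scope[src][0]
        for ts, s, d, acct in ordered:
            if s == src and ts >= reached_at and d not in scope:
                scope[d] = (ts, acct)
                queue.append(d)
    return scope


def quarantine_list(scope):
    """Hosts to isolate and check for attacker tooling, in order of compromise."""
    return sorted(scope, key=lambda h: scope[h][0])


def accounts_to_reset(scope):
    """Accounts observed moving laterally; their credentials need resetting."""
    return {acct for _, acct in scope.values() if acct is not None}


if __name__ == "__main__":
    scope = trace_lateral_movement(LOGONS, "ws-17", compromised_at=95)
    print("quarantine:", quarantine_list(scope))
    print("reset credentials for:", accounts_to_reset(scope))
```

Two caveats a responder would keep in mind: the time ordering is a heuristic that can miss attacker logons whose records were tampered with or lost, and a host reached via a service account (here the domain controller through svc-backup) widens the blast radius considerably, so it belongs near the top of the quarantine order regardless of timestamp.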

Eradication
• Removal of the attacker’s tools
• Simplest case – simple malware which antivirus/antimalware identifies and quarantines or removes
• Worst case – indications of extensive and diverse back doors and malware, requiring reimaging/re-installation of operating systems
― Actually, even worse: malware which can persist in BIOS flash ROM or system management processor flash

Recovery
• Restoration of business service delivery
• Restoration of confidence

Lessons Learned
This closes the loop with a quality improvement step
[Cycle diagram] Lessons Learned → Planning and Preparation → Detection and Analysis → Containment → Eradication → Recovery → Lessons Learned