Ensure the SOC is ready to conduct a structured response to an incident
What is the goal of Preparation?
- Linear approach
- Absence of essential security tools
- Lack of visibility
What are the downsides of PICERL?
Document summarizing the incident and the steps performed to handle the incident.
What is an After Action Report?
Get the business back up and running
What is the goal of Recovery?
1. Preparation
2. Detection and Analysis
3. Containment, Eradication, Recovery
4. Post Incident Activity
What is the NIST model of IR?
Summarize incident and develop strategies to prevent reoccurrence
What is the goal of Post incident/Wrap-up/Lessons Learned?
Stop the adversary from continuing to operate in the environment
What is the goal of Containment?
An adverse event in a computing environment
What is an Incident?
The most effective and cost-efficient way to perform recovery
What is rebuilding?
Monitor security events in order to detect, alert, and report on the potential security incident
What is the goal of Detection?
1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned
What is the SANS model of IR?
Verifying you have an incident
What is the first move of Detection?
Undoing the adversary's actions
What is the goal of Eradication?
Enforcing stronger password policies
What is an example of Remediation?
- Isolating Systems
- Patching Systems
- Removing accounts created by Adversary
- Applying filters to firewalls/routers
- Changing entries in DNS
What are examples of Containment?