Incident Response & Computer Forensics, Second Edition. Chris Prosise, Kevin Mandia.

Outline: After Detection of an Incident
  Overview of the initial response phase
  Establishing an incident notification procedure
  Recording the details after initial detection
  Incident declaration
  Assembling the CSIRT
  Performing traditional investigative steps
  Conducting interviews
  Formulating a response strategy

Incident Response Methodology (diagram)
  Incident Occurs: Point-In-Time or Ongoing
  Pre-Incident Preparation
  Detection of Incidents
  Initial Response
  Formulate Response Strategy
  Investigate the Incident
    Data Collection
    Data Analysis
  Reporting
  Resolution
    Recovery
    Implement Security Measures

Overview of the initial response phase (diagram)
  Incident Occurs: Point-In-Time or Ongoing
  Incident Detection
  Initial Notification of Incident
  Record Details
  Incident Declaration
  Assembling the CSIRT
    Selecting Team Members
    Notification of Team Members
    Escalation

Recording the details after initial detection
  Initial Response Checklist
    First section of the Initial Response Checklist
    Second section of the Initial Response Checklist
      System details
      Incident containment
      Preliminary investigation
  Case notes

First Section of the Initial Response Checklist
  Date the incident was detected or initiated
  Contact information of the person completing the form
  Contact information of the person who detected the incident
  The type of incident
  The location(s) of the computers affected by the incident
  The date the incident was first noticed
  A description of the physical security at the location(s)
  How the incident was detected
  Who accessed or touched the relevant system(s) since the onset of the incident
  Who has had physical access to the affected system(s) since the onset of the incident
  Who currently knows about the incident

Second Section of the Initial Response Checklist
  System details
    Make and model of the relevant system(s)
    Operating system
    Primary user of the system(s)
    System administrator for the system(s)
    Network address or IP address of the relevant system(s)
    Network name of the system(s)
    Whether there is a modem connection to the system(s)
    Critical information that may have resided on the system(s)
  Incident containment
    Whether the incident is in progress or ongoing
    Whether network monitoring is needed or is already being conducted
    Whether the system is still connected to the Internet/network

Second Section of the Initial Response Checklist (continued)
  Incident containment (continued)
    Whether backup tapes exist for the relevant system(s)
    Whether there is a requirement to keep knowledge of the incident on a "need-to-know" basis
    Whether any remedial steps have been taken so far
    Whether the information collected is being stored in a protected, tamper-proof manner
  Preliminary investigation
    The IP addresses involved in the incident
    Whether any investigative steps or actions have already been taken
    Whether a forensic duplication needs to be made, or whether a logical copy of the relevant system(s) will suffice
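The checklist asks whether what the responder records (the checklist answers and the running case notes) is stored in a protected, tamper-proof manner. The slides do not say how; the following is an added example, not code from the book or its authors, of one common way to get tamper evidence cheaply: each case note is stored with its timestamp and author and a SHA-256 that also covers the previous entry's hash, so a later edit, insertion or deletion of any entry breaks the chain and is reported with the index of the first bad entry. The incident, the staff names and the timestamps in SAMPLE_NOTES are constructed for the demonstration. This gives tamper evidence, not tamper prevention: an attacker who can rewrite the whole file can rebuild the chain, so the running hash should also be copied somewhere the responder cannot alter (printed in the paper notebook, mailed to a second team member, or signed with a key the responder does not hold).

```python
"""Tamper-evident case notes for the initial response phase.

Added example, not from the Prosise/Mandia slides: every case note is
appended with a timestamp, the author, and a SHA-256 that covers the
previous entry's hash, so a later edit, insertion or deletion breaks the
chain and is reported by verify_log(). The authors, timestamps and note
text in SAMPLE_NOTES are constructed for the demonstration.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # "previous hash" used for the very first entry


def _entry_hash(prev_hash: str, ts: str, author: str, note: str) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is stable
    # regardless of how the entry is later serialised.
    payload = json.dumps(
        {"prev": prev_hash, "ts": ts, "author": author, "note": note},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


def append_note(log: List[dict], author: str, note: str,
                ts: Optional[str] = None) -> dict:
    """Append one note to the log, chaining it to the last entry."""
    prev = log[-1]["hash"] if log else GENESIS
    ts = ts or datetime.now(timezone.utc).isoformat()
    entry = {"prev": prev, "ts": ts, "author": author, "note": note}
    entry["hash"] = _entry_hash(prev, ts, author, note)
    log.append(entry)
    return entry


def verify_log(log: List[dict]) -> Tuple[bool, int]:
    """Return (True, -1) if the chain is intact, else (False, first bad index)."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["prev"] != prev:
            return False, i  # an entry before this one was deleted or reordered
        if _entry_hash(e["prev"], e["ts"], e["author"], e["note"]) != e["hash"]:
            return False, i  # this entry's fields were edited after hashing
        prev = e["hash"]
    return True, -1


def to_jsonl(log: List[dict]) -> str:
    """Serialise for storage: one JSON object per line."""
    return "".join(json.dumps(e, sort_keys=True) + "\n" for e in log)


def from_jsonl(text: str) -> List[dict]:
    """Load a log written by to_jsonl(); verify_log() it after loading."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample notes for a hypothetical incident and hypothetical staff.
SAMPLE_NOTES = [
    ("j.doe", "2024-03-04T09:12:00+00:00",
     "Helpdesk reports the public web server is serving a defaced index page."),
    ("j.doe", "2024-03-04T09:20:00+00:00",
     "Host still connected to the network; no remedial steps taken yet."),
    ("a.smith", "2024-03-04T09:35:00+00:00",
     "Incident declared; CSIRT members notified via the escalation list."),
]


def build_sample_log() -> List[dict]:
    log: List[dict] = []
    for author, ts, note in SAMPLE_NOTES:
        append_note(log, author, note, ts)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("fresh log:      ", verify_log(log))
    print("after reload:   ", verify_log(from_jsonl(to_jsonl(log))))
    log[1]["note"] = "Host isolated immediately."  # a silent after-the-fact edit
    print("after edit:     ", verify_log(log))
```

The index returned by verify_log() points at the first entry whose chain link fails, which for a deletion is the entry that followed the removed one; comparing it against the independently stored final hash tells the responder whether the file was truncated at the end rather than edited in the middle.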

Incident Declaration: questions to rule out false alarms before declaring
  Was there a scheduled system or network outage that caused resources to be unavailable during the time the incident was reported?
  Was there an unscheduled and unreported outage at a network service provider that caused resources to be unavailable during the time the suspected incident was reported?
  Was the affected system recently upgraded, patched, reconfigured, or otherwise modified in a way that could cause the suspicious activity that was reported?
  Was testing being performed on the network that would lock out accounts or cause resources to be unavailable?
  For insider incidents, is there any justification for the actions the employee took that removes or lessens the suspicion?

Next time
  Assembling the CSIRT
  Performing traditional investigative steps
  Conducting interviews
  Formulating a response strategy