1. Chapter 2 Incident Response Management Handbook Spring 2016 - Incident Response & Computer Forensics

2. What is a Computer Security Incident?  An event  Intended for causing harm  Performed by a person (i.e., not due to factors beyond one’s control)  Involves a computing resource Examples  Data theft  Theft of funds  Extortion  Unauthorized access  Presence of malware  Possession of illegal or unauthorized materials

3. Goals of Incident Response  Remove threats  Minimize damages  Restore normal operations quickly

4. Who is Involved in IR Process?  HR  IT  Legal  Business line managers  Network infrastructure  Compliance  Core investigative team

5. IR Process  Initial Response  Investigation  Remediation

6. Initial Response  Assemble the response team  Review readily available data  Determine the type of incident  Assess the potential impact

7. Investigation  What? How? Who? etc.  Start with initial leads  Identify systems of interest  Preserve evidence  Live response  Memory collection  Forensic disk image  Analyze data  Malware analysis  Live response analysis  Forensic examination

8. Remediation  Consider all aspects  Legal, business, political, technical, etc.  Time is critical  Too soon - may fail to discover some important information  Too late – may increase the damage

9. Reporting  Very important step  From legal and other viewpoints  Also help stay focused and perform quality investigations