Incident response
- steps:
  - preparation
  - detection
  - analysis
  - containment
  - eradication
  - recovery
  - post-incident activity
- must be developed in collaboration with lawyers
- list of external contacts
- call-tree for internal contacts
- responsibilities map
- actions to preserve evidence
- what should be included in the report
- external world interaction plan (e.g. media, authorities)
- CERT (computer emergency response team): information security groups
ISO 27035
- incident response process management
- phases
  - plan & prepare:
    - form IR team
    - update policies
    - test IR plan
    - training
  - detection & reporting:
    - detect, collect and report events and vulnerabilities
  - assessment & decision:
    - process collected info, gather additional information
    - preserve evidence
    - risk analysis
  - responses:
    - follow DRP
    - begin postmortem
  - lessons learned
NIST
SP 800-61
- incident handling
SP 800-81
- secure DNS deployment
FIRST
- forum of incident response and security teams
- SIG: special interest group
Containment
- do not power off or log out
- record all actions
- disconnect from network:
  - physically
  - shielded container: requires a battery, because a device searching for a network consumes energy
  - airplane mode
  - firewall rules may not be enough
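The "record all actions" item above and the "actions to preserve evidence" item in the incident response list both rest on one practical mechanism: an action log that a responder can later show was not altered. The example below is added here and is not part of these notes or of any standard named on this page; it assumes its own field names (ts, actor, action, evidence_sha256), a fixed all-zero anchor for the first entry, and constructed sample entries. Each entry's SHA-256 covers the previous entry's hash, so editing or deleting an earlier entry breaks the chain and the verifier reports where.

```python
"""Hash-chained incident action log (added example, not from the notes).

Each entry records who did what and when, optionally binding the SHA-256 of
collected evidence to that step. The entry hash covers the previous entry's
hash, so any later edit or deletion of an entry is detectable.
"""
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timezone

# Hypothetical fixed anchor used as the "previous hash" of the first entry
GENESIS = "0" * 64
# Assumed field names; these are this example's own, not from any standard
FIELDS = ("ts", "actor", "action", "evidence_sha256")


def _entry_hash(prev_hash: str, payload: dict) -> str:
    # Canonical JSON so a given set of fields always serializes the same way
    blob = json.dumps({k: payload[k] for k in FIELDS},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + blob).encode("utf-8")).hexdigest()


def record_action(log: list[dict], actor: str, action: str,
                  evidence: bytes | None = None, ts: str | None = None) -> dict:
    """Append one responder action; optionally bind collected evidence to it."""
    prev = log[-1]["hash"] if log else GENESIS
    payload = {
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        # Hash of the evidence bytes, so the log proves what was collected
        "evidence_sha256": (hashlib.sha256(evidence).hexdigest()
                            if evidence is not None else None),
    }
    entry = {**payload, "prev": prev, "hash": _entry_hash(prev, payload)}
    log.append(entry)
    return entry


def verify_log(log: list[dict]) -> tuple[bool, int]:
    """Walk the chain: (True, -1) if intact, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != _entry_hash(prev, entry):
            return False, i
        prev = entry["hash"]
    return True, -1


def demo() -> tuple[bool, bool]:
    """Constructed walk-through: an intact log, then the same log after one edit."""
    log: list[dict] = []
    record_action(log, "analyst-1", "pulled network cable from host ws-17",
                  ts="2024-01-01T10:00:00+00:00")
    record_action(log, "analyst-1", "captured volatile memory of ws-17",
                  evidence=b"constructed sample memory image",
                  ts="2024-01-01T10:05:00+00:00")
    intact, _ = verify_log(log)
    log[0]["action"] = "rebooted host ws-17"   # after-the-fact edit of the record
    still_ok, _ = verify_log(log)
    return intact, still_ok   # (True, False)


if __name__ == "__main__":
    print(demo())
```

In practice the log would be appended to a write-once medium or a second system, and the evidence bytes would come from the actual capture (memory image, disk image, exported logs) rather than the constructed sample used here; the chain only proves the record's integrity from the point it was written, which is why entries are made as each action is taken rather than reconstructed afterwards.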