Day 5 - Identification: Events versus Incidents
Last Updated: 2008-10-14 15:04:43 UTC
by Stephen Hall (Version: 1)
Welcome to day 5 of the Cyber Security Awareness Month and the first day of what is the second half of the steady state that incident handling teams work in. When everything in the Incident Handling world is good, handlers rotate around the step Preparation and Identification. But what triggers the move to step 3, containment?
This is why today we discuss Events versus Incidents.
An event is the name given to the pieces of information which flow into you incident handling process.
An incident is the event which triggers when you determine that an event is malicious.
So, how does your incident team perform this crucial task so you know you've not missed anything? What hints and tips can you give your fellow incident handlers to improve their detect rate, or to make the job easier?
What questions do you ask of the event reporter which improves your decision making? How do you gather this information?
Drop me a note during today, and I'll update the diary with your advice!
Janantha wrote in saying:
I assume that in the preparation you have compiled a list of Windows Event Id's that are related to popular incidents. Also if your in Linux you know the Regex to parse through the log files.
1. Make a habit to review the log files daily or regularly! Also keep in mind of attack patterns so you recognize attacks just by browsing through the event log!
2. Look for critical event id's that may have indicate irregular behavior. You can do this by using tools like Event log explorer which is free of charge as it provides powerful interface to sort your events and go through them in a proper manner.
3.Cross reference multiple logs (firewall logs) to verify if the event is actually an event that is worth taking any action!.