Stay on Track During IR

SANS Site Network
- Current Site
- SANS Internet Storm Center
- Other SANS Sites Help
- Graduate Degree Programs
- Security Training
- Security Certification
- Security Awareness Training
- Penetration Testing
- Industrial Control Systems
- Cyber Defense Foundations
- DFIR
- Software Security
- Government OnSite Training

InfoSec Handlers Diary Blog

Stay on Track During IR

Published: 2016-08-24
Last Updated: 2016-08-24 12:23:45 UTC
by Tom Webb (Version: 1)

When responding to incidents, it’s easy to go down a rabbit hole that likely won’t produce results to the questions we are always after: How did the attacker get in? What information is contained on the system? And What information was accessed?

To streamline analysis we need to determine what information is most useful for each incident classifications, this gives more flexibility to SOPs by pulling these into a methodology depending on the investigation. Rather than adding these processes over and over into different procedures documents (which all may not get updated) you can link to one process from the methodology.

Additionally, you can chart out specific items (e.g. determine logged-in username for computer) similar to the SANS forensics poster for where to get specific data for user activity. (P is primary source. S is secondary)

	FW Log	IDS	HID	BRO	DHCP	NAC	Full Packet	SMTP Logs	DNS	AD	DLP
Phish			S	P			P	P	S
Web Shell	S	S	S	P			P
C&C	S	S		P			P		P
Data Exfil	S		P	S			P
Logged-in user			S			P				P

Do anyone else use a similar process or have a better one?Leave a comment.

Tom Webb

@twsecblog

Keywords: incident response

2 comment(s)

Join us at SANS! Attend with Tom Webb in starting

Top of page

Diary Archives