- Incident Response is the set of processes and procedures that are initiated once a security incident has been declared.
-
Incident response processes are an integral component of being able to react quickly when an incident occurs, to rule out a non-incident just as quickly, and to operate efficiently while doing so.
-
Pre-Incident Processes:
- Leverage existing processes for dealing with events
- Define an incident
-
Incident Processes:
- Define an incident manager
- Define internal communications
- Define external communications
- Determine key goals
- High-level technology processes
- Plan for the long haul
-
Post-Incident Processes:
- Hold a lessons-learned session
- Allows for feedback regarding what worked well and what worked less well.
- Allows you the chance to update processes, determine training requirements, change infrastructure, and generally improve based on what you learned from the incident
- Update documentation, policies, procedures, and standards => Update tabletops and drills
- Log Analysis
- Disk and File Analysis
- Memory Analysis
- PCAP Analysis
- All in one
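Of the analysis categories listed above, log analysis is the one most often done by hand under time pressure, so here is an added example of the kind of script an incident responder writes for it. This is not code from the original notes: it parses a handful of constructed sshd syslog lines (not from any real host), builds a sorted timeline, and flags the brute-force-then-success pattern (several failed logins from one source IP followed by an accepted login within a short window). The threshold of 3 failures and the 300-second window are assumed tuning values, not figures from the page.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines for the example (not taken from a real system).
# Source 203.0.113.45 fails four times as root, then succeeds: the pattern we want flagged.
# Source 192.0.2.9 fails once and then succeeds: a typo, below threshold, not flagged.
SAMPLE_LOG = """\
Mar  4 10:01:12 web01 sshd[2311]: Failed password for invalid user admin from 203.0.113.45 port 50122 ssh2
Mar  4 10:01:15 web01 sshd[2313]: Failed password for root from 203.0.113.45 port 50130 ssh2
Mar  4 10:01:19 web01 sshd[2315]: Failed password for root from 203.0.113.45 port 50138 ssh2
Mar  4 10:01:24 web01 sshd[2317]: Failed password for root from 203.0.113.45 port 50144 ssh2
Mar  4 10:01:31 web01 sshd[2320]: Accepted password for root from 203.0.113.45 port 50151 ssh2
Mar  4 10:02:02 web01 sshd[2340]: Accepted publickey for deploy from 198.51.100.7 port 41022 ssh2
Mar  4 10:05:44 web01 sshd[2377]: Failed password for ops from 192.0.2.9 port 33001 ssh2
Mar  4 10:05:50 web01 sshd[2379]: Accepted password for ops from 192.0.2.9 port 33005 ssh2
"""

# Matches the OpenSSH "Accepted/Failed <method> for [invalid user] <user> from <ip> port <n>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_sshd_log(text, year=2024):
    """Parse syslog-style sshd lines into event dicts. Syslog timestamps carry no year,
    so the caller supplies it (assumed 2024 here). Lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts_text = " ".join(m["ts"].split())  # collapse the padded day ("Mar  4" -> "Mar 4")
        events.append({
            "ts": datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S"),
            "host": m["host"],
            "result": m["result"],
            "method": m["method"],
            "user": m["user"],
            "invalid_user": m["invalid"] is not None,
            "ip": m["ip"],
        })
    return events


def build_timeline(events):
    """Return one human-readable line per event, sorted by time, for the incident timeline."""
    ordered = sorted(events, key=lambda e: e["ts"])
    return [
        f"{e['ts']:%Y-%m-%d %H:%M:%S} {e['host']} {e['result']} {e['method']} "
        f"{e['user']}{' (invalid user)' if e['invalid_user'] else ''} from {e['ip']}"
        for e in ordered
    ]


def find_bruteforce_successes(events, threshold=3, window_seconds=300):
    """Flag source IPs with at least `threshold` failed logins inside `window_seconds`
    immediately before an accepted login. Threshold and window are assumed tuning values."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        pending_failures = []
        for ev in evs:
            if ev["result"] == "Failed":
                pending_failures.append(ev)
                continue
            # An accepted login: count only the failures that fall inside the window before it.
            in_window = [
                f for f in pending_failures
                if (ev["ts"] - f["ts"]).total_seconds() <= window_seconds
            ]
            if len(in_window) >= threshold:
                findings.append({
                    "ip": ip,
                    "user": ev["user"],
                    "host": ev["host"],
                    "failures": len(in_window),
                    "first_failure": in_window[0]["ts"],
                    "success": ev["ts"],
                })
            pending_failures = []  # a success closes the current attempt sequence
    return findings


if __name__ == "__main__":
    evs = parse_sshd_log(SAMPLE_LOG)
    for line in build_timeline(evs):
        print(line)
    for f in find_bruteforce_successes(evs):
        print(f"ALERT: {f['failures']} failures then success for {f['user']} "
              f"from {f['ip']} on {f['host']} at {f['success']:%H:%M:%S}")
```

The timeline output is the artifact you hand to the incident manager and carry into the lessons-learned session; the detection function is the piece worth turning into a standing rule afterwards, since the same pattern on a different host is exactly what "update documentation, policies, procedures" should catch next time.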