IT Incident Response Planning 2013

Posted on 14-May-2015


IRP phases include: Recovery and Preservation of Evidence, Containment Strategy, Evidence gathering and handling, Identification of source, Eradication, Recovery, Testing

Transcript of IT Incident Response Planning 2013

©2013 Maze & Associates

Incident Response


Computer Security Incident Handling Guide

Computer Security Incident Handling Guide
Recommendations of the National Institute of Standards and Technology (NIST)
NIST SP 800-61 Revision 2, August 2012


Incident Response Process


Preparation

“An ounce of preparation is worth a pound of cure”

“The more you sweat in training the less you bleed in battle.”

You can’t plan for everything, but you can have a strategy to cover just about anything


Preparation

- Understand the need and requirements
- Creating Incident Response Policy, Plan, and Procedures
- Forming Incident Response Team
- Training: CIRT, End Users
- Preventing Incidents: Controls
- Asset Inventory


Detection and Analysis

- Signs of an Incident
- Precursors and Indicators
- Attack Vectors
- Incident Analysis
- Incident Documentation
- Incident Prioritization
- Notification: Call Tree and Assistance


Containment, Eradication, and Recovery

- Recovery and Preservation of Evidence
- Containment Strategy
- Evidence gathering and handling
- Identification of source
- Eradication
- Recovery
- Testing


Post-Incident Activities

- After Action Report
- Evaluating Evidence: Root Cause Analysis
- Control Evaluation
- Evidence Retention
- Notification: affected parties


Communications with Outside Parties


External Assistance