Chapter 22: Security Incidents Flashcards
MOM
motive, opportunity, and means: the three elements an investigator looks for when identifying a suspect
evidence preservation
maintain a chain of custody, compute cryptographic hashes of all digital evidence at acquisition so later alteration can be detected, and control access to the evidence
four phases of evidence handling
identification, collection, acquisition, and preservation
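An added worked example (not part of the flashcard set) covering the evidence preservation card and the acquisition and preservation phases above: the evidence is hashed the moment it is acquired, every hand-off and check is logged with the hash observed at that time, and any later mismatch shows the copy is no longer reliable. The evidence ID, custodian names and evidence bytes are constructed for illustration.

```python
"""Added example, not part of the flashcard set: hash an acquired evidence
file and keep a chain-of-custody log so the evidence stays verifiable.
Evidence IDs, custodian names and the evidence bytes are constructed."""
import hashlib
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Hash recorded at acquisition; any later mismatch shows alteration."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    timestamp: str   # UTC ISO-8601, when the action happened
    custodian: str   # who held the evidence at that moment
    action: str      # acquired / transferred to X / verified / VERIFY FAILED
    sha256: str      # hash observed when the action was logged


@dataclass
class EvidenceRecord:
    evidence_id: str
    description: str
    acquisition_hash: str
    custody: list = field(default_factory=list)

    def _log(self, custodian: str, action: str, observed_hash: str) -> None:
        self.custody.append(CustodyEntry(
            datetime.now(timezone.utc).isoformat(), custodian, action, observed_hash))

    def transfer(self, from_custodian: str, to_custodian: str, data: bytes) -> bool:
        """Hand-off: the receiving custodian re-hashes the evidence before accepting it."""
        observed = sha256_hex(data)
        ok = observed == self.acquisition_hash
        self._log(from_custodian, f"transferred to {to_custodian}", observed)
        self._log(to_custodian, "verified" if ok else "VERIFY FAILED", observed)
        return ok

    def verify(self, data: bytes, custodian: str) -> bool:
        """Recompute the hash and record the check (e.g. before analysis or court)."""
        observed = sha256_hex(data)
        ok = observed == self.acquisition_hash
        self._log(custodian, "verified" if ok else "VERIFY FAILED", observed)
        return ok

    def intact(self) -> bool:
        """True only if every hash ever logged equals the acquisition hash."""
        return all(e.sha256 == self.acquisition_hash for e in self.custody)

    def to_json(self) -> str:
        """Export the record for the case file."""
        return json.dumps(asdict(self), indent=2)


def acquire(evidence_id: str, description: str, data: bytes, custodian: str) -> EvidenceRecord:
    """Acquisition step: hash the copy immediately and open the custody log with it."""
    h = sha256_hex(data)
    rec = EvidenceRecord(evidence_id, description, h)
    rec._log(custodian, "acquired", h)
    return rec


if __name__ == "__main__":
    image = b"constructed disk image bytes"   # stands in for a forensic image (constructed)
    rec = acquire("EV-2024-001", "laptop disk image (constructed)", image, "analyst_a")
    print(rec.transfer("analyst_a", "analyst_b", image))   # True: hash unchanged at hand-off
    print(rec.verify(image + b"X", "analyst_b"))            # False: altered copy detected
    print(rec.intact())                                     # False: the log now records a mismatch
    print(rec.to_json())
```

The log is append-only by design: a failed verification is recorded rather than discarded, because the gap itself is what opposing counsel will ask about. In practice the record would be signed or stored write-once, and the hash would be taken with a write-blocker in place before any analysis copy is made.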
runbook
a collection of procedures that the IR team follows for a specific type of incident
incident classification criteria
the criteria used to prioritize IR resources: the type and impact of the incident, and the urgency with which the response must begin
seven phases of incident management
detection, response, mitigation, reporting, recovery, remediation, and lessons learned
containment during the response phase
containment limits the incident's spread to prevent or reduce any further damage from it
remediation phase of incident management
security controls are deployed or changed to prevent the incident from recurring; examples are changes to firewall or IDS/IPS rules and the identification of IOAs and IOCs
IOA
indicators of attack; evidence of attacker behaviour in progress, used to detect an attack in real time before it succeeds
IOC
indicators of compromise; artifacts left behind (for example file hashes, IP addresses, domain names) that show an attack has succeeded and security has been compromised
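An added example (not part of the flashcard set) that shows the IOA/IOC distinction above as detection logic: the same constructed log lines are run through an IOC check, which matches observed artifacts against known-bad values, and an IOA check, which flags attacker behaviour (repeated failed logins followed by a success; an Office application spawning a shell) regardless of any known artifact. The log format, hosts, IP addresses and hash are all constructed for illustration.

```python
"""Added example, not part of the flashcard set: IOC matching (known-bad
artifacts) versus IOA matching (attacker behaviour) over constructed logs.
Log format, hosts, addresses and the hash value are all made up."""
from collections import defaultdict

# Constructed log lines: "<timestamp> <host> <event> key=value ..."
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z ws01 auth result=fail user=alice src=203.0.113.9
2024-05-01T10:00:03Z ws01 auth result=fail user=alice src=203.0.113.9
2024-05-01T10:00:05Z ws01 auth result=fail user=alice src=203.0.113.9
2024-05-01T10:00:07Z ws01 auth result=fail user=alice src=203.0.113.9
2024-05-01T10:00:09Z ws01 auth result=success user=alice src=203.0.113.9
2024-05-01T10:01:00Z ws01 process name=powershell.exe parent=WINWORD.EXE sha256=deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
2024-05-01T10:02:00Z ws01 netconn dst=198.51.100.77 dport=443
2024-05-01T10:03:00Z ws02 auth result=success user=bob src=10.0.0.5
"""

# IOCs: artifacts recovered from an earlier, already successful attack (constructed)
KNOWN_BAD_IPS = {"198.51.100.77"}
KNOWN_BAD_HASHES = {"deadbeef" * 8}

# Names used by the IOA behaviour rule (constructed lists, lower-cased)
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe"}


def parse(line: str) -> dict:
    """Split one log line into a flat dict of fields."""
    ts, host, event, rest = line.split(" ", 3)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": ts, "host": host, "event": event, **fields}


def ioc_matches(events: list) -> list:
    """IOC detection: an event is a hit only if an artifact is already known bad."""
    hits = []
    for e in events:
        if e.get("dst") in KNOWN_BAD_IPS:
            hits.append(("ioc_ip", e["host"], e["dst"]))
        if e.get("sha256") in KNOWN_BAD_HASHES:
            hits.append(("ioc_hash", e["host"], e["sha256"]))
    return hits


def ioa_matches(events: list, fail_threshold: int = 4) -> list:
    """IOA detection: hits depend on behaviour, so a never-seen binary or IP still fires.
    Rule 1: >= fail_threshold failed logins for one (host, user, src), then a success.
    Rule 2: an Office application spawning a shell."""
    hits = []
    fails = defaultdict(int)
    for e in events:
        if e["event"] == "auth":
            key = (e["host"], e["user"], e["src"])
            if e["result"] == "fail":
                fails[key] += 1
            elif e["result"] == "success":
                if fails[key] >= fail_threshold:
                    hits.append(("ioa_bruteforce_success", e["host"], e["user"]))
                fails[key] = 0  # a success ends the attempt window
        elif e["event"] == "process":
            if e.get("parent", "").lower() in OFFICE_APPS and e["name"].lower() in SHELLS:
                hits.append(("ioa_office_spawns_shell", e["host"], e["name"]))
    return hits


def run(log_text: str) -> dict:
    events = [parse(line) for line in log_text.splitlines() if line.strip()]
    return {"ioc": ioc_matches(events), "ioa": ioa_matches(events)}


if __name__ == "__main__":
    for kind, hits in run(SAMPLE_LOGS).items():
        print(kind, hits)
```

The IOC hits prove compromise only because the same IP and hash were seen in a previous successful attack; the IOA hits fire on the brute force and the Word-to-PowerShell chain with no prior knowledge of the attacker's infrastructure, which is why the remediation phase feeds newly found IOCs back into the IOC list while IOA rules stay valid across campaigns.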
characteristic of admissible evidence
relevant to the case; reliable (consistent with fact, not based on opinion or merely circumstantial); and legally obtained