Incident Response Procedure Flashcards
A set of procedure that an investigator follows when examining a
computer security incident
Incident Response
Program consisting of the monitoring and detection of security events on
a computer network and the execution of proper response to those
security events
* Preparation
* Identification
* Containment
* Eradication
* Recovery
* Lesson Learned
Incident Management Program
Process of recognizing whether an event that occurs should be classified
as an incident
Identification
Focused on data restoration, system repair, and re-enabling any server or
networks taken offline during the incident response
Recovery
Signal that are sent between two parties or two device that are sent via
a path or method different from that of the primary communication
between the two parties or devices
Out of Band Communication
Executives and managers who are responsible for business operations
and functional areas
Senior Leadership
Governmental organizations that oversee the compliance with specific
regulations and law
Regulatory Bodies
The business or organizations legal council is responsible for mitigating
risk from civil lawsuits
Legal
Used to ensure no breaches of the employment law or employee
contract is made during an incident response
Human Resources (HR)
Three variations of ____ which all permit the logging of data from
different types of systems in a central repository
syslog/rsyslog/syslog-ng
A Linux command line utility used for querying and displaying logs from
journald, the systemd logging service on Linux
jornalctl
A multi-platform log management tool that helps to easily identify
security risks, policy breaches or analyze operational problems in server
logs, operation system logs and application logs
nxlog
A network protocol system created by Cisco that collects active IP
network traffic as it flows in or out of an interface, including its point of
origin, destination, volume and paths on the network
netflow
Short for “sampled flow”, it provides a means for exporting truncated
packets, together with interface counters for the purpose of network
monitoring
sflow
A universal standard of export for Internet Protocol flow information
from routers, probes and other devices that are used by mediation
systems, accounting/billing systems and network management systems
to facilitate services such as measurement, accounting and billing by
defining how IP flow information is to be formatted and transferred from
an exporter to a collector
Internet PRotocol Flow Information Export (IPfix)
Data that describes other data by providing an underlying definition or
description by summarizing basic information about data that makes
finding and working with particular instances of data easier
Metadata
Written procedures ensure that personnel handle forensics properly, effectively,
and in compliance with required regulations
Forensic Procedures
Ensure the scene is safe, secure the scene to prevent evidence
contamination, and identify the scope of evidence to be collected
Identification
Ensure authorization to collect evidence is obtained, and then document
and prove the integrity of evidence as it is collected
Collection
Create a copy of evidence for analysis and use repeatable methods and
tools during analysis
Analysis
Create a report of the methods and tools used in the investigation and
present detailed findings and conclusions based on the analysis
Reporting
A process designed to preserve all relevant information when litigation is
reasonably expected to occur
Legal Hold
A tool that shows the sequence of file system events within a source
image in a graphical format
Timeline
The method and tools used to create a forensically sound copy of data
from a source device, such as system memory or a hard disk
Data Acquistion
