Tuesday, 20 December 2011

Incident Response Process

Perhaps we are going at this a little backwards by not starting with this post. Better late than never.
Step 1: Detection -- can come through three channels.

Firstly, automated systems such as IDS, firewall logs, Tivoli triggers, or other alarms that notify security operations of an event. Some are false positives, some are real. Review of ALL events needs to occur for the process to improve.

Secondly, manual review of systems such as IDS or firewall logs can be a better method of detecting unusual results or activities. Not all signatures or anomalies can be detected by programmed systems. Human eyes on the perimeter are mandatory. Continued analysis of these systems will also aid the streamlining and efficiency required to triage actual security events.

Finally, the last detection method is the most severe: notification by an external party, be it an Internet Service Provider, a security researcher, or law enforcement. Usually at this point, much research has already been done and the security event has been vetted many times.
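The first channel's requirement that ALL events get reviewed is easiest to meet when alerts are grouped and queued rather than read one line at a time. The script below is an added example, not code from the original post: it parses a handful of constructed, simplified Snort-style alert lines (the SIDs are in the local-rule range and the messages are made up), groups them by signature, attaches any previous disposition as context only (a prior "false positive" does not remove a signature from the queue), and escalates a priority-1 alert whose source host was itself the target of a scan alert in the same batch.

```python
import re
from collections import defaultdict

# Constructed sample alerts in a simplified "[gid:sid:rev] msg [Priority: n] src -> dst" form.
# The last line is deliberately malformed to show that unparseable input is not silently dropped.
SAMPLE_ALERTS = """\
[1:1000001:1] LOCAL SCAN inbound SSH sweep [Priority: 2] 203.0.113.5:40112 -> 192.0.2.10:22
[1:1000001:1] LOCAL SCAN inbound SSH sweep [Priority: 2] 203.0.113.5:40113 -> 192.0.2.11:22
[1:1000002:1] LOCAL TROJAN Zbot-style HTTP beacon [Priority: 1] 192.0.2.44:51022 -> 198.51.100.7:80
[1:1000003:1] LOCAL ATTACK_RESPONSE root shell banner outbound [Priority: 1] 192.0.2.10:22 -> 203.0.113.5:40112
[1:1000001:1] LOCAL SCAN inbound SSH sweep [Priority: 2] 203.0.113.5:40114 -> 192.0.2.12:22
this line is not an alert
"""

# Constructed record of what the analyst decided about a signature last time it fired.
PRIOR_DISPOSITIONS = {"1000001": "false_positive (authorised vulnerability scanner, 2011-12-01)"}

ALERT_RE = re.compile(
    r"^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Priority: (?P<prio>\d+)\] (?P<src>\S+) -> (?P<dst>\S+)$"
)


def parse_alerts(text):
    """Parse alert lines; lines that do not match are returned separately for a human to look at."""
    parsed, rejected = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ALERT_RE.match(line)
        if m is None:
            rejected.append(line)
            continue
        d = m.groupdict()
        d["prio"] = int(d["prio"])
        # Strip the port so hosts can be correlated across alerts.
        d["src_ip"] = d["src"].rsplit(":", 1)[0]
        d["dst_ip"] = d["dst"].rsplit(":", 1)[0]
        parsed.append(d)
    return parsed, rejected


def build_review_queue(alerts, prior_dispositions):
    """Group alerts by signature; every group is queued, prior dispositions are context, not a filter."""
    groups = defaultdict(lambda: {"count": 0, "sources": set(), "targets": set()})
    for a in alerts:
        g = groups[(a["sid"], a["msg"], a["prio"])]
        g["count"] += 1
        g["sources"].add(a["src_ip"])
        g["targets"].add(a["dst_ip"])

    # Hosts that were the target of a scan alert in this batch.
    scanned_hosts = set()
    for (_sid, msg, _prio), g in groups.items():
        if "SCAN" in msg:
            scanned_hosts |= g["targets"]

    queue = []
    for (sid, msg, prio), g in groups.items():
        # A high-priority alert originating from a host that was scanned deserves escalation:
        # the scan may have succeeded.
        escalate = prio == 1 and bool(g["sources"] & scanned_hosts)
        queue.append({
            "sid": sid, "msg": msg, "priority": prio, "count": g["count"],
            "sources": sorted(g["sources"]), "targets": sorted(g["targets"]),
            "prior_disposition": prior_dispositions.get(sid, "none"),
            "escalate": escalate,
        })
    # Escalated first, then by priority (1 is highest), then by volume.
    queue.sort(key=lambda e: (not e["escalate"], e["priority"], -e["count"]))
    return queue


if __name__ == "__main__":
    alerts, rejected = parse_alerts(SAMPLE_ALERTS)
    for entry in build_review_queue(alerts, PRIOR_DISPOSITIONS):
        flag = "ESCALATE" if entry["escalate"] else "review"
        print(f"{flag:8} P{entry['priority']} x{entry['count']:<3} sid={entry['sid']} "
              f"{entry['msg']} | prior: {entry['prior_disposition']}")
    for line in rejected:
        print("UNPARSED:", line)
```

The scan-then-response correlation is deliberately simple; the point is that the queue is ordered by what needs a human first, while signatures previously marked as false positives still appear so that the disposition itself gets re-checked.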

Step 2: Identification -- manual analysis required. Once an event has been detected, you need to identify not only what the event is, where it occurred and what business line it affected, but why it happened and whether it is a real security threat. If the event is, for example, a Zbot detection, then beyond re-imaging the affected devices and having passwords reset, you need to determine why the event occurred in the first place. Is a website that is normally considered safe now infected? Does it need to be blocked at the proxies? Did someone take the computer home, get infected, and bring it into the office? Is the detection really Zbot? Or is it something else that LOOKS like Zbot?

Step 3: Confirmation -- Once a security incident has been identified, you need to determine through analysis that a breach has actually occurred or that the devices have been infected. If you are confirming a virus, look up what that particular virus does. Does it modify registry settings? Does it rename files? Then look for these markers on your device. If you can confirm these markers or indicators of compromise, you can provide the details for either forensic analysis or to support the remediation process.
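The confirmation step above boils down to turning a malware write-up into a checklist of markers and ticking them off against the host. The script below is an added example and not part of the original post: the indicator list and the host snapshot are constructed placeholders (registry key, value name, file paths and the hashed bytes are all made up), and on a live Windows host the snapshot would be filled from the registry and filesystem rather than from the literal dict shown. It requires more than one marker to match before calling the host compromised, which guards against a single coincidental hit, and it reports both the matched and the missed markers so the result can be handed to forensics or remediation.

```python
import hashlib

# Hash of a constructed byte string, standing in for the hash a write-up would publish.
SAMPLE_HASH = hashlib.sha256(b"constructed sample bytes").hexdigest()

# Constructed indicators in the shape a malware write-up would give them.
INDICATORS = [
    {"type": "registry_value",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "example_loader",
     "desc": "persistence entry (placeholder value name)"},
    {"type": "file_present",
     "path": r"C:\Users\alice\AppData\Roaming\exmpl\loader.exe",
     "desc": "dropped binary (placeholder path)"},
    {"type": "file_sha256",
     "path": r"C:\Users\alice\AppData\Roaming\exmpl\loader.exe",
     "sha256": SAMPLE_HASH,
     "desc": "hash of the dropped binary (constructed)"},
    {"type": "file_present",
     "path": r"C:\Windows\System32\drivers\etc\hosts.bak",
     "desc": "renamed hosts file (placeholder)"},
]

# Constructed snapshot of a suspect host: Run-key values and files with their SHA-256.
HOST_SNAPSHOT = {
    "registry": {
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
            "Updater": r"C:\Program Files\Example\updater.exe",
            "example_loader": r"C:\Users\alice\AppData\Roaming\exmpl\loader.exe",
        }
    },
    "files": {
        r"C:\Users\alice\AppData\Roaming\exmpl\loader.exe": SAMPLE_HASH,
    },
}


def sha256_of_file(path):
    """Hash a real file in chunks; used when building a snapshot from a live host."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_indicator(ind, snap):
    """Return True if the snapshot shows this marker."""
    if ind["type"] == "registry_value":
        return ind["name"] in snap["registry"].get(ind["key"], {})
    if ind["type"] == "file_present":
        return ind["path"] in snap["files"]
    if ind["type"] == "file_sha256":
        return snap["files"].get(ind["path"]) == ind["sha256"]
    raise ValueError(f"unknown indicator type {ind['type']!r}")


def confirm_compromise(indicators, snap, min_matches=2):
    """Return (confirmed, matched, missed); a single hit alone is not treated as confirmation."""
    matched, missed = [], []
    for ind in indicators:
        (matched if check_indicator(ind, snap) else missed).append(ind)
    return len(matched) >= min_matches, matched, missed


def report(matched, missed):
    """Lines suitable for the incident record handed to forensics or remediation."""
    lines = [f"CONFIRMED: {m['desc']} [{m['type']}]" for m in matched]
    lines += [f"not found: {m['desc']} [{m['type']}]" for m in missed]
    return lines


if __name__ == "__main__":
    confirmed, matched, missed = confirm_compromise(INDICATORS, HOST_SNAPSHOT)
    print("host compromised:", confirmed)
    for line in report(matched, missed):
        print(" ", line)
```

A marker that is absent is worth recording too: if the write-up says the sample renames the hosts file and it did not happen here, that is a hint the detection may be a variant or something that only looks like the named malware, which is exactly the question Step 2 asks.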

Step 4: Analysis -- This can take on many forms.
