Identification of Threat
- Where is the attack coming from?
- Internal or External?
- Automated or Manual?
- What exactly is this attack doing?
- How is this impacting the victim?
- How far has this attack spread?
- Does it come from a single source or multiple?
Triage – “Stop the Bleeding”
- Modify Firewall Rules
- Modify Intrusion Detection Ruleset
- Modify Access Control Lists
  - Servers (Active Directory, LDAP, Novell, etc.)
  - Remote Connections (VPN, RADIUS, etc.)
  - Physical Connections (Router, Switch, etc.)
- Contact Up-stream Provider
- Physically Disconnect Network (*)
Evidence Identification
- Ongoing Malicious Activities
  - Packet Captures
  - Log Captures
- Historic Evidence
  - Log Identification
    - Server
    - Appliance
    - Infrastructure
  - Volatile and Non-Volatile Memory
  - Determination of Network Topology
Evidence Preservation
- Historic Evidence
  - Log Preservation
  - Volatile Memory Preservation
  - Non-Volatile Memory Preservation
  - Log Requests from Other Sources (Up-stream provider, Out-sourced services, etc.)
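One way to carry out the log-preservation step above: an added example, not part of the original outline, that hashes each collected log file into a chain-of-custody manifest and re-verifies the files later so truncation or tampering after acquisition is detectable. The collector name, case id and manifest field names are assumptions.

```python
"""Evidence-preservation helper (added example): record SHA-256 hashes and
acquisition metadata for collected log files, then re-check them later.
Manifest layout, 'collector' and 'case_id' are assumed, not from the outline."""
import hashlib
import os
import socket
from datetime import datetime, timezone


def hash_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large captures need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, collector, case_id):
    """Hash each evidence file and record who acquired it, when, and on which host."""
    entries = []
    for p in paths:
        st = os.stat(p)
        entries.append({
            "path": os.path.abspath(p),
            "sha256": hash_file(p),
            "size": st.st_size,
            # original modification time is itself evidence; keep it in UTC
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        })
    return {
        "case_id": case_id,
        "collector": collector,
        "host": socket.gethostname(),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "files": entries,
    }


def verify_manifest(manifest):
    """Return the paths whose current size or hash no longer matches the manifest."""
    changed = []
    for e in manifest["files"]:
        p = e["path"]
        if (not os.path.exists(p) or os.path.getsize(p) != e["size"]
                or hash_file(p) != e["sha256"]):
            changed.append(p)
    return changed
```

Store the manifest (and a hash of the manifest itself) separately from the evidence it describes, since a manifest kept beside the files can be altered along with them.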
Prevention of Future Compromises
- Removal of unauthorized accounts
- Modification of Firewall Logs
- Modification of Intrusion Detection Rules
- Patching of Systems
- Modification of Public Facing Applications
- Update of Virus Definition Files
- Installation of Early Detection Devices