2. Description
Isolation & Mitigation
Letter of Preservation
Additional Monitoring
External Notifications
Restoring the Systems
Securing the Systems
Summary Meeting
3. The goal of this phase is to respond to the data and conclusions drawn in the assessment phase
This includes:
Isolating compromised systems
Acquisition of systems
Increased logging and monitoring
Restoring systems
Increasing security
4. This phase restores the system(s) to a known and trusted state
The secondary goal of this phase is securing similar hosts to prevent additional attacks, or at least increasing monitoring to identify future attacks
The lessons learned will be shared so that responses to future incidents are more successful
5. The goal of acquisition is to save the state of the system
Document everything (even mistakes)
Trust nothing on the suspect system
Suspect systems should be modified as little as possible
Chain of Custody must be kept for all potential court evidence
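One way to keep the Chain of Custody record and "document everything" that the acquisition slide calls for, as an added example that is not part of the original slides: a small Python ledger that hashes each acquired image and links every hand-off entry to the hash of the previous entry, so a later edit to any entry is detectable on verification. The image bytes, analyst names and file names are constructed placeholders.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()  # hash in chunks: disk images do not fit in memory
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def record_custody(ledger: Path, evidence: Path, handler: str, action: str) -> dict:
    """Append one custody entry; each entry commits to the hash of the previous one."""
    lines = ledger.read_text().splitlines() if ledger.exists() else []
    prev = json.loads(lines[-1])["entry_hash"] if lines else "0" * 64  # genesis link
    entry = {"time_utc": datetime.now(timezone.utc).isoformat(), "evidence": evidence.name,
             "sha256": sha256_file(evidence), "handler": handler, "action": action,
             "prev_hash": prev}
    entry["entry_hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
    with open(ledger, "a") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry

def verify_ledger(ledger: Path) -> bool:
    """True only if every entry hashes correctly and links to its predecessor."""
    prev = "0" * 64
    for line in ledger.read_text().splitlines():
        entry = json.loads(line)
        claimed = entry.pop("entry_hash")
        recomputed = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        if entry["prev_hash"] != prev or recomputed != claimed:
            return False
        prev = claimed
    return True

def demo() -> dict:
    """Constructed sample: a fake image, two hand-offs, then one edited entry."""
    work = Path(tempfile.mkdtemp())
    evidence = work / "suspect-disk.img"
    evidence.write_bytes(b"constructed placeholder bytes, not a real acquisition")
    ledger = work / "custody.jsonl"
    first = record_custody(ledger, evidence, "analyst A", "acquired image")
    second = record_custody(ledger, evidence, "analyst B", "received for analysis")
    intact = verify_ledger(ledger)
    text = ledger.read_text().replace("analyst A", "analyst Z", 1)  # simulate a later edit
    ledger.write_text(text)
    return {"linked": second["prev_hash"] == first["entry_hash"],
            "intact_before_edit": intact, "edit_detected": not verify_ledger(ledger)}
```

The ledger itself should live off the suspect system, on the responder's own media, since nothing on the suspect host is trusted.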
6. Systems that have been identified as compromised must be isolated to prevent damage to other systems and further damage to themselves
When possible, unplug them from the network and plug them into an empty hub or switch (to prevent network-unreachable errors)
If a system must be kept online, restrict access to and from it using ACLs on routers and switches
Apply network monitoring to those systems that are not removed from the network
7. When external systems are identified, a Letter of Preservation should be issued
It carries legal weight in the US
It requests that logs and other data be preserved and not deleted
Additional legal procedures are typically required before the data is actually transferred
The letter must specify a given host or person to save data about
An example can be found in the EnCase Legal Journal
8. Additional network monitoring devices may need to be deployed to:
Detect and observe future attacks
Collect additional evidence of an ongoing attack
Provide data to help identify the incident scope
These devices can be built during the Readiness Phase
Logging levels on firewalls, IDS, and servers may need to be increased
Some monitoring may not be allowed depending on User Privacy Policies
12. FBI
Local Police Force
FIRST (www.first.org)
incidents.org (SANS)
incidents@securityfocus.com
Any public postings must be from a generic email account (watch out for X-headers added by free HTML-email services)
13. It is important not to restore data that contains trojans or backdoors
If a backup is known not to be compromised, it can be used
Otherwise, start with a new install
Ensure that the system has all patches installed
14. If the method of attack is known, secure the compromised host against it first
Afterwards, secure hosts with the same vulnerability
If the exact method is not known yet, ensure that monitoring is in place to detect future attacks
After a forensic analysis is performed, secure any vulnerabilities that were found
Additional filters may be applied to the recovered host to detect future attempts
15. Each person involved with the incident should attend a summary meeting
This will cover what worked and what did not work
Policies and procedures should be modified appropriately
Any ‘tricks’ that were discovered should be documented to help future responders
16. This phase performs actions based on data found in the Assessment Phase
Additional monitoring and logging can be used to collect more data and ensure that new attacks are detected
External organizations may provide support or assistance
Ensure security holes are plugged and risks mitigated