Response Process

Each stage of the process is listed below with what the analyst does in it.

Verify: Determine that an alert needs to be validated.

Scoping: Review the suspect data to determine whether the alert is a false positive and, if it is not, the scope of the event (which assets and which attributes are involved).

Reputation: Determine whether the reputation of the attributes involved (IP addresses, host names, file hashes) indicates a problem.

Content Review: Retrieve the artifacts needed for validation. This can be accomplished through tools like Solara, NetWitness, and EnCase.

Validate: Evaluate the collected artifacts to determine whether they are malicious. Extract the attributes of the artifact in order to prepare for response.

Recover: Get the asset operational again.

Respond: Enforce security controls to prevent further escalation.

Getting to Response and Recovery

Moving from Data to Response & Recovery

Indicators of Compromise (IoC)

The term Indicators of Compromise (IoC) refers to the set of attributes that systems infected by a given type of attack share. Most commonly, it is a list of:

  • File hashes (MD5 or SHA-256)

  • Bad IP addresses

  • Bad host names

  • Signatures (or alerts) directly related to the event

Although the term IoC strictly describes compromised systems, in practice it is also used for attributes associated with the attacker, such as the IP addresses and host names that the attack traffic comes from or beacons out to.

The process of collecting this list of attributes, and of checking it against the environment to find every affected asset, is the Scoping stage of the Response Process above.
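As an added example (not part of the original page, and not the output of any of the tools named above), the following Python script carries an IoC list of the four kinds listed above through the Scoping and Respond stages: it parses a handful of proxy, IDS and EDR events, matches each one against the indicator set, returns the affected assets together with the indicators seen on them, and turns those indicators into per-control block lists. Every indicator, asset name and log line is constructed for the example; the IP addresses are taken from the RFC 5737 documentation ranges, the host name uses a reserved example domain, and the file hash is the SHA-256 of a made-up byte string, so nothing here refers to real infrastructure or malware.

```python
import hashlib
import re

# Constructed indicators for this example (not real threat data): the IP
# addresses come from the RFC 5737 documentation ranges, the host name uses a
# reserved example domain, and the hash is of the made-up byte string below.
SAMPLE_DROPPER = b"MZ\x90\x00 constructed sample, not real malware"
SAMPLE_HASH = hashlib.sha256(SAMPLE_DROPPER).hexdigest()

IOC = {
    "file_hashes": {SAMPLE_HASH},
    "ip_addresses": {"203.0.113.45", "198.51.100.7"},
    "host_names": {"update-cdn.example.net"},
    "signatures": {"ET MALWARE Beacon Check-in"},
}

# Constructed log lines in a simplified "<ts> <asset> <source> key=value ..."
# format; quoted values may contain spaces. ws-0201 is a benign control
# (a visit to an unrelated site) that must not end up in scope.
LOG_LINES = """
2024-03-01T10:02:11Z ws-0142 proxy dst_ip=203.0.113.45 dst_host=update-cdn.example.net url=/a.bin
2024-03-01T10:02:12Z ws-0142 edr sha256=%s path=C:\\Users\\bob\\Downloads\\a.bin
2024-03-01T10:05:40Z ws-0199 ids sig="ET MALWARE Beacon Check-in" src_ip=10.0.5.23 dst_ip=198.51.100.7
2024-03-01T10:07:03Z ws-0201 proxy dst_ip=93.184.216.34 dst_host=www.example.com url=/
2024-03-01T10:09:55Z ws-0142 proxy dst_ip=198.51.100.7 dst_host=198.51.100.7 url=/beacon
""".strip() % SAMPLE_HASH

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Split one log line into a dict of timestamp, asset, source and key=value fields."""
    ts, asset, source, rest = line.split(" ", 3)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return {"ts": ts, "asset": asset, "source": source, **fields}


def match_iocs(event, ioc=IOC):
    """Return the (indicator_type, value) pairs from the IoC set seen in one event.

    Both src_ip and dst_ip are checked because attacker infrastructure can sit on
    either side of a connection (an inbound scan or an outbound beacon).
    """
    hits = []
    for key in ("src_ip", "dst_ip"):
        if event.get(key) in ioc["ip_addresses"]:
            hits.append(("ip_address", event[key]))
    host = event.get("dst_host", "").lower()
    if host in ioc["host_names"]:
        hits.append(("host_name", host))
    digest = event.get("sha256", "").lower()
    if digest in ioc["file_hashes"]:
        hits.append(("file_hash", digest))
    if event.get("sig") in ioc["signatures"]:
        hits.append(("signature", event["sig"]))
    return hits


def scope_incident(lines, ioc=IOC):
    """Scoping: map every affected asset to the set of indicators observed on it."""
    affected = {}
    for line in lines.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        hits = match_iocs(event, ioc)
        if hits:
            affected.setdefault(event["asset"], set()).update(hits)
    return affected


def enforcement_list(affected):
    """Respond: turn the indicators found during scoping into per-control block lists
    (network blocks for IPs and host names, an EDR hash ban for file hashes)."""
    blocks = {"ip_addresses": set(), "host_names": set(), "file_hashes": set()}
    for hits in affected.values():
        for kind, value in hits:
            if kind == "ip_address":
                blocks["ip_addresses"].add(value)
            elif kind == "host_name":
                blocks["host_names"].add(value)
            elif kind == "file_hash":
                blocks["file_hashes"].add(value)
    return blocks


if __name__ == "__main__":
    scope = scope_incident(LOG_LINES)
    for asset, hits in sorted(scope.items()):
        print(asset, sorted(hits))
    print(enforcement_list(scope))
```

Run as written, the script puts ws-0142 (download of the hashed file from the bad host, later beaconing to a bad IP) and ws-0199 (IDS signature plus beacon destination) in scope and leaves ws-0201 out; the signature hit is kept in the scope output for the analyst but deliberately not turned into a block, since an alert name is not something a firewall or EDR can enforce on.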