Infrastructure admin

Ibrahim Kasabri

<div>
<div class="content wysiwyg-content">
We are required to enhance Incident Response playbook to strike a balance between recovery and evidence preservation.<br />
<br />
Offhand, I can only think of:<br />
a) for AV, don't delete the malware/IOC file but quarantine it so that it can be analysed later:<br />
&nbsp; &nbsp; doing this for ClamAV (encrypt it to make it harmless) on UNIX servers &amp;&nbsp;on Windows,<br />
&nbsp; &nbsp; only quarantine<br />
b) on an infected PC/workstation, disconnect it from Wifi/LAN but don't power cycle it to<br />
&nbsp; &nbsp; &nbsp;retain as much evidences in it as possible &amp;&nbsp;take an image backup of it (possibly run<br />
&nbsp; &nbsp; &nbsp;one of Fireeye's forensic tool to collect artefacts)<br />
<br />
Though Trendmicro's EDR has articles that it helps with evidence collection, I don't <br />
really know how it works with the collection.<br />
<br />
&nbsp; will need further inputs ...
</div>
</div>


We are required to enhance Incident Response playbook to strike a balance between recovery and evidence preservation.

Offhand, I can only think of:
a) for AV, don't delete the malware/IOC file but quarantine it so that it can be analysed later:
    doing this for ClamAV (encrypt it to make it harmless) on UNIX servers & on Windows,
    only quarantine
b) on an infected PC/workstation, disconnect it from Wifi/LAN but don't power cycle it to
     retain as much evidences in it as possible & take an image backup of it (possibly run
     one of Fireeye's forensic tool to collect artefacts)

Though Trendmicro's EDR has articles that it helps with evidence collection, I don't 
really know how it works with the collection.

  will need further inputs ...

enhancing Incident Response to strike a balance between recovery and evidence preservation

A vulnerability is a weakness which allows an attacker to reduce a system's information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness, known as the attack surface. Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities. Other vulnerabilities include security risks, security defects and constructs in programming languages that are difficult to use properly.

Vulnerabilities

Operating system security (OS security) is the process of ensuring OS integrity, confidentiality and availability. OS security refers to specified steps or measures used to protect the OS from threats, viruses, worms, malware or remote hacker intrusions. OS security encompasses all preventive-control techniques, which safeguard any computer assets capable of being stolen, edited or deleted if OS security is compromised, including authentication, passwords and threats to systems and programs.

OS Security

Security is the protection of information systems from theft or damage to the hardware, the software, and the information on them, as well as from disruption or misdirection of the services they provide. The main goal of security is protecting assets, and an asset is anything of value and worthy of protection.  Information Security is a discipline of protecting information assets from threats through safeguards to achieve the objectives of confidentiality, integrity, and availability or CIA for short. On the other hand, disclosure, alteration, and disruption (DAD) compromise the security objectives.