sunhux
asked on
enhancing Incident Response to strike a balance between recovery and evidence preservation
We are required to enhance our Incident Response playbook to strike a balance between recovery and evidence preservation.
Offhand, I can only think of:
a) for AV, don't delete the malware/IOC file but quarantine it so that it can be analysed later:
doing this for ClamAV (encrypt it to make it harmless) on UNIX servers, & on Windows,
only quarantine
b) on an infected PC/workstation, disconnect it from Wi-Fi/LAN but don't power cycle it, to
retain as much evidence in it as possible, & take an image backup of it (possibly run
one of FireEye's forensic tools to collect artefacts)
Though Trend Micro's EDR has articles saying that it helps with evidence collection, I don't
really know how it works with the collection.
Will need further inputs ...
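The two measures in the question (quarantine instead of delete, isolate instead of power off) as a runnable playbook fragment for a Linux host. This is an added example, not code from the original post or from ClamAV, FireEye or Trend Micro; it assumes a host with iptables, ss, ps and ip available, a writable QUARANTINE_DIR, and ISOLATE_DRY_RUN=1 (the default) so the firewall commands are printed rather than applied. Function names, the manifest layout and the QUARANTINE_KEY passphrase are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes Linux with iptables,
# ss/ps/ip; QUARANTINE_DIR writable; ISOLATE_DRY_RUN=1 only prints rules.

QUARANTINE_DIR="${QUARANTINE_DIR:-/var/quarantine}"

# sha256 of a file, portable across sha256sum (GNU) and shasum (BSD/macOS)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# quarantine_file SUSPECT_PATH
# Never delete: hash first (chain of custody), append a manifest line, move the
# file into quarantine with execute bits stripped, then wrap it in symmetric
# encryption so it is inert and AV stops re-flagging it. Prints the new path.
quarantine_file() {
    src="$1"
    [ -f "$src" ] || { echo "quarantine_file: no such file: $src" >&2; return 1; }
    mkdir -p "$QUARANTINE_DIR" && chmod 700 "$QUARANTINE_DIR"
    hash=$(sha256_of "$src")
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    dest="$QUARANTINE_DIR/$stamp-$hash"
    # record hash, original path and operator BEFORE the file is touched
    printf '%s\t%s\t%s\t%s\n' "$stamp" "$hash" "$src" "$(id -un)" \
        >> "$QUARANTINE_DIR/manifest.tsv"
    mv -- "$src" "$dest"
    chmod 600 "$dest"
    # QUARANTINE_KEY is a throwaway wrapper passphrase, not a secret (assumption)
    if command -v openssl >/dev/null 2>&1 \
       && openssl enc -aes-256-cbc -pbkdf2 -pass "pass:${QUARANTINE_KEY:-infected}" \
              -in "$dest" -out "$dest.enc" 2>/dev/null; then
        rm -f -- "$dest"
        dest="$dest.enc"
    else
        rm -f -- "$dest.enc"   # drop any partial wrapper; raw copy kept at mode 600
    fi
    echo "$dest"
}

# capture OUTFILE CMD [ARGS...]: run one collector, never abort the collection
capture() {
    outfile="$1"; shift
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$outfile" 2>&1 || echo "# $1 exited with status $?" >> "$outfile"
    else
        echo "# $1 not available on this host" > "$outfile"
    fi
}

# collect_volatile OUTDIR
# Capture what a power cycle or network cut destroys: live connections,
# processes, ARP cache, logged-in users. Run this BEFORE isolate_host.
collect_volatile() {
    out="$1"
    mkdir -p "$out"
    date -u +%Y-%m-%dT%H:%M:%SZ > "$out/collected_at.txt"
    if command -v ss >/dev/null 2>&1; then
        capture "$out/net_connections.txt" ss -tunap
    else
        capture "$out/net_connections.txt" netstat -an
    fi
    capture "$out/processes.txt" ps -eo pid,ppid,user,lstart,args
    capture "$out/arp_cache.txt" ip neigh show
    capture "$out/logged_in.txt" who
    # hash the collection so later tampering is detectable
    for f in "$out"/*.txt; do
        printf '%s  %s\n' "$(sha256_of "$f")" "$f"
    done > "$out/SHA256SUMS"
}

# isolate_host IFACE [COLLECTOR_IP]
# Cut the host off without shutting it down so memory, processes and page cache
# survive. An optional collector IP stays reachable for the EDR/forensic agent;
# its ACCEPT rules are inserted last so they sit above the DROPs.
isolate_host() {
    iface="$1"; collector="${2:-}"
    run() { if [ "${ISOLATE_DRY_RUN:-1}" = "1" ]; then echo "[dry-run] $*"; else "$@"; fi; }
    run iptables -I INPUT 1 -i "$iface" -j DROP
    run iptables -I OUTPUT 1 -o "$iface" -j DROP
    if [ -n "$collector" ]; then
        run iptables -I INPUT 1 -i "$iface" -s "$collector" -j ACCEPT
        run iptables -I OUTPUT 1 -o "$iface" -d "$collector" -j ACCEPT
    fi
}
```

Order matters: collect_volatile first, then isolate_host, then a memory image, and only then the disk image (for example `dd if=/dev/sdX bs=4M | tee host.raw | sha256sum`, so the hash is computed as the image streams and can be recorded with the manifest). The quarantined copy is what gets sent for analysis; recovery proceeds on the host without destroying it.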