Incident Response Lifecycle

NIST SP 800-61

• Preparation
• Detection
• Containment
• Eradication
• Recovery
• Lessons Learned

Preparation

• Getting ready for an incident
• Incident Response Plan
• Communication Matrix

Detection

• Alets → validated incidents (outside threat)
• Using logs to determine unauthorized connections
• Windows Event IDs
  • 4624 - successful login
  • 4225 - Failed login attempt
• Firewall ACL Logs

Containment

• Quarantine infected systems
• Blocking malicious hashes, IPs, ports