| |
| |
| |
| An Introduction to Incident Response | |
| |
| |
| What Is Incident Response? | |
| |
| |
| The Rationale for Incident Response | |
| |
| |
| Overview of Incident Response | |
| |
| |
| Summary | |
| |
| |
| |
| Risk Analysis | |
| |
| |
| About Risk Analysis | |
| |
| |
| Types of Security-Related Risks | |
| |
| |
| Obtaining Data About Security-Related Incidents | |
| |
| |
| The Importance of Risk Analysis in Incident Response | |
| |
| |
| Summary | |
| |
| |
| |
| A Methodology for Incident Response | |
| |
| |
| Rationale for Using an Incident Response Methodology | |
| |
| |
| A Six-Stage Methodology for Incident Response | |
| |
| |
| Caveats | |
| |
| |
| Summary | |
| |
| |
| |
| Forming and Managing an Incident Response Team | |
| |
| |
| What Is an Incident Response Team? | |
| |
| |
| Why Form an Incident Response Team? | |
| |
| |
| Issues in Forming a Response Team | |
| |
| |
| About Managing an Incident Response Effort | |
| |
| |
| Summary | |
| |
| |
| |
| Organizing for Incident Response | |
| |
| |
| Virtual Teams--Ensuring Availability | |
| |
| |
| Training the Team | |
| |
| |
| Testing the Team | |
| |
| |
| Barriers to Success | |
| |
| |
| External Coordination | |
| |
| |
| Managing Incidents | |
| |
| |
| Summary | |
| |
| |
| |
| Tracing Network Attacks | |
| |
| |
| What Does Tracing Network Attacks Mean? | |
| |
| |
| Putting Attack Tracing in Context | |
| |
| |
| Tracing Methods | |
| |
| |
| Next Steps | |
| |
| |
| Constructing an "Attack Path" | |
| |
| |
| Final Caveats | |
| |
| |
| Summary | |
| |
| |
| |
| Legal Issues | |
| |
| |
| U.S. Computer Crime Statutes | |
| |
| |
| International Statutes | |
| |
| |
| Search, Seizure, and Monitoring | |
| |
| |
| Policies | |
| |
| |
| Liability | |
| |
| |
| To Prosecute or Not? | |
| |
| |
| Conclusion | |
| |
| |
| |
| Forensics I | |
| |
| |
| Guiding Principles | |
| |
| |
| Forensics Hardware | |
| |
| |
| Forensics Software | |
| |
| |
| Acquiring Evidence | |
| |
| |
| Examination of the Evidence | |
| |
| |
| Conclusions | |
| |
| |
| |
| Forensics II | |
| |
| |
| Covert Searches | |
| |
| |
| Advanced Searches | |
| |
| |
| Encryption | |
| |
| |
| Home Use Systems | |
| |
| |
| UNIX and Server Forensics | |
| |
| |
| Conclusions | |
| |
| |
| |
| Responding to Insider Attacks | |
| |
| |
| Types of Insiders | |
| |
| |
| Types of Attacks | |
| |
| |
| Preparing for Insider Attacks | |
| |
| |
| Detecting Insider Attacks | |
| |
| |
| Responding to Insider Attacks | |
| |
| |
| Special Considerations | |
| |
| |
| Special Situations | |
| |
| |
| Legal Issues | |
| |
| |
| Conclusion | |
| |
| |
| |
| The Human Side of Incident Response | |
| |
| |
| Integration of the Social Sciences into Incident Response | |
| |
| |
| |
| Cybercrime Profiling | |
| |
| |
| |
| Insider Attacks | |
| |
| |
| |
| Incident Victims | |
| |
| |
| |
| Human Side of Incident Response | |
| |
| |
| Summary | |
| |
| |
| |
| Traps and Deceptive Measures | |
| |
| |
| About Traps and Deceptive Measures | |
| |
| |
| Advantages and Limitations of Traps and Deceptive Measures | |
| |
| |
| Focus: Honeypots | |
| |
| |
| Integrating Traps and Deceptive Measures into Incident Response | |
| |
| |
| Summary | |
| |
| |
| |
| Future Directions in Incident Response | |
| |
| |
| Technical Advances | |
| |
| |
| Social Advances | |
| |
| |
| The Progress of the Profession | |
| |
| |
| The Nature of Incidents | |
| |
| |
| Conclusion | |
| |
| |
| |
| RFC-2196 | |
| |
| |
| Site Security Handbook | |
| |
| |
| |
| Incident Response and Reporting Checklist | |