TryHackMe Incident Handling with Splunk

Tai Lu
443 views - 12 months ago
The Incident Handling process is divided into four different phases:

1. Preparation
The preparation phase covers the readiness of an organization against an attack. That means documenting the requirements, defining the policies, and deploying the security controls used for monitoring, such as EDR, SIEM, IDS and IPS.

2. Detection and Analysis
The detection phase covers everything related to detecting and analyzing an incident. This includes receiving alerts from security controls such as the SIEM or EDR and investigating each alert to find its root cause.

3. Containment, Eradication, and Recovery
This phase covers the actions needed to stop the incident from spreading and to secure the network. It involves isolating the infected hosts so the attack cannot move further into the network, removing all traces of the infection, and regaining control from the attacker.

4. Post-Incident Activity / Lessons Learnt
This phase includes identifying the loopholes in the organization's security posture that led to the intrusion and fixing them so that the attack cannot happen again. The steps involve identifying the weaknesses that led to the attack, adding detection rules so that a similar breach is caught next time, and, most importantly, training the staff where required.
Published 12 months ago, on 1402/05/09.