Incident Response Operation: Before/After Hacked
Sumedt Jitpukdebodin
Senior Security Researcher @ I-SECURE Co. Ltd.
LPIC-1, NCLA, C|EHv6, eCPPT, eWPT, CompTIA Security+, IWSS, CPTE
# whoami
• Name: Sumedt Jitpukdebodin
• Jobs: Security Consultant, Senior Security Researcher @ I-SECURE
• Website: www.r00tsec.com, www.techsuii.com
• Admin: @2600thailand, @OWASPThailand
• Book: Network Security Book
• Hobby: Writing, Hacking, Researching, Gaming, etc.
• My articles: search Google for my name.
Hacker
SOC (Security Operation Center)
Attacker And Defender
Catch me if you can
# id
• Hacking is easy, defending is so f*cking hard.
• Attack surfaces
• 0day
• Social Engineering
• Etc.
Incident Response
# man ir
Definition
• Event - an activity that we monitor (logged)
• Incident - an event that causes damage
• Incident Response (IR) - actions taken after an incident to understand it and take remedial action
Top priorities for IR
• Identify the problems
• Fix the problems
• Recover the system back to normal
Steps of IR
Source:: http://www.emrisk.com/sites/default/files/images/newsletters/Incident%20Response%20Cycle.png
Steps of IR
• Preparation
• Skills, procedures, logs, tools, forms, policies, checklists, etc.
• Detection (Identification) & Analysis
• From best practice, research and lessons learned
• Containment
• Eradication
• Remediation
• Post-Incident Activities (Lessons Learned)
• What are they doing?
• Where are they doing it?
• What backdoors have they left?
• Develop attack signatures.
What to look for
• Look for abnormalities
• Performance issues, off-peak activity
• Some clients being redirected
• Example indicators
• New accounts, new directories, new files in the website, file system changes, crashes, unusual system usage patterns
• Example sources
• Access log, IDS, IPS, firewall, system log, suspicious traffic
• Potential issues
• File/folder encryption
• BIOS password protection
• Whole-disk encryption / risk
Before Breach
Source:: http://jokideo.com/wp-content/uploads/2013/03/Funny-cat-Come-on-birdy.jpg
Centralized Log Diagram
Source:: http://www.sysadmin.in.th/course/LogFiles/Centralized_Logs_Server_by_SysAdmin.jpg
# whereis logs
• Device Log
• Server Log
• Application Log
# ls /var/log/
• web_server/{access.log,error.log}
• audit/audit.log
• syslog
• openvpn.log
# cat /var/log/apache2/access.log
# cat /var/log/syslog
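The "What to look for" slide lists indicators (new accounts, new files in the website, off-peak activity, unusual usage) and the sources they come from (access log, system log); the slides above name where those logs live. The script below is an added example, not code from the deck or from I-SECURE: it sweeps a constructed Apache access log and a constructed syslog excerpt for exactly those indicators and joins the hits on client IP, so one host shows up with everything it did. The business-hours window, the baseline of known web paths, the log lines and the coarse SQL-injection regex are all this example's own assumptions.

```python
"""Indicator sweep over two of the log sources named on the slides: the web
server access log and syslog.  Added example, not from the original deck.
Every log line, path and threshold below is constructed for illustration."""
import re
import urllib.parse
from collections import defaultdict
from datetime import datetime

# Assumption: normal business hours are 08:00-18:59 server local time.
BUSINESS_HOURS = range(8, 19)

# Constructed baseline: files that are supposed to exist under the web root.
# In practice this comes from the deployment manifest or a file-integrity tool.
KNOWN_PATHS = {"/index.php", "/products.php", "/login.php"}

# Constructed Apache combined-format access log (not real traffic).
ACCESS_LOG = """\
203.0.113.7 - - [12/Mar/2014:14:02:11 +0700] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2014:14:02:13 +0700] "GET /products.php?id=3 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2014:03:14:05 +0700] "POST /uploads/x.php HTTP/1.1" 200 312 "-" "curl/7.35"
198.51.100.9 - - [12/Mar/2014:03:14:09 +0700] "GET /products.php?id=3%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 9000 "-" "curl/7.35"
"""

# Constructed syslog excerpt (useradd and sshd lines follow their real formats).
SYSLOG = """\
Mar 12 03:15:01 web01 useradd[2211]: new user: name=support2, UID=1003, GID=1003, home=/home/support2, shell=/bin/bash
Mar 12 03:15:30 web01 sshd[2240]: Accepted password for support2 from 198.51.100.9 port 51022 ssh2
Mar 12 09:00:01 web01 CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# Coarse SQL-injection signature for the query string; a WAF rule set is far richer.
SQLI_RE = re.compile(r"union\s+select|\bor\s+\d+\s*=\s*\d+|sleep\(\d+\)", re.I)
NEW_USER_RE = re.compile(r"useradd\[\d+\]: new user: name=(?P<name>\w+)")
SSH_ACCEPT_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<name>\w+) from (?P<ip>\S+)")


def parse_access(line):
    """Split one combined-format line into fields; return None for junk lines."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path, _, query = rec["target"].partition("?")
    rec["path"] = urllib.parse.unquote(path)
    rec["query"] = urllib.parse.unquote(query)
    return rec


def sweep_access_log(text, known_paths=KNOWN_PATHS):
    """Map client IP -> set of indicators from the slide's list."""
    findings = defaultdict(set)
    for line in text.splitlines():
        rec = parse_access(line)
        if rec is None:
            continue
        if rec["ts"].hour not in BUSINESS_HOURS:
            findings[rec["ip"]].add("off-peak activity")
        if rec["path"] not in known_paths:
            findings[rec["ip"]].add("new file in website")
        if SQLI_RE.search(rec["query"]):
            findings[rec["ip"]].add("sql injection pattern")
    return dict(findings)


def sweep_syslog(text):
    """Return ([new account names], [(name, source ip) logins by those accounts])."""
    new_accounts, logins = [], []
    for line in text.splitlines():
        m = NEW_USER_RE.search(line)
        if m:
            new_accounts.append(m.group("name"))
            continue
        m = SSH_ACCEPT_RE.search(line)
        if m and m.group("name") in new_accounts:
            logins.append((m.group("name"), m.group("ip")))
    return new_accounts, logins


def correlate(access_text, syslog_text):
    """Join both sources on client IP so one host carries all of its indicators."""
    findings = sweep_access_log(access_text)
    _, logins = sweep_syslog(syslog_text)
    for name, ip in logins:
        findings.setdefault(ip, set()).add(f"login by new account {name}")
    return findings


if __name__ == "__main__":
    for ip, indicators in sorted(correlate(ACCESS_LOG, SYSLOG).items()):
        print(ip, "->", ", ".join(sorted(indicators)))
```

The point of the join is the last step: the browsing client at 203.0.113.7 produces no indicator at all, while 198.51.100.9 collects four from two different sources, which is what a centralized log server (next slides) makes possible without copying files around by hand.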
Devices
• Firewall
• IDS/IPS
• Next Generation Firewall
• Mail Gateway
• Etc.
Centralized Log
• Syslog-ng (rsyslog)
• Splunk
• Graylog2
• Logstash
• Scribe
Example of Splunk
SIEM (Security Information and Event Management)
• Arcsight
• Log Correlation Engine By Tenable
• Splunk
• OSSIM **
• Alienvault **
• LOGalyze **
• Etc.
Log Correlation Engine By Tenable
Source:: http://www.tenable.com/blog/log-correlation-engine-36-now-with-its-own-gui
Arcsight
Source:: http://blog.rootshell.be/2013/06/26/out-of-the-box-siem-never/
Arcsight Dashboard
Source:: http://www.observeit.com/images/content/features_siem14.jpg
False Positive
SQL Injection Case
• Alert: SQL Injection
• Attacker: China
• Log From: Web Application Firewall
SQL Injection Case
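The false-positive case above has three facts: the WAF rule that fired, the source country, and the log source. The script below is an added example, not from the deck or from I-SECURE, showing how an analyst can separate a keyword match from a real attempt and a real attempt from a compromise: it checks whether the flagged value actually contains SQL syntax (quotes, comment markers, UNION ... SELECT, tautologies) rather than ordinary English words such as "select" or "union", and whether the application's response size departed from its baseline. Source country is deliberately not an input. The alert records, their field names and the size baseline are constructed for this example and do not follow any vendor's schema; the 50% size tolerance is an assumption.

```python
"""Triage of a WAF 'SQL Injection' alert so that a keyword match is not
mistaken for a compromise.  Added example, not from the original deck.
The alert records, field names and size baseline are constructed; no vendor's
schema is implied."""
import re
from statistics import median

# Constructed WAF alerts.  Field names are this example's own.
ALERTS = [
    {"id": 1, "src_country": "CN", "rule": "SQL Injection", "param": "q",
     "value": "select union membership benefits", "action": "alert",
     "status": 200, "bytes": 8123},
    {"id": 2, "src_country": "CN", "rule": "SQL Injection", "param": "id",
     "value": "3' UNION SELECT 1,2,3--", "action": "alert",
     "status": 200, "bytes": 14210},
    {"id": 3, "src_country": "TH", "rule": "SQL Injection", "param": "id",
     "value": "3 OR 1=1", "action": "block", "status": 403, "bytes": 210},
]

# Constructed baseline: normal response sizes per parameter, taken from the
# access log on quiet days.  A real baseline would be per endpoint and larger.
BASELINE_BYTES = {"q": [7900, 8100, 8300, 8050], "id": [4000, 4100, 4050, 3980]}

# SQL *syntax* (quotes, comment markers, UNION ... SELECT, tautologies), as opposed
# to English words such as "select" or "union" that a keyword rule also fires on.
SQL_SYNTAX_RE = re.compile(
    r"['\"]|--|/\*|\bunion\s+(all\s+)?select\b|\bor\s+\d+\s*=\s*\d+", re.I)

# Assumption for this example: a response more than 50% off the baseline median
# is treated as anomalous.
SIZE_TOLERANCE = 0.5


def has_sql_syntax(value):
    return SQL_SYNTAX_RE.search(value) is not None


def response_anomalous(param, nbytes, baseline=BASELINE_BYTES):
    """Compare the response size with what that parameter normally returns."""
    ref = median(baseline[param])
    return abs(nbytes - ref) / ref > SIZE_TOLERANCE


def triage(alert, baseline=BASELINE_BYTES):
    """Return one of: blocked, false-positive, attempt-failed, escalate, investigate.

    Source country is deliberately not an input: 'attacker: China' says where the
    packet came from, not whether the application was affected."""
    if alert["action"] == "block" or alert["status"] == 403:
        return "blocked"            # never reached the application
    syntax = has_sql_syntax(alert["value"])
    anomalous = response_anomalous(alert["param"], alert["bytes"], baseline)
    if syntax and anomalous:
        return "escalate"           # real payload and the app answered differently
    if syntax:
        return "attempt-failed"     # real payload, normal response: confirm in app logs
    if anomalous:
        return "investigate"        # odd response without an obvious payload
    return "false-positive"         # keyword match in ordinary text, normal response


def triage_all(alerts, baseline=BASELINE_BYTES):
    return {a["id"]: triage(a, baseline) for a in alerts}


if __name__ == "__main__":
    for alert_id, verdict in triage_all(ALERTS).items():
        print(alert_id, verdict)
```

Alert 1 is the case on the slide: the rule matched words in a search box and the application returned its usual page, so it is closed as a false positive and the rule is tuned; alert 2 has the same source country but real syntax and a response three times the normal size, which is the one that starts the "After Breach" process.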
After Breach
Source:: http://www.dumpaday.com/wp-content/uploads/2013/01/funny-cat-bath.jpg
Forensic
• Containment
• Ensure that the system(s) and network are protected from further risk
• Isolate the compromised system(s)
• Eradication
• How they got in
• Where they went
• What they did
• Removal of malware
• Patching the vulnerability
• Identifying the vulnerability
• Improve network and system countermeasures
Recovery (Restore/Rebuild)
• Restore the service to normal status
• System owners decide, based on advice from the incident handling team - a business decision
• Monitor the service after recovery
• Performance
• Anomalies
Lessons Learned
• Detailed incident report
• Communicate to others on the team
• Apply fixes in the environment
• Conduct a performance analysis of the overall incident and improve operations
• “Not!!!!” blaming people
• Review/rewrite policy
• Determine the cost of the incident
• Apply lessons learned to the entire entity
• Budget for, install, and maintain protection software
Boost PC performance: How more available memory can improve productivity
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 

Incident response before:after breach

1. Incident Response Operation Before/After Hacked
Sumedt Jitpukdebodin
Senior Security Researcher @ I-SECURE Co. Ltd.
LPIC-1, NCLA, C|EHv6, eCPPT, eWPT, CompTIA Security+, IWSS, CPTE

2. # whoami
• Name: Sumedt Jitpukdebodin
• Jobs: Security Consultant, Senior Security Researcher @ I-SECURE
• Website: www.r00tsec.com, www.techsuii.com
• Admin: @2600thailand, @OWASPThailand
• Book: Network Security Book
• Hobby: Writing, Hacking, Researching, Gaming, etc.
• My articles: search Google for my name.

6. # id
• Hacking is easy, defending is so f*cking hard.
• Attack surfaces
  • 0day
  • Social Engineering
  • Etc.

9. Definition
• Event - an activity that we monitor (Log)
• Incident - an event that causes damage.
• Incident Response (IR) - actions taken subsequent to an incident to understand the incident and take remedial action

10. Top Priority for IR.
• Identify the problems.
• Fix the problems.
• Recover the system back to normal.

11. Step of IR.
Source:: http://www.emrisk.com/sites/default/files/images/newsletters/Incident%20Response%20Cycle.png

12. Step of IR.
• Preparation
  • Skills, Procedures, Logs, Tools, Forms, Policies, Checklists, etc.
• Detection (Identification) & Analysis
  • From Best Practice, Researching and Lessons Learned
• Containment
• Eradication
• Remediation
• Post-Incident Activities (Lessons Learned)
  • What are they doing?
  • Where are they doing it?
  • What backdoors have they left?
  • Develop Attack Signatures.
18. What to look for
• Look for abnormalities
  • Performance issues, off-peak activity
  • Some clients being redirected.
• Example Indicators
  • New accounts, new directories, new files in the website, file system changes, crashes, unusual system usage patterns
• Example Sources
  • Access Log, IDS, IPS, Firewall, System Log, Suspicious Traffic
• Potential Issues
  • File/Folder Encryption
  • BIOS Password Protection
  • Whole Disk Encryption / Risk
23. Centralized Log Diagram
Source:: http://www.sysadmin.in.th/course/LogFiles/Centralized_Logs_Server_by_SysAdmin.jpg

24. # whereis logs
• Device Log
• Server Log
• Application Log

25. # ls /var/log/
• web_server/{access.log,error.log}
• audit/audit.log
• syslog
• openvpn.log

28. Devices
• Firewall
• IDS/IPS
• Next Generation Firewall
• Mail Gateway
• Etc.

29. Centralized Log
• Syslog-ng (rsyslog)
• Splunk
• Graylog2
• logstash
• Scribe

31. SIEM ("Security Information and Event Management")
• Arcsight
• Log Correlation Engine by Tenable
• Splunk
• OSSIM **
• Alienvault **
• LOGalyze **
• Etc.

32. Log Correlation Engine by Tenable
Source:: http://www.tenable.com/blog/log-correlation-engine-36-now-with-its-own-gui

36. SQL Injection Case
• Alert: SQL Injection
• Attacker: China
• Log From: Web Application Firewall
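The "What to look for" indicators (off-peak activity, crashes, suspicious requests in the access log) and the SQL injection case above both come down to running detection logic over a log source. As an added example, not taken from the slides, this Python triage script scans constructed web server access log lines: it URL-decodes each request, tags SQL-injection-like patterns, off-peak timing and server errors, and tallies the tags per source IP. The log lines, TEST-NET addresses and the business-hours window are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed sample lines in combined access-log format (TEST-NET addresses, not real traffic).
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [12/Mar/2014:02:13:45 +0700] "GET /product.php?id=7 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2014:02:13:47 +0700] "GET /product.php?id=7%27%20OR%201%3D1-- HTTP/1.1" 200 9912 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2014:02:13:52 +0700] "GET /product.php?id=7%20UNION%20SELECT%20user,password%20FROM%20users HTTP/1.1" 500 311 "-" "Mozilla/5.0"
198.51.100.22 - - [12/Mar/2014:10:02:11 +0700] "GET /index.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

# Fields: ip, ident, user, [timestamp], "method path protocol", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Coarse SQL-injection signatures, matched against the URL-decoded request path.
SQLI_RE = re.compile(r"(\bunion\b.*\bselect\b|\bor\b\s+\d+\s*=\s*\d+|'\s*(or|and)\b|--|;\s*drop\b|\bsleep\s*\()", re.I)
BUSINESS_HOURS = range(8, 20)  # assumption: 08:00-19:59 local time counts as "peak"

def parse_line(line):
    # Returns a dict for one access-log line, or None if the line does not match the format.
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["decoded_path"] = unquote_plus(entry["path"])  # decode %27, %20, + before matching
    return entry

def classify(entry):
    # Returns the list of indicator tags that apply to one parsed entry.
    findings = []
    if SQLI_RE.search(entry["decoded_path"]):
        findings.append("sqli-pattern")
    if entry["ts"].hour not in BUSINESS_HOURS:
        findings.append("off-peak")
    if entry["status"].startswith("5"):
        findings.append("server-error")  # crashes and errors are an indicator in their own right
    return findings

def scan(log_text):
    # Tallies indicator tags per source IP; IPs with no findings are omitted.
    per_ip = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for tag in classify(entry):
            per_ip.setdefault(entry["ip"], Counter())[tag] += 1
    return per_ip
```

Running `scan(SAMPLE_ACCESS_LOG)` yields one entry, for 203.0.113.7, with three off-peak requests, two SQL-injection-like requests and one server error, which is the kind of per-source summary that would accompany the WAF alert in the case above.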
40. Forensic
• Containment
  • Ensure that the system(s) and network are protected from further risk.
  • Isolate the compromised system(s)
• Eradication
  • How they got in
  • Where they went
  • What they did
  • The removal of malware
  • Patching vulnerabilities
  • Identifying vulnerabilities
  • Improve network and system countermeasures
42. Recovery (Restore/Rebuild)
• Restore the service to normal status
• System owners decide based on advice from the incident handling team - a business decision.
• Monitor the service after recovery
  • Performance
  • Anomalies

43. Lessons Learned
• Detailed incident report
• Communicate to others on the team
• Apply fixes in the environment
• Conduct a performance analysis of the overall incident and improve operations
• "Not!!!!" blaming people
• Review/Rewrite Policy
• Determine the cost of the incident
• Apply lessons learned to the entire entity
• Budget for, install, and maintain protection software