版权说明:本文档由用户提供并上传,收益归属内容提供方,若内容存在侵权,请进行举报或认领
文档简介
TLP:WHITE
TLP:WHITE
CISA|CybersecurityandInfrastructureSecurityAgency2
CONTENTS
Introduction 3
Overview 3
Scope 3
Audience 4
IncidentResponsePlaybook 5
IncidentResponseProcess 5
PreparationPhase 6
Detection&Analysis 10
Containment 14
Eradication&Recovery 15
Post-IncidentActivities 16
Coordination 17
VulnerabilityResponsePlaybook 21
Preparation 21
VulnerabilityResponseProcess 22
Identification 22
Evaluation 23
Remediation 24
ReportingandNotification 24
AppendixA:KeyTerms 25
AppendixB:IncidentResponseChecklist 27
AppendixC:IncidentResponsePreparationChecklist 35
AppendixE:VulnerabilityandIncidentCategories 38
AppendixF:SourceText 39
AppendixG:Whole-of-GovernmentRolesandResponsibilities 41
TLP:WHITE
TLP:WHITE
CISA|CybersecurityandInfrastructureSecurityAgency3
INTRODUCTION
TheCybersecurityandInfrastructureSecurityAgency(CISA)iscommittedtoleadingtheresponsetocybersecurityincidentsandvulnerabilitiestosafeguardthenation'scriticalassets.Section6ofExecutiveOrder14028directedDHS,viaCISA,to“developastandardsetofoperationalprocedures(playbook)tobeusedinplanningandconductingcybersecurityvulnerabilityandincidentresponseactivityrespectingFederalCivilianExecutiveBranch(FCEB)InformationSystems.”
1
Overview
Thisdocumentpresentstwoplaybooks:oneforincidentresponseandoneforvulnerabilityresponse.TheseplaybooksprovideFCEBagencieswithastandardsetofprocedurestoidentify,coordinate,remediate,recover,andtracksuccessfulmitigationsfromincidentsandvulnerabilitiesaffectingFCEBsystems,data,andnetworks.Inaddition,futureiterationsoftheseplaybooksmaybeusefulfororganizationsoutsideoftheFCEBtostandardizeincidentresponsepractices.Workingtogetheracrossallfederalgovernmentorganizationshasproventobeaneffectivemodelforaddressingvulnerabilitiesandincidents.Buildingonlessonslearnedfrompreviousincidentsandincorporatingindustrybestpractices,CISAintendsfortheseplaybookstoevolvethefederalgovernment’spracticesforcybersecurityresponsethroughstandardizingsharedpracticesthatbringtogetherthebestpeopleandprocessestodrivecoordinatedactions.
Thestandardizedprocessesandproceduresdescribedintheseplaybooks:
•Facilitatebettercoordinationandeffectiveresponseamongaffectedorganizations,
•Enabletrackingofcross-organizationalsuccessfulactions,
•Allowforcatalogingofincidentstobettermanagefutureevents,and
•Guideanalysisanddiscovery.
Agenciesshouldusetheseplaybookstohelpshapeoveralldefensivecyberoperationstoensureconsistentandeffectiveresponseandcoordinatedcommunicationofresponseactivities
Scope
TheseplaybooksareforFCEBentitiestofocusoncriteriaforresponseandthresholdsforcoordinationandreporting.TheyincludecommunicationsbetweenFCEBentitiesandCISA;theconnectivecoordinationbetweenincidentandvulnerabilityresponseactivities;andcommondefinitionsforkeycybersecuritytermsandaspectsoftheresponseprocess.Responseactivitiesinscopeofthisplaybookincludethose:
•InitiatedbyanFCEBagency(e.g.,alocaldetectionofmaliciousactivityordiscoveryofavulnerability)
•InitiatedbyCISA(e.g.,aCISAalertordirective)orotherthirdparties,includinglawenforcement,intelligenceagencies,orcommercialorganizations,contractors,andserviceproviders
TheIncidentResponsePlaybookappliestoincidentsthatinvolveconfirmedmaliciouscyberactivityandforwhichamajorincident(asdefinedbytheOfficeofManagementandBudget[OMB]in
1
ExecutiveOrder(EO)14028:ImprovingtheNation'sCybersecurity
TLP:WHITE
TLP:WHITE
CISA|CybersecurityandInfrastructureSecurityAgency4
MemorandumM-20-04
2
orsuccessormemorandum)hasbeendeclaredornotyetbeenreasonablyruledout.TheVulnerabilityResponsePlaybookappliestovulnerabilitiesbeingactivelyexploitedinthewild.AsrequiredbyEO14028,theDirectorofOMBwillissueguidanceonFCEBagencyuseoftheseplaybooks.
Note:theseplaybooksdonotcoverresponseactivitiesthatinvolvethreatstoclassifiedinformationorNationalSecuritySystems(NSS)asdefinedby44U.S.C.3552(b)(6).SeeCNSSI1010
3
forcoordination/reportingguidanceforincidentsspecifictoNSSorsystemsthatprocessclassifiedinformation.
Audience
TheseplaybooksapplytoallFCEBagencies,informationsystemsusedoroperatedbyanagency,acontractorofanagency,oranotherorganizationonbehalfofanagency.Itisthepolicyofthefederalgovernmentthatinformationandcommunicationstechnology(ICT)serviceproviderswhohavecontractedwithFCEBagenciesmustpromptlyreportincidentstosuchagenciesandtoCISA.
4
2
OfficeofManagementandBudget(OMB)MemorandumM-20-04:FiscalYear2019-2020GuidanceonFederalInformation
SecurityandPrivacyManagementRequirements
3
CommitteeonNationalSecuritySystems
4
EO14028,Sec.2.RemovingBarrierstoSharingThreatInformation
TLP:WHITE
CISA|CybersecurityandInfrastructureSecurityAgency5
INCIDENTRESPONSEPLAYBOOK
Whentousethisplaybook
Usethisplaybookforincidentsthatinvolveconfirmedmaliciouscyberactivityforwhichamajorincidenthasbeendeclaredornotyetbeenreasonablyruledout.
Forexample:
•Incidentsinvolvinglateralmovement,credentialaccess,exfiltrationofdata
•Networkintrusionsinvolvingmorethanoneuserorsystem
•Compromisedadministratoraccounts
Thisplaybookdoesnotapplytoactivitythatdoesnotappeartohavesuchmajorincidentpotential,suchas:
•“Spills”ofclassifiedinformationorotherincidentsthatarebelievedtoresultfromunintentionalbehavioronly
•Usersclickingonphishingemailswhennocompromiseresults
•Commoditymalwareonasinglemachineorlosthardwarethat,ineithercase,isnotlikelytoresultindemonstrableharmtothenationalsecurityinterests,foreignrelations,oreconomyoftheUnitedStatesortothepublicconfidence,civilliberties,orpublichealthandsafetyoftheAmericanpeople.
Thisplaybookprovidesastandardizedresponse
processforcybersecurityincidentsanddescribes
theprocessandcompletionthroughtheincident
responsephasesasdefinedinNationalInstituteof
StandardsandTechnology(NIST)Special
Publication(SP)800-61Rev.2,
5
including
preparation,detectionandanalysis,containment,
eradicationandrecovery,andpost-incident
activities.Thisplaybookdescribestheprocess
FCEBagenciesshouldfollowforconfirmed
maliciouscyberactivityforwhichamajorincident
hasbeendeclaredornotyetbeenreasonablyruled
out.
•Incidentresponsecanbeinitiatedbyseveraltypesofevents,includingbutnotlimitedto:
•Automateddetectionsystemsorsensoralerts
•Agencyuserreport
•Contractororthird-partyICTserviceproviderreport
•Internalorexternalorganizationalcomponentincidentreportorsituationalawarenessupdate
•Third-partyreportingofnetworkactivitytoknowncompromisedinfrastructure,detectionofmaliciouscode,lossofservices,etc.
•Analyticsorhuntteamsthatidentifypotentiallymaliciousorotherwiseunauthorizedactivity
IncidentResponseProcess
Theincidentresponseprocessstartswiththedeclarationoftheincident,asshowninFigure1.Inthiscontext,“declaration”referstotheidentificationofanincidentandcommunicationtoCISAandagencynetworkdefendersratherthanformaldeclarationofamajorincidentasdefinedinapplicablelawandpolicy.Succeedingsections,whichareorganizedbyphasesoftheIRlifecycle,describeeachstepinmoredetail.Manyactivitiesareiterativeandmaycontinuouslyoccurandevolveuntiltheincidentisclosedout.Figure1illustratesincidentresponseactivitiesintermsofthesephases,andAppendixBprovidesacompanionchecklisttotrackactivitiestocompletion.
5
NISTSpecialPublication(SP)800-61Rev.2:ComputerSecurityIncidentHandlingGuide
TLP:WHITE
TLP:WHITE
CISA|CybersecurityandInfrastructureSecurityAgency6
Figure1:IncidentResponseProcess
PreparationPhase
Prepareformajorincidentsbeforetheyoccurtomitigateanyimpactontheorganization.Preparationactivitiesinclude:
•Documentingandunderstandingpoliciesandproceduresforincidentresponse
•Instrumentingtheenvironmenttodetectsuspiciousandmaliciousactivity
•Establishingstaffingplans
•Educatingusersoncyberthreatsandnotificationprocedures
•Leveragingcyberthreatintelligence(CTI)toproactivelyidentifypotentialmaliciousactivity
Definebaselinesystemsandnetworksbeforeanincidentoccurstounderstandthebasicsof“normal”activity.Establishingbaselinesenablesdefenderstoidentifydeviations.Preparationalsoincludes
•Havinginfrastructureinplacetohandlecomplexincidents,includingclassifiedandout-of-bandcommunications
•Developingandtestingcoursesofaction(COAs)forcontainmentanderadication
•Establishingmeansforcollectingdigitalforensicsandotherdataorevidence
Thegoaloftheseitemsistoensureresilientarchitecturesandsystemstomaintaincriticaloperationsinacompromisedstate.Activedefensemeasuresthatemploymethodssuchasredirectionandmonitoringofadversaryactivitiesmayalsoplayaroleindevelopingarobustincidentresponse.
6
6Forexample,“Deception:Mislead,confuse,hidecriticalassetsfrom,orexposecovertlytaintedassetstotheadversary,”asdefinedin
NISTSP800-160Vol.2:DevelopingCyberResilientSystems:ASystemsSecurityEngineeringApproach
.
TLP:WHITE
TLP:WHITE
CISA|CybersecurityandInfrastructureSecurityAgency7
PreparationActivities
PoliciesandProcedures
Documentincidentresponseplans,includingprocessesandproceduresfordesignatingacoordinationlead(incidentmanager).Putpoliciesandproceduresinplacetoescalateandreportmajorincidentsandthosewithimpactontheagency’smission.Documentcontingencyplansforadditionalresourcingand“surgesupport”withassignedrolesandresponsibilities.Policiesandplansshouldaddressnotification,interaction,andevidencesharingwithlawenforcement.
Instrumentation
Developandmaintainanaccuratepictureofinfrastructure(systems,networks,cloudplatforms,andcontractor-hostednetworks)bywidelyimplementingtelemetrytosupportsystemandsensor-baseddetectionandmonitoringcapabilitiessuchasantivirus(AV)software;endpointdetectionandresponse(EDR)solutions;
7
datalossprevention(DLP)capabilities;intrusiondetectionandpreventionsystems(IDPS);authorization,host,applicationandcloudlogs;
8
networkflows,packetcapture(PCAP);andsecurityinformationandeventmanagement(SIEM)systems.MonitorforalertsgeneratedbyCISA'sEINSTEINintrusiondetectionsystemandContinuousDiagnosticsandMitigation(CDM)programtodetectchangesincyberposture.Implementadditionalrequirementsforlogging,logretention,andlogmanagementbasedonExecutiveOrder14028,Sec.8.ImprovingtheFederalGovernment'sInvestigativeandRemediationCapabilities,
9
andensurethoselogsarecollectedcentrally.
TrainedResponsePersonnel
Ensurepersonnelaretrained,exercised,andreadytorespondtocybersecurityincidents.Train
allstaffingresourcesthatmaydrawfromin-housecapabilities,availablecapabilitiesataparentagency/department,third-partyorganization,oracombinationthereof.Conductregularrecoveryexercisestotestfullorganizationalcontinuityofoperationsplan(COOP)andfailover/backup/recoverysystemstobesuretheseworkasplanned.
CyberThreatIntelligence
Activelymonitorintelligencefeedsforthreatorvulnerabilityadvisoriesfromgovernment,trustedpartners,opensources,andcommercialentities.Cyberthreatintelligencecanincludethreatlandscapereporting,threatactorprofilesandintents,organizationaltargetsandcampaigns,aswellasmorespecificthreatindicatorsandcoursesofaction.IngestcyberthreatindicatorsandintegratedthreatfeedsintoaSIEM,anduseotherdefensivecapabilitiestoidentifyandblockknownmaliciousbehavior.Threatindicatorscaninclude:
•Atomicindicators,suchasdomainsandIPaddresses,thatcandetectadversaryinfrastructureandtools
•Computedindicators,suchasYararulesandregularexpressions,thatdetectknownmaliciousartifactsorsignsofactivity
•Patternsandbehaviors,suchasanalyticsthatdetectadversarytactics,techniques,andprocedures(TTPs)
Atomicindicatorscaninitiallybevaluabletodetectsignsofaknowncampaign.However,becauseadversariesoftenchangetheirinfrastructure(e.g.,wateringholes,botnets,C2servers)betweencampaigns,the“shelf-life”ofatomicindicatorstodetectnewadversaryactivityislimited.Inaddition,advancedthreatactors
7
EO14028,Sec.7.ImprovingDetectionofCybersecurityVulnerabilitiesandIncidentsonFederalGovernmentNetworks
8
NISTSP800-92:GuidetoComputerSecurityLogManagement
9
E014028,Sec.8.ImprovingtheFederalGovernment'sInvestigativeandRemediationCapabilities
TLP:WHITE
TLP:WHITE
CISA|CybersecurityandInfrastructureSecurityAgency8
mightleveragedifferentinfrastructureagainstdifferenttargetsorswitchtonewinfrastructureduringacampaignwhentheiractivitiesaredetected.Finally,adversariesoftenhideintheirtargetedenvironments,usingnativeoperatingsystemutilitiesandotherresourcestoachievetheirgoals.Forthesereasons,agenciesshouldusepatternsandbehaviors,oradversaryTTPs,toidentifymaliciousactivitywhenpossible.Althoughmoredifficulttoapplydetectionmethodsandverifyapplication,TTPsprovidemoreusefulandsustainablecontextaboutthreatactors,theirintentions,andtheirmethodsthanatomicindicatorsalone.
TheMITREATT&CK®
framework
documentsandexplainsadversaryTTPsindetailmakingitavaluableresourcefornetworkdefenders.
10
Sharingcyberthreatintelligenceisacriticalelementofpreparation.FCEBagenciesarestronglyencouragedtocontinuouslysharecyberthreatintelligence—includingadversaryindicators,TTPs,andassociateddefensivemeasures(alsoknownas“countermeasures”)—withCISAandotherpartners.Theprimarymethodforsharingcyberthreatinformation,indicators,andassociateddefensivemeasureswithCISAisviatheAutomatedIndicatorSharing(AIS)program.
11
FCEBagenciesshouldbeenrolledinAIS.IftheagencyisnotenrolledinAIS,contactCISAformoreinformation.
12
AgenciesshouldusetheCyberThreatIndicatorandDefensiveMeasuresSubmissionSystem—asecure,web-enabledmethod—tosharewithCISAcyberthreatindicatorsanddefensivemeasuresthatarenotapplicableorappropriatetoshareviaAIS.
13
10See
BestPracticesforMITREATT&CK®Mapping
FrameworkforguidanceonusingATT&CKtoanalyzeandreportoncybersecuritythreats.
11
CISAAutomatedIndicatorSharing
12
CISAAutomatedIndicatorSharing
ActiveDefense
FCEBagencieswithadvanceddefensivecapabilitiesandstaffmightestablishactivedefensecapabilities—suchastheabilitytoredirectanadversarytoasandboxorhoneynetsystemforadditionalstudy,or“darknets”—todelaytheabilityofanadversarytodiscovertheagency’slegitimateinfrastructure.Networkdefenderscanimplementhoneytokens(fictitiousdataobjects)andfakeaccountstoactascanariesformaliciousactivity.Thesecapabilitiesenabledefenderstostudytheadversary’sbehaviorandTTPsandtherebybuildafullpictureofadversarycapabilities.
CommunicationsandLogistics
Establishlocalandcross-agencycommunicationproceduresandmechanismsforcoordinatingmajorincidentswithCISAandothersharingpartnersanddeterminetheinformationsharingprotocolstouse(i.e.,agreed-uponstandards).Definemethodsforhandlingclassifiedinformationanddata,ifrequired.Establishcommunicationchannels(chatrooms,phonebridges)andmethodforout-of-bandcoordination.
14
OperationalSecurity(OPSEC)
TakestepstoensurethatIRanddefensivesystemsandprocesseswillbeoperationalduringanattack,particularlyintheeventofpervasivecompromises—suchasaransomwareattackoroneinvolvinganaggressiveattackerthatmayattempttounderminedefensivemeasuresanddistractormisleaddefenders.Thesemeasuresinclude:
•SegmentingandmanagingSOCsystemsseparatelyfromthebroaderenterpriseITsystems,
13
DHSCISACyberThreatIndicatorandDefensiveMeasure
SubmissionSystem
14
NISTSP800-47Rev.1:ManagingtheSecurityof
InformationExchanges
TLP:WHITE
TLP:WHITE
CISA|CybersecurityandInfrastructureSecurityAgency9
•Managingsensorsandsecuritydevicesviaout-of-bandmeans,
•Notifyingusersofcompromisedsystemsviaphoneratherthanemail,
•Usinghardenedworkstationstoconductmonitoringandresponseactivities,and
•Ensuringthatdefensivesystemshaverobustbackupandrecoveryprocesses.
Avoid“tippingoff”anattackerbyhavingprocessesandsystemstoreducethelikelihoodofdetectionofIRactivities(e.g.,donotsubmitmalwaresamplestoapublicanalysisserviceornotifyusersofpotentiallycomprisedmachinesviaemail).
TechnicalInfrastructure
Implementcapabilitiestocontain,replicate,analyze,reconstitute,anddocumentcompromisedhosts;implementthecapabilitytocollectdigitalforensicsandotherdata.Establishsecurestorage(i.e.,onlyaccessiblebyincidentresponders)forincidentdataandreporting.Providemeansforcollectingforensicevidence,suchasdiskandactivememoryimaging,andmeansforsafelyhandlingmalware.Obtain
analysistoolsandsandboxsoftwareforanalyzingmalware.Implementaticketingorcasemanagementsystemthatcapturespertinentdetailsof:
•Anomalousorsuspiciousactivity,suchasaffectedsystems,applications,andusers;
•Activitytype;
•Specificthreatgroup(s);
•Adversarytactics,techniques,andprocedures(TTPs)employed;and
•Impact.
DetectActivity
Leveragethreatintelligencetocreaterulesandsignaturestoidentifytheactivityassociatedwiththeincidentandtoscopeitsreach.Configuretoolsandanalyzelogsandalerts.Lookforsignsofincidentactivityandpotentiallyrelatedinformationtodeterminethetypeofincident,e.g.,malwareattack,systemcompromise,sessionhijack,datacorruption,dataexfiltration,etc.
SeeAppendixCforachecklistforpreparationactivities.
TLP:WHITE
TLP:WHITE
CISA|CybersecurityandInfrastructureSecurityAgency10
Detection&Analysis
Themostchallengingaspectoftheincidentresponseprocessisoftenaccuratelydetectingandassessingcybersecurityincidents:determiningwhetheranincidenthasoccurredand,ifso,thetype,extent,andmagnitudeofthecompromisewithincloud,operationaltechnology(OT),hybrid,host,andnetworksystems.Todetectandanalyzeevents,implementdefinedprocesses,appropriatetechnology,and
sufficientbaselineinformationtomonitor,detect,andalertonanomalousandsuspiciousactivity.Ensurethereareprocedurestodeconflictpotentialincidentswithauthorizedactivity(e.g.,confirmthatasuspectedincidentisnotsimplyanetworkadministratorusingremoteadmintoolstoperformsoftwareupdates).AstheU.S.government’sleadforassetresponse,CISAwillpartnerwithaffectedagenciesinallaspectsofthedetectionandanalysisprocess.
Detection&AnalysisActivities
DeclareIncident
DeclareanincidentbyreportingittoCISAat
/
andalertingagencyITleadershiptotheneedforinvestigationandresponse.CISAcanassistindeterminingtheseverityoftheincidentandwhetheritshouldbedeclaredamajorincident.Note:FCEBagenciesmustpromptlyreportallcybersecurityincidents,regardlessofseverity,toCISA
DetermineInvestigationScope
Useavailabledatatoidentifythetypeofaccess,theextenttowhichassetshavebeenaffected,thelevelofprivilegeattainedbytheadversary,andtheoperationalorinformationalimpact.Discoverassociatedmaliciousactivitybyfollowingthetrailofnetworkdata;discoverassociatedhost-basedartifactsbyexamininghost,firewall,andproxylogsalongwithothernetworkdata,suchasroutertraffic.Initialscopingofanincidenttodetermineadversarialactivitymayincludeanalyzingresultsfrom:
•Anautomateddetectionsystemorsensor;
•Areportfromauser,contractor,orthird-partyinformationandcommunicationtechnologies(ICT)serviceprovider;or
•Anincidentreportorsituationalawarenessupdatefromotherinternalorexternalorganizationalcomponents.
15
NISTSP800-61Rev.2:ComputerSecurityIncident
HandlingGuide
CollectandPreserveData
Collectandpreservedataforincidentverification,categorization,prioritization,mitigation,reporting,andattribution.Whennecessaryandpossible,suchinformationshouldbepreservedandsafeguardedasbestevidenceforuseinanypotentiallawenforcementinvestigation.Collectdatafromtheperimeter,theinternalnetwork,andtheendpoint(serverandhost).Collectaudit,transaction,intrusion,connection,systemperformance,anduseractivitylogs.Whenanendpointrequiresforensicanalysis,captureamemoryanddiskimageforevidencepreservation.Collectevidence,includingforensicdata,accordingtoproceduresthatmeetallapplicablepoliciesandstandardsandaccountforitinadetailedlogthatiskeptforallevidence.Formoreinformation,seeNISTComputerSecurityIncidentHandlingGuide,SP800-61r2.
15
Extractallrelevantthreatinformation(atomic,computed,andbehavioralindicatorsandcountermeasures)tosharewithIRteamsandwithCISA.
PerformTechnicalAnalysis
Developatechnicalandcontextualunderstandingoftheincident.Correlateinformation,assessanomalousactivityagainstaknownbaselinetodeterminerootcause,anddocumentadversaryTTPstoenableprioritizationofthesubsequent
TLP:WHITE
TLP:WHITE
CISA|CybersecurityandInfrastructureSecurityAgency11
responseactivities.Thegoalofthisanalysisistoexaminethebreadthofdatasourcesthroughouttheenvironmenttodiscoveratleastsomepartofanattackchain,ifnotallofit.Asinformationevolvesandtheinvestigationprogresses,updatethescopetoincorporatenewinformation.
CorrelateEventsandDocumentTimeline
Acquire,store,andanalyzelogstocorrelateadversarialactivity.Table1presentsanexampleoflogsandeventdatathatarecommonlyemployedtodetectandanalyzeattackeractivities.
16
,
17
Asimpleknowledgebaseshouldbeestablishedforreferenceduringresponsetotheincident.Thoroughlydocumenteverysteptakenduringthisandsubsequentphases.Createatimelineofallrelevantfindings.Thetimelinewillallowtheteamtoaccountforalladversaryactivityonthenetworkandwillassistincreatingthefindingsreportattheconclusionoftheresponse.
IdentifyAnomalousActivity
Assessandprofileaffectedsystemsandnetworksforsubtleactivitythatmightbeadversarybehavior.Adversarieswilloftenuselegitimate,nativeoperatingsystemutilitiesandscriptinglanguagesoncetheygainafootholdinanenvironmenttoavoiddetection.Thisprocesswillenabletheteamtoidentifydeviationsfromtheestablishedbaselineactivityandcanbeparticularlyimportantinidentifyingactivitiessuchasattemptstoleveragelegitimatecredentialsandnativecapabilitiesintheenvironment.
IdentifyRootCauseandEnablingConditions
Attempttoidentifytherootcauseoftheincidentandcollectthreatinformationthatcanbeusedinfurthersearchesandtoinformsubsequentresponseefforts.Identifytheconditionsthatenabledtheadversarytoaccessandoperate
16Derivedfromthe
MITREATT&CK®
Framework.Note:thistableisarepresentativesamplingofcommontactics,techniques,andrelatedlogs,andisnotintendedtobecomplete.
withintheenvironment.Theseconditionswillinformtriageandpost-incidentactivity.Assessnetworksandsystemsforchangesthatmayhavebeenmadetoeitherevadedefensesorfacilitatepersistentaccess.
GatherIncidentIndicators
Identifyanddocumentindicatorsthatcanbeusedforcorrelativeanalysisonthenetwork.Indicatorscanprovideinsightintotheadversary’scapabilitiesandinfrastructure.Indicatorsasstandaloneartifactsarevaluableintheearlystagesofincidentresponse.
AnalyzeforCommonAdversaryTTPs
CompareTTPstoadversaryTTPsdocumentedinATT&CKandanalyzehowtheTTPsfitintotheattacklifecycle.TTPsdescribe“why,”“what,”and“how.”Tacticsdescribethetechnicalobjectiveanadversaryistryingtoachieve(“why”),techniquesaredifferentmechanismstheyusetoachieveit(“what”),andproceduresareexactlyhowtheadversaryachievesaspecificresult(“how”).RespondingtoTTPsenablesdefendersto
温馨提示
- 1. 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。图纸软件为CAD,CAXA,PROE,UG,SolidWorks等.压缩文件请下载最新的WinRAR软件解压。
- 2. 本站的文档不包含任何第三方提供的附件图纸等,如果需要附件,请联系上传者。文件的所有权益归上传用户所有。
- 3. 本站RAR压缩包中若带图纸,网页内容里面会有图纸预览,若没有图纸预览就没有图纸。
- 4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
- 5. 人人文库网仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对用户上传分享的文档内容本身不做任何修改或编辑,并不能对任何下载内容负责。
- 6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
- 7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。
最新文档
- 半导体辅料制备工岗位成果转化考核试卷含答案
- 密码技术应用员岗中质量控制考核试卷含答案
- 25.古人谈读书教案
- 传统工艺点翠介绍
- 高校防艾教育:知识、态度与行为的多维度解析与成效评估
- 高校美术教学专用教室设计:功能、空间与创新的融合
- 高校校园建筑色彩系统:构建与意义探究
- 高校思政课视角下大学生德育社会化的省思与重构
- 高校学子的心灵密码:人格特征与压力应对方式的深度解析
- 高校国防教育价值取向与实现路径的深度剖析与实践探索
- 水利工程安全生产保证措施方案
- 《塑料材质食品相关产品质量安全风险管控清单》
- 官方兽医题库及答案(更新版)
- 嵌甲性甲沟炎的外科治疗
- DZ∕T 0270-2014 地下水监测井建设规范(正式版)
- 园林绿化景观工程报价
- (高清版)WST 442-2024 临床实验室生物安全指南
- 办理退休委托书
- 企业安全防汛知识培训
- 08S523 建筑小区塑料排水检查井
- GB/T 8923.1-2011涂覆涂料前钢材表面处理表面清洁度的目视评定第1部分:未涂覆过的钢材表面和全面清除原有涂层后的钢材表面的锈蚀等级和处理等级
评论
0/150
提交评论