Digital Forensics and Incident Response (DFIR) is a massive field. It belongs to the blue team, meaning it is a defensive discipline rather than an offensive one, so let's begin.
Digital forensics
Digital forensics is the application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data.
Incident Response
Incident response is a series of structured steps that describe the actions to take in the face of a security breach.
According to NIST, organizations should build an incident response capacity. This involves the following:
Creating a policy and plans
Drawing up incident management procedures and reports
Establishing communication channels with the internal and external parties involved
Creating a structure and work team
Training the members of those teams
Events and Incidents
An event is any observable occurrence in the normal operation of the organization's systems, such as a login to the network or access to a resource.
A security incident is an event in which unusual behavior is identified, or which is in clear violation of the organization's security or acceptable use policy.
Digital evidence and forensics artifacts
Digital evidence is information that can be stored on a device or transmitted to other devices.
A digital forensic artifact is an object that stores pieces of data or information; for example, operating systems and applications store the information they need in order to work. If you install an application on Windows, that application may create databases and configuration files, or keep crucial data in the system's registry keys.
Several knowledge bases catalog forensic artifacts and are very useful as digital forensics artifact repositories.
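As an added example (not code from the original post) of the integrity and chain-of-custody requirement from the digital forensics definition above, applied to one digital evidence item: the evidence file is hashed at collection and every handling step is logged with the current hash, so any later change is detectable. The case id, handler names and file contents are constructed for the demo.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Added example: SHA-256 evidence hashing plus an append-only chain-of-custody ledger.

def hash_evidence(path, chunk_size=1024 * 1024):
    """SHA-256 hex digest of a file, read in chunks so large images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

class ChainOfCustody:
    """Custody ledger for one evidence item (case id and handler names are assumed)."""
    def __init__(self, case_id, evidence_path):
        self.case_id = case_id
        self.path = evidence_path
        self.entries = []

    def record(self, action, handler):
        """Log an action (collected, transferred, examined, ...) with the current hash."""
        entry = {
            "case_id": self.case_id,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "handler": handler,
            "sha256": hash_evidence(self.path),
        }
        self.entries.append(entry)
        return entry

    def verify(self):
        """True if the evidence still matches the hash taken when it was collected."""
        return hash_evidence(self.path) == self.entries[0]["sha256"]

def demo():
    """Constructed evidence file; returns (collection hash, intact?, intact after change?)."""
    path = os.path.join(tempfile.mkdtemp(), "disk.img")
    with open(path, "wb") as f:
        f.write(b"constructed sample evidence image")
    coc = ChainOfCustody("CASE-0001", path)
    first = coc.record("collected", "analyst A")
    intact = coc.verify()
    with open(path, "ab") as f:
        f.write(b"!")  # simulate an accidental modification during examination
    coc.record("examined", "analyst B")
    return first["sha256"], intact, coc.verify()
```

Running `demo()` shows the item verifying cleanly after collection and failing verification once its bytes change, which is exactly what the ledger exists to prove.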
IoCs versus IoAs
Indicators of Compromise (IoCs) allow identification of the traces attackers left behind at the time of the attack.
Indicators of Attack (IoAs) are especially useful in a more proactive approach, such as threat hunting, to identify the threat actors' behavior.
An excellent way to identify IoAs is by using the MITRE ATT&CK framework. This framework describes the Tactics, Techniques, and Procedures (TTPs) an attacker might follow when performing a malicious operation. You can find details of this framework on the MITRE ATT&CK official website.
Incident response standards and framework
One of the main problems organizations face with cybersecurity incidents is the lack of plans and procedures for dealing with the threats they face, since every cyber-attack has its own specific characteristics.
NIST Computer Security Incident Handling Guide
This is a practical guide for handling incidents effectively and efficiently, supplying guidelines for mitigating cybersecurity incidents. The document focuses on these steps:
Preparation
Detection and analysis
Containment, eradication, and recovery
Post-incident activity
The document also includes guidelines and recommendations for developing an incident response capability: creating an incident response team, developing policies, plans, and procedures, and coordinating and sharing information with third parties.
SANS incident response process
The SANS Institute has published an incident handler's handbook that defines six structured steps for responding to cybersecurity incidents:
Preparation
Identification/Scoping
Containment/Intelligence Development
Eradication/Remediation
Recovery
Lessons Learned