Enterprise Forensics Platform
Amina Zilic, Sep 10, 2021 9:01:19 AM
Suspicious events come in many forms: some are generated by the system, others are noticed by watchful people. Every suspicious event (as described in step 6) needs to be checked before a full formal investigation is launched. From that point, the situation can move in one of two directions:
The purpose of this step is to decide how to react to a suspicious event and to learn when to launch a full formal investigation.
When to launch a full formal investigation?
According to IJDE, once a suspicious event is detected you have to apply a preliminary business impact assessment based on the following factors:
If the malicious activity discovered in your network matches most of the items listed above, the course of action is clear: any indication of a major business impact means the decision to launch a full investigation has to be taken and an investigation team assembled without delay.
Just before proceeding with immediate event escalation and reaching out to the Computer Security Incident Response Team (CSIRT), IJDE advises answering the questions below:
These questions need to be answered to assess the impact that the event response itself will have on the organization.
At this stage of the forensic readiness plan, you are already prepared to answer these questions, with policies and incident response budget estimates in place. Refer to the third step of the forensic readiness plan.
Below are the three signs that security teams look for when evaluating the potential damage and vulnerability associated with the event:
It is always advisable to have a decision-maker who leads the event analysis prior to a possible escalation. If the escalation proceeds to a full formal investigation, that person becomes the investigation manager and is responsible for calling out the CSIRT and making informed decisions on further business-related steps.
From the first moment, all parties involved need to follow a written policy prepared by the security team. That way, every stakeholder knows what to do without losing time and money on unnecessary meetings and planning.
In the next step, we will cover internal incident response awareness and training.