Welcome to day 5 of the Cyber Security Awareness Month and the first day of what is the second half of the steady state that incident handling teams work in. When everything in the Incident Handling world is good, handlers rotate between the Preparation and Identification steps. But what triggers the move to step 3, Containment?
This is why today we discuss Events versus Incidents.
An event is the name given to the pieces of information which flow into your incident handling process.
An incident is what an event becomes once you determine that the event is malicious.
So, how does your incident team perform this crucial task so you know you've not missed anything? What hints and tips can you give your fellow incident handlers to improve their detection rate, or to make the job easier?
What questions do you ask of the event reporter that improve your decision making? How do you gather this information?
Drop me a note during today, and I'll update the diary with your advice!
Janantha wrote in saying:
I assume that in the preparation you have compiled a list of Windows Event IDs that are related to popular incidents. Also, if you're in Linux, you know the regex to parse through the log files.
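As an added illustration of the event-versus-incident distinction above, and of the reader's suggestion of a prepared Windows Event ID list plus Linux log regexes, here is a small Python triage script. It is not code from the diary or from SANS ISC. Event IDs 4625 (failed logon), 4720 (user account created) and 1102 (audit log cleared) are real Windows Security events; the one-line "host EventID=NNNN ..." text format for Windows records, the sample log lines, the severity assignments and the failed-logon threshold of 5 are all constructed assumptions for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample of a prepared watch list: three real Windows Security
# event IDs a team might pre-classify. A production list would be longer and
# tuned to the environment; the "high" severity marking here is an assumption.
WATCHED_WINDOWS_EVENTS = {
    4625: ("failed logon", "info"),
    4720: ("user account created", "high"),
    1102: ("audit log cleared", "high"),
}

# Regex for sshd failure lines as written to a Debian-style /var/log/auth.log.
SSH_FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

# Regex for a constructed, simplified one-line Windows record:
# "<host> EventID=<id> <free text>". This is NOT Microsoft's export format.
WIN_EVENT_RE = re.compile(r"^(?P<host>\S+) EventID=(?P<eid>\d+)(?: (?P<rest>.*))?$")


@dataclass
class Event:
    source: str    # "linux" or "windows"
    host: str      # system the record came from
    kind: str      # short description of what happened
    actor: str     # remote address or user text involved
    severity: str  # "info" or "high"


def parse_line(line):
    """Turn one raw log line into an Event, or None if it is not on the watch list."""
    m = SSH_FAILED_RE.search(line)
    if m:
        host = line.split()[3]  # syslog layout: "Mon DD HH:MM:SS host ..."
        return Event("linux", host, "failed ssh logon", m.group("src"), "info")
    m = WIN_EVENT_RE.match(line)
    if m:
        eid = int(m.group("eid"))
        if eid in WATCHED_WINDOWS_EVENTS:
            kind, sev = WATCHED_WINDOWS_EVENTS[eid]
            return Event("windows", m.group("host"), kind, m.group("rest") or "", sev)
    return None


def triage(lines, failed_logon_threshold=5):
    """Return (events, incidents): every recognised event, and the subset of
    findings the team has decided to treat as malicious and escalate."""
    events = [e for e in (parse_line(ln) for ln in lines) if e]
    incidents = []
    # Rule 1 (assumed policy): any single high-severity event is an incident.
    for e in events:
        if e.severity == "high":
            incidents.append(f"{e.host}: {e.kind} ({e.actor})")
    # Rule 2 (assumed policy): repeated failed logons from one actor at one host.
    counts = Counter((e.host, e.actor) for e in events if "failed" in e.kind)
    for (host, actor), n in counts.items():
        if n >= failed_logon_threshold:
            incidents.append(f"{host}: {n} failed logons from {actor}")
    return events, incidents


# Constructed sample input: six ssh failures from one address, one from another,
# and three Windows records (4624 is not on the watch list and is ignored).
SAMPLE_LINES = [
    f"Oct  5 10:00:0{i} bastion sshd[1234]: Failed password for root "
    f"from 198.51.100.7 port 5221{i} ssh2"
    for i in range(6)
] + [
    "Oct  5 10:01:00 bastion sshd[1240]: Failed password for invalid user test "
    "from 203.0.113.9 port 40000 ssh2",
    "ws01 EventID=4624 user=alice",
    "ws01 EventID=4625 user=bob",
    "dc01 EventID=1102 user=admin",
]


def run_sample():
    return triage(SAMPLE_LINES)


if __name__ == "__main__":
    events, incidents = run_sample()
    print(f"{len(events)} events recognised, {len(incidents)} escalated to incidents")
    for inc in incidents:
        print("  INCIDENT:", inc)
```

Every line that matches the watch list is an event; only the findings that meet an explicit, pre-agreed rule become incidents. Writing those rules down during Preparation is what makes the Identification decision repeatable rather than a judgment call made fresh each time.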
Oct 5th 2008