April 25, 2020

Incident Response : Line of investigation

By venkat

A typical incident can have multiple lines of investigation that together give a clear understanding of the attack and its scope. It is important to capture each of these trains of thought, or hypotheses, as the investigation proceeds.

Zero-day attacks are typical scenarios where multiple approaches, each pursued by a small independent team, need to run in parallel.

Standardized processes are not enough for responding to every security alert. Apart from running automated actions, attack investigations usually require additional real-time tasks, such as pivoting from one suspicious indicator to another to gather critical evidence, drawing relations between incidents, and finalizing the resolution. Performing these tasks by hand traps analysts in a screen-switching cycle during the investigation and a documentation-chasing cycle after it ends. In a cloud-first world that is driven by agility, these lost seconds are precious.
