Preparation
ID: RS0001
Get prepared for a security incident.
Response Actions
ID | Name | Description |
---|---|---|
RA1001 | Practice | Practice in the real environment. Sharpen Response Actions within your organization |
RA1002 | Take trainings | Take training courses to gain relevant knowledge |
RA1003 | Raise personnel awareness | Raise personnel awareness regarding phishing, ransomware, social engineering, and other attacks that involve user interaction |
RA1004 | Make personnel report suspicious activity | Make sure that personnel will report suspicious activity, e.g. suspicious emails, links, files, activity on their computers, etc. |
RA1005 | Set up relevant data collection | Usually, data collection is managed by Log Management/Security Monitoring/Threat Detection teams. You need to provide them with a list of data that is critically important for the IR process. Most of the time, data like DNS and DHCP logs are not being collected, as their value for detection is relatively low. You can refer to the existing Response Actions (Preparation stage) to develop the list |
RA1006 | Set up a centralized long-term log storage | Set up a centralized long-term log storage. This is one of the most critical problems companies have nowadays. Even if there is such a system, in most cases it stores irrelevant data or has too short a retention period |
RA1007 | Develop communication map | Develop a communication map for both internal communications (C-level, managers and technical specialists from other departments that could be involved in the IR process) and external communications (law enforcement, national CERTs, subject matter experts you lack in-house, etc.) |
RA1008 | Make sure there are backups | Make sure there are both online and offline backups. Make sure they are fully operational. In the case of a successful ransomware worm attack, that's the only thing that will help you save your critically important data |
RA1009 | Get network architecture map | Get the network architecture map. Usually, it's managed by the Network security team. It will help you choose the containment strategy, such as isolating specific network segments |
RA1010 | Get access control matrix | Get the Access Control Matrix. Usually, it's managed by the Network security team. It will help you identify adversary opportunities, such as lateral movement and so on |
RA1011 | Develop assets knowledge base | Develop assets knowledge base. It will help you to compare observed activity with a normal activity profile for a specific host, user or network segment |
RA1012 | Check analysis toolset | Make sure your toolset for analysis and management is updated and fully operational. Make sure that all the required permissions have been granted as well |
RA1013 | Access vulnerability management system logs | Access vulnerability management system logs. It will help you identify the vulnerabilities a specific host had at a specific time in the past |
RA1014 | Connect with trusted communities | Connect with trusted communities for information exchange |
RA1101 | Access external network flow logs | Make sure you have access to external communication Network Flow logs |
RA1102 | Access internal network flow logs | Make sure you have access to internal communication Network Flow logs |
RA1103 | Access internal HTTP logs | Make sure you have access to internal communication HTTP logs |
RA1104 | Access external HTTP logs | Make sure you have access to external communication HTTP logs |
RA1105 | Access internal DNS logs | Make sure you have access to internal communication DNS logs |
RA1106 | Access external DNS logs | Make sure you have access to external communication DNS logs |
RA1107 | Access VPN logs | Make sure you have access to VPN logs |
RA1108 | Access DHCP logs | Make sure you have access to DHCP logs |
RA1109 | Access internal packet capture data | Make sure you have access to internal communication Packet Capture data |
RA1110 | Access external packet capture data | Make sure you have access to external communication Packet Capture data |
RA1111 | Get ability to block external IP address | Make sure you have the ability to block an external IP address from being accessed by corporate assets |
RA1112 | Get ability to block internal IP address | Make sure you can block an internal IP address from being accessed by corporate assets |
RA1113 | Get ability to block external domain | Make sure you have the ability to block an external domain name from being accessed by corporate assets |
RA1114 | Get ability to block internal domain | Make sure you can block an internal domain name from being accessed by corporate assets |
RA1115 | Get ability to block external URL | Make sure you have the ability to block an external URL from being accessed by corporate assets |
RA1116 | Get ability to block internal URL | Make sure you can block an internal URL from being accessed by corporate assets |
RA1117 | Get ability to block port external communication | Make sure you can block a network port for external communications |
RA1118 | Get ability to block port internal communication | Make sure you can block a network port for internal communications |
RA1119 | Get ability to block user external communication | Make sure you can block a user for external communications |
RA1120 | Get ability to block user internal communication | Make sure you can block a user for internal communications |
RA1121 | Get ability to find data transferred by content pattern | Make sure you have the ability to find data transferred at a particular time in the past by its content pattern (i.e. specific string, keyword, binary pattern etc) |
RA1122 | Get ability to block data transferring by content pattern | Make sure you have the ability to block data transferring by its content pattern (i.e. specific string, keyword, binary pattern etc) |
RA1123 | Get ability to list data transferred | Make sure you have the ability to list the data that is being transferred at the moment or at a particular time in the past |
RA1124 | Get ability to collect transferred data | Make sure you have the ability to collect the data that is being transferred at the moment or at a particular time in the past |
RA1125 | Get ability to identify transferred data | Make sure you have the ability to identify the data that is being transferred at the moment or at a particular time in the past (i.e. its content, value) |
RA1126 | Find data transferred by content pattern | Make sure you have the ability to find the data that is being transferred at the moment or at a particular time in the past by its content pattern |
RA1127 | Get ability to analyse user-agent | Make sure you have the ability to analyse a User-Agent request header |
RA1128 | Get ability to list Firewall rules | Make sure you have the ability to list firewall rules |
RA1201 | Get ability to list users opened email message | Make sure you have the ability to list users who opened a particular email message |
RA1202 | Get ability to list email message receivers | Make sure you have the ability to list receivers of a particular email message |
RA1203 | Get ability to block email domain | Make sure you have the ability to block an email domain |
RA1204 | Get ability to block email sender | Make sure you have the ability to block an email sender |
RA1205 | Get ability to delete email message | Make sure you have the ability to delete an email message |
RA1206 | Get ability to quarantine email message | Make sure you have the ability to quarantine an email message |
RA1207 | Get ability to collect email message | Make sure you have the ability to collect an email message |
RA1208 | Get ability to analyse email address | Make sure you have the ability to analyse an email address |
RA1301 | Get ability to list files created | Make sure you have the ability to list files that have been created at a particular time in the past |
RA1302 | Get ability to list files modified | Make sure you have the ability to list files that have been modified at a particular time in the past |
RA1303 | Get ability to list files deleted | Make sure you have the ability to list files that have been deleted at a particular time in the past |
RA1304 | Get ability to list files downloaded | Make sure you have the ability to list files that have been downloaded from the internet at a particular time in the past |
RA1305 | Get ability to list files with tampered timestamps | Make sure you have the ability to list files with a tampered timestamp |
RA1306 | Get ability to find file by path | Make sure you have the ability to find a file by its path (including its name) |
RA1307 | Get ability to find file by metadata | Make sure you have the ability to find a file by its metadata (i.e. signature, permissions, MAC times) |
RA1308 | Get ability to find file by hash | Make sure you have the ability to find a file by its hash |
RA1309 | Get ability to find file by format | Make sure you have the ability to find a file by its format |
RA1310 | Get ability to find file by content pattern | Make sure you have the ability to find a file by its content pattern (i.e. specific string, keyword, binary pattern etc) |
RA1311 | Get ability to collect file | Make sure you have the ability to collect a specific file from a (remote) host or a system |
RA1312 | Get ability to quarantine file by path | Make sure you have the ability to block a file from being accessed by its path (including its name) |
RA1313 | Get ability to quarantine file by hash | Make sure you have the ability to block a file from being accessed by its hash |
RA1314 | Get ability to quarantine file by format | Make sure you have the ability to block a file from being accessed by its format |
RA1315 | Get ability to quarantine file by content pattern | Make sure you have the ability to block a file from being accessed by its content pattern (i.e. specific string, keyword, binary pattern etc) |
RA1316 | Get ability to remove file | Make sure you have the ability to remove a specific file from a (remote) host or a system |
RA1317 | Get ability to analyse file hash | Make sure you have the ability to analyse a file hash |
RA1318 | Get ability to analyse Windows PE | Make sure you have the ability to analyse a Windows Portable Executable file |
RA1319 | Get ability to analyse macos macho | Make sure you have the ability to analyse a macOS Mach-O file |
RA1320 | Get ability to analyse Unix ELF | Make sure you have the ability to analyse a UNIX ELF file |
RA1321 | Get ability to analyse MS office file | Make sure you have the ability to analyse a Microsoft Office file |
RA1322 | Get ability to analyse PDF file | Make sure you have the ability to analyse a PDF file |
RA1323 | Get ability to analyse script | Make sure you have the ability to analyse a script file (i.e. Python, PowerShell, Bash scripts etc) |
RA1324 | Get ability to analyse jar | Make sure you have the ability to analyse a JAR file |
RA1325 | Get ability to analyse filename | Make sure you have the ability to analyse a filename |
RA1401 | Get ability to list processes executed | Make sure you have the ability to list processes being executed at the moment or at a particular time in the past |
RA1402 | Get ability to find process by executable path | Make sure you have the ability to find a process executed at a particular time in the past by its executable path (including its name) |
RA1403 | Get ability to find process by executable metadata | Make sure you have the ability to find a process executed at a particular time in the past by its executable metadata (i.e. signature, permissions, MAC times) |
RA1404 | Get ability to find process by executable hash | Make sure you have the ability to find a process executed at a particular time in the past by its executable hash |
RA1405 | Get ability to find process by executable format | Make sure you have the ability to find a process executed at a particular time in the past by its executable format |
RA1406 | Get ability to find process by executable content pattern | Make sure you have the ability to find a process executed at a particular time in the past by its executable content pattern (i.e. specific string, keyword, binary pattern etc) |
RA1407 | Get ability to block process by executable path | Make sure you have the ability to block a process by its executable path (including its name) |
RA1408 | Get ability to block process by executable metadata | Make sure you have the ability to block a process by its executable metadata (i.e. signature, permissions, MAC times) |
RA1409 | Get ability to block process by executable hash | Make sure you have the ability to block a process by its executable hash |
RA1410 | Get ability to block process by executable format | Make sure you have the ability to block a process by its executable format |
RA1411 | Get ability to block process by executable content pattern | Make sure you have the ability to block a process by its executable content pattern (i.e. specific string, keyword, binary pattern etc) |
RA1501 | Manage remote computer management system policies | Make sure you can manage Remote Computer Management system policies |
RA1502 | Get ability to list registry keys modified | Make sure you have the ability to list registry keys modified at a particular time in the past |
RA1503 | Get ability to list registry keys deleted | Make sure you have the ability to list registry keys deleted at a particular time in the past |
RA1504 | Get ability to list registry keys accessed | Make sure you have the ability to list registry keys accessed at a particular time in the past |
RA1505 | Get ability to list registry keys created | Make sure you have the ability to list registry keys created at a particular time in the past |
RA1506 | Get ability to list services created | Make sure you have the ability to list services that have been created at a particular time in the past |
RA1507 | Get ability to list services modified | Make sure you have the ability to list services that have been modified at a particular time in the past |
RA1508 | Get ability to list services deleted | Make sure you have the ability to list services that have been deleted at a particular time in the past |
RA1509 | Get ability to remove registry key | Make sure you have the ability to remove a registry key |
RA1510 | Get ability to remove service | Make sure you have the ability to remove a service |
RA1511 | Get ability to analyse registry key | Make sure you have the ability to analyse a registry key |
RA1601 | Manage identity management system | Make sure you can manage the Identity Management System, i.e. remove/block users, revoke credentials, and execute other Response Actions |
RA1602 | Get ability to lock user account | Make sure you have the ability to lock a user account so that it cannot be used |
RA1603 | Get ability to list users authenticated | Make sure you have the ability to list users authenticated at a particular time in the past on a particular system |
RA1604 | Get ability to revoke authentication credentials | Make sure you have the ability to revoke authentication credentials |
RA1605 | Get ability to remove user account | Make sure you have the ability to remove a user account |
RA1606 | Get ability to list user accounts | Make sure you have the ability to list user accounts on a particular system |