It is my humble opinion that START (Simple Triage And Rapid Treatment, the mass-casualty triage method) applies easily to computer security incidents, both the mass-casualty kind and the triage-center kind. In a mass-casualty incident you are typically confronted by several competing concerns: the sensitivity of the data, the criticality of the resource, and the threat posed by the compromise. These casualties come from all sides of the organization. The same holds true when you have an influx of dissimilar incidents and need to prioritize them; think of the ER at a major hospital on a warm Friday or Saturday night.
That said, I humbly present my adapted START methodology.
Stage 1 Triage
Stage 1 triage is completed on a live (powered-on) system. This stage requires a network connection to the target.
Conduct Rapid Triage
- Collect volatile data
- PII search of non-system (user-created) directories
- Limited malware scan
- fls & mactime (Sleuth Kit file system timeline)
Conduct Rapid Assessment
- Preliminary memory analysis
- Review PII tool logs
- Review antimalware logs
- Review fls & mactime output
- Establish time of compromise
Influential factors in Stage 1
MADtime
- MADtime is the Maximum Allowable Downtime: how long the organization can withstand the loss of the resource. Or, more to the point, the time it takes for someone to get pissed off (MAD).
- Is it known?
- Identify any knowns
- Is it attacking other systems?
- Is it spreading?
- Sensitive data presence
- System profile
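The factors above are what you rank an incident queue by. As an added example (not the post's own code), here is one way to turn them into START-style categories and an ordered queue. The page lists the factors but does not define a scoring, so the three categories, the rules, and the sample incidents are this example's assumptions; the one design choice worth copying is that an unknown answer ("we have not characterised it yet") counts against the host rather than pushing it down the queue.

```python
"""START-style prioritisation of an incident queue from Stage 1 factors.

Added example for this post, not the author's code.  The categories
(immediate / delayed / minor), the rules and the sample queue are
assumptions made for illustration; the factors themselves are the
ones the post lists: MADtime, known/unknown, attacking other systems,
spreading, sensitive data presence, system profile.
"""
from dataclasses import dataclass
from typing import Optional

IMMEDIATE, DELAYED, MINOR = "immediate", "delayed", "minor"
ORDER = {IMMEDIATE: 0, DELAYED: 1, MINOR: 2}

# Assumed set of profiles whose loss hurts the whole organisation.
CRITICAL_PROFILES = {"domain_controller", "db_server", "payment_system"}


@dataclass
class Incident:
    host: str
    madtime_hours: float              # Maximum Allowable Downtime for this resource
    hours_down: float = 0.0           # how long it has already been unavailable
    known: Optional[bool] = None      # malware/activity already identified?  None = unknown
    attacking_others: Optional[bool] = None
    spreading: Optional[bool] = None
    sensitive_data: Optional[bool] = None
    profile: str = "workstation"


def categorise(inc: Incident) -> str:
    """Assign a START-style category (assumed rules, not the post's)."""
    # Anything actively hurting other systems is treated first.
    if inc.attacking_others or inc.spreading:
        return IMMEDIATE
    # Unknown activity on a critical box, or where data sensitivity is
    # not yet ruled out, is also immediate: "unknown" is not "benign".
    if not inc.known and (inc.sensitive_data is not False or inc.profile in CRITICAL_PROFILES):
        return IMMEDIATE
    # Known activity, but the host or data still matters.
    if inc.sensitive_data or inc.profile in CRITICAL_PROFILES or not inc.known:
        return DELAYED
    return MINOR


def remaining_madtime(inc: Incident) -> float:
    """Hours left before someone gets MAD (negative = already past it)."""
    return inc.madtime_hours - inc.hours_down


def prioritise(incidents):
    """Queue ordered by category, then by least MADtime remaining."""
    return sorted(incidents, key=lambda i: (ORDER[categorise(i)], remaining_madtime(i)))


# Constructed sample queue: a Friday-night mix of dissimilar incidents.
SAMPLE_QUEUE = [
    Incident("ws-042", 72, known=True, attacking_others=None, spreading=False,
             sensitive_data=False, profile="workstation"),           # commodity adware
    Incident("dc01", 4, hours_down=1, known=False, attacking_others=False,
             spreading=False, sensitive_data=True, profile="domain_controller"),
    Incident("db02", 8, hours_down=2, known=True, attacking_others=False,
             spreading=False, sensitive_data=True, profile="db_server"),
    Incident("ws-017", 48, known=True, attacking_others=False,
             spreading=True, sensitive_data=False, profile="workstation"),  # worm
    Incident("ws-099", 72, known=None, attacking_others=None,
             spreading=None, sensitive_data=None, profile="workstation"),  # nothing known yet
]

if __name__ == "__main__":
    for inc in prioritise(SAMPLE_QUEUE):
        print(f"{categorise(inc):9s} {inc.host:8s} MADtime left: {remaining_madtime(inc):5.1f}h")
```

Run as a script it prints the queue with dc01 first (unknown activity on a domain controller with three hours of MADtime left) and the commodity adware last; ws-099, about which nothing is known, lands in the immediate bucket rather than being parked.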
Stage 2 Triage
Stage 2 triage is completed on a disk image, either after Stage 1 has been completed or in place of Stage 1 when a physical drive is delivered or is acquired from an unpowered system.
Conduct Rapid Triage
- PII search of the disk image
- Data point collection
- Network Logs
- Prefetch
- Registry
- Browser History
- mactime data
- Malware scan
- Event logs
- Application logs
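Both stages lean on the fls/mactime timeline, in Stage 1 to establish the time of compromise and in Stage 2 as one of the data points pulled from the image. As an added example (not the post's code and not The Sleuth Kit's), the script below does the part of mactime an analyst actually reads: it expands a body file into one event per timestamp, sorts it, picks the densest burst of write activity as the candidate time of compromise, and lists what was touched around it. The body-file rows are constructed for illustration; on a real case you would feed it the output of `fls -r -m / image.dd`. The clustering gap and the "largest burst" heuristic are this example's assumptions, a starting point for the analyst, not a verdict.

```python
"""Timeline an fls body file and find the burst around the time of compromise.

Added example for this post, not the author's or The Sleuth Kit's code.
Input is the TSK 3.x body format that `fls -m` emits:
  MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
with times as Unix epoch seconds and 0 meaning "no timestamp".
"""
from datetime import datetime, timezone

# Constructed body-file rows: a dropper, a payload and a hosts-file edit
# minutes apart, plus two unrelated files for background noise.
SAMPLE_BODYFILE = """\
0|/Windows/System32/cmd.exe|4411|r/rrwxrwxrwx|0|0|302592|1356000000|1247500000|1247500000|1247500000
0|/Users/jdoe/Downloads/invoice.pdf.exe|9921|r/rrwxrwxrwx|0|0|71234|1356001800|1356001700|1356001700|1356001700
0|/Windows/Temp/svch0st.exe|9922|r/rrwxrwxrwx|0|0|44032|1356001860|1356001850|1356001850|1356001850
0|/Windows/System32/drivers/etc/hosts|1201|r/rrwxrwxrwx|0|0|824|1356001900|1356001890|1356001890|1247500000
0|/Users/jdoe/Documents/report.docx|7730|r/rrwxrwxrwx|0|0|18000|1355900000|1355890000|1355890000|1355890000
"""

# (field, mactime letter): m=modified, a=accessed, c=changed, b=born/created
TIME_FIELDS = (("atime", "a"), ("mtime", "m"), ("ctime", "c"), ("crtime", "b"))


def parse_bodyfile(text):
    """Parse body-file rows into dicts; blank or malformed rows are skipped, not guessed."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != 11:
            continue
        _md5, name, inode, mode, _uid, _gid, size, atime, mtime, ctime, crtime = parts
        rows.append({"name": name, "inode": inode, "mode": mode, "size": int(size),
                     "atime": int(atime), "mtime": int(mtime),
                     "ctime": int(ctime), "crtime": int(crtime)})
    return rows


def build_timeline(rows):
    """One (ts, letter, name) event per file and timestamp type, sorted like mactime output."""
    events = []
    for r in rows:
        for field, letter in TIME_FIELDS:
            if r[field] > 0:            # 0 = timestamp not present
                events.append((r[field], letter, r["name"]))
    events.sort()
    return events


def activity_clusters(events, gap_seconds=300):
    """Group consecutive events whose spacing is at most gap_seconds (assumed gap)."""
    clusters = []
    for ev in events:
        if clusters and ev[0] - clusters[-1][-1][0] <= gap_seconds:
            clusters[-1].append(ev)
        else:
            clusters.append([ev])
    return clusters


def estimate_compromise_time(events):
    """Start of the largest burst of write-type (m/c/b) events; None if no events."""
    write_events = [e for e in events if e[1] in "mcb"]
    clusters = activity_clusters(write_events)
    biggest = max(clusters, key=len, default=None)
    return biggest[0][0] if biggest else None


def events_in_window(events, center_ts, seconds):
    """All events within +/- seconds of the candidate time of compromise."""
    return [e for e in events if abs(e[0] - center_ts) <= seconds]


def fmt(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    timeline = build_timeline(parse_bodyfile(SAMPLE_BODYFILE))
    toc = estimate_compromise_time(timeline)
    print("Candidate time of compromise:", fmt(toc))
    for ts, kind, name in events_in_window(timeline, toc, 600):
        print(fmt(ts), kind, name)
```

The access-time (a) events are deliberately left out of the burst detection: on a live system the triage tools themselves, and antivirus, update atimes wholesale, so a-only bursts are mostly noise. They are still shown in the window around the candidate time, where a read of cmd.exe right after a dropper appears is exactly what you want to see.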
This sure looks like a case for F-Response, especially if you combine Stage 1 and Stage 2 triage... I'm not saying I built this around it or anything... I'm just saying.