Incident Response Explained: Stages and Open Source software
The current age is one of supercomputers in our pockets. However, despite the best security tools, criminals keep attacking online resources. This post introduces you to Incident Response (IR), explains the different stages of IR, and then lists three free open source software packages that help with IR.
What is Incident Response
What is an Incident? It could be a cybercriminal or any malware taking over your computer. You should not ignore IR, because it can happen to anyone. If you think you won’t be affected, you may be right. But not for long, because there is no guarantee for anything connected to the Internet. Any component connected to it may go rogue, install some malware, or allow a cybercriminal direct access to your data.
You should have an Incident Response Template so that you can respond in case of an attack. In other words, IR is not about IF, but about the WHEN and HOW of information security.
Incident Response also applies to natural disasters. You know that all governments and people are prepared when any disaster strikes. They can’t afford to imagine that they are always safe. In such a natural incident, the government, the army, and plenty of non-government organizations (NGOs) step in. Likewise, you too cannot afford to overlook Incident Response (IR) in IT.
Basically, IR means being ready for a cyber attack and stopping it before it does any harm.
Incident Response – Six Stages
Most IT gurus claim that there are six stages of Incident Response. Some others keep it at five. But six works well, as the stages are easier to explain. Here are the IR stages that should be kept in focus while planning an Incident Response Template.
- Preparation
- Identification
- Containment
- Eradication
- Recovery, and
- Lessons Learned
1] Incident Response – Preparation
You need to be prepared to detect and deal with any cyberattack. That means you should have a plan. It should also include people with certain skills. It may include people from external organizations if you fall short of talent in your company. It is better to have an IR template that spells out what to do in case of a cyber attack. You can create one yourself or download one from the Internet. There are many Incident Response templates available on the Internet. But it is better to involve your IT team in the template, as they know the conditions of your network best.
2] IR – Identification
This refers to monitoring your business network traffic for any irregularities. If you find any anomalies, start acting per your IR plan. You might already have security equipment and software in place to keep attacks away.
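One concrete form of the "anomaly" the Identification stage looks for is a burst of failed logins from a single source. The following is an added example, not code from the original post or from any of the tools it names: it scans constructed sshd-style log lines with a per-source sliding window and reports a finding once the failure count inside the window reaches a threshold, noting whether the same source later logged in successfully. The log lines, the IP addresses (RFC 5737 documentation ranges), the 5-failures-in-60-seconds threshold and the year used to complete the syslog timestamps are all constructed assumptions.

```python
# Added example (not from the original post or any tool it names): an
# identification-stage check that scans authentication log lines for a burst
# of failed logins from one source IP. Log lines, addresses, thresholds and the
# timestamp year below are constructed for illustration.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd/syslog-style sample; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges, not real hosts.
SAMPLE_LOG = """\
Mar 10 09:00:01 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar 10 09:00:03 host1 sshd[1202]: Failed password for invalid user test from 203.0.113.7 port 50130 ssh2
Mar 10 09:00:04 host1 sshd[1203]: Accepted publickey for alice from 198.51.100.23 port 41000 ssh2
Mar 10 09:00:05 host1 sshd[1204]: Failed password for root from 203.0.113.7 port 50140 ssh2
Mar 10 09:00:06 host1 sshd[1205]: Failed password for root from 203.0.113.7 port 50141 ssh2
Mar 10 09:00:08 host1 sshd[1206]: Failed password for root from 203.0.113.7 port 50142 ssh2
Mar 10 09:00:45 host1 sshd[1207]: Failed password for bob from 198.51.100.23 port 41010 ssh2
Mar 10 09:05:00 host1 sshd[1208]: Failed password for root from 203.0.113.7 port 50200 ssh2
Mar 10 09:05:02 host1 sshd[1209]: Accepted password for bob from 198.51.100.23 port 41011 ssh2
Mar 10 09:05:10 host1 sshd[1210]: Accepted password for root from 203.0.113.7 port 50210 ssh2
"""

# Matches the sshd "Failed password for ..." / "Accepted <method> for ..." lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2024):
    """Parse one log line into a dict, or return None for lines we don't care about.
    Syslog timestamps carry no year, so one is supplied (constructed assumption)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def find_failed_login_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: finding} for every source whose failed logins within
    `window` reach `threshold`. The window slides per source, so failures spread
    out over hours do not accumulate into a false positive."""
    recent = defaultdict(deque)   # per-source timestamps of recent failures
    users = defaultdict(set)      # per-source set of user names tried
    findings = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        src = ev["src"]
        if ev["result"] == "Accepted":
            # A success after a burst from the same source is the higher-severity case.
            if src in findings:
                findings[src]["followed_by_success"] = True
            continue
        users[src].add(ev["user"])
        q = recent[src]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if src in findings:
            findings[src]["total_failures"] += 1
            findings[src]["last_seen"] = ev["ts"]
        elif len(q) >= threshold:
            findings[src] = {
                "first_seen": q[0],
                "last_seen": ev["ts"],
                "burst_attempts": len(q),
                "total_failures": len(q),
                "followed_by_success": False,
            }
    for src, f in findings.items():
        f["users"] = sorted(users[src])
    return findings


if __name__ == "__main__":
    for src, f in find_failed_login_bursts(SAMPLE_LOG).items():
        print(f"{src}: {f['burst_attempts']} failures in window, users={f['users']}, "
              f"later success={f['followed_by_success']}")
```

A finding from this check is what would trigger the "start acting per your IR plan" step above: the source, the accounts tried and whether a login eventually succeeded are the first facts the Containment stage needs.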
3] IR – Containment
The main aim of the third process is to contain the attack's impact. Here, containing means reducing the impact and stopping the cyberattack before it can damage anything.
Containment in Incident Response covers both short- and long-term plans (assuming that you have a template or plan to counter incidents).
4] IR – Eradication
Eradication, in Incident Response’s six stages, means restoring the network that was affected by the attack. It can be as simple as restoring from an image of the network stored on a separate server that is not connected to any network or to the Internet.
5] IR – Recovery
The fifth stage in Incident Response is to clean the network to remove anything that might have been left behind after eradication. It also means bringing the network back to life. At this point, you would still be monitoring the network for any abnormal activity.
6] Incident Response – Lessons Learned
The last stage of Incident Response’s six stages is about looking into the incident and noting down the things that were at fault. People often skip this stage, but it is necessary to learn what went wrong and how you can avoid it in the future.
Open Source Software for managing Incident Response
1] CimSweep is an agentless suite of tools that helps you with Incident Response. You can use it remotely, too, if you can’t be present at the place where the incident happened. This suite contains tools for threat identification and remote response. It also offers forensic tools that help you check event logs, services, active processes, and so on. More details here.
2] GRR Rapid Response Tool is available on GitHub and helps you perform different checks on your network (Home or Office) to see if there are any vulnerabilities. It has tools for real-time memory analysis, registry search, etc. It is built in Python, and so is compatible with all Windows OS versions – XP and later, including Windows 10. Check it out on GitHub.
3] TheHive is yet another open source, free Incident Response tool. It allows working with a team. Teamwork makes it easier to counter cyber attacks, as the work (duties) is distributed among different, talented people. Thus, it helps in real-time monitoring of IR. The tool offers an API that the IT team can use. When used with other software, TheHive can monitor up to a hundred variables at a time – so that any attack is immediately detected, and Incident Response begins quickly. More information here.
The above explains Incident Response in brief, checks out the six stages of Incident Response, and names three tools for help in dealing with Incidents. If you have anything to add, please do so in the comments section below.