Incident Response & Computer Network Forensics

Where cyber threat intelligence is focused on collecting and analyzing threats to the organization, incident response (IR) and network forensics deal with successful attacks and security events within the organization. If an attacker is able to breach your organization, there need to be effective, structured plans for dealing with the event. Incident response outlines how these events are handled. Network forensics uses specific toolsets to examine the devices, networks and transactions involved in the event and provide pertinent information to examiners.

The document below was my final project for this course. The scenario involves personal information being posted on the internet. The report provides a structured process to respond to the incident and gather all information necessary. All of the examples are fictitious but represent a real-world event that could affect any organization.

Computer Forensic Examination Report_Rick_Guetschow.docx

Reflections

As I look back on this course, I am reminded how important a structured, professional and ethical incident response team is. The strength of the incident response team can determine the ultimate success or failure of an organization involved in an incident. IR teams must maintain evidence and provide accurate analysis without passing judgment or trying to come to conclusions too soon in the process. The more information an IR team can gather, the better their decision-making and guidance to leadership can be.

Not all organizations are able to build an in-house IR team; thankfully, there are third-party organizations such as Mandiant, Trustwave, and Secureworks that can parachute in IR teams to help secure organizations after an incident. Even if an organization decides to outsource its incident response, a cyber security professional has an ethical responsibility to be open, honest, and forthright with any IR professionals involved in the incident. Sharing information and cooperation can keep the business in operation after a breach.


References are cited in the Reference Link Library