Preparation
ID: RS0001
Prepare for a security incident.
Response Actions
ID | Name | Description |
---|---|---|
RA1001 | Practice | Practice in the real environment. Refine the response actions within your organization |
RA1002 | Take trainings | Take training courses to acquire relevant knowledge |
RA1003 | Raise personnel awareness | Raise personnel awareness regarding phishing, ransomware, social engineering, and other attacks that involve user interaction |
RA1004 | Make personnel report suspicious activity | Make sure personnel will report suspicious activity, i.e. suspicious emails, links, files, activity on their computers, etc. |
RA1005 | Set up relevant data collection | Usually, data collection is managed by Log Management/Security Monitoring/Threat Detection teams. You need to provide them with a list of data that is critically important for the IR process. Most of the time, data like DNS and DHCP logs are not being collected, as their value for detection is relatively low. You can refer to the existing Response Actions (Preparation stage) to develop the list |
RA1006 | Set up a centralized long-term log storage | Set up a centralized long-term log storage. This is one of the most critical problems companies have nowadays. Even if there is such a system, in most cases it stores irrelevant data or has too short a retention period |
RA1007 | Develop a communication map | Develop a communication map for both internal communications (C-level, managers and technical specialists from the other departments that could be involved in the IR process) and external communications (law enforcement, national CERTs, subject matter experts that you lack, etc.) |
RA1008 | Make sure there are backups | Make sure there are both online and offline backups. Make sure they are fully operational. In the case of a successful ransomware worm attack, that is the only thing that will help you to save your critically important data |
RA1009 | Get the network architecture map | Get the network architecture map. Usually, it is managed by the Network Security team. It will help you to choose the containment strategy, such as isolating specific network segments |
RA1010 | Get the access control matrix | Get the Access Control Matrix. Usually, it is managed by the Network Security team. It will help you to identify adversary opportunities, such as lateral movement and so on |
RA1011 | Develop the assets knowledge base | Develop an assets knowledge base. It will help you to compare observed activity with a normal activity profile for a specific host, user or network segment |
RA1012 | Check the analysis toolset | Make sure your toolset for analysis and management is updated and fully operational. Make sure that all the required permissions have been granted as well |
RA1013 | Access vulnerability management system logs | Access vulnerability management system logs. It will help to identify the vulnerabilities a specific host had at a specific time in the past |
RA1014 | Connect with trusted communities | Connect with trusted communities for information exchange |
RA1101 | Access external network flow logs | Make sure you have access to external communication Network Flow logs |
RA1102 | Access internal network flow logs | Make sure you have access to internal communication Network Flow logs |
RA1103 | Access internal HTTP logs | Make sure you have access to internal communication HTTP logs |
RA1104 | Access external HTTP logs | Make sure you have access to external communication HTTP logs |
RA1105 | Access internal DNS logs | Make sure you have access to internal communication DNS logs |
RA1106 | Access external DNS logs | Make sure you have access to external communication DNS logs |
RA1107 | Access VPN logs | Make sure you have access to VPN logs |
RA1108 | Access DHCP logs | Make sure you have access to DHCP logs |
RA1109 | Access internal packet capture data | Make sure you have access to internal communication Packet Capture data |
RA1110 | Access external packet capture data | Make sure you have access to external communication Packet Capture data |
RA1111 | Get ability to block an external IP address | Make sure you have the ability to block an external IP address from being accessed by corporate assets |
RA1112 | Get ability to block an internal IP address | Make sure you can block an internal IP address from being accessed by corporate assets |
RA1113 | Get ability to block an external domain | Make sure you have the ability to block an external domain name from being accessed by corporate assets |
RA1114 | Get ability to block an internal domain | Make sure you can block an internal domain name from being accessed by corporate assets |
RA1115 | Get ability to block an external URL | Make sure you have the ability to block an external URL from being accessed by corporate assets |
RA1116 | Get ability to block an internal URL | Make sure you can block an internal URL from being accessed by corporate assets |
RA1117 | Get ability to block port external communication | Make sure you can block a network port for external communications |
RA1118 | Get ability to block port internal communication | Make sure you can block a network port for internal communications |
RA1119 | Get ability to block user external communication | Make sure you can block a user for external communications |
RA1120 | Get ability to block user internal communication | Make sure you can block a user for internal communications |
RA1121 | Get ability to find transferred data by content | Make sure you have the ability to find data transferred at a particular time in the past by its content pattern (i.e. specific string, keyword, binary pattern, etc.) |
RA1122 | Get ability to block data transfer by content | Make sure you have the ability to block data transfer by its content pattern (i.e. specific string, keyword, binary pattern, etc.) |
RA1123 | Get ability to list transferred data | Make sure you have the ability to list the data that is being transferred at the moment or at a particular time in the past |
RA1124 | Get ability to collect transferred data | Make sure you have the ability to collect the data that is being transferred at the moment or at a particular time in the past |
RA1125 | Get ability to identify transferred data | Make sure you have the ability to identify the data that is being transferred at the moment or at a particular time in the past (i.e. its content, value) |
RA1126 | Find transferred data by content | Make sure you have the ability to find the data that is being transferred at the moment or at a particular time in the past by its content pattern |
RA1127 | Get ability to analyse user-agent | Make sure you have the ability to analyse a User-Agent request header |
RA1201 | Get ability to list users who opened an email | Make sure you have the ability to list users who opened a particular email message |
RA1202 | Get ability to list email receivers | Make sure you have the ability to list receivers of a particular email message |
RA1203 | Get ability to block an email domain | Make sure you have the ability to block an email domain |
RA1204 | Get ability to block an email sender | Make sure you have the ability to block an email sender |
RA1205 | Get ability to delete an email | Make sure you have the ability to delete an email message |
RA1206 | Get ability to quarantine an email | Make sure you have the ability to quarantine an email message |
RA1207 | Get ability to collect an email message | Make sure you have the ability to collect an email message |
RA1208 | Get ability to analyse an email address | Make sure you have the ability to analyse an email address |
RA1301 | Get ability to list created files | Make sure you have the ability to list files that have been created at a particular time in the past |
RA1302 | Get ability to list modified files | Make sure you have the ability to list files that have been modified at a particular time in the past |
RA1303 | Get ability to list deleted files | Make sure you have the ability to list files that have been deleted at a particular time in the past |
RA1304 | Get ability to list downloaded files | Make sure you have the ability to list files that have been downloaded from the internet at a particular time in the past |
RA1305 | Get ability to list files with tampered timestamps | Make sure you have the ability to list files with a tampered timestamp |
RA1306 | Get ability to find a file by path | Make sure you have the ability to find a file by its path (including its name) |
RA1307 | Get ability to find a file by metadata | Make sure you have the ability to find a file by its metadata (i.e. signature, permissions, MAC times) |
RA1308 | Get ability to find a file by hash | Make sure you have the ability to find a file by its hash |
RA1309 | Get ability to find a file by format | Make sure you have the ability to find a file by its format |
RA1310 | Get ability to find a file by content | Make sure you have the ability to find a file by its content pattern (i.e. specific string, keyword, binary pattern, etc.) |
RA1311 | Get ability to collect a file | Make sure you have the ability to collect a specific file from a (remote) host or a system |
RA1312 | Get ability to quarantine a file by path | Make sure you have the ability to block a file from being accessed by its path (including its name) |
RA1313 | Get ability to quarantine a file by hash | Make sure you have the ability to block a file from being accessed by its hash |
RA1314 | Get ability to quarantine a file by format | Make sure you have the ability to block a file from being accessed by its format |
RA1315 | Get ability to quarantine a file by content | Make sure you have the ability to block a file from being accessed by its content pattern (i.e. specific string, keyword, binary pattern, etc.) |
RA1316 | Get ability to remove a file | Make sure you have the ability to remove a specific file from a (remote) host or a system |
RA1317 | Get ability to analyse a file hash | Make sure you have the ability to analyse a file hash |
RA1318 | Get ability to analyse Windows PE files | Make sure you have the ability to analyse a Windows Portable Executable file |
RA1319 | Get ability to analyse macOS Mach-O files | Make sure you have the ability to analyse a macOS Mach-O file |
RA1320 | Get ability to analyse a UNIX ELF file | Make sure you have the ability to analyse a UNIX ELF file |
RA1321 | Get ability to analyse MS Office files | Make sure you have the ability to analyse a Microsoft Office file |
RA1322 | Get ability to analyse a PDF file | Make sure you have the ability to analyse a PDF file |
RA1323 | Get ability to analyse a script | Make sure you have the ability to analyse a script file (i.e. Python, PowerShell, Bash scripts, etc.) |
RA1324 | Get ability to analyse a JAR file | Make sure you have the ability to analyse a JAR file |
RA1325 | Get ability to analyse a filename | Make sure you have the ability to analyse a filename |
RA1401 | Get ability to list executed processes | Make sure you have the ability to list processes being executed at the moment or at a particular time in the past |
RA1402 | Get ability to find a process by executable path | Make sure you have the ability to find a process executed at a particular time in the past by its executable path (including its name) |
RA1403 | Get ability to find a process by executable metadata | Make sure you have the ability to find a process executed at a particular time in the past by its executable metadata (i.e. signature, permissions, MAC times) |
RA1404 | Get ability to find a process by executable hash | Make sure you have the ability to find a process executed at a particular time in the past by its executable hash |
RA1405 | Get ability to find a process by executable format | Make sure you have the ability to find a process executed at a particular time in the past by its executable format |
RA1406 | Get ability to find a process by executable content | Make sure you have the ability to find a process executed at a particular time in the past by its executable content pattern (i.e. specific string, keyword, binary pattern, etc.) |
RA1407 | Get ability to block a process by executable path | Make sure you have the ability to block a process by its executable path (including its name) |
RA1408 | Get ability to block a process by executable metadata | Make sure you have the ability to block a process by its executable metadata (i.e. signature, permissions, MAC times) |
RA1409 | Get ability to block a process by executable hash | Make sure you have the ability to block a process by its executable hash |
RA1410 | Get ability to block a process by executable format | Make sure you have the ability to block a process by its executable format |
RA1411 | Get ability to block a process by executable content | Make sure you have the ability to block a process by its executable content pattern (i.e. specific string, keyword, binary pattern, etc.) |
RA1501 | Manage remote computer management system policies | Make sure you can manage Remote Computer Management system policies |
RA1502 | Get ability to list modified registry keys | Make sure you have the ability to list registry keys modified at a particular time in the past |
RA1503 | Get ability to list deleted registry keys | Make sure you have the ability to list registry keys deleted at a particular time in the past |
RA1504 | Get ability to list accessed registry keys | Make sure you have the ability to list registry keys accessed at a particular time in the past |
RA1505 | Get ability to list created registry keys | Make sure you have the ability to list registry keys created at a particular time in the past |
RA1506 | Get ability to list created services | Make sure you have the ability to list services that have been created at a particular time in the past |
RA1507 | Get ability to list modified services | Make sure you have the ability to list services that have been modified at a particular time in the past |
RA1508 | Get ability to list deleted services | Make sure you have the ability to list services that have been deleted at a particular time in the past |
RA1509 | Get ability to remove a registry key | Make sure you have the ability to remove a registry key |
RA1510 | Get ability to remove a service | Make sure you have the ability to remove a service |
RA1511 | Get ability to analyse a registry key | Make sure you have the ability to analyse a registry key |
RA1601 | Manage the identity management system | Make sure you can manage the Identity Management System, i.e. remove/block users, revoke credentials, and execute other Response Actions |
RA1602 | Get ability to lock a user account | Make sure you have the ability to lock a user account from being used |
RA1603 | Get ability to list authenticated users | Make sure you have the ability to list users authenticated at a particular time in the past on a particular system |
RA1604 | Get ability to revoke authentication credentials | Make sure you have the ability to revoke authentication credentials |
RA1605 | Get ability to remove a user account | Make sure you have the ability to remove a user account |