6- Lessons Learned
It saves time during an investigation if all data can be examined from a single point through a central log collection system that can handle large files.
NTP should be enabled on all devices in the network so that the timestamps of the collected logs can be matched against each other.
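As an added illustration of the two points above (not part of the original document), the script below correlates constructed log lines from three sources that record time differently: a firewall stamping in its local zone, a web server stamping in UTC, and a syslog host writing no zone at all. Sorting by raw clock readings gives a misleading order of events; normalising everything to UTC first gives the real one. The source names, line formats and the UTC+3 zone of the syslog host are assumptions.

```python
from datetime import datetime, timezone, timedelta

# Constructed sample lines (not real data). All three clocks are correct, but each
# source writes timestamps differently: the firewall in its local zone (UTC+3),
# the web server in UTC, and the auth host's syslog with no zone information.
FIREWALL_LINES = [
    "2024-05-01 13:15:09 +0300 ALLOW src=203.0.113.5 dst=10.0.0.12 dport=22",
]
WEB_LINES = [
    "2024-05-01T10:15:20Z GET /admin 200 client=203.0.113.5",
]
AUTH_LINES = [
    "May  1 13:15:11 sshd[4021]: Accepted password for admin from 203.0.113.5",
]
AUTH_HOST_TZ = timezone(timedelta(hours=3))  # assumed zone of the syslog host
SYSLOG_YEAR = 2024                           # classic syslog lines omit the year

def parse_firewall(line):
    wall = datetime.strptime(line[:25], "%Y-%m-%d %H:%M:%S %z")
    return {"utc": wall.astimezone(timezone.utc), "wall": wall.replace(tzinfo=None),
            "source": "firewall", "msg": line[26:]}

def parse_web(line):
    stamp, _, msg = line.partition(" ")
    wall = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
    return {"utc": wall.replace(tzinfo=timezone.utc), "wall": wall,
            "source": "web", "msg": msg}

def parse_auth(line):
    # The zone is not in the line, so it has to come from host documentation.
    wall = datetime.strptime(f"{SYSLOG_YEAR} {line[:15]}", "%Y %b %d %H:%M:%S")
    return {"utc": wall.replace(tzinfo=AUTH_HOST_TZ).astimezone(timezone.utc),
            "wall": wall, "source": "auth", "msg": line[16:]}

def collect(firewall=FIREWALL_LINES, web=WEB_LINES, auth=AUTH_LINES):
    """Central collection point: one list of events from every source."""
    return ([parse_firewall(l) for l in firewall] + [parse_web(l) for l in web]
            + [parse_auth(l) for l in auth])

def order_by(events, key):
    """Source names in the order implied by the chosen timestamp ('wall' or 'utc')."""
    return [e["source"] for e in sorted(events, key=lambda e: e[key])]

if __name__ == "__main__":
    events = collect()
    print("raw clock order:", order_by(events, "wall"))  # web first: misleading
    print("UTC order:      ", order_by(events, "utc"))   # firewall, auth, web
    for e in sorted(events, key=lambda e: e["utc"]):
        print(e["utc"].strftime("%H:%M:%SZ"), e["source"], e["msg"])
```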
If each staff member's different accounts share the same user name, and that user name differs from every other staff member's, it is easy to track a user's activity during an incident.
Administrators for the services and systems in use should be designated, and a document should describe how to reach them when needed.
Information such as the device inventory, operating systems, patch levels and criticality of each system should be available instantly.
The team may need to communicate independently of the internal network; mobile phones or secondary e-mail accounts can be used for such cases.
Who will initiate legal proceedings, and in which situations, should be decided before an incident occurs.
Since the type of incident determines the actions to be taken, it is important to identify the type of the incoming incident, e.g. DDoS, malware infection, data leak.
Action should be taken according to the technique used so that the attacker's method is intercepted quickly. If the attacker has captured an account, simple measures such as deactivating the account and blocking the IP address should be applied quickly.
An image of volatile memory, along with the firewall, network traffic and other logs, will be required for the investigation.
Unplugging the compromised system could be a solution, but isolating it is the more viable one.
Once the systems affected by the incident have been identified, the attacker's ability to spread within the network has been cut off, and volatile data has been collected, the next step can begin.
Using the information obtained in the 2nd and 3rd stages, the root cause of the incident should be determined. The attacker must then be completely kicked out.
If rootkits are suspected on the system, the disk should be wiped and a clean backup restored. After the installation, the latest updates for the existing applications and systems should be applied.
Potential attack points on networks and systems should be identified and fixed by performing vulnerability scans.
Once the necessary arrangements to prevent the incident from recurring are in place, the recovery phase can begin.
Verify that logging, systems, applications, databases, and other operations work correctly.
At this stage, the restore operation is coordinated.
Systems should be monitored for recurring events.
When no repeated harmful situation or unusual activity is observed, the next step is taken.
The report includes the reviews held with the expert and the executive, which stages of the response plan worked well and which worked badly, and recommendations regarding the process. It should be written so that the manager is sure the incident has been closed.