Thursday, May 26, 2016

netflow and OODA loop

Circling back to the beginning with each step/phase is a must for OODA - Observe | Orient | Decide | Act
Observation points for what occurred are identified through various logs, including firewall, IDS/IPS, proxy services, and local system logs; a central/aggregated store or SIEM is helpful. Perhaps one of my favorites in these scenarios is the use of netflow data. A couple of options exist for exports, including taps, SPAN/mirror ports, and virtual machine installs on VMware ESX servers.

Of course, advances in technology stretch the capabilities and blur the analysis of full data packet capture (APTs, virtualized data centers, DDoS, IPv6, etc.), so what's equally important is a proper kill chain. It starts with Reconnaissance, understanding the Exploitation, and determining/detecting the command-and-control methods, which can lead to data exfiltration, corruption, and harvest (or holding hostage) of critical information.

So, having the appropriate toolset is complemented by having the right escalation and communication path and SMEs. Recovery strategy and capability will come to bear in terms of recovery as much as Dwell Time (time from infection to detection to recovery).
Specific considerations for Netflow include: flow assembly, flow deduplication and retention (allowing efficient storage and eliminating false positives), and behavioral analysis/recognition (algorithms and visualization). Finally, related analytics and visual representation will offer the best indexes, alarms, and reactionary awareness. An available source of info: lanscope.com
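As an added example (my own code, not from this post or from any netflow vendor), the script below takes a constructed, simplified netflow-style CSV export, deduplicates records that two exporters (say a tap and a SPAN port on the same path) both reported, assembles flows into conversations, and runs two of the behavioral checks the post alludes to: near-periodic check-ins to one external service, the typical shape of command-and-control, and large outbound volume to a single external peer, the typical shape of exfiltration. The CSV columns, the 10.0.0.0/8 internal range, the sample addresses and the thresholds are all assumptions made for the example.

```python
"""Minimal netflow triage: deduplication, conversation assembly and two
behavioral checks (beacon periodicity, outbound volume).
All records below are constructed for this example; they are not real data."""
import csv
import io
import ipaddress
import statistics
from collections import defaultdict

# Constructed sample export, one unidirectional flow per line.
# Columns: start epoch seconds, src, sport, dst, dport, proto, bytes, packets.
# Lines 1 and 8 are repeated on purpose: two exporters saw the same flow.
SAMPLE_FLOWS = """\
ts,src,sport,dst,dport,proto,bytes,packets
1000,10.0.0.5,51000,203.0.113.7,443,tcp,620,6
1000,10.0.0.5,51000,203.0.113.7,443,tcp,620,6
1060,10.0.0.5,51001,203.0.113.7,443,tcp,640,6
1121,10.0.0.5,51002,203.0.113.7,443,tcp,610,6
1180,10.0.0.5,51003,203.0.113.7,443,tcp,630,6
1241,10.0.0.5,51004,203.0.113.7,443,tcp,625,6
1300,10.0.0.5,51005,203.0.113.7,443,tcp,615,6
1005,10.0.0.9,40001,198.51.100.4,22,tcp,52000000,41000
1005,10.0.0.9,40001,198.51.100.4,22,tcp,52000000,41000
1010,10.0.0.12,40500,192.0.2.20,80,tcp,9000,14
1400,10.0.0.12,40501,192.0.2.21,443,tcp,12000,20
1900,10.0.0.12,40502,192.0.2.22,443,tcp,7000,9
"""

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range


def parse_flows(text):
    """Parse the simplified CSV export into dicts with numeric fields."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        for key in ("ts", "sport", "dport", "bytes", "packets"):
            row[key] = int(row[key])
        flows.append(row)
    return flows


def dedupe_flows(flows):
    """Keep one record per (start time, 5-tuple). Counting a flow once per
    exporter doubles byte volumes and inflates any threshold-based alarm."""
    seen = {}
    for f in flows:
        key = (f["ts"], f["src"], f["sport"], f["dst"], f["dport"], f["proto"])
        seen.setdefault(key, f)
    return list(seen.values())


def assemble_conversations(flows):
    """Group flows into host-to-service conversations, ordered by start time."""
    convs = defaultdict(list)
    for f in flows:
        convs[(f["src"], f["dst"], f["dport"], f["proto"])].append(f)
    for conv in convs.values():
        conv.sort(key=lambda f: f["ts"])
    return convs


def detect_beacons(flows, min_events=5, max_jitter=0.2):
    """Flag conversations to external services whose start times are
    near-periodic: a steady interval with little jitter is a C2 check-in shape."""
    hits = []
    for (src, dst, dport, proto), conv in assemble_conversations(flows).items():
        if len(conv) < min_events or ipaddress.ip_address(dst) in INTERNAL:
            continue
        gaps = [b["ts"] - a["ts"] for a, b in zip(conv, conv[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.stdev(gaps) / mean <= max_jitter:
            hits.append({"src": src, "dst": dst, "dport": dport,
                         "events": len(conv), "mean_interval": mean})
    return hits


def detect_exfil(flows, threshold_bytes=10_000_000):
    """Flag internal hosts that pushed more than threshold_bytes to one external peer."""
    totals = defaultdict(int)
    for f in flows:
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        if src in INTERNAL and dst not in INTERNAL:
            totals[(f["src"], f["dst"])] += f["bytes"]
    return sorted(((s, d, b) for (s, d), b in totals.items() if b > threshold_bytes),
                  key=lambda t: -t[2])


if __name__ == "__main__":
    unique = dedupe_flows(parse_flows(SAMPLE_FLOWS))
    for hit in detect_beacons(unique):
        print("possible beacon:", hit)
    for src, dst, total in detect_exfil(unique):
        print(f"large outbound transfer: {src} -> {dst} {total} bytes")
```

Run it as-is and the 10.0.0.5 conversation is reported as a beacon (six flows about 60 seconds apart) and 10.0.0.9 as a large outbound transfer; drop the `dedupe_flows` call and the transfer doubles to 104 MB, which is the false-positive inflation the post's deduplication point is about.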
