Notes 11-19-19
Incident Response

Preparation
  Consider possible scenarios
  Backups
    Hot site - duplicate functionality; live data duplication (tech, people)
    Warm site - more work to bring online; update data
    Mutual/Shared site - service provided for multiple users
    Cloud Shared Site - virtual services
  Asset Management System (track computers)
    Keeping data up to date (add a device)
    Centralizing purchases
    Normalizing data; centralized DB (one DB of record)
  Baseline data - what does normal operation look like?
    Network traffic
    File use
    Process lists, numbers
  Indicators of Compromise (IOCs) - difference from baseline
    Login attempts
    People/complaints
    Many requests for the same file
    Larger HTTP responses (e.g. from DB)

Discovery/Identification
  Yahoo! breach, Dec 2016; incident began Aug 2013

Containment/Escalation
  Taking computers offline
  Faraday cage
  Filtering network
  Data loss:
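Worked example of the baseline/IOC idea above: build a baseline of "normal" from access-log lines, then flag the three deviations the notes list (failed-login bursts, the same file requested repeatedly, oversized responses). This is added illustration code, not part of the notes; the log format ("client path status bytes"), the sample lines and the thresholds (2x the baseline maximum, mean + 3 standard deviations) are all assumptions chosen for the example.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed sample access-log lines ("client path status bytes"), not real traffic.
BASELINE_LOG = """10.0.0.5 /index.html 200 1200
10.0.0.6 /index.html 200 1180
10.0.0.5 /login 401 300
10.0.0.6 /login 200 450
10.0.0.9 /index.html 200 1210
"""
OBSERVED_LOG = ("10.0.0.5 /index.html 200 1190\n"
                + "10.0.0.42 /login 401 300\n" * 6         # burst of failed logins
                + "10.0.0.42 /backup.zip 200 1100\n" * 7   # same file requested over and over
                + "10.0.0.42 /export 200 910000\n")        # oversized response, e.g. a DB dump
LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\d+)$")

def parse(log):
    """Parse lines into (client, path, status, size) tuples; malformed lines are skipped."""
    rows = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m[1], m[2], int(m[3]), int(m[4])))
    return rows

def failed_logins(rows):
    return Counter(c for c, p, s, _ in rows if p == "/login" and s == 401)

def build_baseline(rows):
    """What normal looks like: response-size stats, busiest path, worst login-failure count."""
    sizes = [b for *_, b in rows]
    return {"size_mean": mean(sizes), "size_stdev": pstdev(sizes),
            "max_hits_per_path": max(Counter(p for _, p, _, _ in rows).values()),
            "max_failed_logins": max(failed_logins(rows).values(), default=0)}

def find_iocs(baseline, rows):
    """Return (kind, subject, value) for each deviation from the baseline."""
    iocs = []
    for path, n in Counter(p for _, p, _, _ in rows).items():
        if n > 2 * baseline["max_hits_per_path"]:
            iocs.append(("repeated_requests", path, n))
    for client, n in failed_logins(rows).items():
        if n > 2 * baseline["max_failed_logins"]:
            iocs.append(("login_attempts", client, n))
    limit = baseline["size_mean"] + 3 * baseline["size_stdev"]   # 3-sigma size threshold
    for client, path, _, size in rows:
        if size > limit:
            iocs.append(("large_response", f"{client} {path}", size))
    return iocs
```

Running `find_iocs(build_baseline(parse(BASELINE_LOG)), parse(OBSERVED_LOG))` yields one IOC of each kind; on a real system the baseline would be rebuilt periodically from known-good traffic, since a stale baseline produces both false alarms and missed deviations.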