HTB's SOC Analyst Path - Incident Handling Process(Fundamental - 1)
Event (any action occurring in the system/network) ---> Incident (any event with a negative consequence) ---> Incident Handling (a clearly defined set of procedures to manage and respond to security incidents in a computer and network environment)
Resources for Incident Handling --> NIST Incident Handling Guide
Cyber Kill Chain (7 stages) (RWDEICA)
Recon ---> Weaponize ---> Deliver ---> Exploit ---> Install ---> Command & Control (C&C) ---> Action
Incident Handling Process (Cyclic)(4 stages) (PDCP)
Preparation ---> Detection & Analysis ---> Containment, Eradication & Recovery ---> Post-Incident Activity
Preparation (Stage 1)(Jump Bag)
a) Skilled Incident Handling members
b) Trained Workforce
c) Clear policies and documentation
d) Tools
Preparation (Stage 2)
a) DMARC
b) Privileged Identity Management/MFA/Passwords
c) Vulnerability Scanning
d) User awareness training
e) Purple team exercises
Detection & Analysis
a) Investigation
Initial Investigation Data ---> IOCs (Indicators of Compromise) ---> Compromised Systems ---> Collection & Analysis (cyclic process: every newly identified system feeds more data and more IOCs back into the loop)
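The investigation loop above, as an added example that is not part of the original notes or the HTB module: starting from one alerted host, it pulls that host's non-allowlisted indicators, pivots across constructed proxy/EDR-style records to find every other host touching them, and repeats until no new IOCs or hosts appear. The host names, domains, hashes and the KNOWN_GOOD allowlist are all made up for the example.

```python
from dataclasses import dataclass

# Constructed sample telemetry (not from the page): host,destination,file_hash
# in the style of proxy/EDR records. Hashes are shortened placeholders.
SAMPLE_EVENTS = """\
ws01,update.example-cdn.test,aaa111
ws01,portal.corp.test,bbb222
ws02,update.example-cdn.test,ccc333
ws02,files.corp.test,ddd444
ws03,files.corp.test,ccc333
ws04,portal.corp.test,eee555
"""

# Constructed allowlist: domains and hashes the analyst has already vetted.
# Anything else observed on a compromised host is treated as a candidate IOC.
KNOWN_GOOD = {"portal.corp.test", "files.corp.test", "bbb222", "ddd444", "eee555"}


@dataclass(frozen=True)
class Event:
    host: str
    dest: str
    sha: str


def parse_events(text):
    """Parse CSV-style lines into Event records, skipping blank lines."""
    return [Event(*line.split(",")) for line in text.splitlines() if line.strip()]


def investigate(events, initial_hosts, known_good=KNOWN_GOOD):
    """Run the Detection & Analysis loop: initial data -> IOCs -> compromised
    systems -> collect again, until the scope stops growing.
    Returns (compromised hosts, IOCs, number of rounds run)."""
    compromised, iocs, rounds = set(initial_hosts), set(), 0
    while True:
        rounds += 1
        # Collection: every indicator seen on the hosts known to be compromised.
        candidate = {ind for e in events if e.host in compromised
                     for ind in (e.dest, e.sha) if ind not in known_good}
        # Analysis / pivot: any host that touched one of those indicators.
        hits = {e.host for e in events if e.dest in candidate or e.sha in candidate}
        if candidate <= iocs and hits <= compromised:
            return compromised, iocs, rounds  # fixed point: scope is stable
        iocs |= candidate
        compromised |= hits


if __name__ == "__main__":
    hosts, indicators, n = investigate(parse_events(SAMPLE_EVENTS), {"ws01"})
    print(f"{n} rounds, compromised={sorted(hosts)}, iocs={sorted(indicators)}")
```

In real work each candidate IOC is validated before it is used to pivot, otherwise one noisy host drags unrelated systems into scope.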
CER (Containment, Eradication and Recovery stage)
a) Long Term containment --> isolated VLAN, shut down
b) Short Term containment --> changing passwords, updating firewall rules, Intrusion Detection Systems
Note: Questions asked in the path are very easy, so if you can't solve them, leave your dream of becoming a SOC Analyst