Incident Handling Steps

The incident response life cycle as defined by the NIST Computer Security Incident Handling Guide [1] has the following four steps:

  • Preparation
  • Detection & Analysis
  • Containment, Eradication & Recovery
  • Post-Incident Activity

This playbook may be used to aid in the first two steps of the life cycle: Preparation, and Detection & Analysis.

Preparation Phase

The preparation phase calls for establishing and training an incident response team, along with acquiring the tools and resources needed to perform response activities. This playbook is designed as a training guide for analysts working with Linux systems.

Detection & Analysis

Signs of an incident fall into one of two categories: precursors and indicators. A precursor is a sign that an incident may occur in the future. An indicator is a sign that an incident may have occurred or may be occurring now [1].

The playbook serves as a handbook and provides the sources for indicators on a Linux system. It details where to look for indicators, what conclusions can be drawn from them, and the data structure and organization of the artifacts in which they are found.