Incident Response

Under construction

Models of Incident Response

PICERL Model

Preparation

Identification

Containment

Eradication

Recovery

Lessons Learned

A More Dynamic Approach

In the updated SANS SEC504 course, the authors explain that the modern threat landscape calls for a more dynamic approach: there is no one-size-fits-all process, because detections come from numerous sources. They therefore emphasize a cyclical approach to scoping the incident, as illustrated below.

NIST Model

Offensive Models

MITRE ATT&CK

Cyber Kill Chain

Diamond Model

F3EAD

Enterprise Incident Response

Identification & Criticality

Log Sources

Where to Start?

DNS Event Analysis

Web Proxy Event Analysis

Malware Analysis

Endpoint Intrusion Analysis

Memory Analysis

Investigative Models

OODA