research-article

A forensic approach to incident response

Author:
Trevor Lamis

Kennesaw State University, MS, Kennesaw, GA

Kennesaw State University, MS, Kennesaw, GA
View Profile

InfoSecCD '10: 2010 Information Security Curriculum Development ConferenceOctober 2010Pages 177–185https://doi.org/10.1145/1940941.1940975

Published:01 October 2010Publication History

InfoSecCD '10: 2010 Information Security Curriculum Development Conference

Pages 177–185

ABSTRACT

An incident response plan is critical for the detection and removal of information security threats. Incident response involves many aspects other than technical issues. There are management, legal, and social issues that an incident response team needs to consider. An incident response identifies, contains, and eliminates the incident. Then, the compromised system is fully recovered and restored. To hold the intruder accountable, a forensic investigation is needed. Documentation of all activities and evidence gathering is crucial when during the entire response and investigation. The paper proposes and discusses interconnected methodological frameworks for both incident response and network forensics.

References

Adelstein, F. 2006. Live forensics: diagnosing your system without killing it first. Communications of the ACM. 49, 2, (Feb. 2006), 63--66. Google ScholarDigital Library
Brown, D. 2008. Incident response: communication is key. Security Magazine. Retrieved from http://www.securitymagazine.com/Articles/Feature_Article/BNP_GUID_9-5-2006_A_10000000000000227258Google Scholar
Jajodia, S., McCollum, C., and Ammann, P. 1999. Trusted recovery: prevention and detection receive most of the attention, but recovery is an equally important phase of information warfare defense. Communications of the ACM. 42, 7, (July. 1999), 71--75. Google ScholarDigital Library
Lathoud, B. 2004. Formalization of the processing of electronic traces. International Review of Law Computers & Technology. 18, 5. (July. 2004) DOI= 10.1080/1360086042000223490.Google Scholar
Mitchell, R., Marcella, R., and Baxter, G. 1999. Corporate information security management. New Library World. 100, 5, (1999), 213--227. DOI= 10.1108/0307480991028588.Google ScholarCross Ref
Mitropoulos, S., Patsos, D., and Douligeris, C. On incident handing and response: a state-of-the-art approach. Computers & Security. 25. (2006), 351--370. DOI= 10.1016/j.case.2005.09.006.Google Scholar
Paul, G. 2009. Improving logical security for critical infrastructure. Frost & Sullivan. Retrieved from http://www.frost.com/prod/servlet/market-insight-top.pag?docid=164966592.Google Scholar
Pilli, E., Joshi, R. C., and Niyogi, R. 2010. A generic framework for network forensics. International Journal of Computer Applications. 1, 11. (2010). Retrieved from http://www.ijcaonline.org/journal/number11/pxc387408.pdf.Google ScholarCross Ref
Rollason-Reese, R. 2003. Incident handling: an orderly response to unexpected events. ACM. New York, NY, 97--102. DOI= http://doi.acm.org/10.1145/947469.947496. Google ScholarDigital Library
Sanderson, E. and Forcht, K. 1996. Information security in business environments. Information Management and Computer Security. 4, 1. (1996), 32--37. DOI= 10.1108/09685229610114187Google ScholarCross Ref
Tan, T., Ruighaver, T., and Ahmad, A. 2003. Incident handling: where the need for planning is often not recognized. In 1^st Australia Computer, Network & Information Forensics Conference 2003. (Perth, Western Australia, 2003). Retrieved from http://frogchunk.com/documentation/security-management/terenceatiftobias.pdf.Google Scholar
Werlinger, R., Muldner, K., Hawkey, K., and Beznosov, K. 2010. Preparation, detection, and analysis: the diagnostic work of IT security incident response. Information Management & Computer Security. 18, 1 (2010). DOI= 10.1108/09685221011035241.Google Scholar
Whitman, M. and Mattord, H. 2010. Management of Information Security, 3^rd Edition. Cengage, Learning/Course Technology, Boston, MA 02210.Google Scholar
Wilcox, S., and Brown, D. 2005. Responding to security incidents - sooner of later you systems will be compromised. Journal of Health Care Compliance. 7, 2 (April. 2005), 41--48.Google Scholar

Index Terms

A forensic approach to incident response
1. Security and privacy
  1. Cryptography
    1. Cryptanalysis and other attacks
  2. Intrusion/anomaly detection and malware mitigation
2. Social and professional topics
  1. Computing / technology policy
    1. Computer crime

Recommendations

Model-Based Incident Response Playbooks
ARES '22: Proceedings of the 17th International Conference on Availability, Reliability and Security

Inevitably, all systems are vulnerable, and none are impervious to attack. Incident response is an important element in maintaining the cyber security posture of organizations. Incident response practitioners often rely on process descriptions in the ...
Read More
SP 800-86. Guide to Integrating Forensic Techniques into Incident Response
Read More
A forensic taxonomy of SCADA systems and approach to incident response
ICS-CSR '15: Proceedings of the 3rd International Symposium for ICS & SCADA Cyber Security Research

SCADA systems that monitor and control Critical National Infrastructure (CNI) are increasingly becoming the target of advanced cyber-attacks since their convergence with TCP/IP and other networks for efficient controlling. When a SCADA incident occurs ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
InfoSecCD '10: 2010 Information Security Curriculum Development Conference
October 2010
187 pages
ISBN:9781450302029
DOI:10.1145/1940941
Conference Chairs:
Mike Whitman,
Herb Mattord
Copyright © 2010 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 1 October 2010
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
evidence
incident response
network forensics
network traces
Qualifiers
- research-article
Conference

Acceptance Rates
Overall Acceptance Rate18of23submissions,78%
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 6
  Total Citations
  View Citations
- 1,257
  Total Downloads
- Downloads (Last 12 months)82
- Downloads (Last 6 weeks)8
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

A forensic approach to incident response

InfoSecCD '10: 2010 Information Security Curriculum Development Conference

ABSTRACT

References

Cited By

Index Terms

Recommendations

Model-Based Incident Response Playbooks

SP 800-86. Guide to Integrating Forensic Techniques into Incident Response

A forensic taxonomy of SCADA systems and approach to incident response