In this chapter, we discussed the security incident response process and shared some of the industry practices, such as the NIST SP800-62, the SANS Incident Handler Handbook, and MITRE's Ten Strategies of a World-Class Cyber Security Operations Center. We explored the incident response activities based on the phases defined by the NIST SP800-62: preparation, detection and analysis, containment and eradication, and post-incident activity.
In the preparation phase, we introduced some of the simulated attack tools for the red/blue team exercise. In the detection phase, we suggested applying CIS Critical Security Controls for Effective Cyber Defense to assess the detection and analysis capabilities. We introduced some containment ...