Incident Response by Richard Forno, Kenneth R. van Wyk

Keeping Up with Attack Profiles

Because it is so important to maintain current knowledge and awareness of the state of the hack, every incident response team must ensure that its members are adequately collecting, analyzing, assimilating, and disseminating the right information. That means that some fraction of every team member's time, however small or large, should be spent maintaining the knowledge base and gathering intelligence. There are a number of ways to do that efficiently, but in the end, there is no real substitute for reading, testing, and documenting. Some suggestions for maintaining your knowledge base include:

Open sources of information

There are hundreds of public information sources on the Internet that directly relate to state-of-the-hack technology issues. These range from web sites to electronic mailing lists and Usenet newsgroups. In fact, finding the groups is the easy part; sifting through the vast amounts of data to separate the quality content from the noise is the difficult part. In aggregate, these sources produce far more information than any one person can reasonably read with any appreciable level of comprehension. One way to optimize a team's efforts in sifting through these information sources is to assign different lists, technologies, pages, and so forth, to each team member. Another alternative is to use automated data filtering tools to search for particular key words, ...