- Security Awareness Training - Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.
- Personnel Report Suspicious Activity - Develop a simplified, company wide-known way to contact IR team in case of suspicious activity on the user system. Make sure that the personnel is aware of it, can and will use it.
- Set Up Log Collection - Usually, data collection is managed by Log Management/Security Monitoring/Threat Detection teams. You need to provide them with a list of data that is critically important for IR process. Most of the time, data like DNS and DHCP logs are not being collected, as their value for detection is relatively low.
- Set Up Long-term log Storage - This is one of the most critical problems companies have nowadays. Even if there is such a system, in most of the cases it stores irrelevant data or has too small retention period.
- Create Communication Map - Develop a communication map for both internal (C-level, managers and technical specialists from the other departments, that could be involved in IR process) and external communications (law enforcement, national CERTs, subject matter experts that you have lack of, etc).
- Verification of Backups - Make sure there are both online and offline backups. Make sure they are fully operational. In the case of a successful ransomware worm attack, thats the only thing that will help you to safe your critically important data
- Create Network Map Diagram - Get network architecture map. Usually, its managed by the Network security team. It will help you to choose the containment strategy, such as isolating specific network segments
- Report of Host Vulnerabilities - Get information about a specific host existing vulnerabilities, or about vulnerabilities it had at a particular time in the past.
- Monitor Compromised Accounts - Put (potentially) compromised accounts on monitoring.
- Hosts Communicated with Internal Domain - List hosts communicated with an internal domain.
- Hosts Communicated with Internal IP Address - List hosts communicated with an internal IP address
- Hosts communicated with an internal URL - List hosts communicated with an internal URL
- Domain Analysis - Analyse a domain name
- List Data Transferred - List the data that is being transferred at the moment or at a particular time in the past.
- Collect Data Transferred - Collect the data that is being transferred at the moment or at a particular time in the past.
- Identify Transferred Data - Identify the data that is being transferred at the moment or at a particular time in the past (i.e. its content, value).