Preparation Stage (Part 1)
The preparation stage consists of two separate objectives:
Establishment of incident handling capability within the organization
Protecting against and preventing incidents (Implementing security measures like endpoint hardening, multi-factor authentication, and privileged access management)
Preparation Prerequisites
During the preparation, we need to ensure that we have:
Skilled incident handling team members
Trained workforce
Clear policies and documentation
Tools (software and hardware)
Clear Policies & Documentation
Up-to-date incident response policies and procedures.
Contact lists for key personnel (legal, compliance, IT, management, law enforcement, ISPs).
System and network baselines for reference.
Organization-wide asset management database.
Pre-approved user accounts with privileged access for emergencies.
Fast-track purchasing process for emergency tools.
Forensic investigation cheat sheets.
Tools
Moving forward, we also need to ensure that we have the right tools to perform the job. These include, but are not limited to:
Hardware & Devices
Dedicated forensic workstations.
Hard drives and write blockers for forensic imaging.
Network cables, switches, and repair tools.
Secure storage and investigation facilities.
Software Tools
Digital forensic imaging and analysis tools.
Memory capture and live response tools.
Log analysis and network traffic analysis tools.
Encryption software and secure ticket tracking systems.
Jump Bag (Ready-to-Go Incident Kit)
Kept packed with the necessary tools so it can be picked up and taken on-site immediately.
Quiz: Preparation Stage (Part 1)
1. What are the two main goals of the preparation stage?
a) Setting up an incident handling team and preventing incidents
b) Investigating malware and contacting law enforcement
c) Isolating infected systems and blocking attackers
d) Removing security policies and using default settings
2. Why is workforce training important in the preparation stage?
a) To ensure employees can handle incidents without IT involvement
b) To improve security awareness and reduce risk
c) To replace the incident handling team if needed
d) To comply with GDPR only
3. What key information should be included in incident response documentation? (Select two)
a) Contact details for the incident response team
b) A list of employees' personal devices
c) The incident response plan and procedures
d) Daily work schedules of employees
4. What is a jump bag used for?
a) Storing backups of company files
b) A pre-packed kit containing essential response tools
c) A secure vault for encrypting company data
d) A method for quickly wiping affected systems
5. Why should the incident documentation system be separate from the organization's infrastructure?
a) To ensure it remains accessible even if internal systems are compromised
b) To allow adversaries to access logs easily
c) To store company financial records securely
d) To improve internet speed across the network
Answers