Subject: Re: [EXT] [cacao] Playbooks
Frans,
Are you looking for examples of what exists in the SOC today? If you search for "security playbooks" on Google the first 2 or 3 non-sponsored links have some visual examples. In slideware, when I talk about this, I often give the following examples as it is something that most people can easily understand:
Security Operations Center
- Open ticket with priority level 2
- Call level one network support
- If they do not respond within 10 minutes
- Escalate to level 2, then level 3, then management
Network Support
- Quarantine system to sandbox VLAN
Security Operations Center
- Call level one desktop support
- If they do not respond within 30 minutes
- Escalate to level 2, then level 3, then management
Desktop Support
- Delete run-at-start reg keys and triggers
- Reboot into Safe Mode
- Kill process sysmg.exe then winsrvx.exe then xnc.exe
- Delete temp files
- Delete compromised files defined in KB article 311
- Delete other registry keys defined in KB article 312
- Reboot system into Safe Mode
- Verify processes do not restart after cleanup
- If this does not work, escalate
- Patch AV system and run updated AV scan
- Patch OS
- Run additional on-demand special AV scanners
- Reboot system to normal mode
- Update ticket
Network Support
- Monitor traffic from system for 90 minutes
- If no abnormal behavior is detected, move system out of sandbox VLAN into a restricted watch VLAN for 24 hours
- If no user issues or abnormal behavior is detected, move system to production VLAN
- Update and close ticket
Bret
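As an added illustration (not part of Bret's message, and not the CACAO schema): the call-out and escalation branches above encoded as a small machine-readable workflow and dry-run against a simulated responder, so the "no answer within N minutes, escalate" logic can be checked before anyone follows it by hand. The step structure, the `responds` callback and the scenario are all constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

@dataclass
class Step:
    team: str                          # who performs the step
    action: str
    contact: Optional[str] = None      # team being called, if this is a call-out
    timeout_min: Optional[int] = None  # minutes to wait before escalating
    escalate_to: List[str] = field(default_factory=list)

ESCALATION = ["level 2", "level 3", "management"]

# Constructed from the SOC / Network / Desktop sequence in the message above.
PLAYBOOK = [
    Step("SOC", "Open ticket with priority level 2"),
    Step("SOC", "Call level one network support", "Network Support", 10, ESCALATION),
    Step("Network Support", "Quarantine system to sandbox VLAN"),
    Step("SOC", "Call level one desktop support", "Desktop Support", 30, ESCALATION),
    Step("Desktop Support", "Clean system and verify processes do not restart"),
    Step("Network Support", "Monitor 90 min, stage through watch VLAN, close ticket"),
]

def run_playbook(steps: List[Step], responds: Callable[[str, str], bool]) -> List[str]:
    """Dry-run the playbook. responds(contact, level) simulates whether that
    support level answers within the step's timeout. Returns an audit trail."""
    trail: List[str] = []
    for s in steps:
        if s.contact is None:
            trail.append(f"{s.team}: {s.action}")
            continue
        for level in ["level 1"] + s.escalate_to:
            if responds(s.contact, level):
                trail.append(f"{s.team}: {s.contact} {level} responded")
                break
            trail.append(f"{s.team}: no answer from {s.contact} {level} "
                         f"within {s.timeout_min} min, escalating")
        else:  # every level timed out: stop rather than continue unowned
            trail.append(f"{s.team}: escalation exhausted for '{s.action}'")
            return trail
    return trail

def demo_responds(contact: str, level: str) -> bool:
    """Constructed scenario: network support answers only at level 3."""
    return level == "level 3" if contact == "Network Support" else level == "level 1"

if __name__ == "__main__":
    for line in run_playbook(PLAYBOOK, demo_responds):
        print(line)
```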