Network traffic analysis for incident response (IR): What incident responders should know about networking


In this article, we’ll discuss the various things that incident responders must know about the operation of a network and how this can help improve how their security teams respond to incidents.

We’ll look at common attacks that organization networks suffer today and how they can be mitigated. We’ll also discuss some network devices and what they do, the OSI model and which of its layers matter most to incident responders, and the different ports and protocols. Finally, we’ll explore the structure of a data packet, as well as common tools that IR teams can use to perform incident response.


Overview of incident response

Incident response involves responding to security breaches and handling them in a manner that contains the damage and eradicates the primary cause of the incident. “The demand for cyber security incident responders remains high,” says Debbie Henley, president and co-founder of Redbud, an information security recruitment firm.

The main importance of incident response within your organization is to enable you to:

  1. Reduce losses
  2. Restore processes and services
  3. Mitigate exploited vulnerabilities

Once an incident is contained, the affected organization can prevent the catastrophic outcomes that the breach could otherwise have caused. This is usually done by establishing best practices, which in turn prevent the same attacks from being executed again.

Incident response and networking

Enterprises should be aware that a successful network attack is most certainly going to take place and is usually a matter of “when” and not “if.” According to Sean Mahoney, a partner at K&L Gates, “The more connected you are, the more risk you have. There’s no way around it.”

What follows are some of the things that incident responders should know in relation to networking and how they influence the organization.

Acceptable risk within the network and crown jewels

Incident responders need to be (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Lester Obbayi. Read the original post at: