DFIR
-
digital forensics and incident response
- cypat forensics like digital forensics, the rest is like IR
-
NIST 6 stage IR process
- prep - plan, staffing, software
- detect - [[SIEM]] tools in conjunction w ISP, police etc
- analysis - logs
- containment - C2 infra, lock down [[ports]], physically air-gap
- eradicate/recovery - business continuity, disaster recovery
- reinstall OS, software
- put back in backups
- audit user accts
- run [[vuln]] scan
- post-incident activity - debriefs/reviews
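- worked example of the detect -> analysis -> containment stages (added here, not part of the original notes): a small Python script that runs a brute-force check over a few constructed sshd-style log lines, as a SIEM rule would, and turns the findings into the containment to-do list above (lock down the source, audit accounts). The log lines, hostnames, IPs and thresholds are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from any real system): sshd-style auth
# messages as a SIEM might collect them during the "detect" stage.
SAMPLE_LOG = """\
2024-03-01T10:00:01 host1 sshd[101]: Failed password for invalid user admin from 198.51.100.7 port 4001 ssh2
2024-03-01T10:00:03 host1 sshd[102]: Failed password for invalid user root from 198.51.100.7 port 4002 ssh2
2024-03-01T10:00:05 host1 sshd[103]: Failed password for invalid user test from 198.51.100.7 port 4003 ssh2
2024-03-01T10:00:06 host1 sshd[104]: Failed password for invalid user oracle from 198.51.100.7 port 4004 ssh2
2024-03-01T10:00:08 host1 sshd[105]: Failed password for invalid user admin from 198.51.100.7 port 4005 ssh2
2024-03-01T10:00:09 host1 sshd[106]: Accepted password for alice from 198.51.100.7 port 4006 ssh2
2024-03-01T10:05:00 host1 sshd[107]: Failed password for bob from 203.0.113.9 port 5001 ssh2
2024-03-01T10:30:00 host1 sshd[108]: Failed password for bob from 203.0.113.9 port 5002 ssh2
2024-03-01T10:31:00 host1 sshd[109]: Accepted password for bob from 203.0.113.9 port 5003 ssh2
"""

# Pattern for the constructed line format above (assumption: real sshd lines
# vary by distro and syslog configuration, so adjust the regex to your source).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_line(line):
    """Parse one log line into a dict, or None if it is not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "host": m["host"],
        "result": m["result"],
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Analysis stage: per source IP, decide whether a failed-login burst occurred.

    An IP is flagged when `threshold` or more failed logins fall inside any
    `window_seconds` span. A later successful login from a flagged IP is
    recorded separately because it changes the containment decision: the
    account, not only the source address, then has to be dealt with.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        fails = sorted(e["ts"] for e in evs if e["result"] == "Failed")
        flagged = False
        left = 0  # sliding window over the sorted failure timestamps
        for right in range(len(fails)):
            while (fails[right] - fails[left]).total_seconds() > window_seconds:
                left += 1
            if right - left + 1 >= threshold:
                flagged = True
                break
        successes = [e["user"] for e in evs if e["result"] == "Accepted"]
        findings[ip] = {
            "failed": len(fails),
            "flagged": flagged,
            "accounts_logged_in": sorted(set(successes)),
            "users_tried": sorted({e["user"] for e in evs}),
        }
    return findings


def containment_actions(findings):
    """Containment stage: turn findings into the lock-down/audit to-do list."""
    actions = []
    for ip, f in sorted(findings.items()):
        if not f["flagged"]:
            continue
        actions.append(f"block {ip} at the perimeter firewall")
        for user in f["accounts_logged_in"]:
            actions.append(
                f"disable and audit account {user} (successful login after burst from {ip})"
            )
    return actions


if __name__ == "__main__":
    found = detect_bruteforce(SAMPLE_LOG)
    for ip, f in found.items():
        print(ip, f)
    for action in containment_actions(found):
        print("ACTION:", action)
```

- the second source (203.0.113.9) has failures too, but spread 25 minutes apart, so the sliding window never fills and it is not flagged; that is the point of the window parameter, a plain failure count would treat a user mistyping a password the same as a burst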
-
types of disaster recovery site
- hot - fully functional + immediate recovery from disaster
- warm - no prod work until disaster
- equipped site w no customer data
- cold - infrastructure to support IT, but not actual tech