DFIR and Backups

Learning outcomes:

  • Be able to describe and practice disaster planning and recovery using best practices
  • Be able to articulate why backups are important and the different kinds of backups
  • Be able to describe and practice incident response using best practices, including the post mortem

Would you like to download my PowerPoint to follow along?

  • Disaster Planning
    • DLP (data loss prevention)
      • Tools and processes that keep data from being lost, leaked or destroyed
      • Can be monitoring, encryption, backups, endpoint controls and more
    • Compliance: laws and regulations such as GDPR
    • Have a plan in place that includes business continuity and a business impact analysis; the plan should prioritize which systems and data are recovered first
    • Internal recovery vs. third-party support
  • Disaster Recovery
  • Incident Response
    • Verify that an incident actually happened (not just a bug)
    • Classify the incident type (DDoS, virus, rootkit, etc.) and priority level (critical? important? etc.)
    • Preserve evidence
    • Recover
    • Post Mortem on incident
  • After the Incident (Post Mortem)
    • High level summary of what happened
    • Root cause analysis
    • What did we do during the incident?
    • What was the time line of the incident?
    • What went well?
    • What didn't go well?
    • Focus should be on a culture of learning and improvement; this is NOT a blame game
    • The importance of an incident postmortem process (NOTE: You do not need their product to do this! It's just a well-written article)
  • Backups
    • Overview
      • Copy of our data/apps/settings/etc
      • Can be local or offsite
      • Can be on multiple types of hardware
      • Third party services that provide backups
      • Backups are for Disasters (natural and unnatural), Accidents, and Incidents
    • Types and Guidelines
      • Incremental backups - only files changed since the last backup of any kind (most frequent)
      • Full backups - a copy of all files (medium frequency)
      • Forensic copy - a bit-for-bit image, including deleted and unallocated space, kept as evidence (least frequent)
      • Frequency is based on company, industry, personal risk profile and what you're willing to lose
      • Back up more than just servers: config files, applications, change history, user accounts and more
      • Backup Best practices from NIST
      • Security Guidelines for storage Infrastructure
    • Backup auditing
      • Is your backup working?
      • How often do you check the backup happened and works?
        • Such as once a year on May 4th (Star Wars Day)
      • Where is it stored?
      • How is it stored?
      • Is it documented?
      • Did we update the documentation?
      • Review the backup policy and what's being backed up regularly (at least once a year)
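The backup types and the auditing questions above in working code. This is an added example, not part of the course notes or any product it links to: a minimal Python backup tool that does a full backup, an incremental backup (only files whose content hash changed), a restore that replays both, and an audit that recomputes every stored hash to answer "is the backup still good?". All file names (a.txt, sub/b.txt, old.txt, c.txt) and the temporary directories are constructed inline so it runs offline; the manifest.json/state.json names are the example's own convention.

```python
"""Full vs. incremental backup with restore and integrity audit (added example)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Optional

METADATA = ("manifest.json", "state.json")   # example's own bookkeeping files


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Manifest of a tree: relative path -> SHA-256 (bookkeeping files excluded)."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.name not in METADATA}


def backup(src: Path, dest: Path, prev_state: Optional[dict] = None) -> dict:
    """Write one backup set to dest and return the files it copied.

    prev_state None  -> full backup: every file is copied.
    prev_state given -> incremental: only files whose hash differs from the
                        previous state (new or modified) are copied.
    Hashing rather than mtime catches files whose timestamp was reset.
    manifest.json = what is physically in this set (used by audit);
    state.json    = the whole source tree at backup time (used as prev_state
                    by the next incremental and by restore to drop deletions).
    """
    state = snapshot(src)
    prev = prev_state or {}
    copied = {rel: h for rel, h in state.items() if prev.get(rel) != h}
    for rel in copied:
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src / rel, target)
    (dest / "manifest.json").write_text(json.dumps(copied))
    (dest / "state.json").write_text(json.dumps(state))
    return copied


def audit(backup_set: Path) -> list:
    """Backup auditing: recompute every hash listed in the set's manifest.
    Returns paths that are missing or corrupted; [] means the set is intact."""
    manifest = json.loads((backup_set / "manifest.json").read_text())
    return [rel for rel, expected in manifest.items()
            if not (backup_set / rel).is_file()
            or sha256_of(backup_set / rel) != expected]


def restore(sets: list, target: Path) -> dict:
    """Replay a full backup and its incrementals (oldest first) into target,
    then remove anything absent from the newest state. Returns the manifest
    of the restored tree so it can be compared with the original source."""
    for s in sets:
        for rel in json.loads((s / "manifest.json").read_text()):
            dst = target / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(s / rel, dst)
    final_state = json.loads((sets[-1] / "state.json").read_text())
    for rel in list(snapshot(target)):
        if rel not in final_state:          # deleted after the full backup
            (target / rel).unlink()
    return snapshot(target)


def demo() -> dict:
    """Constructed sample run: full backup, change the source, incremental
    backup, restore, then an audit that catches a corrupted backup file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, full, inc, rest = (root / n for n in ("src", "full", "inc", "restored"))
        (src / "sub").mkdir(parents=True)
        (src / "a.txt").write_text("alpha v1")
        (src / "sub" / "b.txt").write_text("bravo")
        (src / "old.txt").write_text("to be deleted")

        full_copied = backup(src, full)                       # full: 3 files
        full_state = json.loads((full / "state.json").read_text())

        (src / "a.txt").write_text("alpha v2")                # modified
        (src / "c.txt").write_text("charlie")                 # new
        (src / "old.txt").unlink()                            # deleted
        inc_copied = backup(src, inc, prev_state=full_state)  # incremental: 2 files

        restored_ok = restore([full, inc], rest) == snapshot(src)
        audit_clean = audit(inc)
        (inc / "c.txt").write_bytes(b"bit rot")               # simulate damage
        return {
            "full_copied": sorted(full_copied),
            "inc_copied": sorted(inc_copied),
            "restore_matches_source": restored_ok,
            "audit_before_damage": audit_clean,
            "audit_after_damage": audit(inc),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` shows the full set holding all three files, the incremental holding only the modified and new files, a restore that reproduces the source exactly (including the deletion), and an audit that is empty before the simulated bit rot and names c.txt after it. The point of the restore step is the one the auditing questions above are driving at: a backup that has never been restored has not been verified, and a hash check alone is not proof that the set is recoverable.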

Suggested Activities and Discussion Topics:

  • Pick a lab you have finished and write a short report on how your lab went. Use this sample report from Google as a template.
