mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 21:19:40 +03:00
67 lines
3.4 KiB
Markdown
67 lines
3.4 KiB
Markdown
# Standards and Framework References
|
|
|
|
## NIST SP 800-61 Rev. 3 - Incident Response Recommendations
|
|
- **Respond (RS) Function**: Containment falls under RS.MI (Incident Mitigation)
|
|
- RS.MI-01: Incidents are contained
|
|
- RS.MI-02: Incidents are eradicated
|
|
- **Detect (DE) Function**: Scope identification maps to DE.AE (Adverse Event Analysis)
|
|
- DE.AE-02: Potentially adverse events are analyzed to better understand associated activities
|
|
- DE.AE-03: Information is correlated from multiple sources
|
|
- Reference: https://csrc.nist.gov/pubs/sp/800/61/r3/final
|
|
|
|
## NIST SP 800-61 Rev. 2 - Computer Security Incident Handling Guide
|
|
- **Section 3.3**: Containment, Eradication, and Recovery
|
|
- 3.3.1: Choosing a Containment Strategy
|
|
- 3.3.2: Evidence Gathering and Handling
|
|
- 3.3.3: Identifying the Attacking Hosts
|
|
- Containment strategy criteria: potential damage, evidence preservation needs, service availability, time/resources, effectiveness duration, solution scope
|
|
- Reference: https://csrc.nist.gov/pubs/sp/800/61/r2/final
|
|
|
|
## SANS PICERL Framework
|
|
- **Phase 3 - Containment**: The SANS Incident Handler's Handbook defines containment as actions to limit damage from an incident
|
|
- Short-term containment: Immediate response to stop the bleeding
|
|
- System back-up: Forensic image before remediation
|
|
- Long-term containment: Temporary fixes allowing production use
|
|
- Reference: https://www.sans.org/white-papers/33901
|
|
|
|
## MITRE ATT&CK Framework - Relevant Techniques to Contain
|
|
|
|
### Initial Access (TA0001)
|
|
| Technique ID | Name | Containment Action |
|
|
|-------------|------|-------------------|
|
|
| T1566 | Phishing | Block sender, quarantine messages |
|
|
| T1190 | Exploit Public-Facing Application | Patch/WAF rule, isolate service |
|
|
| T1133 | External Remote Services | Disable VPN/RDP access |
|
|
| T1078 | Valid Accounts | Disable/reset compromised accounts |
|
|
|
|
### Lateral Movement (TA0008)
|
|
| Technique ID | Name | Containment Action |
|
|
|-------------|------|-------------------|
|
|
| T1021 | Remote Services | Block SMB/RDP/WinRM between segments |
|
|
| T1550 | Use Alternate Authentication Material | Reset tokens, rotate KRBTGT |
|
|
| T1570 | Lateral Tool Transfer | Block file sharing protocols |
|
|
|
|
### Command and Control (TA0011)
|
|
| Technique ID | Name | Containment Action |
|
|
|-------------|------|-------------------|
|
|
| T1071 | Application Layer Protocol | Block C2 domains/IPs at firewall |
|
|
| T1573 | Encrypted Channel | SSL inspection, block non-standard TLS |
|
|
| T1572 | Protocol Tunneling | Block DNS tunneling, inspect traffic |
|
|
|
|
### Exfiltration (TA0010)
|
|
| Technique ID | Name | Containment Action |
|
|
|-------------|------|-------------------|
|
|
| T1041 | Exfiltration Over C2 Channel | Sinkhole C2 domains |
|
|
| T1048 | Exfiltration Over Alternative Protocol | Block DNS/ICMP exfil |
|
|
| T1567 | Exfiltration Over Web Service | Block cloud storage uploads |
|
|
|
|
## CISA Incident Response Playbooks
|
|
- Federal Government Cybersecurity Incident and Vulnerability Response Playbooks
|
|
- Containment actions aligned with federal response guidelines
|
|
- Reference: https://www.cisa.gov/sites/default/files/publications/Federal_Government_Cybersecurity_Incident_and_Vulnerability_Response_Playbooks_508C.pdf
|
|
|
|
## ISO/IEC 27035 - Information Security Incident Management
|
|
- Part 2: Guidelines to plan and prepare for incident response
|
|
- Containment classified as part of "Response" phase
|
|
- Emphasis on proportional response and business impact consideration
|