| racfor_wiki:seminari2024:incident_response_u_microsoft365_okruzenju [2025/01/26 22:33] Rivić Carević Sara [Literature]
 | racfor_wiki:seminari2024:incident_response_u_microsoft365_okruzenju [2025/01/26 23:53] (current) Rivić Carević Sara [Types of attacks]
| ===== Introduction ===== | ===== Introduction ===== | 
|  | To begin, the next two subsections explain in detail the definition and importance of incident response. | 
| ==== Definition of incident response ==== | ==== Definition of incident response ==== | 
| Incident response is the process of detecting, analysing and responding to security incidents in order to remove the resulting damage and ensure the recovery of the system. But what is an incident? Today we use various terms that we treat as synonyms, but which actually have different meanings. Some of them are: | Incident response is the process of detecting, analysing and responding to security incidents in order to remove the resulting damage and ensure the recovery of the system. But what is an incident? Today we use various terms that we treat as synonyms, but which actually have different meanings. Some of them are: | 
|  |  | 
| ===== Basic concepts ===== | ===== Basic concepts ===== | 
|  | This chapter covers the basic concepts needed to understand the topic. | 
| ==== Security incident ==== | ==== Security incident ==== | 
| A security incident is any digital or physical breach that threatens the confidentiality, integrity or availability of an organisation's information systems or sensitive data. Security incidents range from deliberate cyber attacks by hackers or unauthorised users to unintentional violations of security policy by legitimately authorised users. | A security incident is any digital or physical breach that threatens the confidentiality, integrity or availability of an organisation's information systems or sensitive data. Security incidents range from deliberate cyber attacks by hackers or unauthorised users to unintentional violations of security policy by legitimately authorised users. | 
|  |  | 
| My top 10 guidelines for acting during and after incidents: | My top 10 guidelines for acting during and after incidents: | 
| * Stay calm | * Stay calm: Incidents can be emotionally intense. Focus on the most important actions and avoid panic. | 
| Incidents can be emotionally intense. Focus on the most important actions and avoid panic. | * Share information publicly with care: Check all public statements and information with the legal department first, to avoid legal and reputational consequences. | 
| * Share information publicly with care: | * Seek help when needed: Engage internal specialists or external professionals if you lack the resources or expertise to handle the incident. | 
| Check all public statements and information with the legal department first, to avoid legal and reputational consequences. | * Speed and coordination: Act quickly but deliberately, and ensure clear communication between the technical, legal and operational teams so that all parties stay aligned. | 
| * Seek help when needed: | * Do not cause additional damage: Avoid actions that could cause loss of data, business functionality or evidence. | 
| Engage internal specialists or external professionals if you lack the resources or expertise to handle the incident. | * Do not upload files to online scanners: Attackers can monitor scanned files. | 
| * Speed and coordination: | * Do not investigate endlessly: Focus only on the key systems that were attacked or compromised. | 
| Act quickly but deliberately, and ensure clear communication between the technical, legal and operational teams so that all parties stay aligned. | * Document: Record all actions taken during the incident for forensic analysis and later improvements to security procedures. | 
| * Do not cause additional damage: | * Expect reduced team effectiveness: Plan for 50% staff capacity because of the stress and demands of the situation. | 
| Avoid actions that could cause loss of data, business functionality or evidence. | * Do not reset all passwords at once: Reset compromised administrator and service accounts first, and reset user passwords gradually and in a controlled way. | 
| * Do not upload files to online scanners: |  | 
| Attackers can monitor scanned files. |  | 
| * Do not investigate endlessly: |  | 
| Focus only on the key systems that were attacked or compromised. |  | 
| * Document: |  | 
| Record all actions taken during the incident for forensic analysis and later improvements to security procedures. |  | 
| * Expect reduced team effectiveness: |  | 
| Plan for 50% staff capacity because of the stress and demands of the situation. |  | 
| * Do not reset all passwords at once: |  | 
| Reset compromised administrator and service accounts first, and reset user passwords gradually and in a controlled way. |  | 
|  |  | 
|  |  | 