Network Security Fundamentals Part 10: Incident Response and Digital Forensics
네트워크 보안 기초부터 실전까지 10편: 침해사고 대응과 디지털 포렌식
Introduction: The Importance of Incident Response
No matter how thorough your security posture is, security incidents can still occur. What matters is how quickly and effectively you respond when an incident happens. A well-prepared incident response process plays a key role in minimizing damage, enabling rapid recovery, and preventing similar incidents in the future.
In this final Part 10, we'll comprehensively cover the entire incident response process, incident response team organization, digital forensics techniques, evidence collection and analysis methods, and career guidance for security professionals.
1. Incident Response Process
1.1 NIST Incident Response Framework
The incident response framework proposed by NIST (National Institute of Standards and Technology) consists of six phases.
- Phase 1: Preparation
- Establish and regularly review incident response plans
- Form response team and define roles
- Acquire necessary tools and resources
- Conduct regular training and tabletop exercises
- Phase 2: Detection & Analysis
- Security event monitoring and alerting
- Confirm and classify incidents
- Assess impact scope and severity
- Begin collecting relevant evidence
- Phase 3: Containment
- Short-term containment: Immediate prevention of damage spread
- Long-term containment: System isolation and security hardening
- System backup for evidence preservation
- Phase 4: Eradication
- Remove malware and backdoors
- Eliminate root cause of breach
- Patch vulnerabilities and strengthen security
- Phase 5: Recovery
- Return systems to normal operation
- Enhanced monitoring
- Verify no additional attacks
- Phase 6: Lessons Learned
- Analyze and document incident
- Identify improvements
- Update processes and tools
1.2 Incident Classification and Prioritization
| Severity | Description | Response Time | Examples |
|---|---|---|---|
| Critical | Business disruption, large-scale data breach | Immediate (within 1 hour) | Ransomware infection, APT attack |
| High | Critical system compromise, sensitive data exposure | Within 4 hours | Server root access compromise |
| Medium | Limited system compromise, malware detection | Within 24 hours | Single workstation infection |
| Low | Policy violation, suspicious activity | Within 72 hours | Unauthorized software installation |
2. Incident Response Team Organization (CSIRT/CERT)
2.1 Difference Between CSIRT and CERT
- CERT (Computer Emergency Response Team): A registered trademark of Carnegie Mellon University, primarily referring to national or large-scale organizational cybersecurity response teams
- CSIRT (Computer Security Incident Response Team): A general term referring to internal security incident response teams within organizations
2.2 Incident Response Team Role Structure
- Incident Commander
- Direct overall response activities
- Decision-making and resource allocation
- Communication with executives and external agencies
- Technical Lead
- Direct technical analysis and response
- Oversee forensic analysis
- Provide technical recommendations
- Forensic Analyst
- Evidence collection and preservation
- Digital forensics analysis
- Timeline reconstruction
- Threat Analyst
- Analyze attacker TTPs
- Utilize threat intelligence
- Identify and share IOCs
- System/Network Administrator
- Perform containment and recovery tasks
- Support log and evidence collection
- System backup and restoration
- Communications Lead
- Internal employee notification
- Customer/partner communication
- Media response (if needed)
2.3 Incident Response Playbook
# Ransomware Incident Response Playbook Example
playbook:
name: "Ransomware Incident Response"
version: "1.0"
severity: "Critical"
initial_response:
- action: "Network Isolation"
description: "Immediately disconnect infected systems from network"
owner: "Network Admin"
time_limit: "15 minutes"
- action: "Scope Assessment"
description: "Identify affected systems and data scope"
owner: "Security Analyst"
time_limit: "1 hour"
- action: "Evidence Preservation"
description: "Acquire memory dumps and disk images"
owner: "Forensic Analyst"
time_limit: "2 hours"
containment:
- action: "Prevent Further Infection"
steps:
- "Block C2 server IPs at firewall"
- "Block email attachment IOCs"
- "Block related hashes at EDR"
eradication:
- action: "Malware Removal"
steps:
- "Reinstall infected systems (recommended)"
- "Restore data from backups"
- "Verify backup integrity before restoration"
recovery:
- action: "System Recovery"
steps:
- "Rebuild with clean systems"
- "Apply latest security patches"
- "Configure enhanced monitoring"
post_incident:
- "Write incident report"
- "Analyze infection vector"
- "Improve security policies"
- "Employee security awareness training"3. Evidence Collection and Preservation
3.1 Evidence Collection Principles
Principles that must be followed when collecting digital evidence:
- Order of Volatility: Collect data from most volatile first
- Registers, cache
- Memory (RAM)
- Network state
- Running processes
- Disk
- Remote logs/monitoring data
- Physical configuration, network topology
- Archive media
- Evidence Integrity: Minimize changes to original evidence, verify integrity with hash values
- Chain of Custody: Maintain records of evidence movement/access
3.2 Live Evidence Collection
# System information collection
date > incident_$(hostname)_$(date +%Y%m%d_%H%M%S).txt
hostname >> incident_report.txt
uname -a >> incident_report.txt
uptime >> incident_report.txt
# Network connection status
netstat -antp > netstat_output.txt
ss -antp > ss_output.txt
# Running processes
ps auxwww > process_list.txt
pstree -p > process_tree.txt
# Open files
lsof > open_files.txt
# Logged-in users
who > logged_users.txt
w > user_activity.txt
last > login_history.txt
# Memory information
cat /proc/meminfo > meminfo.txt
free -m > memory_usage.txt3.3 Disk Imaging
# Disk imaging using dd
# Source disk: /dev/sda
# Destination: evidence.dd
# Imaging with hash generation
dd if=/dev/sda bs=4M conv=sync,noerror status=progress | tee evidence.dd | sha256sum > evidence.sha256
# Using dc3dd (forensics-specific tool)
dc3dd if=/dev/sda of=evidence.dd hash=sha256 log=imaging.log
# FTK Imager CLI (Windows)
# ftkimager.exe \\.\PhysicalDrive0 evidence --e01 --compress 6 --verify
# Verify image integrity
sha256sum evidence.dd
# Compare with original to confirm match4. Digital Forensics Basics
4.1 Setting Up Forensics Analysis Environment
# SIFT Workstation installation (Ubuntu-based)
# Forensics analysis virtual machine provided by SANS
# Or install individual tools
# Autopsy (GUI-based forensics tool)
sudo apt install autopsy
# Sleuth Kit (command-line forensics tools)
sudo apt install sleuthkit
# Volatility (memory forensics)
pip install volatility3
# Key forensics tools:
# - Autopsy: Disk image analysis
# - Volatility: Memory analysis
# - Wireshark: Network packet analysis
# - YARA: Malware pattern detection
# - Plaso/log2timeline: Timeline analysis4.2 File System Analysis
# Mount disk image
sudo mkdir /mnt/evidence
sudo mount -o ro,loop,noexec evidence.dd /mnt/evidence
# Recover deleted files (Sleuth Kit)
fls -r -d evidence.dd > deleted_files.txt
icat evidence.dd [inode] > recovered_file
# Analyze file timestamps
# M: Modified, A: Accessed, C: Changed, B: Birth
stat /mnt/evidence/suspicious_file
# Find recently modified files
find /mnt/evidence -type f -mtime -7 -ls > recent_modified.txt
# Hidden files and directories
find /mnt/evidence -name ".*" -ls > hidden_files.txt
# SUID/SGID files (potential privilege escalation)
find /mnt/evidence -perm /6000 -ls > suid_files.txt5. Memory Forensics
5.1 Memory Dump Collection
# Linux memory dump
# Using LiME (Linux Memory Extractor)
sudo insmod lime.ko "path=/tmp/memory.lime format=lime"
# Or using /dev/mem (limited)
sudo dd if=/dev/mem of=memory.dump bs=1M
# Windows memory dump
# Using WinPmem
# winpmem_mini_x64.exe memory.raw
# Using DumpIt (double-click to run)
# DumpIt.exe5.2 Memory Analysis with Volatility
# Volatility 3 basic usage
# Auto-detect profile
vol -f memory.dump windows.info
# Process list
vol -f memory.dump windows.pslist
vol -f memory.dump windows.pstree
# Detect hidden processes
vol -f memory.dump windows.psscan
# Network connections
vol -f memory.dump windows.netstat
vol -f memory.dump windows.netscan
# DLL list
vol -f memory.dump windows.dlllist --pid [PID]
# Command execution history
vol -f memory.dump windows.cmdline
vol -f memory.dump windows.consoles
# Registry analysis
vol -f memory.dump windows.registry.hivelist
vol -f memory.dump windows.registry.printkey --key "Software\Microsoft\Windows\CurrentVersion\Run"
# Malware detection
vol -f memory.dump windows.malfind
vol -f memory.dump windows.vadinfo --pid [PID]
# Process dump
vol -f memory.dump windows.memmap --pid [PID] --dump5.3 What Memory Analysis Can Reveal
- Running processes and threads
- Network connection information (remote IPs, ports)
- Loaded modules and DLLs
- Decrypted strings and passwords
- Unencrypted malware
- User input history
- Registry data
- Clipboard contents
6. Network Forensics
6.1 Packet Capture and Analysis
# Packet capture with tcpdump
sudo tcpdump -i eth0 -w capture.pcap
# Capture traffic related to specific host only
sudo tcpdump -i eth0 host 192.168.1.100 -w suspicious_traffic.pcap
# Specific port traffic
sudo tcpdump -i eth0 port 443 -w https_traffic.pcap
# Analysis with tshark (Wireshark CLI)
# Extract HTTP requests
tshark -r capture.pcap -Y "http.request" -T fields -e ip.src -e http.host -e http.request.uri
# Extract DNS queries
tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields -e ip.src -e dns.qry.name
# File extraction
tshark -r capture.pcap --export-objects http,./exported_files/
# Statistics
tshark -r capture.pcap -z conv,ip
tshark -r capture.pcap -z endpoints,tcp6.2 Network Artifact Analysis
# Generate network logs with Zeek (formerly Bro)
zeek -r capture.pcap
# Generated log files:
# conn.log - All connection records
# dns.log - DNS queries/responses
# http.log - HTTP traffic
# ssl.log - SSL/TLS connections
# files.log - Transferred files
# Analyze suspicious connections
# Abnormally large data transfers
cat conn.log | zeek-cut id.orig_h id.resp_h orig_bytes resp_bytes | sort -t$'\t' -k3 -rn | head
# HTTP traffic on non-standard ports
cat http.log | zeek-cut id.resp_p | sort | uniq -c | sort -rn
# DNS tunneling detection (long subdomains)
cat dns.log | zeek-cut query | awk 'length > 50' | sort | uniq -c | sort -rn7. Timeline Analysis
7.1 Using Plaso/log2timeline
# Extract timeline from disk image
log2timeline.py --storage-file timeline.plaso evidence.dd
# Or from mounted directory
log2timeline.py --storage-file timeline.plaso /mnt/evidence
# Convert timeline to CSV
psort.py -o l2tcsv -w timeline.csv timeline.plaso
# Filter specific time range
psort.py -o l2tcsv -w filtered_timeline.csv timeline.plaso "date > '2026-01-15 00:00:00' AND date < '2026-01-22 23:59:59'"
# Use specific parsers only
log2timeline.py --parsers "winevtx,prefetch,chrome_history" timeline.plaso /mnt/evidence7.2 Timeline Analysis Focus Points
- Initial compromise time: When first malicious activity occurred
- Lateral movement: When attacker moved to other systems
- Data access: When sensitive files were accessed
- Data exfiltration: When data was transmitted externally
- Persistence establishment: When backdoors were installed, accounts created
# Windows Event Log timeline analysis points
# Logon events: 4624, 4625
# Process creation: 4688
# Service installation: 7045
# Scheduled tasks: 4698
# Firewall rule changes: 2004, 2005
# PowerShell activity
# 4103: Module Logging
# 4104: Script Block Logging
# 4105, 4106: Start/Stop Command8. Indicators of Compromise (IOC) Utilization
8.1 Types of IOCs
- Network-based IOCs
- IP addresses (C2 servers, malicious infrastructure)
- Domain names
- URL patterns
- SSL certificate hashes
- Host-based IOCs
- File hashes (MD5, SHA1, SHA256)
- File paths and names
- Registry keys
- Mutex names
- Process names
- Behavior-based IOCs
- Specific API call patterns
- Command-line arguments
- Network behavior patterns
8.2 Writing YARA Rules
// YARA rule example for malware detection
rule Suspicious_PowerShell_Download {
meta:
description = "Detect suspicious downloads using PowerShell"
author = "Security Team"
date = "2026-01-22"
severity = "high"
strings:
$ps1 = "powershell" nocase
$ps2 = "pwsh" nocase
$download1 = "DownloadString" nocase
$download2 = "DownloadFile" nocase
$download3 = "Invoke-WebRequest" nocase
$download4 = "wget" nocase
$download5 = "curl" nocase
$encoded = "-enc" nocase
$bypass = "-ExecutionPolicy Bypass" nocase
condition:
($ps1 or $ps2) and
(any of ($download*) or $encoded or $bypass)
}
rule Webshell_Generic {
meta:
description = "Detect generic webshells"
strings:
$php_eval = /eval\s*\(\s*\$_(GET|POST|REQUEST)/
$php_exec = /exec\s*\(\s*\$_(GET|POST|REQUEST)/
$php_system = /system\s*\(\s*\$_(GET|POST|REQUEST)/
$php_passthru = /passthru\s*\(\s*\$_(GET|POST|REQUEST)/
$asp_exec = "Execute(" nocase
$asp_eval = "Eval(" nocase
condition:
any of them
}8.3 IOC Sharing and Utilization
// IOC example in STIX 2.1 format
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"created": "2026-01-22T12:00:00.000Z",
"modified": "2026-01-22T12:00:00.000Z",
"name": "Malicious IP - C2 Server",
"description": "IP address confirmed as ransomware C2 server",
"indicator_types": ["malicious-activity"],
"pattern": "[ipv4-addr:value = '192.168.1.100']",
"pattern_type": "stix",
"valid_from": "2026-01-22T00:00:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "lockheed-martin-cyber-kill-chain",
"phase_name": "command-and-control"
}
]
}9. Post-Incident Report Writing
9.1 Incident Report Structure
- Executive Summary
- Incident overview
- Impact scope
- Key findings
- Recommendations
- Incident Overview
- Detection date/time and method
- Incident type and severity
- Affected systems/data
- Timeline
- Attack timeline
- Response timeline
- Technical Analysis
- Attack vector
- Tools/malware used
- Attacker TTPs
- IOC list
- Impact Assessment
- Business impact
- Data breach scope
- Financial impact
- Response Activities
- Containment measures
- Eradication work
- Recovery process
- Lessons Learned and Recommendations
- Root cause
- Improvement recommendations
- Short/medium/long-term actions
- Appendix
- Detailed IOCs
- Log samples
- Screenshots
10. Security Career Guide
10.1 Security Career Paths
- Security Operations
- SOC Analyst (Level 1, 2, 3)
- Security Engineer
- SIEM Administrator
- Incident Response
- Incident Response Analyst
- Digital Forensics Analyst
- Malware Analyst
- Offensive Security
- Penetration Tester
- Red Team Specialist
- Vulnerability Researcher
- Security Architecture
- Security Architect
- Cloud Security Architect
- Application Security Specialist
- Governance and Compliance
- Security Consultant
- GRC Specialist
- Privacy Specialist
- Management and Leadership
- Security Team Lead
- CISO (Chief Information Security Officer)
10.2 Recommended Certifications
| Level | Certification | Domain |
|---|---|---|
| Entry | CompTIA Security+ | Foundational Security |
| Entry | CompTIA CySA+ | Security Analysis |
| Intermediate | CEH (Certified Ethical Hacker) | Penetration Testing |
| Intermediate | GCIH (GIAC Certified Incident Handler) | Incident Response |
| Intermediate | GCFE (GIAC Certified Forensic Examiner) | Forensics |
| Advanced | OSCP (Offensive Security Certified Professional) | Penetration Testing |
| Advanced | CISSP (Certified Information Systems Security Professional) | Comprehensive Security |
| Expert | GREM (GIAC Reverse Engineering Malware) | Malware Analysis |
| Expert | OSEE (Offensive Security Exploitation Expert) | Exploit Development |
10.3 Resources for Skill Development
- Practice Platforms
- TryHackMe - Beginner to intermediate practice
- HackTheBox - Intermediate to advanced practice
- CyberDefenders - Blue team practice
- LetsDefend - SOC analyst practice
- CTF (Capture The Flag)
- CTFtime.org - CTF competition schedules
- picoCTF - Beginner CTF
- OverTheWire - Wargames
- Learning Resources
- SANS Reading Room - White papers
- MITRE ATT&CK - Attack technique framework
- OWASP - Web security
- Community
- Reddit r/netsec, r/AskNetsec
- Twitter/X security community
- Security conferences (DEF CON, Black Hat, RSA)
Series Conclusion
We conclude the 10-part "Network Security Fundamentals to Practice" series. Here's a summary of what we covered:
- Part 1: Network fundamentals and basic concepts
- Part 2: OSI 7-Layer model and TCP/IP
- Part 3: Firewall principles and configuration
- Part 4: IDS/IPS systems
- Part 5: VPN and encrypted communication
- Part 6: Web security and OWASP Top 10
- Part 7: Vulnerability analysis and patch management
- Part 8: Malware analysis and response
- Part 9: Security monitoring and log analysis
- Part 10: Incident response and digital forensics
Security is a constantly evolving field. New threats emerge, and new defense technologies are developed. Build upon the foundational knowledge from this series through continuous learning and practice to develop your expertise.
"Security is a process, not a product." - Bruce Schneier
While technical tools and knowledge are important, ultimately security is completed through the harmony of people, processes, and technology. Building an organization's security culture and continuously improving it is the true role of a security professional.
Thank you for reading this series. If you have any questions or feedback, please feel free to reach out. We'll continue to bring you practical and in-depth security content.