Procedure 1: Windows 10 Windows Defender

Your Task:

For this project, you will assess and document tools to be used by the Sifers-Grayson Incident Response Team during the preparation, detection, containment, eradication, and recovery phases of the Incident Response Process (as defined in NIST SP 800-61r2). The deliverable for this assignment is a set of three customized procedures suitable for inclusion in the Sifers-Grayson Incident Response Procedures Manual. Each procedure must be written so that it can be added / updated / removed without impacting other procedures in the manual. In other words, the procedures must be self-contained and stand on their own.

Detailed Instructions:

Your deliverable must use the provided MS Word template file (contact your instructor for formatting guidance if you cannot use this file). The required procedures are described below.

Procedure 1: Windows 10 Windows Defender

This procedure will instruct incident responders in the use of the Windows Defender anti-virus application to detect and analyze threats and attacks against Windows 10 endpoint devices.

1. Investigate the use of Windows Defender AV to detect and analyze potential viruses, spyware, and other forms of malware. Your investigation should include researching best practices for configuring and using the scanning, detection, and analysis capabilities for this host-based anti-malware software. At a minimum, your research should address the following:

   a. Update requirements for anti-virus definition files
   b. Configuration requirements to enable real-time scanning
   c. Procedures for conducting full system scans
   d. Fast or quick scan for high-vulnerability areas of the system
   e. Removable media scanning
   f. Reviewing scan results, including reviewing any quarantined files or detected malware

2. Identify how the tool could be used during the incident response and recovery process (it may be useful in more than one phase). Typical uses include:

   a. Detecting malware at the point of entry to the system (e.g. in an email message or web page)
   b. Detecting intrusion attempts in real time
   c. Analyzing files and file systems to detect and identify malware
   d. Quarantining files suspected of carrying threat payloads
   e. Deleting infected files
   f. Scanning removable media
   g. Reviewing Windows Event Log entries to find relevant event IDs and incident reporting information
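The items above (definition updates, real-time scanning, quick/full/removable-media scans, reviewing detections, and pulling the Defender event IDs an incident report cites) map directly onto the built-in Defender PowerShell module. The script below is an added example for this procedure, not text from the assignment or Microsoft documentation; it assumes an elevated PowerShell session on Windows 10 and that the removable media under review is mounted as drive E: (adjust $removable). The event IDs listed are Microsoft's documented Windows Defender operational-log IDs.

```powershell
# Added example (not part of the assignment): Windows Defender status check,
# scan launch and evidence collection for an incident responder on Windows 10.
#Requires -RunAsAdministrator

# --- 1a. Definition (signature) update status ---------------------------------
$status = Get-MpComputerStatus
[pscustomobject]@{
    AVSignatureVersion  = $status.AntivirusSignatureVersion
    AVSignatureAge_Days = $status.AntivirusSignatureAge
    RealTimeProtection  = $status.RealTimeProtectionEnabled
    LastQuickScanEnd    = $status.QuickScanEndTime
    LastFullScanEnd     = $status.FullScanEndTime
} | Format-List

# Definitions older than a day are stale for response work; refresh them first.
if ($status.AntivirusSignatureAge -gt 1) {
    Update-MpSignature          # pulls the latest definitions from the configured update source
}

# --- 1b. Real-time scanning must be on before relying on live detection -------
$pref = Get-MpPreference
if ($pref.DisableRealtimeMonitoring) {
    Set-MpPreference -DisableRealtimeMonitoring $false
}
# Make full scans include removable drives as well.
Set-MpPreference -DisableRemovableDriveScanning $false

# --- 1c/1d. Scans: quick scan covers the high-risk areas; full scan when an
# infection is suspected (long-running, so start it once containment allows).
Start-MpScan -ScanType QuickScan
# Start-MpScan -ScanType FullScan

# --- 1e. Removable media: custom scan of the drive holding the media ----------
$removable = 'E:\'      # assumption: drive letter of the removable media under review
if (Test-Path $removable) {
    Start-MpScan -ScanType CustomScan -ScanPath $removable
}

# --- 1f. Review results: what was detected, where, and what Defender did ------
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object InitialDetectionTime, ThreatID, ProcessName,
                  @{n='Resources'; e={ $_.Resources -join '; ' }}, ActionSuccess |
    Format-Table -AutoSize

# Threats still known to Defender (IsActive = $true means not yet remediated)
Get-MpThreat | Select-Object ThreatName, SeverityID, IsActive, Resources | Format-Table -AutoSize

# --- 2g. Event log: the Defender operational channel carries the IDs cited in
# an incident report. IDs below are Microsoft's documented Defender event IDs.
$ids = @{
    1000 = 'Scan started'
    1001 = 'Scan finished'
    1006 = 'Malware or unwanted software detected'
    1007 = 'Action taken on detected item'
    1116 = 'Malware detected (real-time protection)'
    1117 = 'Action taken (real-time protection)'
    2000 = 'Signature definitions updated'
    5001 = 'Real-time protection disabled'
}
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = [int[]]$ids.Keys
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
                  @{n='Meaning'; e={ $ids[$_.Id] }},
                  @{n='Detail';  e={ ($_.Message -split "`n")[0] }} |
    Format-Table -AutoSize
```

Event 5001 deserves attention during review: real-time protection being switched off on an endpoint shortly before a detection is itself a finding, and the TimeCreated values from this channel give the timeline entries a responder records alongside the quarantined file paths returned by Get-MpThreatDetection.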

Procedure 2: Windows 10 Windows SmartScreen

This procedure will instruct incident responders in the use of the Windows Defender SmartScreen application to detect and prevent threats and attacks against Windows 10 endpoint devices.

1. Identify how the SmartScreen tool could be used during the incident response and recovery process (it may be useful in more than one phase). Typical uses include:

   a. Detect and block known bad websites
   b. Detect and block known bad application downloads and installation attempts
   c. Detect and report suspicious websites, web pages, and file downloads
   d. Reviewing Windows Event Log entries (generated by SmartScreen) to find relevant event IDs and incident reporting information

2. Write a guidance document that identifies the tool, explains the capabilities it provides, and then lists and briefly describes the recommended uses as documented by Microsoft (2017a, 2017b, 2017c, 2017d). Add a list of resources that can be consulted for additional information. Next, summarize the procedures required to perform the tasks listed under item b.1 (do not provide step-by-step instructions). Close your guidance document with a Notes / Warnings / Restrictions section that answers the question "Is there anything else the incident responder needs to be aware of when using or configuring this tool?"
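SmartScreen has no dedicated PowerShell module, so a responder verifies it through its policy registry values and its event channel. The script below is an added example for this procedure (not from the assignment or Microsoft's documents); it assumes an elevated session on Windows 10, the documented policy locations under HKLM\SOFTWARE\Policies\Microsoft\Windows\System and HKLM\SOFTWARE\Policies\Microsoft\Edge, the SmartScreen event channel Microsoft-Windows-SmartScreen/Debug (disabled by default), and a placeholder path for a downloaded file under review.

```powershell
# Added example (not part of the assignment): check and enforce Windows Defender
# SmartScreen policy on a Windows 10 host, confirm a download carries the
# Mark of the Web that SmartScreen evaluates, and collect SmartScreen events.
#Requires -RunAsAdministrator

# Policy values for Explorer / app-and-file SmartScreen:
#   EnableSmartScreen      1 = enabled, 0 = disabled
#   ShellSmartScreenLevel  'Warn' lets the user bypass; 'Block' does not
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
[pscustomobject]@{
    PolicyPresent         = [bool]$policy
    EnableSmartScreen     = $policy.EnableSmartScreen
    ShellSmartScreenLevel = $policy.ShellSmartScreenLevel
} | Format-List

# Enforce: SmartScreen on and set to Block so users cannot click through a warning.
if (-not $policy -or $policy.EnableSmartScreen -ne 1 -or $policy.ShellSmartScreenLevel -ne 'Block') {
    New-Item -Path $policyKey -Force | Out-Null
    Set-ItemProperty -Path $policyKey -Name EnableSmartScreen     -Type DWord  -Value 1
    Set-ItemProperty -Path $policyKey -Name ShellSmartScreenLevel -Type String -Value 'Block'
}

# Microsoft Edge SmartScreen policy (1 = enabled); $null means no policy is set.
$edgeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$edge = (Get-ItemProperty -Path $edgeKey -ErrorAction SilentlyContinue).SmartScreenEnabled
"Edge SmartScreenEnabled policy: $edge"

# SmartScreen only evaluates files that carry the Zone.Identifier alternate data
# stream (Mark of the Web). ZoneId=3 means the file came from the Internet zone.
$suspect = "$env:USERPROFILE\Downloads\example.exe"   # assumption: file under review
if (Test-Path $suspect) {
    Get-Content -Path $suspect -Stream Zone.Identifier -ErrorAction SilentlyContinue
}

# Event review: the SmartScreen channel is off by default; enable it so future
# block/warn decisions are logged, then read what is already there.
$channel = 'Microsoft-Windows-SmartScreen/Debug'
$log = Get-WinEvent -ListLog $channel -ErrorAction SilentlyContinue
if ($log -and -not $log.IsEnabled) {
    $log.IsEnabled = $true
    $log.SaveChanges()
}
Get-WinEvent -LogName $channel -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{n='Detail'; e={ ($_.Message -split "`n")[0] }} |
    Format-Table -AutoSize
```

The Notes / Warnings / Restrictions section the assignment asks for is where the two caveats this script surfaces belong: a missing Zone.Identifier stream (for example on a file copied from removable media or extracted by a tool that strips it) means SmartScreen never evaluated that file, and an event channel that was disabled at the time of the incident yields no SmartScreen entries to cite, so enabling it is a preparation-phase task rather than a detection-phase one.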
