
Network information system emergency response

2022-06-11 13:09:00 Xiao Wang is not serious


Network security emergency response mainly provides a mechanism that ensures that when assets come under attack, professional personnel, security technology and other resources can be obtained in time; that in an emergency the work proceeds efficiently and in an orderly manner according to established procedures; that network services are protected from further compromise; and that after network assets have been damaged, the business system can be restored as quickly as possible, reducing business losses.

China's emergency response organization

CNCERT/CC was founded in August 2001; its home page is http://www.cert.org.cn/. Its main responsibility is to coordinate China's computer network security incident emergency response teams in jointly handling security emergencies on the national public telecommunications infrastructure network; to provide computer network security monitoring, early warning, emergency response, prevention and other security services and technical support for the national public telecommunications infrastructure network, major national network information application systems and key departments; to collect, verify, summarize and publish authoritative information about Internet security in a timely manner; and to organize domestic computer network security emergency organizations in international cooperation and exchange.


Its work covers the following:

  1. Information collection
  2. Incident monitoring
  3. Incident handling
  4. Data analysis
  5. Resource building
  6. Security research
  7. Security training
  8. Technical consulting
  9. International exchange

Emergency response stages

  1. Preparation stage

    The main work in the preparation stage is to establish reasonable defensive and control measures, establish appropriate policies and procedures, obtain the necessary resources and set up an emergency response team.

  2. Detection stage

    Initial actions and responses are taken in the detection stage: based on the preliminary material obtained and the results of its analysis, estimate the scope of the incident, develop the further response strategy, and preserve evidence that may be needed in judicial proceedings.

  3. Containment stage

    The purpose of containment is to limit the scope of the attack. Containment measures matter because many security incidents spread quickly and get out of control if they are not contained.

  4. Eradication stage

    After the incident has been contained, analyze the malicious code or behaviour to find the root cause of the incident and eliminate it completely.

  5. Recovery stage

    The goal of the recovery stage is to restore all compromised systems and network devices fully to their normal operating state.

  6. Report and summary stage

    The goal of this stage is to review and organize all information relevant to the incident and document as much of it as possible. These records are not only important for the follow-up work of the departments involved; they are also a valuable accumulation of experience for future emergency response work.

Windows system emergency response methods

  1. Unplug the network cable and turn off the wireless network
  2. View and compare processes to find the problem process
  3. View and compare ports to find the port causing the problem
  4. Identify the program that owns each open port
  5. View and compare the registry
  6. Check the logs of other security tools
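Steps 2 to 5 amount to diffing the suspect host against a known-good snapshot and tying every new port back to the process that owns it. The script below is an added example, not code from the original article: it parses the text that `tasklist /fo csv`, `netstat -ano` and `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` produce on the host and reports what is new. The two snapshots embedded in it are constructed for the example (the host name, PIDs, ports, the `svchst.exe` image and the `Updater` Run value are all invented), and the snapshot layout (a dict with the three raw outputs) is this example's own convention.

```python
"""Offline triage helper: diff a clean baseline against a suspect snapshot.
Inputs are the raw text of `tasklist /fo csv`, `netstat -ano` and
`reg query <Run key>`. All sample output below is constructed for this example."""
import csv
import io
import json
import re


def parse_tasklist_csv(text):
    """{pid: image name} from `tasklist /fo csv` output."""
    reader = csv.DictReader(io.StringIO(text.strip()))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def parse_netstat(text):
    """[(proto, local, remote, state, pid)] from `netstat -ano` output.
    UDP rows have no State column, so an empty state is inserted for them."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header lines and blank lines
        if parts[0] == "UDP":
            parts.insert(3, "")
        proto, local, remote, state, pid = parts
        rows.append((proto, local, remote, state, int(pid)))
    return rows


def parse_reg_query(text):
    """{value name: data} from `reg query <key>` output.
    Value lines are indented and separated by runs of four spaces."""
    values = {}
    for line in text.splitlines():
        if not line.startswith("    "):
            continue  # the key path line itself, or a blank line
        fields = re.split(r"\s{4,}", line.strip())
        if len(fields) == 3:
            name, _reg_type, data = fields
            values[name] = data
    return values


def conn_key(conn):
    """Comparison key that survives a reboot: listeners by local port, outbound
    connections by remote endpoint (PIDs and ephemeral source ports change)."""
    proto, local, remote, state, _pid = conn
    if state == "LISTENING" or proto == "UDP":
        return (proto, "listen", local.rsplit(":", 1)[1])
    return (proto, state, remote)


def diff_snapshots(baseline, suspect):
    """New processes (by image name), new connections mapped to their owning
    image, and Run-key changes between two snapshots."""
    base_procs = parse_tasklist_csv(baseline["tasklist"])
    sus_procs = parse_tasklist_csv(suspect["tasklist"])
    new_procs = {pid: name for pid, name in sus_procs.items()
                 if name not in base_procs.values()}

    base_keys = {conn_key(c) for c in parse_netstat(baseline["netstat"])}
    new_conns = []
    for conn in parse_netstat(suspect["netstat"]):
        if conn_key(conn) in base_keys:
            continue
        proto, local, remote, state, pid = conn
        new_conns.append({"proto": proto, "local": local, "remote": remote,
                          "state": state, "pid": pid,
                          "image": sus_procs.get(pid, "<no such PID>")})

    base_run = parse_reg_query(baseline["run_key"])
    sus_run = parse_reg_query(suspect["run_key"])
    run_changes = {
        "added": {k: v for k, v in sus_run.items() if k not in base_run},
        "removed": {k: v for k, v in base_run.items() if k not in sus_run},
        "modified": {k: (base_run[k], sus_run[k]) for k in base_run
                     if k in sus_run and base_run[k] != sus_run[k]},
    }
    return {"new_processes": new_procs, "new_connections": new_conns,
            "run_key_changes": run_changes}


# Constructed snapshots (not real host data).
BASELINE = {
    "tasklist": """
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","152 K"
"lsass.exe","700","Services","0","14,212 K"
"svchost.exe","912","Services","0","12,344 K"
"explorer.exe","3044","Console","1","88,560 K"
""",
    "netstat": """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:49672     52.96.0.10:443         ESTABLISHED     3044
  UDP    0.0.0.0:5353           *:*                                    912
""",
    "run_key": r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
""",
}
SUSPECT = {
    "tasklist": BASELINE["tasklist"] + '"svchst.exe","4120","Services","0","5,120 K"\n',
    "netstat": """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       4120
  TCP    192.168.1.10:49688     52.96.0.10:443         ESTABLISHED     3044
  TCP    192.168.1.10:49700     203.0.113.5:8080       ESTABLISHED     4120
  UDP    0.0.0.0:5353           *:*                                    912
""",
    "run_key": BASELINE["run_key"] + "    Updater    REG_SZ    C:\\Users\\Public\\svchst.exe\n",
}

if __name__ == "__main__":
    print(json.dumps(diff_snapshots(BASELINE, SUSPECT), indent=2))
```

Capture `netstat -ano` as early as possible: established connections vanish once the cable is pulled, and the remote endpoint is often the fastest pointer to the problem process. Comparing by image name and by port or remote endpoint rather than by PID is deliberate, since PIDs and ephemeral ports differ between the baseline and the suspect host.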

Computer crime forensics

  1. Comparative analysis
  2. Keyword search
  3. Data recovery
  4. File fingerprint analysis
  5. Residual data analysis
  6. Analysis of free space on disk storage
  7. Analysis of backup files, image files, swap files and temporary files
  8. Document analysis
  9. Intrusion detection analysis
  10. Trap (honeypot) techniques
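The list names the techniques without showing what they do. The following is an added example, not part of the original article, that exercises three of them on a constructed raw disk image: file fingerprint analysis (hash each allocated file and match it against a known-bad hash set), keyword search, and free-space analysis (search the unallocated sectors for residue of deleted data). The image, its allocation map, the "dropper" bytes and the known-bad hash set are all constructed here; a real hash set would come from threat intelligence, and the 512-byte sector size is an assumption.

```python
"""Fingerprint matching and free-space keyword search over a constructed image."""
import hashlib
import re

SECTOR = 512  # assumed sector size
# Constructed "malware" bytes; 628 bytes so the file spans sectors 0 and 1.
DROPPER_BYTES = b"MZ\x90\x00" + b"\x00" * 600 + b"constructed dropper stub"
# Constructed known-bad set (in practice supplied by threat intelligence).
KNOWN_BAD_SHA256 = {hashlib.sha256(DROPPER_BYTES).hexdigest()}


def build_sample_image():
    """8-sector image: one allocated file in sectors 0-1; sectors 2-7 are free,
    but a deleted HTTP request still straddles the sector 5/6 boundary."""
    img = bytearray(8 * SECTOR)
    img[0:len(DROPPER_BYTES)] = DROPPER_BYTES
    residue = b"user=admin&pass=Winter2022! POST /login HTTP/1.1"
    start = 6 * SECTOR - 20  # begins 20 bytes before the end of sector 5
    img[start:start + len(residue)] = residue
    allocation = {"dropper.exe": (0, len(DROPPER_BYTES))}  # name -> (offset, size)
    return bytes(img), allocation


def fingerprint_files(image, allocation):
    """SHA-256 of every allocated file's bytes."""
    return {name: hashlib.sha256(image[off:off + size]).hexdigest()
            for name, (off, size) in allocation.items()}


def match_known_bad(fingerprints, known_bad):
    """Files whose fingerprint appears in the known-bad set."""
    return {name: h for name, h in fingerprints.items() if h in known_bad}


def free_space_runs(image, allocation):
    """Contiguous runs of unallocated sectors as (start, end_exclusive)."""
    used = set()
    for off, size in allocation.values():
        used.update(range(off // SECTOR, (off + size - 1) // SECTOR + 1))
    total = len(image) // SECTOR
    runs, start = [], None
    for s in range(total + 1):
        free = s < total and s not in used
        if free and start is None:
            start = s
        elif not free and start is not None:
            runs.append((start, s))
            start = None
    return runs


def keyword_search(image, runs, patterns):
    """Search each free run as one buffer, so a hit that crosses a sector
    boundary is not missed. Returns sorted (image offset, matched text)."""
    hits = []
    for start, end in runs:
        buf = image[start * SECTOR:end * SECTOR]
        for pat in patterns:
            for m in re.finditer(pat, buf):
                hits.append((start * SECTOR + m.start(), m.group().decode("latin-1")))
    return sorted(hits)


if __name__ == "__main__":
    img, alloc = build_sample_image()
    print(match_known_bad(fingerprint_files(img, alloc), KNOWN_BAD_SHA256))
    runs = free_space_runs(img, alloc)
    print(runs, keyword_search(img, runs, [rb"pass=[^&\s]+", rb"POST /\S+"]))
```

Searching sector by sector would cut the credential fragment in two; searching whole free runs is the detail that makes the free-space keyword search reliable.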

Copyright notice
This article was written by [Xiao Wang is not serious]; when reposting, please include the original link. Thank you.
https://yzsam.com/2022/162/202206111245051638.html