{"id":15142,"date":"2021-09-17T07:30:26","date_gmt":"2021-09-17T05:30:26","guid":{"rendered":"https:\/\/www.secuinfra.com\/?p=15142"},"modified":"2022-04-01T09:20:45","modified_gmt":"2022-04-01T07:20:45","slug":"process-models-using-the-example-of-the-federal-office-for-information-security-bsi","status":"publish","type":"post","link":"https:\/\/testing.secuinfra.com\/en\/techtalk\/process-models-using-the-example-of-the-federal-office-for-information-security-bsi\/","title":{"rendered":"Incident Response Process Models using the Example of the Federal Office for Information Security (BSI)"},"content":{"rendered":"<h2><span class=\"ez-toc-section\" id=\"Incident_Response_Process_Models\"><\/span>Incident Response Process Models<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>One of the most widespread models in German-speaking countries is the process model of the Federal Office for Information Security (BSI). The BSI's model divides the procedure into six phases, which makes it considerably more finely granulated than most other models. 
An alternative to the BSI model is the Casey model, which is widely used in English-speaking countries. With 12 phases, that model is even more detailed than the BSI model; it will be the subject of the next article on process models.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"The_BSI_Model\"><\/span>The BSI Model<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Figure 1 shows the process chain of the BSI model.<\/p>\n<p>The process starts with strategic preparation. It is important to note that the third, fourth and fifth phases form a loop: they can be repeated if later findings show that an earlier pass was insufficient. In addition, documentation starts at the beginning of the third phase and continues without gaps until the last phase.<\/p>\n<p><img fetchpriority=\"high\" decoding=\"async\" class=\"wp-image-15143 aligncenter\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/process-models-EN-300x171.png\" alt=\"Figure 1: the six phases of the BSI process model\" width=\"767\" height=\"437\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/process-models-EN-300x171.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/process-models-EN-1024x584.png 1024w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/process-models-EN-768x438.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/process-models-EN-1536x877.png 1536w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/process-models-EN-2048x1169.png 2048w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/process-models-EN-24x14.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/process-models-EN-36x21.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/process-models-EN-48x27.png 48w\" sizes=\"(max-width: 767px) 100vw, 767px\" \/><\/p>\n<h3>Phase 1: Strategic preparation<\/h3>\n<p>The first phase covers all the preparations that have to be made before a security incident occurs. 
This includes, for example, preparing the software and hardware that will be needed, such as an analysis workstation or a write blocker. Communication rules must also be defined: which department has to be involved, at what point and how, and when, for example, lawyers must be called in.<\/p>\n<h3>Phase 2: Operational preparation<\/h3>\n<p>Operational preparation is carried out once an incident has occurred. At the start, the scope of the investigation is set and the initial suspicion is defined.<\/p>\n<p>Based on this, an inventory of the potentially affected systems is compiled. This ensures that no system is overlooked in the subsequent data collection and that all sources known at that time are taken into account. Questions of data protection must also be clarified in this phase.<\/p>\n<h3>Phase 3: Data collection, recovery<\/h3>\n<p>In phase 3, data is collected according to the specifications made in the operational preparation. A distinction is made between a complete image of all systems and a triage. The former creates a 1-to-1 (bit-for-bit) image of each system in order to preserve all data exactly and avoid destroying any traces; triage is limited to the rapid collection of the data that, in the context of a cyber attack, reveals the attacker's procedure and the type of attack. A detailed article on triage in digital forensics can be found here (<a href=\"https:\/\/testing.secuinfra.com\/en\/news\/digital-forensics-triage-2\/\">Triage in digital forensics<\/a>).<\/p>\n<p>The order in which data is acquired also plays a major role: volatile storage such as RAM should always be acquired first, before non-volatile storage. Phase 3 is also where the chain of custody becomes relevant. This is the complete documentation of the whereabouts of the evidence (who held it, when, and what was done with it) and must be maintained in detail until the investigation is completed. 
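<\/p>\n<p>As an added example, not part of the original article or of the BSI guide, the following Python sketch shows the two points made above in working code: the inventoried sources are sorted so that the most volatile data (RAM) is acquired first, and every acquisition and hand-over is written to a hash-chained chain-of-custody log whose integrity, and that of each evidence item, can be verified later. The volatility ranking beyond RAM-before-disk, the host, evidence and handler names and the sample bytes are constructed assumptions for this example.<\/p>\n
```python
import hashlib
import json
from datetime import datetime, timezone

# Acquisition order, most volatile first. The ranking itself is an assumption
# made for this example; the text only fixes that RAM comes before disk images.
VOLATILITY_ORDER = ['memory', 'network_state', 'running_processes', 'disk_image', 'log_files']


def plan_acquisition(sources):
    # Sort the inventoried sources (from the operational preparation) so that
    # the most volatile data is acquired first; unknown kinds go last.
    rank = {kind: i for i, kind in enumerate(VOLATILITY_ORDER)}
    return sorted(sources, key=lambda s: rank.get(s['kind'], len(rank)))


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    # Append-only chain-of-custody log. Every entry commits to the hash of the
    # previous entry, so deleting or rewriting an entry breaks verify_chain().
    GENESIS = '0' * 64

    def __init__(self):
        self.entries = []

    def _last_hash(self):
        return self.entries[-1]['entry_hash'] if self.entries else self.GENESIS

    def record(self, evidence_id, action, handler, evidence_hash, note='', when=None):
        # action is one of: acquired, transferred, verified
        entry = {
            'evidence_id': evidence_id,
            'action': action,
            'handler': handler,
            'evidence_hash': evidence_hash,
            'note': note,
            'time': when or datetime.now(timezone.utc).isoformat(),
            'prev_hash': self._last_hash(),
        }
        entry['entry_hash'] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry['entry_hash']

    def verify_chain(self):
        # Recompute every entry hash and check the back-links; True only if
        # the log is intact from the first acquisition to the last entry.
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != 'entry_hash'}
            if body['prev_hash'] != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e['entry_hash']:
                return False
            prev = e['entry_hash']
        return True

    def verify_evidence(self, evidence_id, data):
        # Compare the item as it is now with the hash recorded at acquisition.
        for e in self.entries:
            if e['evidence_id'] == evidence_id and e['action'] == 'acquired':
                return sha256_hex(data) == e['evidence_hash']
        return False


def demo():
    # Constructed sample inventory and evidence bytes (no real systems involved).
    inventory = [
        {'host': 'srv01', 'kind': 'disk_image'},
        {'host': 'srv01', 'kind': 'memory'},
        {'host': 'srv01', 'kind': 'log_files'},
    ]
    evidence = {
        'srv01-memory': b'constructed RAM sample',
        'srv01-disk_image': b'constructed disk image sample',
        'srv01-log_files': b'constructed syslog sample',
    }
    log = CustodyLog()
    order = []
    for src in plan_acquisition(inventory):
        eid = src['host'] + '-' + src['kind']
        order.append(src['kind'])
        note = 'write blocker used' if src['kind'] == 'disk_image' else ''
        log.record(eid, 'acquired', 'analyst_a', sha256_hex(evidence[eid]), note)
    log.record('srv01-disk_image', 'transferred', 'analyst_b',
               sha256_hex(evidence['srv01-disk_image']), 'handed over for data investigation')
    intact_before = log.verify_chain() and log.verify_evidence('srv01-disk_image', evidence['srv01-disk_image'])
    # A modified image no longer matches the hash recorded at acquisition.
    tampered = log.verify_evidence('srv01-disk_image', evidence['srv01-disk_image'] + b'x')
    # An altered log entry breaks the hash chain.
    log.entries[0]['handler'] = 'someone_else'
    intact_after = log.verify_chain()
    return order, intact_before, tampered, intact_after


if __name__ == '__main__':
    print(demo())
```
<p>Each entry commits to the previous entry's hash, so the whole log can be checked end to end when the final report is written, and the hash recorded at acquisition lets a later phase confirm that an image is still the one that was collected.<\/p>\n<p>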
The progress log is also started in this phase.<\/p>\n<h3>Phase 4: Data investigation<\/h3>\n<p>Data investigation is the preliminary stage of the actual analysis. In this phase, the data is prepared for the forensic examination: traces are extracted from the collected evidence and, where necessary, converted to another format. Deleted or corrupt data sets can also be recovered in this phase. If new data sources are identified in the course of this work, the data collection is repeated.<\/p>\n<h3>Phase 5: Data analysis<\/h3>\n<p>The fifth phase deals with evaluating and interpreting the data obtained. As a rule, the data is put into chronological and logical order so that correlations can be recognized and evaluated. If new data sources are identified, or data sets turn out to be incomplete, a new data collection can be initiated, just as in phase 4.<\/p>\n<h3>Phase 6: Final Report<\/h3>\n<p>The final report is also referred to as the final log. The BSI explicitly distinguishes it from the progress log, which is started in phase 3 and forms part of the chain of custody. The progress log records all investigation steps, the forensic tools used and the data collected. Using the progress log, the final log for the specified target group can now be written in the sixth phase. 
It thus contains an overview of the entire forensic process as well as the results of the analysis.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The BSI's model divides the procedure into six phases, which makes it very finely granulated compared to other models.<\/p>\n","protected":false},"author":6,"featured_media":27627,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[86,81],"tags":[],"dpc_coauthors":[],"class_list":["post-15142","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-incident-response","category-techtalk"],"acf":[],"_links":{"self":[{"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/posts\/15142","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/comments?post=15142"}],"version-history":[{"count":0,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/posts\/15142\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/media\/27627"}],"wp:attachment":[{"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/media?parent=15142"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/categories?post=15142"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/tags?post=15142"},{"taxonomy":"dpc_coauthors","embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/dpc_coauthors?post=15142"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}