60 lines
1.9 KiB
Python
60 lines
1.9 KiB
Python
def get_dfir_content():
|
|
return [
|
|
{
|
|
"title": "PICERL Framework",
|
|
"content": """
|
|
- Phases: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned.
|
|
- Example: Containment using decoys or monitoring tools.
|
|
""",
|
|
"resources": [
|
|
"https://www.sans.org/",
|
|
"https://www.cisa.gov/"
|
|
]
|
|
},
|
|
{
|
|
"title": "Containment Challenges",
|
|
"content": """
|
|
- Rapid containment avoids losing critical intelligence.
|
|
- No containment leads to prolonged adversary presence (whack-a-mole).
|
|
""",
|
|
"resources": [
|
|
"https://www.ncsc.gov.uk/",
|
|
"https://attack.mitre.org/"
|
|
]
|
|
},
|
|
{
|
|
"title": "Hunt vs. Reactive Teams",
|
|
"content": """
|
|
- Reactive (Incident Response): Firefighting approach, putting out fires.
|
|
- Hunt Teams: Proactive, leveraging threat intelligence to predict and disrupt.
|
|
""",
|
|
"resources": [
|
|
"https://www.fireeye.com/",
|
|
"https://www.mandiant.com/"
|
|
]
|
|
},
|
|
{
|
|
"title": "Detection Engineering",
|
|
"content": """
|
|
- Focus on enabling actionable and collaborative processes.
|
|
- Outsource or automate repetitive tasks while maintaining oversight of critical alerts.
|
|
""",
|
|
"resources": [
|
|
"https://redcanary.com/",
|
|
"https://www.crowdstrike.com/"
|
|
]
|
|
},
|
|
{
|
|
"title": "Advanced Forensic Tools",
|
|
"content": """
|
|
- Volatility: Memory analysis.
|
|
- Splunk and Loggly: Advanced log analysis and monitoring.
|
|
- MFT Analysis: Tools like MFTECmd for NTFS evidence.
|
|
""",
|
|
"resources": [
|
|
"https://volatilityfoundation.org/",
|
|
"https://www.splunk.com/"
|
|
]
|
|
}
|
|
]
|