Conclusion - AWS Security Incident Response Guide


Each operations phase has unique goals, techniques, methodologies, and strategies. Table 4 summarizes these phases and some of the techniques and methodologies covered in this section.

Table 4 – Operations phases: Goals, techniques, and methodologies

Phase Goal Techniques and methodologies
Detection Identify a potential security event.
  • Security controls for detection

  • Behavior and rule-based detection

  • People-based detection

Analysis Determine if the security event is an incident and assess the scope of the incident.
  • Validate and scope alert

  • Query logs

  • Threat intelligence

  • Automation

Containment Minimize and limit the impact of the security event.
  • Source containment

  • Technique and access containment

  • Destination containment

Eradication Remove unauthorized resources or artifacts related to the security event.
  • Compromised or unauthorized credential rotation or deletion

  • Unauthorized resource deletion

  • Malware removal

  • Security scans

Recovery Restore systems to a known good state and monitor these systems to ensure the threat does not return.
  • System restoration from backups

  • Systems rebuilt from scratch

  • Compromised files replaced with clean versions