Which data sources should be collected during incident analysis?

Prepare for the FedVTE Foundations of Incident Management Exam. Use flashcards and multiple choice questions with hints and explanations to boost your readiness. Excel in your exam!

During incident analysis, it is essential to gather a comprehensive set of data sources to get a complete picture of what happened, how it happened, and the impact of the incident. Each of the data sources listed below (DNS and whois records, threat feeds, and application and system logs) plays a vital role in this analysis.

Collecting DNS and whois records is crucial because they provide information about domain names, IP addresses, and their ownership. This information can help identify the source of an attack and the infrastructure used by malicious actors.

Threat feeds are valuable as they provide real-time data on known threats, vulnerabilities, and malicious activities. Utilizing these feeds can help analysts understand the context of an incident, including whether it is part of a larger trend or related to specific adversarial tactics.

Application and system logs are fundamental to incident analysis. They record the activities and behaviors of systems and applications, which can reveal unauthorized access attempts, changes made during the incident, and other relevant actions. These logs can be vital to reconstructing the timeline of the incident.

By integrating insights from all these sources, incident responders can build a more comprehensive understanding of the incident, leading to more effective response and recovery efforts. Each type of data source contributes unique information that enhances the overall analysis, making the collection of all of them essential for thorough incident analysis.
