WEBVTT

00:00:01.020 --> 00:00:05.760
Once the incident has been detected, classified,

00:00:05.770 --> 00:00:10.850
and we've tried to contain it, we want to then eradicate the problem.

00:00:11.470 --> 00:00:15.480
In this case, eradication where we remove the damage,

00:00:15.480 --> 00:00:17.470
the damaged system or software,

00:00:17.820 --> 00:00:23.500
and rebuild the system maybe from backups or making sure that we

00:00:23.500 --> 00:00:28.660
have a clean backup that is not infected as well and apply any

00:00:28.660 --> 00:00:31.590
patches that were missing that maybe allowed the attack to

00:00:31.590 --> 00:00:32.820
happen in the first place.

00:00:33.380 --> 00:00:34.700
In some cases today,

00:00:34.700 --> 00:00:38.880
the problem is that many of the attacks will

00:00:38.880 --> 00:00:43.360
actually affect the hardware itself, and there have been a number of cases,

00:00:43.360 --> 00:00:44.880
especially with ransomware,

00:00:44.970 --> 00:00:49.200
where it's actually required to actually replace the hardware because it's

00:00:49.200 --> 00:00:52.900
impossible to remove the infection that's in there reliably.

00:00:54.600 --> 00:00:58.010
The idea of restoration is we want to get back to normal,

00:00:58.380 --> 00:00:59.580
and of course,

00:00:59.590 --> 00:01:02.020
part of getting back to normal is to recover the

00:01:02.020 --> 00:01:04.110
things that are most important first.

00:01:04.330 --> 00:01:07.710
We set out timelines and priorities for recovery.

00:01:08.560 --> 00:01:09.620
It's important, though,

00:01:09.620 --> 00:01:12.970
that we don't just get back to normal and become re‑infected.

00:01:13.400 --> 00:01:17.280
So we need to take steps to make sure that we've identified the

00:01:17.290 --> 00:01:22.650
actual root cause of the initial infection and taken steps to

00:01:22.650 --> 00:01:24.500
prevent that from happening again.

00:01:26.160 --> 00:01:30.650
We've talked a number of times about documentation and sometimes the

00:01:30.650 --> 00:01:35.200
documentation of the incident is the most valuable thing we have.

00:01:35.660 --> 00:01:40.920
It outlines the steps and procedures we are to use in the recovery process,

00:01:41.200 --> 00:01:45.840
but then it also documents what we did so that we can

00:01:45.840 --> 00:01:49.250
make sure that we can review it, what went well,

00:01:49.250 --> 00:01:50.620
what could be improved,

00:01:50.720 --> 00:01:54.090
are there decisions that would have been easier to

00:01:54.090 --> 00:01:56.940
make if we'd had more information, for example.

00:01:57.420 --> 00:02:03.440
So we keep this documentation in order to assist in reviewing the feedback,

00:02:03.450 --> 00:02:05.900
and of course, future incidents.

00:02:06.530 --> 00:02:09.470
If we've already addressed this problem once,

00:02:09.810 --> 00:02:12.710
it's really good if we know how we did it and we don't have to

00:02:12.710 --> 00:02:17.670
reinvent the wheel and try to find out how to make that same repair

00:02:17.670 --> 00:02:21.030
again or repeat even the same mistakes again.

00:02:22.690 --> 00:02:24.170
Reporting is important.

00:02:24.560 --> 00:02:28.450
We should obviously report when the incident is over so that

00:02:28.450 --> 00:02:31.620
everybody knows that this is now finished and completed.

00:02:32.040 --> 00:02:35.720
But part of the report should include our analysis

00:02:35.720 --> 00:02:38.650
and assessment of the incident, what caused it.

00:02:39.480 --> 00:02:41.170
It could be more than one thing.

00:02:41.860 --> 00:02:44.730
It could be many small things, not one big thing.

00:02:45.140 --> 00:02:48.720
We often say that the problem is that organizations

00:02:48.720 --> 00:02:50.270
look too much for the trigger,

00:02:50.930 --> 00:02:54.100
but the trigger was just the spark that started it.

00:02:55.250 --> 00:02:56.820
That was a small part.

00:02:56.910 --> 00:03:00.340
There were many other things that led up to the incident

00:03:00.350 --> 00:03:03.430
before maybe that spark or trigger happened.

00:03:05.150 --> 00:03:08.490
We document and report on what we did.

00:03:08.850 --> 00:03:11.020
How did we fix the problem?

00:03:11.030 --> 00:03:17.030
And certainly from all of that, we assess how the staff responded as well.

00:03:17.710 --> 00:03:20.770
Not everybody is good during a time of stress,

00:03:21.170 --> 00:03:25.600
and we want to know who are the people that do work well

00:03:25.600 --> 00:03:31.110
and excel when it's a time of stress, so those are key people on our teams.

00:03:32.130 --> 00:03:35.310
All of this should result in lessons learned.

00:03:35.750 --> 00:03:37.000
Now the problem, of course,

00:03:37.000 --> 00:03:41.330
with many organizations is that by the time the incident is over,

00:03:41.330 --> 00:03:43.660
they didn't document anything, and therefore,

00:03:43.660 --> 00:03:46.170
they don't learn what they could have learned from it.

00:03:47.350 --> 00:03:48.670
The key points review.

00:03:49.650 --> 00:03:55.810
We need to have incident response plans because incidents will happen,

00:03:55.810 --> 00:04:00.310
so it's a critical capability required for every business,

00:04:00.870 --> 00:04:04.900
but we also need senior management support when there is an incident.

00:04:05.030 --> 00:04:07.810
It's not that everybody is guessing what should we do,

00:04:07.850 --> 00:04:11.500
but the senior management supports the plans we have in place.

00:04:12.300 --> 00:04:16.329
We know that the plans should be detailed and action‑oriented and

00:04:16.329 --> 00:04:20.160
should list the procedures we will follow and it should be required

00:04:20.160 --> 00:04:22.960
that everybody follows those procedures.

00:04:23.780 --> 00:04:27.030
All of the team members should be properly chosen,

00:04:27.160 --> 00:04:33.050
trained, and equipped to be able to do their job in a crisis time.

00:04:33.720 --> 00:04:38.400
And certainly, incident response should link to our other plans as well,

00:04:38.610 --> 00:04:41.900
such as business continuity, disaster recovery,

00:04:41.910 --> 00:04:43.810
and human resources plans.
