WEBVTT

00:00.649 --> 00:02.760
>> Now let's talk a little bit

00:02.760 --> 00:04.170
about what we're going to do if

00:04.170 --> 00:05.880
our monitoring indicates that

00:05.880 --> 00:08.130
negative events have
occurred on the network.

00:08.130 --> 00:11.040
That would involve an
incident response and

00:11.040 --> 00:14.550
sometimes it can lead to
forensic investigations.

00:14.550 --> 00:17.205
With the incident
response process,

00:17.205 --> 00:18.555
you have four basic steps

00:18.555 --> 00:20.100
and they need to
happen in order.

00:20.100 --> 00:24.135
One preparation,
two identification,

00:24.135 --> 00:27.000
three containment
eradication and

00:27.000 --> 00:30.120
recovery and four
lessons learned.

00:30.120 --> 00:32.820
Regarding preparation,
the best thing to

00:32.820 --> 00:35.730
prepare for an incident
is before it happens.

00:35.730 --> 00:37.600
As obvious as that seems,

00:37.600 --> 00:39.290
it doesn't always go that way.

00:39.290 --> 00:41.330
But this is where we
get our policies and

00:41.330 --> 00:42.680
procedures in order and

00:42.680 --> 00:45.055
train our incident
response team.

00:45.055 --> 00:48.935
On the test you could see
the abbreviation IRP,

00:48.935 --> 00:51.965
which refers to incident
response policies.

00:51.965 --> 00:54.515
You could also see CIRT,

00:54.515 --> 00:57.230
which is computer
incident response team.

00:57.230 --> 00:59.360
There are various other
acronyms that are

00:59.360 --> 01:01.265
related to these same concepts.

01:01.265 --> 01:03.590
Before the test, I think
you will most likely

01:03.590 --> 01:06.900
see CIRT team and IRP.

01:07.570 --> 01:10.100
Regarding identification,

01:10.100 --> 01:12.350
when we talk about things
that occur on the network,

01:12.350 --> 01:13.940
it's important to
understand that

01:13.940 --> 01:16.145
an event is simply
a change in state.

01:16.145 --> 01:19.100
It's not necessarily
negative or positive.

01:19.100 --> 01:20.630
But if an event or

01:20.630 --> 01:23.345
multiple events have a negative
impact on the network,

01:23.345 --> 01:25.765
that's when it
becomes an incident.

01:25.765 --> 01:29.140
An incident is
always negative and

01:29.140 --> 01:32.240
only after we identify an
event as being an incident,

01:32.240 --> 01:34.234
then we will move
on to containment,

01:34.234 --> 01:36.185
eradication, and recovery,

01:36.185 --> 01:38.490
and then lessons learned.

01:38.680 --> 01:42.095
Now, I'll just mention
for identification

01:42.095 --> 01:43.280
earlier when we talked

01:43.280 --> 01:45.320
about implementing
security controls,

01:45.320 --> 01:46.865
we mentioned KRIs,

01:46.865 --> 01:48.995
which are key risk indicators.

01:48.995 --> 01:50.660
We talked about that way in

01:50.660 --> 01:53.185
the beginning when we talked
about risk management.

01:53.185 --> 01:55.685
We said that when we
implement a control,

01:55.685 --> 01:57.920
we need to have various
alerts in place to make us

01:57.920 --> 02:00.710
aware that a risk is
going to materialize.

02:00.710 --> 02:03.200
For example, when I see

02:03.200 --> 02:05.660
network utilization
go above 50 percent

02:05.660 --> 02:07.520
for a sustained period of time,

02:07.520 --> 02:09.440
that might be an
indication of denial

02:09.440 --> 02:10.709
of service attack.

02:10.709 --> 02:13.850
That's the KRI. One
of the things that

02:13.850 --> 02:15.680
makes incident
response successful

02:15.680 --> 02:17.555
is to know what
we're looking for,

02:17.555 --> 02:20.510
and then to set up those
KRIs and map them to

02:20.510 --> 02:21.980
alarms or triggers to let us

02:21.980 --> 02:24.355
know where there is an incident.

02:24.355 --> 02:28.155
Also, we have our IDS and IPS,

02:28.155 --> 02:30.000
incident detection system and

02:30.000 --> 02:31.894
incident prevention system.

02:31.894 --> 02:33.920
We have a lot of
tools that we can use

02:33.920 --> 02:36.065
to determine if there
has been an incident.

02:36.065 --> 02:37.790
But it's all about using them

02:37.790 --> 02:40.440
together and using
them effectively.

02:41.260 --> 02:44.210
Once we've prepared and
identified an incident,

02:44.210 --> 02:45.200
what do we do?

02:45.200 --> 02:47.165
We contain the problem.

02:47.165 --> 02:49.670
This means isolating it and
preventing the spread of

02:49.670 --> 02:53.465
malware or any infection
from one host to another.

02:53.465 --> 02:56.720
You want to isolate the
systems and quarantine them.

02:56.720 --> 02:59.045
That doesn't mean
powering off the systems

02:59.045 --> 03:01.490
unless that is the
only choice you have.

03:01.490 --> 03:03.665
If you have to power
down the system,

03:03.665 --> 03:05.360
you might be getting rid of
evidence that you'll want

03:05.360 --> 03:07.910
later, so you want
to avoid that.

03:07.910 --> 03:09.590
Isolate the system in

03:09.590 --> 03:12.625
the least disruptive manner
that you possibly can.

03:12.625 --> 03:15.390
Now with eradication, we want to

03:15.390 --> 03:17.555
get whatever is on
the system off of it,

03:17.555 --> 03:20.300
whether it's malware
or some infection.

03:20.300 --> 03:21.830
But essentially, we want to

03:21.830 --> 03:24.110
remove the source
of the problem.

03:24.110 --> 03:26.420
Then recovery means
we're going to

03:26.420 --> 03:28.400
get back to full operations.

03:28.400 --> 03:30.200
An incident isn't over until

03:30.200 --> 03:32.965
you are back up and
running completely.

03:32.965 --> 03:35.210
Then after that, we're going to

03:35.210 --> 03:37.460
document what happened
and what we learned.

03:37.460 --> 03:39.260
It's always critical to
document your lessons

03:39.260 --> 03:42.150
learned so you can apply
them for the future.

