WEBVTT

00:00.000 --> 00:02.220
>> Incident response.

00:02.220 --> 00:05.070
The learning objectives
for this lesson

00:05.070 --> 00:08.279
are to define each step of the
incident response process,

00:08.279 --> 00:11.114
to explore incident
response playbooks,

00:11.114 --> 00:13.665
and to detail the importance
of lessons learned.

00:13.665 --> 00:16.440
Let's get started. Here is

00:16.440 --> 00:19.080
an overview of the
incident response process.

00:19.080 --> 00:20.520
We begin with preparation,

00:20.520 --> 00:21.960
which is where we harden our systems,

00:21.960 --> 00:23.610
we create policies
and procedures,

00:23.610 --> 00:26.660
we also create our incident
response procedure.

00:26.660 --> 00:28.920
Then we move to
detection and analysis,

00:28.920 --> 00:31.215
where we decide if an
incident has occurred,

00:31.215 --> 00:32.730
how serious it is, and then we

00:32.730 --> 00:34.605
would notify our stakeholders.

00:34.605 --> 00:36.390
After that, we move
to containment

00:36.390 --> 00:38.305
where we limit the
scope of the breach,

00:38.305 --> 00:40.140
and after that, we move
to eradication and

00:40.140 --> 00:42.645
recovery where we remove
the cause of the breach.

00:42.645 --> 00:45.605
Then finally we have our
post-incident activity

00:45.605 --> 00:47.000
where we have our after-action

00:47.000 --> 00:48.800
review or lessons learned,

00:48.800 --> 00:51.325
what did we do well and
what can we improve.

00:51.325 --> 00:54.395
Let's go over each of
these in more detail.

00:54.395 --> 00:58.700
Preparation. The first
thing we would do

00:58.700 --> 00:59.810
here is to identify

00:59.810 --> 01:02.330
our critical systems and
their current state.

01:02.330 --> 01:04.790
We would also want to
harden key systems

01:04.790 --> 01:07.220
by removing any
unnecessary services,

01:07.220 --> 01:08.840
and making configuration
changes that

01:08.840 --> 01:10.835
help us further
secure the system.

01:10.835 --> 01:12.260
We also want to create

01:12.260 --> 01:14.540
our proper policies
and procedures,

01:14.540 --> 01:17.240
including our incident
response procedure.

01:17.240 --> 01:19.580
What backup systems do we have?

01:19.580 --> 01:21.815
Have we tested those
backup systems?

01:21.815 --> 01:23.570
How often do they back up?

01:23.570 --> 01:25.775
All of that needs
to be considered.

01:25.775 --> 01:27.860
A thing I like to consider
when I think about

01:27.860 --> 01:29.990
preparation is when did
Noah build the ark?

01:29.990 --> 01:32.760
He built it before
it started raining.

01:34.240 --> 01:37.985
Then we move to the
detection and analysis phase.

01:37.985 --> 01:40.205
The first step is to determine

01:40.205 --> 01:42.050
if an incident has
actually occurred.

01:42.050 --> 01:44.810
Is it just a false
positive or has something

01:44.810 --> 01:47.360
happened that we really
need to look deeper into?

01:47.360 --> 01:48.710
If it has happened,

01:48.710 --> 01:50.450
then we need to classify it.

01:50.450 --> 01:52.040
Then once it's classified,

01:52.040 --> 01:54.905
we need to notify the
appropriate stakeholders,

01:54.905 --> 01:58.830
based on the level of the
incident, who needs to be told?

01:59.980 --> 02:02.465
Who all needs to be
involved with this,

02:02.465 --> 02:04.130
and what level of
information needs to be

02:04.130 --> 02:05.780
given to each one of those?

02:05.780 --> 02:07.490
Stakeholders may
also be different

02:07.490 --> 02:10.320
depending on the severity
of the incident.

02:11.390 --> 02:14.750
Containment. Now that we've

02:14.750 --> 02:17.270
identified that this
is an incident,

02:17.270 --> 02:19.415
and we've let the appropriate
stakeholders know,

02:19.415 --> 02:22.160
we have to set about
containing this breach.

02:22.160 --> 02:23.750
This is a critical stage of

02:23.750 --> 02:25.940
our incident response process.

02:25.940 --> 02:28.295
Our goal here is to
limit the scope.

02:28.295 --> 02:31.175
We don't want it to spread
any further to other systems.

02:31.175 --> 02:33.020
We can use firewall rules or

02:33.020 --> 02:36.780
router ACLs to help us
prevent lateral movement.

02:38.270 --> 02:42.175
Then we move to the eradication
and recovery phase.

02:42.175 --> 02:45.040
This is where we isolate
the impacted systems,

02:45.040 --> 02:47.545
and we begin to remove the
source of the incident.

02:47.545 --> 02:49.585
Is it malware, ransomware?

02:49.585 --> 02:51.280
What we want to do is keep it

02:51.280 --> 02:53.365
from spreading and
then clean it.

02:53.365 --> 02:56.860
This process may need to
be repeated several times,

02:56.860 --> 02:59.410
so that we're absolutely
sure that the system is

02:59.410 --> 03:03.080
clean and we're ready for it
to go back into production.

03:03.650 --> 03:07.210
Then finally, we have our
post-incident activity.

03:07.210 --> 03:09.730
This is where all
stakeholders get together,

03:09.730 --> 03:11.335
and we discuss what happened.

03:11.335 --> 03:13.480
What can we improve
for next time?

03:13.480 --> 03:15.220
We want to make sure
that we document

03:15.220 --> 03:16.510
those lessons learned,

03:16.510 --> 03:18.340
and add them to our
procedures so that

03:18.340 --> 03:20.640
next time we don't make
the same mistakes.

03:20.640 --> 03:23.990
Do any of the procedures
need to be changed?

03:23.990 --> 03:25.970
What technology
might we consider

03:25.970 --> 03:28.745
investing in to help keep
this from happening again?

03:28.745 --> 03:30.620
Again, this is also known as

03:30.620 --> 03:32.480
the lessons learned
part of the process.

03:32.480 --> 03:34.915
But the key here is,
this is critical,

03:34.915 --> 03:36.470
because we don't
want to keep making

03:36.470 --> 03:38.270
the same mistakes
over and over again.

03:38.270 --> 03:39.620
If there is something

03:39.620 --> 03:40.865
we can do differently
to prevent it,

03:40.865 --> 03:42.320
we want to make sure
that it's documented

03:42.320 --> 03:43.550
and then passed out to

03:43.550 --> 03:44.900
all key people to help us

03:44.900 --> 03:47.310
ensure that it gets implemented.

03:48.590 --> 03:51.370
Incident response playbooks.

03:51.370 --> 03:54.230
These will describe
the specific actions

03:54.230 --> 03:55.550
that will need to be taken in

03:55.550 --> 03:58.040
response to different
sorts of incidents.

03:58.040 --> 04:00.200
The goal is to provide clarity,

04:00.200 --> 04:02.435
when you're not in your
right frame of mind.

04:02.435 --> 04:04.070
An incident response is often

04:04.070 --> 04:06.665
a chaotic situation and
you're not thinking clearly.

04:06.665 --> 04:10.630
You're maybe a little bit
jumped up on adrenaline.

04:10.630 --> 04:12.395
We want to make sure we

04:12.395 --> 04:14.000
have a checklist,
or in this case,

04:14.000 --> 04:15.470
a playbook that identifies

04:15.470 --> 04:17.120
all the steps we need to take,

04:17.120 --> 04:20.850
to respond to very specific
types of incidents.

04:21.340 --> 04:23.600
Imagine it this way.

04:23.600 --> 04:26.180
Ransomware response
won't necessarily be the

04:26.180 --> 04:29.345
same as a DDoS attack.

04:29.345 --> 04:31.160
We want to have
those steps already

04:31.160 --> 04:32.900
predefined for
each one of those.

04:32.900 --> 04:34.460
Those steps may change,

04:34.460 --> 04:36.050
as we go through
different incidents

04:36.050 --> 04:37.790
and we go through
our lessons learned.

04:37.790 --> 04:40.520
We are also ensuring that

04:40.520 --> 04:42.170
only approved steps and

04:42.170 --> 04:44.150
actions are being
performed on this,

04:44.150 --> 04:47.520
because we've got those
documented in our playbooks.

04:47.570 --> 04:50.390
Let's summarize. We went over

04:50.390 --> 04:52.685
the five steps of
incident response.

04:52.685 --> 04:54.380
We also went over the importance

04:54.380 --> 04:56.480
of incident response playbooks.

04:56.480 --> 04:59.545
We also discussed the
importance of lessons learned.

04:59.545 --> 05:01.970
Let's do some example questions.

05:01.970 --> 05:05.425
Question 1, this is
a formal document

05:05.425 --> 05:06.560
that details the steps

05:06.560 --> 05:10.500
necessary to respond to
a specific incident.

05:10.850 --> 05:15.270
Incident response
playbook. Question 2,

05:15.270 --> 05:18.185
in this stage of the
incident response process,

05:18.185 --> 05:19.910
changes that need to be made for

05:19.910 --> 05:22.560
future incidents are discussed.

05:22.940 --> 05:26.165
Stage 5, our post-incident
activity,

05:26.165 --> 05:28.265
or lessons learned.

05:28.265 --> 05:30.530
Question 3, in

05:30.530 --> 05:32.930
this stage of the incident
response process,

05:32.930 --> 05:34.250
the source of the incident is

05:34.250 --> 05:37.200
removed from impacted systems.

05:37.310 --> 05:41.200
Stage 4, eradication
and recovery.

05:41.200 --> 05:43.400
Finally, Question 4, in

05:43.400 --> 05:45.710
this stage of the incident
response process,

05:45.710 --> 05:47.870
systems are hardened
against attacks.

05:47.870 --> 05:49.985
We will create policies
and procedures,

05:49.985 --> 05:53.400
and also key personnel
are identified.

05:54.230 --> 05:56.914
Stage 1 or preparation.

05:56.914 --> 05:58.370
I hope this lesson was helpful

05:58.370 --> 06:00.690
for you, and I'll see
you in the next one.

