WEBVTT

00:00.300 --> 00:06.690
No matter how well you apply your security controls, no matter how careful you are, incidents will take

00:06.690 --> 00:07.520
place.

00:07.620 --> 00:09.900
And that's what this episode is all about.

00:09.960 --> 00:16.160
Incident Response: what do we do as an organization when an incident takes place?

00:16.170 --> 00:25.730
Now luckily for us, the entire exam is based very heavily on the famous computer incident response process,

00:25.740 --> 00:31.620
so pretty much all of the objectives you're seeing are taken directly from this well-known and popular

00:31.620 --> 00:32.160
source.

00:32.250 --> 00:33.630
And that's a good source for it.

00:33.630 --> 00:40.970
So what I want to do is first let's talk about what actually is the incident response process.

00:41.100 --> 00:44.940
The first step to the incident response process is preparation.

00:44.940 --> 00:46.170
This is the big plan.

00:46.170 --> 00:49.800
First of all we have to define the organization: who's going to do what

00:49.800 --> 00:51.770
in case an incident takes place.

00:51.990 --> 00:58.380
Secondly we need to organize the types of incidents we might be anticipating and define who does what

00:58.380 --> 01:04.860
depending on the type of incident. Part of good preparation is actually going through and drawing some scenarios

01:04.860 --> 01:07.070
and seeing how that works out.

01:07.170 --> 01:13.430
Next we have to talk about reporting: in the case that an incident takes place, what reports go to whom

01:13.440 --> 01:19.600
so that we're aware of this, and also important issues like escalation if the job really gets big.

01:19.620 --> 01:26.460
Number two, and this is actually part of preparation, are practice scenarios. Next is identification: you

01:26.460 --> 01:29.460
need to be able to recognize that an incident has occurred.

01:29.490 --> 01:32.550
So we need to be watching things like reports from users.

01:32.610 --> 01:38.670
We need to be checking the monitoring tools that we might have, watching alerts and logs as part of that.

01:38.670 --> 01:42.510
We also have to assess the impact and define who is involved.

01:43.520 --> 01:49.420
Next is containment. Containment boils down to mitigating the damage, stopping the attack.

01:49.460 --> 01:51.920
We do what we have to do. Do we segregate the network?

01:51.920 --> 01:53.430
Do we shut down the system?

01:53.450 --> 01:55.070
Do we turn off a service?

01:55.100 --> 01:58.090
This is where we handle that type of situation.

01:59.300 --> 02:06.850
Next is eradication, and now it's time to clean up the mess: we remove the malware, we close off the vulnerability,

02:06.920 --> 02:08.630
we add new controls.

02:08.630 --> 02:11.980
We do what we need to do to eradicate the problem.

02:13.230 --> 02:16.820
After that comes recovery, and now it's time to get back to normal.

02:17.040 --> 02:24.510
Here we restore from backups, we pull snapshots, we hire replacement personnel, and very important as part

02:24.510 --> 02:28.940
of recovery is we monitor for a while to ensure good operations.

02:29.880 --> 02:37.050
Last is lessons learned. Here we document the incident, what failed, what worked, and generate the final

02:37.050 --> 02:38.190
report.

02:38.190 --> 02:41.930
So really the big part to all this is preparation.

02:41.940 --> 02:48.480
So what I want to do right now is go through the fairly complicated process of creating a decent Incident

02:48.480 --> 02:51.480
Response Plan.

02:51.590 --> 02:58.370
The cornerstone of any incident response plan is your cyber incident response team, or sometimes also

02:58.370 --> 03:01.350
called your computer incident response team.

03:01.580 --> 03:07.100
These are a group of people within your organization whose job is to respond to all incidents.

03:07.100 --> 03:10.820
These can be full time, part time, or both.

03:10.820 --> 03:16.470
A CIRT is going to consist of an I.T. security team.

03:16.520 --> 03:20.750
These are going to be security pros who understand the incident response process.

03:20.780 --> 03:24.510
They also understand issues like for example forensics.

03:24.680 --> 03:28.940
It might also include your I.T. department to provide technical skills.

03:29.210 --> 03:33.340
It might include human resources in case there's a person involved with the issue.

03:34.110 --> 03:37.970
It could include legal in case there are any legal issues.

03:38.070 --> 03:42.360
And of course public relations to deal with the public.

03:42.480 --> 03:47.780
Next we're going to have to document incident types and category definitions.

03:47.880 --> 03:53.820
We should be able to define things like, well, what do we do if the incident is physical access, or what

03:53.820 --> 03:54.920
if it's malware?

03:54.960 --> 03:56.120
What if it's phishing?

03:56.280 --> 04:01.080
What if we have a social engineering issue, or what if somebody is accessing our data in a way that we

04:01.080 --> 04:02.410
don't want?

04:02.430 --> 04:05.280
Third is roles and responsibilities.

04:05.460 --> 04:12.030
How do we get information to the CIRT that incidents have taken place?

04:12.030 --> 04:13.960
Who has that job?

04:13.980 --> 04:16.310
So things like, for example, users.

04:16.440 --> 04:19.920
How does a user report that something's taking place?

04:20.280 --> 04:26.100
Or perhaps a helpdesk: maybe someone's being socially engineered through the helpdesk and they need some

04:26.100 --> 04:30.030
source to be able to say, I'm recognizing an incident.

04:30.030 --> 04:34.950
Human resources may notice someone quitting and might want to be able to let people know that an issue

04:34.950 --> 04:41.010
could be taking place. A database manager might see a corruption that he had not anticipated before and

04:41.010 --> 04:42.290
need to make that call.

04:43.080 --> 04:49.410
That's why we often see what we call an incident hotline, pretty much a one-stop tool that almost anybody

04:49.410 --> 04:54.350
within your organization can use to determine that there is an incident.

04:54.480 --> 05:01.050
On the other end of that is going to be an incident response manager, or maybe an incident response officer,

05:01.320 --> 05:05.810
whose job is to field these and to determine if they need to go to the team.

05:06.000 --> 05:14.700
Next are reporting requirements and escalation. Any incident is going to have some level of severity, and

05:14.700 --> 05:20.110
determining that severity is important for us to be able to understand what we do with it.

05:20.220 --> 05:22.750
If it's a big deal we need to escalate it.

05:22.770 --> 05:28.320
We need to send it up the chain to the right people within our organization who know how to deal with

05:28.320 --> 05:29.220
it.

05:29.400 --> 05:31.680
Escalation comes into play in a lot of other ways.

05:31.680 --> 05:37.900
For example, reporting to law enforcement. None of these tools are going to work together unless you practice.

05:38.100 --> 05:45.840
Any organization is going to have, at a minimum, annual and in some organizations virtually ongoing practice

05:45.840 --> 05:51.750
scenarios so that they can deal with incident response. I'm not going to fib yet.

05:51.870 --> 05:56.690
There's not going to be that many questions on the exam that actually hit on Incident Response.

05:56.700 --> 05:59.460
However it is a critical tool.

05:59.520 --> 06:07.410
Any organization of any size absolutely must have an incident response plan in place, first so that they

06:07.410 --> 06:08.620
can get back online.

06:08.700 --> 06:14.040
And secondly, to be able to show that they've done good due diligence in case people create a question.
