Incident Response

Time
8 hours 20 minutes
Difficulty
Advanced
CEU/CPE
9
Video Transcription
>> Incident response. The learning objectives for this lesson are to define each step of the incident response process, to explore incident response playbooks, and to detail the importance of lessons learned.

Let's get started. Here is an overview of the incident response process. We begin with preparation, which is where we harden our systems, we create policies and procedures, and we also create our incident response procedure. Then we move to detection and analysis, where we decide if an incident has occurred and how serious it is, and then we would notify our stakeholders. After that, we move to containment, where we limit the scope of the breach, and after that, we move to eradication and recovery, where we remove the cause of the breach. Then finally we have our post-incident activity, where we have our after action review or lessons learned: what did we do well and what can we improve? Let's go over each of these in more detail.

Preparation. The first thing we would do here is to identify our critical systems and their current state. We would also want to harden key systems by removing any unnecessary services and making configuration changes that help us further secure the system. We also want to create our proper policies and procedures, including our incident response procedure. What backup systems do we have? Have we tested those backup systems? How often do they back up? All of that needs to be considered. A thing I like to consider when I think about preparation is: when did Noah build the ark? He built it before it started raining.

Then we move to the detection and analysis phase. The first step is to determine if an incident has actually occurred. Is it just a false positive, or has something happened that we really need to look deeper into? If it has happened, then we need to classify it. Then once it's classified, we need to notify the appropriate stakeholders based on the level of the incident. Who needs to be told? Who all needs to be involved with this, and what level of information needs to be given to each one of those? Stakeholders may also be different depending on the severity of the incident.

Containment. Now that we've identified that this is an incident, and we've let the appropriate stakeholders know, we have to move on to containing this breach. This is a critical stage of our incident response process. Our goal here is to limit the scope. We don't want it to spread any further to other systems. We can use firewall rules or router ACLs to help us prevent lateral movement.

Then we move to the eradication and recovery phase. This is where we isolate the impacted systems, and we begin to remove the source of the incident. Is it malware, ransomware? What we want to do is keep them from spreading and then clean it. This process may need to be repeated several times so that we're absolutely sure that the system is clean and we're ready for it to go back into production.

Then finally, we have our post-incident activity. This is where all stakeholders get together and we discuss what happened. What can we improve for next time? We want to make sure that we document those lessons learned and add them to our procedures so that next time we don't make the same mistakes. Do any of the procedures need to be changed? What technology might we consider investing in to help keep it from happening again? Again, this is also known as the lessons learned part of the process. But the key here is, this is critical, because we don't want to keep making the same mistakes over and over again. If there is something we can do differently to prevent it, we want to make sure that it's documented and then passed out to all key people to help us ensure that it gets implemented.

Incident response playbooks. These will describe the specific actions that will need to be taken in response to different sorts of incidents. The goal is to provide clarity when you're not in your right frame of mind. An incident response is often a chaotic situation and you're not thinking clearly. You're maybe a little bit jumped up on adrenaline. We want to make sure we have a checklist, or in this case, a playbook that identifies all the steps we need to take to respond to very specific types of incidents. Imagine it this way. Ransomware response won't necessarily be the same as a DDoS attack. We want to have those steps already predefined for each one of those. Those steps may change as we go through different incidents and we go through our lessons learned. We also are ensuring that only approved steps and actions are being performed on this, because we've got those documented in our playbooks.

Let's summarize. We went over the five steps of incident response. We also went over the importance of incident response playbooks. We also discussed the importance of lessons learned.

Let's do some example questions. Question 1: this is a formal document that details the steps necessary to respond to a specific incident. Incident response playbook. Question 2: in this stage of the incident response process, changes that need to be made for future incidents are discussed. Stage 5, our post-incident activity, also called lessons learned. Question 3: in this stage of the incident response process, the source of the incident is removed from impacted systems. Stage 4, eradication and recovery. Finally, Question 4: in this stage of the incident response process, systems are hardened against attacks, we will create policies and procedures, and also key personnel are identified. Stage 1, or preparation.

I hope this lesson was helpful for you, and I'll see you in the next one.