Incident Response

Video Activity

Time
12 hours 57 minutes
Difficulty
Intermediate
CEU/CPE
13
Video Transcription
00:00
>> We've talked about security operations monitoring in Cloud environments, but now we're going to discuss incident response. In this lesson, we want to talk about the goals of the incident response process, what the incident response process entails, and the typical steps of an incident response process.

In general, we want to first define an incident. An incident basically is the investigation of any suspicious or unusual behavior detected within your Cloud environment. It may develop into you discovering that a malicious actor actually has gained access to your system and looked at your data. That is when an incident becomes a full-fledged breach.

The overall goal of the incident response process is to minimize the loss of value or assets, whether that's data, whether that's availability of your system, or damage to your business operations. Then ultimately, the goal of the process is to restore or maintain availability and prevent any further damage.

Now let's go into the particulars of the incident response process. First, before an incident even really happens, is the preparation step. We've talked a lot about ensuring that there are proper logging and monitoring configurations on all your systems, and hypervisors, and applications out there. Well, without that visibility, it's going to be very hard to detect an incident.

That takes us to our second step, the identification of unusual behavior, whether it's processes, utilization of CPU, or a high volume of traffic. There can be many different indicators that might lead to an incident being declared.

Now, the declaration of an incident: this is an important step because within your organization, you really have to define what the criteria are for declaring an incident. Who has the responsibility and authority to declare an incident, to begin the incident response process? This should be done fairly loosely so that people within security or business units can initiate the incident response process and get things going.

First and foremost, the first step is just containment. Containing something within the Cloud environment is a little easier because you have greater granularity in spinning up, and breaking down, and isolating particular services or servers out there. However, at first, you want to contain the malicious activity or unusual activity until you can begin investigating.

Second, you want to begin eradicating any malware or illicit services that are running on the affected machine. Then ultimately, you want to begin recovering, building that machine back up. Now, depending on how the compromise has occurred, you may have to do a lot more in terms of remediation to ensure that whatever malicious software was installed has actually been removed or remediated, and that's why there could be this feedback loop back to the containment step.

Then another very important thing, also between this eradication and recovery, is that there really should be some care taken to preserve any important evidence. Because if someone has actually penetrated your Cloud environment and is manipulating data or installed malware, a crime has taken place. It's very important to preserve what they call the chain of custody, the evidence that will be used to prosecute that crime, and ensure there's non-repudiation with regards to how that evidence has been shifted or changed.

I think some organizations are getting in trouble thinking that their typical security teams have the expertise to do proper evidence protection and preservation. However, I really think this is an area where you should utilize a third party that specializes in digital forensics for evidence preservation and incident response in the wake of an incident.

Continuing with the incident itself, ultimately, at the end of the incident, when operations return to normal, when whatever compromise occurred has been remediated, you want to use the lessons learned from the experience to improve both your defenses and the incident response process itself. How quickly was your team able to go through the process from identifying suspicious behavior to declaring an incident, to containment, eradication, recovery, and so on? Utilizing these lessons will help the organization improve in the future and minimize the impact of an incident on the business.

Let's reflect for a moment. Have you read your incident response process? You know, in many ways, incident response security training often focuses on how people should not be phished. Yet if you're really getting involved in information security in the Cloud, you should really have a decent knowledge of what your organization's incident response process is, how it's declared. Because this really is one of your last lines of defense. Your defenses that we've talked about have potentially failed in some way, and you now need to respond, and knowing the incident response process will be crucial to doing so quickly and effectively.

Let's go to the second question. Who is responsible for declaring an incident? This is important because incident response does require a mobilization of resources, and it's important to understand who can declare it, and to empower individuals who have that capability to do so should they suspect anything, to prevent the damage from an incident or a potential breach from escalating.

In summary, we talked about the goals of incident response. We talked about the incident response process, the individual steps, and many other considerations for implementing incident response. I'll see you in the next lesson.