Containment, Eradication and Recovery

Video Transcription
At this point in the incident response lifecycle, we've done our preparation. We have alerting in place. We've been alerted to a problem. We've analyzed the problem and given it a rough impact assessment.
Now let's talk about methods for containing, eradicating and recovering from the problem at hand.
In this video, we'll talk about step one in that process and describe follow-on tactics for achieving this in the cloud.
First and foremost, we want to make sure that the attacker is no longer on the cloud management plane. This is step one, so you're going to take advantage of that master cloud account. We talked about this in the past. Have this master root account for your cloud, and nobody's really using it. It's been tucked away in a safe place. You've been
giving other accounts to different individuals and using the principle of least privilege. But now it's time to break out the big guns because you're under attack and you want to make sure that nobody else is on the management plane. This master account gives you that full visibility, full capabilities to do all sorts of things across the cloud management plane,
and it's very likely you're gonna lock out a lot of other accounts within your organization on the cloud management plane.
But this is an important step to make sure that when you're doing the subsequent methods of containing and eradicating that attacker, they don't still have the keys to then perform additional actions like initiate a massive number of deletes or things like that to punish you or
send a message and try to deter you and distract you and make the situation a whole lot worse.
Once you know that the attacker is no longer on the management plane, there are some tactics that you could start employing. And so let's cover some of these tactics that are particular to working in the cloud. One approach is to rebuild your SDN and cloud assets and restore from backups. So in effect, this is isolating the attacker's foothold on those cloud resources
by creating a completely new network and essentially rebuilding your infrastructure,
very similar to the disaster recovery method in a regional outage. As a note, your new network may have the same vulnerabilities as the old one, so it will only deter the attacker and delay them. But it's not necessarily resolving the core problem.
Other things you'll want to do are isolating the virtual machines, and this is particular to an IaaS model.
You can create extensive firewall rules to minimise the ingress and egress traffic all going into and coming out of that virtual machine. And then this also allows you to keep the virtual machine around as well, for better analysis and understanding. What was the exploit used? How did the attacker do this?
Those third-party intelligence services are valuable here to let you know a bit more about the attacker. Was it just a bot, an automated script or malware kind of spreading itself?
Or was it potentially some sort of more organized and orchestrated attack? Could this have just been some initial probing and testing of your system with the intention to come back to your system and do something much more malicious? The cloud provider themselves may take actions at your expense, so keep in mind that
tenant isolation is a top priority of the cloud provider.
And if the attack on your resources is creating problems for other tenants, like starving them of resource pools, the provider may contain things on your behalf.
This is why communication both ways between the cloud provider and the customer is important early on in the attack.
And let's take a little quiz on some of the things we learned in this section. In an IaaS environment, how can you quickly quarantine a server?
A. Create a snapshot of the disk.
B. Log onto the server and log out other user sessions.
C. Change the SDN firewall rules to restrict ingress and egress to the investigator's station only.
D. Pause the server to retain volatile memory.
Only one of these answers is correct. It's kind of a judgment call. It's kind of a tricky question, but something you can do quickly to retain it is answer C, creating those firewall rules and just minimising and just isolating that virtual machine. The other options described are all valid actions to take when responding to an attack.
However, C is the best way to go about quarantining the server.
This video was focused on taking action to contain, eradicate and recover your system. It was really just an overview, and there are going to be a lot of specific methods and techniques you're going to use. It's going to depend on the cloud provider; it's going to depend on the model, IaaS, PaaS or SaaS, that you're using. But
important and global considerations were taken into account. So
first and foremost, clearing that management plane doesn't matter which model you're in. That's step number one. And then we went over the containment, eradication and recovery methods that the CSA talks about and the CCSK exam is going to be focused on.
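As an added example (not part of the course video), here is a small Python model of answer C: a quarantine ruleset that restricts a VM's ingress and egress to the investigator's station, plus a check that a ruleset really does only that. The Rule class, the function names and the 203.0.113.10 investigator address are constructed for illustration and are not tied to any particular cloud provider's API.

```python
# Added example, not from the course: model IaaS firewall (security group) rules
# and check that a VM is quarantined to the investigator's station only.
from dataclasses import dataclass
from typing import List, Optional
import ipaddress


@dataclass(frozen=True)
class Rule:
    direction: str        # "ingress" or "egress"
    cidr: str             # remote CIDR the rule allows traffic to/from
    port: Optional[int]   # None means all ports


def quarantine_rules(investigator_cidr: str, port: int = 22) -> List[Rule]:
    """Build the replacement ruleset: inbound on one port from, and all
    outbound to, the investigator's station and nothing else (assumed policy)."""
    net = ipaddress.ip_network(investigator_cidr, strict=False)
    if net.num_addresses != 1:
        # Assumed policy: the investigator station is a single host, not a range.
        raise ValueError("investigator_cidr must identify a single host")
    return [Rule("ingress", str(net), port), Rule("egress", str(net), None)]


def is_quarantined(rules: List[Rule], investigator_cidr: str) -> bool:
    """Return True only if every allow rule points at the investigator network
    (or a subnet of it) and the investigator can still reach the VM inbound."""
    allowed = ipaddress.ip_network(investigator_cidr, strict=False)
    has_ingress = False
    for r in rules:
        remote = ipaddress.ip_network(r.cidr, strict=False)
        # A different IP version (e.g. ::/0 next to an IPv4 station) is a hole.
        if remote.version != allowed.version or not remote.subnet_of(allowed):
            return False
        has_ingress = has_ingress or r.direction == "ingress"
    return has_ingress


# Constructed "before" ruleset for a typical internet-facing VM.
BEFORE = [
    Rule("ingress", "0.0.0.0/0", 443),
    Rule("ingress", "10.0.0.0/8", 22),
    Rule("egress", "0.0.0.0/0", None),
]
INVESTIGATOR = "203.0.113.10/32"   # constructed documentation-range address

if __name__ == "__main__":
    print("before:", is_quarantined(BEFORE, INVESTIGATOR))                          # False
    print("after: ", is_quarantined(quarantine_rules(INVESTIGATOR), INVESTIGATOR))  # True
```

The check deliberately fails on an empty ruleset or on one with no ingress rule, since a VM nobody can reach is not "quarantined for analysis" in the sense the quiz intends.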