Time: 58 minutes
Difficulty: Intermediate
CEU/CPE: 1

Video Transcription

00:00
Hello. My name is David. Welcome to Incident Handling.
00:06
For too long,
00:13
cybersecurity has sort of been the forgotten child in a relationship,
00:17
and your sysadmins, network admins, Exchange admins, they think they know what they're doing when it comes to cybersecurity. But they're the dog in the picture. They have no idea.
00:28
They never received any real in-depth training or anything of that nature.
00:33
It's so sad to say,
00:35
you are gonna have to fight multiple battles, and I'm just kind of prepping you here. Even coming into a company that has an established security program, you're still going to run into this kind of thing. The bad part is if they think that you're there to steal their job,
00:53
and we're not. You know, I've got first aid training, but that doesn't make me a doctor or a brain surgeon.
01:00
I'm not a sysadmin. I'm not an Exchange admin. I recognize that; I don't want the job. I'm here to do cybersecurity. I'm here to help them, and they're there to help me. It's a mutually giving relationship, and that's what you need to keep in mind and bring to the table
01:17
when you come into the organization so that you could actually help
01:21
handle these kinds of incidents when they come in. So let's look at it. It's sad to say,
01:26
there's really no common understanding of what a cybersecurity incident is. Now, I know there are a lot of different definitions of incidents out there. NIST has one, um, SANS has one, the FFIEC,
01:41
all of those regulatory bodies, top to bottom, they all have definitions of incidents. However, when you go out into the private field, you're gonna find out these incident definitions vary widely. Now that brings its own problems, because with no agreed-upon definition,
01:59
and all these different companies and organizations adopting different views, which affect their practice, it's difficult to plan
02:08
effectively and also to understand what kind of cybersecurity incident handling capabilities they need.
02:16
That's a weakness. I'm not sure what the solution to that is. There are a lot of people pushing for a standardization, which I would totally agree with and support. But it's not in place yet, so it's difficult now.
02:34
The main difference between different types of cybersecurity incidents seems to lie in the source. So
02:43
you can look at it,
02:46
looking, kind of, at my law enforcement career. We dealt with what we call minor criminals, your one-time criminal, say, a shoplifter at a local convenience store,
02:58
a crime of opportunity.
03:00
Then you had organized crime, and it was their lifestyle. So you actually dealt with them differently, both in court and also even during the arrest procedure and investigation. You can kind of see how that carries over here into cybersecurity.
03:15
You're dealing with a 16-year-old hacker who hacked into the local school system to change his grades. That's different
03:22
than dealing with an advanced persistent threat.
03:24
Hopefully you agree with me
03:27
now.
03:28
You could look at it from source, which would be what we just talked about, or you could look at it from the type of attack.
03:37
Was it malware that came in via phishing? Was it somebody who got socially engineered and allowed a connection to their corporate laptop, and thus data was stolen? So you can see where differences will arise,
03:53
both in definition and application of the definition to the cybersecurity process.
03:59
So it ranges across a wide spectrum, from the basic all the way up to your advanced persistent threat, which doesn't have to be a nation state. It could be a criminal gang, a cyber gang, and even hacktivists, all in the same room. So
04:17
it's tricky.
04:20
Uh, and of course,
04:23
depending upon the vertical,
04:25
the business vertical that you're working in, they're gonna deal with these types of threats differently, too.
04:30
So, with incident handling, um,
04:33
I'm not gonna give you a definition here of what an incident is, because it's going to depend upon who you're working for. But what we want to do is look at this overall process and how we can apply some of these big, broad ideas to whatever definition it is that your company and your organization has decided
04:51
to implement, and then create a fast, effective and comprehensive
04:56
incident handling process.
04:59
Now, looking at incident handling, there are a lot of layers in play here. It's this big machine, and you are a cog in the machine. Don't take that personally or take it as belittling. We're all cogs in a variety of different situations, whether we like it or not.
05:18
There are the people: huge numbers of people are off in cybersecurity, also IT, and then you have your nontechnical people who are interacting with these systems on a daily basis. You have processes and procedures in place
05:34
that range from cybersecurity all the way up to human resources, legal, too,
05:41
internal and external documents, and dealing with customers and internal employees. The technology that's involved is pretty vast. And of course, you've got the information and data that is flowing through the network that you're seeking to protect.
05:57
Now, a typical attack
05:59
runs sort of like this. They carry out reconnaissance. And believe me, this is a shortened version.
06:04
Ken Underhill has some great classes on ethical hacking. There are other courses on penetration testing that give a more in-depth look into this from Cybrary. I highly recommend you check those out. But if you think about the process of an attack, you can kind of see
06:18
where incident handling is going to come into play, and we'll apply this as we put the episodes together. So they carry out reconnaissance.
06:26
They determine what targets they want to attack, look for vulnerabilities, and then the attacker exploits those and hopefully achieves their objective. So as you can see there on screen, you identify your target and the vulnerabilities that you're gonna attack; it's all part of your reconnaissance phase. Then you attack and exploit those vulnerabilities.
06:46
You look for security controls that have been put in place, and then you seek ways to defeat them. And that's all part of it.
06:51
All through here are places that incident handling could come into play, depending upon
06:58
the depth and the strength of your security.
07:00
Finally, when they achieve their objective: disrupt, we're seeing more and more of that, it's just a disruption attack or destruction of data. They could extract data and steal it, or manipulate the data in order to do some other kind of nefarious action.
07:17
So knowing how an attacker's gonna come at you helps you develop countermeasures, which is all part of incident handling.
07:24
You wanna look at monitoring and logging, you want to look at situational awareness, um,
07:30
for users, for the management, the security team, for the staff.
07:33
You want secure architecture and system design. That should be built in. Sadly, it's not. Those networks were built long before security, and even now that security has become more of an issue, when they're upgraded, security is sort of an afterthought.
07:47
Standard controls, penetration testing, an incident process, business continuity, disaster recovery plans play into this heavily. And of course, there's now cyber insurance out there
08:01
that will have a role, because your insurance companies are putting demands in policies that go toward incident handling. So you need to be aware of that. So what are the top ten challenges in incident handling? One is, as we said, identifying a suspected cyber incident.
08:18
Then you need to establish the objectives of an investigation and cleanup.
08:24
You need to analyze what information you've got pertaining to the incident. That's tricky enough in itself. We'll talk a little bit about that in another episode. Determine what actually happened, root cause analysis. Identify what was compromised,
08:35
what information was possibly disclosed. Perform attribution, if necessary; not always possible. How did it happen? What impact on the business did it have? And then, are you conducting sufficient investigations? All important challenges that have to be met in incident handling.
08:56
If you have any questions, I'm on Cybrary. Everybody's happy to talk to you.

Incident Handling Fundamentals

In this course, we will cover the fundamentals of incident handling, specifically how to identify security incidents and the common standards and practices for handling those incidents. This includes discussing various forensic tools, SOAR, and analysis tools and resources.

Instructed By

David Biser
Incident Response Engineer at Iron Mountain
Instructor