Domain 9 Knowledge Recap

Time
9 hours 59 minutes
Difficulty
Intermediate
CEU/CPE
10
Video Transcription
00:01
>> Domain 9 was all about incident response. It's a discipline of its own. Each organization is going to vary a little bit. The particular tactics that you're going to use are going to be different based on the applications, the Cloud provider you're using and so forth. But we did talk about a grander framework and that's how we examine this. If this is an area that you're actually working in, I highly recommend the NIST-861 Rev. 2 specification. This is what we followed in our structure. It's also what the CSA follows in its structure. You don't have to read it for the CCSK exam itself, but it really does provide a thorough perspective on incident management.

As we looked at the incident response life cycle, we started out looking at the preparation phase. This was establishing the SLAs, defining roles and responsibilities. Importantly, creating and testing a communication plan. To highlight key points in the detection and analysis phase: setting up alerting and automated responses wherever possible, and knowing how to access and interpret the data logs that we were going to be dealing with. Containment, eradication and recovery. Big point: clearing the management plane before thwarting the attacker. Then isolating and rebuilding applistructure being something we can take advantage of in the Cloud world. Finally, the post-incident activity. This is where we're focused on evaluating what we did to respond to the incident, how things went, and are there areas for future improvement that we could put in place?

Let's go through some end-of-module questions here before wrapping everything up. How often should you drill your incident response plans: every day, once a month, once a year, whenever significant changes are made, only after you first create them? There's more than one correct answer to this. Think about it, we'll walk through it. According to CSA guidance, you want to drill your incident response plans once a year and whenever significant changes are made; that would be C and D. You can do it more frequently, but you may be spending cycles and effort that you don't need to. Certainly only doing it after you first create an incident response plan is going to be very inadequate.

In which phase of the incident response life cycle do you do the following: set up proactive scanning, perform vulnerability assessments and conduct risk assessments? Preparation phase, detection, containment, eradication and recovery, or post-incident phase. Only one answer on this and it is A, preparation. This is when you're putting everything together and getting ready. Detection is when you're receiving the alerts and analyzing the situation and starting to respond.

In which service model will you most rely on logging instrumented in your application, also referred to as observability: SaaS, PaaS, IaaS, infostructure, applistructure, metastructure, or infrastructure? The correct answer would be B. With the SaaS model, you're not making the application really and you don't have control over this logging capability. With the PaaS model, a lot of the nuances of the underlying virtual infrastructure are actually abstracted from you and your ability to obtain logs, say virtual machine logs, isn't going to be there. In the IaaS model, you can still have access to the machine log and often employ the tools that you've used traditionally when handling incident response situations. Infostructure, applistructure, metastructure and infrastructure are part of the logical stack. These are not part of the different service models.

That wraps it up for this module on Domain 9 incident response. Thank you and look forward to proceeding under the next domain.