First Steps in Incident Response

00:00

Hello, My name is David

00:03

and welcome to you Managing and it

00:06

Welcome back incident response. We are talking about incidents identifying incidents, managing incidents, since it's such an intensive and possibly intrusive

00:20

event that has occurred. If you have an incident declared, it helps to have good methodology in place. I'll have tools ready to go, and it helps having excellent team with your own, which we come

00:33

in some of our lodges. In this episode, we want to take a book on the first steps. An incident response. Now am on an episode one a model where we talked about

00:47

how you can identify it is we looked at Sims and talk about in point actually responsible, not anti virus.

00:55

We talked about their party calls, mentioned Brian Crabs in his great work, done a lot of good things, but you could get a notification of an incident from a lot of different sources. Now,

01:07

as we move here into the first steps of incident response when this happens, I can describe it to you as it is. Chaos. Um,

01:22

let's spend back and kind here briefly and think about carving incident target breach that occurred several years ago. A lot of information has come out about it. I'm just speaking in generalities here. I don't have anything in front of me to clue the word. Tatum Lee. I have heard several speakers that were

01:40

involved internally during the breach,

01:42

and they described it exactly as that chaos. Sadly, um, they failed in incident identification? Well, we just talked about in our last episode. And once they got the notification from the three letter, the agency that they had been breached panic ins

02:04

on many, many, many, many, many of all hours were spent any office investigating the breach, like identified scope of the breach and then dealing with the legal ramifications. So as we move into the first steps of the incident response process,

02:23

we need to keep in mind

02:25

that we do you need to follow methodology or we may very well get lost in chaos. And I laid out some steps here. Of course, we talked about preparation first time, so don't get tired of hearing about that. That's one of my sticky wickets that I go back to again and again and again because

02:45

if you haven't prepared

02:47

your first steps in incident response are going to put you way, way behind the curve, even when it comes to identification in scoping the incident. But you're really you're too first steps. Once you spotted in alert,

03:06

you've done your initial triage of that alert. Say you're investigating an event in here a r.

03:12

How you began to uncover evidence is that on actual breach did occur and you push the little red button that sparks off the incident response process. That is when scoping is going to start coming into play. We're going to have to identify

03:30

the who don't want to win the wear. And now the who off the Times isn't considered too important until maybe as an afterthought, however, you will have those in higher levels management who are going to push for the new.

03:50

They want to know who reached him.

03:52

Uh, I guess it's bleed over from Hollywood.

03:57

They're thinking, you know, nation state actors wasn't, uh this'll. This hacking route that reached us was at one of those for these first steps of the response process are important.

04:13

If you have an idea, I can give you some good indicators compromised by can also lead you down a rabbit trail

04:19

that you can't recover from. So you need to get to know what? Because you need to find out what was breached was an email. Was it databases? Customer information was P I ay with Pippa because all of those things are gonna help you scoop

04:38

the next steps which will flow into the containment and intelligence Gallatin down around that circle as you move in the I r. Process.

04:47

If you fail to score properly, could, uh ender, you're both your recovery and you re mediation the right inching process steps because the attacker eyes going to try to set up a resistance within your network so that it can come back in later, especially if they know

05:06

come upon them and uncovered the trail.

05:10

They want me back it. So

05:13

think clearly they methodically I know that's gonna be difficult to do in the midst of an instant, because just give you a little case. Study on incident occurs typically, and my experience that three or four o'clock on a Friday afternoon,

05:30

uh, and what is everyone's mind set and three or four cars on Friday afternoon,

05:35

Right, the weekend everybody's gonna go home? Uh, nobody wants to stay. Nobody's really thinking about working Saturday and Sunday and Monday. Do they all go through? But if an incident does occur, it's spotted no matter what time. That's when the clock starts ticking

05:53

and he prepared the works and very, very long hours,

05:57

the other the identification, scoping the containment down into the remediation before things will actually truly begin to slow down.

06:08

Now, as we're

06:10

identifying an incident and scoping it out is where our forensics and evidence collection procedures are going to start coming into play because you're gonna need your memory. FORENSICS Timeline Analysis, file System analysis Your data recovery projects already toe so quickly

06:30

when an incident is declared

06:31

because it's time, very time sensitive on attacker is either in your network, whereas patter network and we need to know what they're not. You know, hopefully meeting went on and then we need to be working with also law enforcement legal in order to ensure that we're not, um,

06:53

knocking out

06:54

the process for them. I use an example and one of my other courses.

06:59

When I was working as a criminal investigator, uh, local about identity was breached. They lost their non payroll amounting to several hundreds of thousands of dollars. Island got involved several days after that. I was able to uncover him.

07:15

Pieces of the mount. Where On this system key logger that was installed by the attack,

07:20

Uh, and

07:21

reached out to an FBI contact that I knew who forward and the indicators compromise that I had about on a J and found out that it was actually an ongoing federal investigation on my case was world into that. Now I would have messed up Jane custody or having a gathering or

07:42

anything like that and would not have fallen over.

07:45

So in these first steps again, slow down a time, remember, don't hit the panic button because he had a panic button.

07:54

You're gonna make mistakes and you don't want to make mistakes when it comes to things. Response first down for real.

08:01

Start a long book, start recording and documenting all the steps that were taken, who's taking them on the date and time that they were taken, and maybe even the location that necessary there. Akane of four match for long books out there, but you need to keep that current throughout the course of the incident. Uh,

08:20

some people like those signing incident handler which I totally agree with. You need to have somebody that's a two helms of a speak. But you also need an incident recorder. Somebody who's going to keep that long, but current and up to date and be a note taker.

08:37

Um, very meetings, because that will be a lot of use now, once your handler and

08:43

your record keeper had been appointed, then coordinate with the incident response team and determined next steps

08:48

asking a simple exploratory questions like eyes, the incident ongoing is active. It's time. Or is it an older incident that we are just now uncovering, which can definitely change the speed in the M back on. And then, of course, you want to ask that impact Is this

09:07

GPR violation? It could result in millions of dollars in fines. Is it a p I?

09:15

Is it possibly gonna hurt us in the eyes of the public as a company?

09:20

Um, all those things were going to be included in the first steps of in its scent response process. When one actually truly occurs Next, you want to identify the threat you're facing.

09:33

If it is email or wherever, so that you can begin to isolate the affected systems and networks segments and might be included in that threat. Then notify the appropriate people and teams, whether internal war external, keep that in mind as well.

09:52

Classify what you're gonna need for analysis and then make sure that you get that gathered and

09:58

preserved. Began to get evidence gathering procedures Clarify the extended capabilities of the threat that you're facing so that you can continue to scope. And I quit the remediating little graph for you basically just breaking down

10:13

different steps and stages a positive review that if you like, you have any questions. Reach out to me. I'm a baby Uh, 135 on cyber

10:24

before Dr G