Incident Containment

00:00

Hello. My name is David,

00:03

and welcome to you managing. And it

00:06

a genuine quarantine and isolation. Um,

00:12

pretty broad topic. In actuality, Step three in our overall incident response process covered here under containment eradication, recovery. There's a lot that comes into this step. Ah, lot that actually expands past,

00:29

uh, my expertise to be blown.

00:32

I'm an incident response engineer. I'm a digital forensic analyst. I'm a malware analyst, is what? But I don't do much Will be recover. I don't do much with backups. However, I do know that they are extremely important if you're going to try to recover from the cyber attack.

00:52

Um,

00:53

just about any kind of cyber attack grill. So it's not something that we can't overlook in its every spot the process, because you do need to be able to speak someone knowledgeably to um is important. And the incident response process to pursue this,

01:08

um, quickly in also methodically, um,

01:14

the containment is vitally important in containing the attacker to keep damage to a minimum. Think of a ship that has been struck with a torpedo. They seal off the compartments inside that ship to ensure that it stays. What if they failed to do that

01:34

the ship will sink faster,

01:37

then if they do not seal those compartments off. Technically, you're doing the same thing in the incident response process you're seeking to seal off. Those areas have breached to keep the attacker from getting even further into the network and stealing even more data war

01:53

doing the more damage. If the incident isn't contained and allowed his allowed just tea, too

02:01

room freely, it will overwhelm everyone. I'm not sure how good of a job that I've done telling you chaos, sleep deprivation and the worry that comes in the middle of a large instant response effort.

02:17

But if the containment isn't coming into play early on in the process,

02:23

then people are going to get overwhelmed because it's just gonna keep going. It's so needs to be very methodical in order. Better to get the attacker out of the network and also to ensure that your data is spot protected. Because these Attackers are tricky brats.

02:44

They will hide in that

02:46

and will not reveal their presence, and you do not want to allow containment slip. I too far without making some efforts to contain the problem is essential here to have your decision or making policies, and

03:05

were that I'm looking for here,

03:07

authority in place. A lot of companies fail here because you have asked these questions. Who has the authority to shut certain systems down? If I'm a Web based,

03:22

UM, where merchandise sellers a Amazon

03:27

just as an example, and I need to shut down my Web servers because of a DOS attack?

03:38

Um, certainly not. It is a responsible certainly not a systematic. It's gonna happen. Be somebody at management or higher low to give that. For now.

03:47

Caviar here.

03:50

Many incident response plans

03:53

our ring

03:57

delegating that authority from that higher level to lower level, at least on a temporary basis. So, for example, I have set a couple times. Most incidents start Friday afternoon through your car.

04:11

Where are most of your executives? Friday afternoon, It three or four o'clock?

04:18

Someone's a golf course.

04:20

Good possibility. Any other ideas?

04:25

Fishing boat? Yeah, it's not impossible. Stuck in traffic, trying to get home. That's a real possibility. Not that they don't work. I'm not saying that, however,

04:36

common sense and experience teaches that on Friday afternoon those people are either leaving early or trying to be really

04:45

on, they may be on a veil. What if the person that's in charge of that Web server that is currently being active Mountain where is on vacation with his family in the woods in the Rocky Mountains? Those cell phone service? No email, no anything

05:03

that there's been a revision or a Serie It to step in and authorize that system will be shut down and taking off.

05:14

You've got a problem. So these air, just a couple of examples here, owns on slide, shoving something down, disconnecting the system from the network. What if it's a client database that is necessary for the company to continue to cross his financial transactions?

05:29

And it's that that ransom well, and you need to disconnect the system from the Network for the spread.

05:35

Yeah, you're gonna cost your company a lot of money. Um, you need to have somebody with the authority to say Guess shut it down and connect it. Turn imports off whatever eyes necessary to do so when it comes to that, that portion of containment make sure that's included in your incident response.

05:55

Now these do very strategies do very. Based on the type of incident you're phishing. Email containment is gonna be radically different than a de dos attack contained across this. So one of the stages here is harkening back

06:13

again shooting preparation stage

06:15

where you need you have

06:17

somebody identify the major incident types that your company could very well face and then craft containment strategies for there's different threat batters and make sure that they are entirely crafted from beginning to end

06:35

so that you have the right authorities in place to offer shut down or restriction of access.

06:43

You have the ability to do a friend's image of it. You have the ability to restore our backup yet necessary, and you have a testing procedure of place to make sure that you can. He recover from backup.

07:00

Why you contain well has sentenced potential damage without resources is here.

07:06

If an attacker has been spotted and identified in your environment, and of course, you do want to contain that Attackers stop the bleeding, so to speak. Adam. It's preservation. Ransomware in particular will come through and basically wiped out all of your evidence

07:26

I've done several forensic cases were ransomware systems. We got systems. Later,

07:31

forensic analysis of it. And the ransomware changed all the date time stamps on all the files on that system so that we couldn't even identify when

07:42

those files would have been accessed the last time. So we were unable to determine whether an actor possibly had been in there before. The ransomware came in and changed all the day time stamps. Now there are some other methods that you can use truck do that. But

07:58

just one example.

08:01

It's a de dos, a distributed denial of service that you're losing your network on it. Have any customers, can't access you page where your internal Web pages and service is, then you need to be able to contain tiu that service back up right.

08:18

You need thio, evaluate what time and resources are needed.

08:22

Get your containment strategy in place that goes to table tops and exercises and testy to find out just how effective is your strategy? Yeah, contestant Or you don't know T to be blunt on Finally, there are temporary solutions that can be put in place out of containment.

08:41

How long do they last?

08:45

Uh, could they be considered permanent, or are they just short term to allow were the incident response process to continue to flow in function. So here's a little scenario for you to work through on your own. I want you to do is develop, document and identify some containment strategies for this following scenario

09:05

on Monday morning in the user, reports of a system is running slow.

09:09

He is the clicker phishing e mail that came in by afternoon and

09:15

you thought containment hand and complete. He isn't database Simon with access to a live variety of sugar drives. What are your next steps?

09:24

I want you to walk through the process on identify how you would actually go about campaigning. Something like that. Quarantining a system or a network is a possible form of containment. McAfee upl has a great resource where you can just isolate that system off the network and

09:45

restrict all networking and communications until you can either forensically examine it or

09:50

remediated threat on. And finally, any time you do any kind of step here, you need document it. Remember, I talked about the long book in the incident response process that would go into the long book on Daytime Person a sign, and when it was finished,

10:07

on. It was a temporary solution

10:11

when that temporary solution was removed and replaced with a purpose.