Incident Documentation

00:00

Hello. My name is David Visor and welcome to post Incident Response. Welcome back. Incident handling. It's in that handlers, everyone guards out, kind of like being a dog in front on and in some ways, that's what it is. But dealing with people and with

00:18

data and your equipment is we are going to be talking about documentation.

00:25

Ah, not a popular topic. Nobody likes paperwork on the same way, but

00:31

we live in a world where you can't escape. Um, I grew up in a world with a lot of paper pre digital age, a CZ you remember me mentioning earlier. I am going on. No, guys, I hear, um,

00:46

but documentation, whether it's not digitally, whether it's done on paper in a notebook ir a ver informed whenever is extremely important to the incident handling process, I am one of

01:00

the biggest ones is your plan your response plan. But there are tons of other plans out there

01:08

other ways to document things that were going on. You have a distant response. Forensic report. You could have a mountain where, uh, analysis report. You can have reports

01:19

from system admin is exchange and men's. You could have service now tickets and included as part of your report that you could see your building your documentation on coming out of law enforcement.

01:33

One of the big things that we learned was document document document. If it's not written down somewhere, then it technically did not happen.

01:41

Ah, and auditors are big on that, too. So I don't think that's just some stupid lone horse. That thing for an auditor of other times, if they can't see it on a piece of paper in front of them on the screen in front of them than to them, it was a non issue. It never happened. So when it comes to visit me as a witness, that response

02:00

documentation is extremely important. When it comes to an incident, a breach, it's extremely important to follow your documentation. It's not time to go the way of a while. Last in just start shooting. In all their actions,

02:17

it's time to follow the

02:22

when the auditors will ask about that, inspectors will ask about that. They may very well sit down and look at your incident response documentation,

02:34

something that happened like during the incident. Let's say

02:38

then they're going to look back at your response plan and see if you actually follow it. If you didn't, you could very well contained by them because you failed, not aspect, not be on it. I have seen that happen in the real world. Some auditors

02:53

having particular about those kinds of things. So what we need to do is focus on documentation for a few minutes. Here together,

03:01

you have reports, processes, procedures. You have e mails

03:07

again. Not only new auditors check these things out, but civil liability could come into play as well. Um,

03:19

I've used examples from court testimony and things like that in some prior episode side of really one of 42 years of this kind of things. But I do need to stress it with you that this is important to remember.

03:32

E mails can be vital. Uh, one email sent from an incident response analyst to a system admin providing them of indicators compromised. To add to, say, an I. D. S or nine P s. And then during the follow up period, the after action

03:51

it's order that there's indicators compromise work at it.

03:54

Two

03:55

the i. D. S. R I. P s. Well, then it becomes a, uh, battle of words system admin saying on that email the incident response analyst saying, I know I sent it to you. But the response analysts deleted, it has a record of it,

04:13

and things get uncomfortable very quickly.

04:15

Sue, if you're in the middle of an instant document document talking way, talk about the incident response plan on There are,

04:26

I want to say, hundreds, but it's probably not hundreds, but there's at these dozens of templates out there on the Internet that you could do searches for on, download on and utilize to draft your own. That they all want to warn you about here is that don't be that person.

04:45

The download's a template.

04:46

So after a company logo on and says, This is our incident response plan that you throw in the folder a binder. It was in your desk. And when the n. C. U A. Auditors come in and their asking clearances response plan, that's what you get up. It's ridiculous on its foolish,

05:02

but that's what I see many, many times out in the real world. That's how

05:09

nontechnical people address this issue

05:12

you as the expert, the subject matter expert. Did she harass sitting? I can't afford to allow that kind of thing happen. So why wants to do in this episode is actually take a look at the computer security and responsible. Now, this is just one template.

05:29

I'm actually gonna let this onto our

05:31

course so that if he wanted you came down with it, he can adapt it and take it and use it again. I'm gonna warn you here. Don't just slap your logo on it and say this is it personalized and build it the right way.

05:49

These could be a CZ complex or as non compliant. Did you want to make them?

05:55

I find that they need to be fairly detailed in order to

06:00

actually be adequate and useful in the real World Document history section. Basically thes things. Thes reports. These plans should be updated in multiple ways after every incident, but they should be reviewed and updated,

06:15

Uh, at least annually. If there's no incident in the year, then you should be reviewed and updated because guess what? The cyberworld is always changed.

06:27

New attacks, new protected measures. Um,

06:32

new person now being assigned to your team are hired by the company come into play, so at least annually on it definitely should be done after each incident. It should be reviewed. And then you document there's refusing updates underneath the document History section right here.

06:48

That way you have a record of when you document it and hate it.

06:54

Then you need some signatures because this is basically you're irritated. Clean. This is the decree from the King that is giving the lower beings in the field

07:06

the authority to do certain things. If you remember back a few episodes we talked about who has the authorities on blood system to shut down a lead to

07:15

restore database. This is where that comes from. Eso you have some signatures here and depending upon how they're titled in your company Corsi and managers or whoever made Britain, then the really important ones Would that be in your director level?

07:33

Your VP level

07:36

remount the lineup right? Or you're CIS set should sign off on this. These approval signatures are important. In order to grant the proper authority and power to your incident responders who are going to be asking for things like shut down the X Games over.

07:56

Shut down that database, turn off all access to it.

08:00

It could cost your business money. It could cause business continuity churches. And if the authority isn't provided in a written format, then people are gonna be saying, Whoa, you don't have the authority to tell me to do that. I'm not. Do that. Remember our last episode? I said the incident manager was a playground monitor.

08:18

That's where that comes into play.

08:20

So you can write this up in a number of different ways. Is always an introduction, sort of setting the stage, providing the objectives of the plans that everybody that reads it knows what is going to be covered in the plan You definitely need to do. And it's that roles and responsibilities and identify who is the c cert

08:48

mister we needed. Whether it's this is so our vice president or director, the incident manage one of the most important roles during an incident needs to be identified here so that whoever is gonna put people in that position, those they have before you, of course, the document, our management team

09:07

and then the proceed response procedure, which should be followed on these can be taken and updated every once you have got deeper and there's a Mrs Brad old. But, hey, some companies do you still use beepers

09:22

identifying all the different steps that need to be followed to again? Take this adapted to your use, um,

09:30

and whatever way and method that you need and whatever index is you need. So we have some passed within the incident response life cycle which has been identified. We've seen these before preparation, detection, analysis, containment,

09:45

eradication and recovery. And then finally, lessons learned on DDE

09:50

so you can adapt these however you want

09:52

regards. Analysis is important when it comes to an incident.

09:56

And then you have rolls again laid out What responsible work

10:01

Don't

10:01

again. This is gonna be up on the course website so that you can download this you it actually will and pleasure andan adapted to the use that you find necessary. Port