Incident Handling Fundamentals

00:00

Hello. My name is David. Welcome to handling incidence. We're gonna be talking about incident handling, handling incidents because we don't want you to be like the dog picture and have no idea what you're doing. And you'll see as I tell you a couple stories through

00:17

these episodes of why I use that as my

00:21

intro picture. You'll get to see it again. Actually, this is me, Advisor. I mean, it's a response engineer with private company. Before the end of my prior life, I was a police officer.

00:35

Please don't hold that against me. I didn't obey the law myself. 10 years. A criminal investigator with a large focus on

00:45

child ***. Network intrusions, Cybercrime. Um, I also has been a slight team for patrol. Got to do a lot of things in my career. I retired despite my appearance there on, then was hired as a

01:03

a member of a name SSP team for two years. And now I've been two years in a private industry working incident response. I've done penetration testing.

01:14

I'm also malware analyst. I like to be outside as much as possible and I love doing base, which is why we're all here together, right? Can't we all say that we all love to do that?

01:25

Which is why you're here and why we're talking about handling incidents.

01:30

There are a lot of studies out there that we could refer Thio, one that I refer to. A lot I need now is 2019 but

01:41

it's a bit of a shock path. It's 2017. That's only two years ago

01:47

than an average of 206 days or

01:52

incident handlers, cyber security professionals and professionals to detective reach 206 days.

02:00

That's a long time. And just the year before that, in 2016 the average was 201 days to detective Reach.

02:10

Something's missing,

02:12

and what is missing in

02:15

this factor is incident Hammer on a holistic approach to sew in the following Next, several miles on episodes together will be talking about this, that handling it, building from the ground up service speak.

02:30

Unfortunately, we will be going highly technical, but these ideas are things you need to hold off.

02:36

You want to see these 200 some odd days, detective breach. Get down. To me, that's just absolutely astounding. Frightening

02:46

and almost depressing

02:50

inside with me. Every time one of these reports come out, I do that.

02:53

We want to set ground level. You're

02:57

and look at some of the best practices for creating a Caesar. And these teams were called. All kinds of things are called Serves Critical Incident Response Team. They're called Cyber Security Incident Response Team's Call it what you will make it something that's catchy and sticky.

03:14

I kind of like they're in gum on the wall. You wanted Thio stick because that's step number one is your most important step.

03:21

Getting management's important by an advantage that doesn't care. Then you're not gonna be able to get the tools you need training any people. You need to cut these 200 some odd days down

03:32

to a manageable level. Ah, and yes, I am kind of

03:37

preaching here because I'm frankly passion about this topic. And everybody here at Psy Berry is passionate about this topic and we want to share that passion

03:46

because this is vitally important that some think about it. I would have your data is out there.

03:53

If you're like me, everything is out there.

03:57

Uh, any good

04:00

Packer attacker could basically put my life back together from the information that could be clean from one of these attacks.

04:09

Now, as we began, I also want you to know that there are kind of different resource is out there that you could draw on standards, so to speak. And you, as a professional, have to help your executive management help team leaders. If you're not a team Lee lovely one day you will aspire to be that

04:29

to paint the right stand

04:30

for your company or your business. Now we're gonna hit a lot of standards, lock protocols,

04:35

a lot of regulatory bodies, and they all seek to address cyber security and incident response slash incident him.

04:45

Some of the biggies are there on the screen for you. There's n'est sans is a fantastic company for in depth training, but also were governance because a lot of what they put out can be taken and applied. Cramped.

05:00

Yes, if I see if your financial institution they have some documents and some guidance when it comes incident. Hanlin hip also know their hip, and if if I see or more regulatory bodies, but they address the top, so

05:16

if you work in a hospital or a doctor's office. Then you want to read the HIPPA regulations that cover him.

05:24

You work in a bank or credit union or credit company of some sort. If I see is where you go now, there are more.

05:30

Um, don't make any mistake about that. Their arm or so If I were you, I would start with mist in Sands because they give you the gears and the tools that you need. And then your regulatory bodies give you the guidance that you need to put those tools and gears into place where you need

05:50

no incident handling incident response users terms interchangeably. I do anyway, ISA process

05:59

and most processes break down into you 24 or six.

06:03

Ah,

06:04

steps and you could see there on the screen. There's preparation, protection and palaces. There's containment around occasion in recovery imposed incident activity, and we're gonna hit all of those, uh, do the following episodes.

06:20

Um,

06:21

preparation is huge. I don't want to spend a lot of time on this slide because we are going to be going for in depth into these topics. But I believe in the old adage of line upon line precept on precept forward. The more you see it,

06:38

no more you hear it, the better you're going to remember.

06:42

It's true and physical training as well as mental eyes. Anyone here ever done any kind of martial arts

06:50

self defense courses?

06:53

There's something called muscle memory, and the more you do a particular move, the easier and quicker and will come back to you if you do it over 1000 times and that's not correct. So please don't upbraid me. But if you do it over 1000 times, it becomes muscle memory, it becomes refunds.

07:12

The same thing's true here and into that Hanley instant response. The more you do it, the more reflexive it comes, the better prepared you are faster. You can detect any analyze events quicker. You could move to containment around occasion coverage

07:27

and then assistant activities. Cleanup phase. We're sweeping everything together

07:31

and then moving back over to preparation. Prepare with next day and make no mistake,

07:36

there will be no rest now. Manion Zim Trends in 2017 which is another fantastic report. Now they're up in 2019. Link there on the screen will take you out to a listing of their annual reports, 53% of reaches weren't discovered by people working internally for the company.

07:56

They were discovered by third parties.

07:59

What,

08:00

53%?

08:03

That's to me. That's unacceptable.

08:05

There's something wrong the internal like these that really had no idea that they breach until somebody outside their company contacted him and said, Oh, aye, been breached. I don't know about you, but if I'm on the incident response team are in cyber security, I'm embarrassed,

08:22

I'm sure. Grint if I'm management for that company O r five

08:26

horrified. Why wasn't the people that I hired to do this job doing their job? That's the question. I'm gonna ask my manager now I've been through. Some of these were through for identification was made, and sadly,

08:41

it was a zit. Nothing really happened after the initial pa was over,

08:46

but it does ot evil, and it is an ill went against pirates and handling process.

08:52

When 53% of bridges

08:56

are identified from outside the company

09:00

from different sources, this is from the Mandy. It's interim report as well. Again, you can see that in 2000 King in internal

09:07

59% external wasn't 41%. So it's changing slightly over time and you could see those numbers out. Unfortunately, there's external numbers are, oftentimes way too high. And that's what this course will get us prepared toe lower that now on hopefully turn our eyes inside

09:28

again. Here's your a median dwell time.

09:31

If internal compromise was caught, it was 50%

09:35

external. You're at 184 days. Sorry. Days, not percent. 50 days in 184 days. So you can see if your internal teams none on the ball your number of all time gives up, and that's really, really not a good thing.

09:50

So we're gonna walk this process together involving episodes, hopefully laying groundwork for you to build out a good team