Time
52 minutes
Difficulty
Intermediate
CEU/CPE
1

Video Transcription

00:00
Hello. My name is David Biser, and welcome to post-incident response.
00:06
Oftentimes, sad to say, we get caught up in the technical environment and we overlook, I guess, what you could call soft skills. Um, however, the soft skills and the technical skills do
00:22
combine in a way that can't be overlooked. And if it is overlooked, then you're not going to be a well-rounded, holistic response analyst. So hopefully, uh, we're learning as we go. We're in Module five, already talking about some post-
00:41
incident activities.
00:43
One of which is incident recovery, that is, falling there at the end of our incident response process. Preparation we talked about briefly, but
00:56
scattered throughout all of our time together. So far, preparation, as you've seen, is a key element in making sure that you can completely and adequately perform detection and analysis, containment, eradication and recovery, and then also your post-incident activity.
01:15
So as we move over to post-incident,
01:18
um, we are gonna kind of cover an element in that third step, which is containment, eradication and recovery, because it falls,
01:29
yeah, I guess you could say it's fluid, so it's going to happen there early as the incident response process
01:38
moves along, but it also is going to be part of your post-incident activity as well. And it's important to track these issues, because if you don't, you could very easily lose track of what's going on. Now, recovery's simplest definition is to return to normal activity. That's
01:59
true whether it's
02:00
surgery. As you can see, my extra hardware X-ray there, and that's attached to my spine. Those are pretty big screws, actually, but I went through that surgery a couple years ago.
02:17
Ah, and I had to recover from that back surgery. So it was,
02:24
you could say, a long and tortuous road, and it has to be handled correctly. If it's not, you could actually create and cause
02:34
more problems than what you seek to solve by having the surgery. And when it comes to incident response, the same thing holds very, very true.
02:45
As you move into the recovery phase, after you've declared your incident, after you've done evidence gathering and your analysis, and throughout the process of the analysis you're developing indicators of compromise which have been passed out to other teams on the incident response team,
03:02
like your firewall admins, network admins and your system admins,
03:07
so that they can update their tools. We're in containment now, and as those indicators are added to your toolsets, and systems are identified that were affected and are forensically captured and imaged and examined, and they are re-imaged and brought back into service,
03:28
as you can see, that containment issue is almost now moving directly into recovery.
03:34
And whereas it may be a long road and a hard road, it has to be handled correctly or you won't recover completely, and you could expose yourself to future incidents based on the lack of proper recovery. Now, this stage of the IR process
03:52
does not reside with the cybersecurity, um,
03:58
as it's strictly defined in the incident process; you will be dealing with a wide variety of other teams. Exchange admins, database admins, help desk people and users, management, legal resources.
04:17
Any time there's an incident, uh, of any scope,
04:23
then you're going to see a lot of different people brought in. So as we move over into recovery, you are actually going to be dealing now instead more with administrators, database admins and others who are responsible for various segments of the network and systems
04:41
that are attached to the network. But
04:45
that doesn't mean that you have no role. You do, especially whoever is assigned as the incident manager,
04:54
because the authority is vested in your manager in order to make sure that the steps are actually followed through on and completed, and that all has to be documented by your incident recorder, whoever may have been assigned to that
05:14
position. If these steps fail and recovery is not completed entirely, then again,
05:23
you could have some other issues to deal with. As I said, the incident manager sort of becomes a playground monitor here. He has to corral all of these different beings and persons and positions together to make sure that
05:39
the recovery process is still flowing along and being properly managed.
05:45
If you've never been involved in an incident, you're going to be
05:50
involved in a ton of meetings, calls
05:55
Ah,
05:57
I find them to be highly annoying, but they also are essential, because it's through those calls and meetings that all the responsible parties are held to task, their feet are held to the fire, so to speak. And if you don't have meetings,
06:15
um, you're not going to be able to confirm
06:17
that your recovery process is actually flowing along
06:21
smoothly and rapidly as well. So if the incident manager isn't calling meetings and holding them and making sure that these things are being handled, then there's, ah, a problem in the works that could hinder the entire incident response process.
06:41
As I said, the meetings are essential,
06:43
especially if they're managed and not long. I know, sitting through these lessons with me here. In the past, I've been involved in these meetings, both internally and externally, and I've seen good and bad incident managers.
07:03
And the incident management position is one of extreme authority and responsibility. So that person, whoever is assigned there, needs to be someone who can manage a wide variety of disparate personalities. Room for a story: we were doing a tabletop exercise for a company.
07:21
Um, we show up, and what we're actually doing is meeting with different
07:29
entities within the company. Our first meeting was with the security team.
07:33
They were the incident response analysts or SOC analysts, or,
07:38
uh, whoever was assigned to the security team in order to help protect the network. And we went to the tabletop with them and got to the issue side where we're discussing problems that they were facing. And they mentioned that they have problems working with the Exchange admins. And
07:53
so we go on through a series of other meetings. Finally, we have all the leadership sitting in one room, from the CISO all the way down, and the incident response team leader is sitting across the table from the Exchange admin, and by the time the meeting was over, the two were screaming at each other across the table.
08:11
And the CISO basically just sat there
08:13
and did nothing to quell the problem. That is bad leadership, everyone. So don't be that person. Now, there are a lot of items covered under recovery that we'll hit on here: restoring systems to normal operation. Some of these should be pretty obvious to you by now.
08:31
Confirming the restoration is important. Oftentimes I've seen
08:35
systems put back into operation where nobody confirms
08:39
it. Remediating vulnerabilities and ensuring that they are fixed, uh, replacing compromised files with clean versions. Patching is huge, but oftentimes difficult in the corporate environment, but it needs to be done. Password changes should happen, if necessary.
08:56
Tightening the network security I mentioned just a few minutes ago. The perimeter needs to be checked. Firewall admins need to be involved, system admins, so that
09:05
you can tighten down your perimeter and make sure that no other attacks of the same variety might occur. Increased logging, monitoring and auditing should also come into play. Then metrics come into play.
09:20
I personally don't like metrics very much, but I know and recognise they are essential. So how do you determine them?
09:26
A lot of people use costs. They'll break it down by systems, personnel, legal fees and fines, business disruption costs. Time could be a useful metric when it comes to recovery and measuring the progress. Different issues come into play there.
09:43
You could do loss of time due to the systems that you lost; you could do personnel time
09:48
that has been expended on the incident. So let's review quickly. Define recovery for me. Right, return to normal. Who handles the recovery process?
09:58
The larger team, with the incident manager, uh, making sure that it is being taken care of. Uh, provide a good list of recovery items; we just covered that. And define metrics and provide examples.
10:11
Yeah, time, personnel costs, business disruption could all be metrics to use to judge the recovery process. If you have any questions, reach out to me. I'm on Cybrary, Gave me 135. Have a great day.


Instructed By

David Biser
Incident Response Engineer at Iron Mountain
Instructor