Incident Response Concepts

Video Transcription
All right. Incident response.
Incident response is sometimes referred to as, you know, the worst-case scenario. Disaster recovery, incident response, all of this stuff invokes fear in the hearts of many network engineers and security engineers out there. So you need to be able to prepare and plan for those worst-case scenarios.
One of the ways that you do that is by examining risk to your organization.
Risk is always forward-looking; we're always thinking about the future. You don't think about risks that have already happened, the stuff that's behind you, but you want to be able to look at risk in the future: what types of attacks are going to occur, what is acceptable to you, what threat vectors are out there, what's the history of attacks that have occurred in the past, so you can actually put some value to those types of things when you look at risk.
If you actually Google risk, there are probably 15 to 20 different risk calculations out there that organizations can use. The most common one used for risk in most organizations is what they call the magnitude of impact times the likelihood of the threat. So you're looking at the impact to the system if the threat occurs, times the likelihood of the threat. That can be expressed in financial terms using a quantitative risk value, where they're looking at the asset value, what it's going to cost for downtime, and other equations to get it in financial terms. Or they can use subjective measurements, a more qualitative thing: yes, this is a high risk, this is very detrimental to our company's operations if we lose this type of system.
So that's what you look at. Usually risk is looked at as impact times likelihood. That gives us a raw risk value to look at for prioritizing our assets and prioritizing our recovery objectives.
So if you look at the risk management process, it is broken out into six different steps.
Step one is to identify assets and their values. Why is this important? This is where you identify all your critical assets. You're going to look at what components are critical in our infrastructure that we cannot live without. These are the very critical components; they determine the success or failure of the organization's goals and mission objectives. So we need to identify those critical assets and their values. What is the value? Am I going to spend $100,000 to protect a $5,000 component? That's where those asset values come into play.
Step two is where you identify the threats, the threats that are out there to your system. We have web applications out there, so we need to protect against denial of service attacks. We live in the Midwest, you know, here in Ohio, Missouri, Indiana, and we have to worry about tornadoes. Whereas if you go down to Florida, the Gulf Coast, around Texas, Louisiana, Alabama, you have to worry about hurricanes. We don't have to worry about hurricanes in the Midwest, but we have to worry about different environmental threats: thunderstorms, lightning storms, tornadoes, gusty winds, straight-line winds, where most coastal areas might have to look at other environmental factors, like flooding, hurricanes, tropical storms, those types of things. So that's where you identify those threats.
Those threats can be considered adversarial, where you're looking at what adversaries are going to attack our system. If we're trying to protect nation-state equipment, you know, for the U.S. government or the DoD, we need to start looking at what threats are out there, what other nation-state actors are going to try to gain access to our systems. Will China be able to go in and access our systems? Will Iran, Russia, those nation states, and the terrorists and such that are out there try to breach our system? That's where we identify those threats. And, of course, there are the non-adversarial threats: temperature, humidity, environmental controls, environmental mishaps, tornadoes, fires, floods, those things. So that's where we identify our threats.
Step three is where we identify the vulnerabilities. How vulnerable are we, and where do we look for these vulnerabilities in our system? So we want to be able to look at those vulnerabilities to our systems. How are we vulnerable to, say, denial of service attacks? We run scans, we run vulnerability scans, patch management, compliance standards; we're checking all of that to identify any vulnerabilities that we might see within our system.
Step four: then we determine the likelihood of the event. How likely is that event to happen? How likely is that tornado to happen each year? Do we see one a year? Do we see 10 a year? Do we see more than 10 a year? Those are the likelihoods that come into effect for what we're trying to protect.
Step five: identify the impact. What happens if a tornado hits our data center and wipes out our data center? What do we do? That's where we're looking at the impact to the system. And that's where we're going to take that likelihood times the impact to give us a risk rating.
Then in step six we determine, given that combination of likelihood and impact, what we need to prioritize. That helps solidify our risk management process: what we're going to protect first, what we're going to bring up first for those types of systems.
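The impact-times-likelihood rule and the prioritization step above, worked as a small risk register. This is an added example, not code from the course; the asset names, dollar figures and event rates are constructed, and it shows both the quantitative (asset value plus downtime cost) and the qualitative (Low/Moderate/High) scoring the lecture describes.

```python
# Added example (not from the transcript): a small risk register that applies the
# risk = magnitude of impact x likelihood rule and prioritizes assets by raw risk.
# Quantitative entries express impact in dollars and likelihood as events per year;
# qualitative entries use an ordinal Low/Moderate/High scale for both factors.
# All asset names, values and threat figures below are constructed sample data.
from dataclasses import dataclass

QUALITATIVE_SCALE = {"low": 1, "moderate": 2, "high": 3}

@dataclass
class QuantRisk:
    asset: str
    threat: str
    asset_value: float            # replacement cost of the asset, dollars
    downtime_cost_per_hour: float
    expected_downtime_hours: float
    events_per_year: float        # likelihood: how often the threat is expected to hit

    def impact(self) -> float:
        # magnitude of impact for one event: lost asset value plus downtime cost
        return self.asset_value + self.downtime_cost_per_hour * self.expected_downtime_hours

    def risk(self) -> float:
        # impact x likelihood, expressed as expected annual loss in dollars
        return self.impact() * self.events_per_year

@dataclass
class QualRisk:
    asset: str
    threat: str
    impact: str       # low / moderate / high
    likelihood: str   # low / moderate / high

    def risk(self) -> int:
        # impact x likelihood on the 1..3 ordinal scale, giving a 1..9 rating
        return QUALITATIVE_SCALE[self.impact.lower()] * QUALITATIVE_SCALE[self.likelihood.lower()]

def prioritize(entries):
    """Highest raw risk first: the order in which to protect, and to recover, the assets."""
    return sorted(entries, key=lambda e: e.risk(), reverse=True)

def worth_protecting(entry: QuantRisk, annual_control_cost: float) -> bool:
    """The '$100,000 to protect a $5,000 component' check: a control is only justified
    if its annual cost does not exceed the annual risk (expected loss) it removes."""
    return annual_control_cost <= entry.risk()

# Constructed sample register.
QUANT = [
    QuantRisk("web-app", "denial of service", 20_000, 5_000, 4, 2.0),
    QuantRisk("data-center-1", "tornado", 2_000_000, 50_000, 48, 0.02),
    QuantRisk("file-server", "ransomware", 15_000, 2_000, 24, 0.5),
]
QUAL = [
    QualRisk("hr-database", "insider misuse", "high", "moderate"),
    QualRisk("lobby-kiosk", "vandalism", "low", "high"),
]

if __name__ == "__main__":
    for e in prioritize(QUANT):
        print(f"{e.asset:14} {e.threat:18} expected annual loss=${e.risk():,.0f}")
    for e in prioritize(QUAL):
        print(f"{e.asset:14} {e.threat:18} rating={e.risk()}")
```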
So, risk mitigation planning, strategies and controls.
Enterprise security architecture frameworks are guidelines to ensure that the enterprise security architecture is a comprehensive architecture. Most frameworks include business capabilities, reference models, business vision and drivers. There are different frameworks that can be used out there, depending on which security architecture you're using. There is the Risk Management Framework that the federal government and the DoD use. There's PCI, there's the HIPAA Security Rule, all those different architecture frameworks that you want to look at as far as what you're going to implement for your security architecture, for the framework you're going to use for your risk mitigation.
Then you have your business continuity planning. That deals with identifying the impact of any disaster and ensuring that a viable recovery plan for each function and system has been implemented correctly. A primary focus of the business continuity plan is to carry out the organization's functions when a disaster or disruption occurs. So how are you going to plan to resume essential mission and business functions? What is your recovery time objective? What is your recovery point objective? Where are you going to be able to recover to? All of that goes into business continuity planning.
IT governance is the several components used to provide comprehensive security management: the protection of data and other assets based on their value and sensitivity. Strategic plans guide long-term security activities. Tactical plans achieve the short-term goals in the strategic plan.
Your risk assessment: each organization needs to have a risk assessment done. If you follow any of the processes, the Risk Management Framework, HIPAA, PCI compliance, any of those compliance and regulatory statutes we must follow, they usually have a requirement for a risk assessment. That's the tool that's going to be used to identify risks and vulnerabilities and the impacts to the system. So a risk assessment is commonly used in organizations to help identify and control those things that we need to protect. It helps with business continuity planning and disaster recovery planning; all that stuff is informed by that risk assessment.
The statement of applicability identifies the controls chosen by an organization and explains how and why those controls are appropriate. Why am I implementing this control? Under what framework? So if I'm using the RMF, the Risk Management Framework for the DoD, I know those controls are there because NIST Special Publication 800-53 tells me they need to be there for the impact level of my system. If I have a low-impact system, I do these controls. If I have a moderate impact, I do these controls. High impact is more stringent, and I have to do these controls. That's my statement of applicability: why do we have to do those controls? And that's what's going to be there.
Your business impact analysis is a functional analysis that occurs as part of business continuity and disaster recovery planning. So what's the impact of us losing data center one? Yes, we have a hot backup site at data center number two; it takes us 30 seconds to switch the servers and connections over there, and we're recovered within a couple of minutes to full capacity. Or do we have a cold site somewhere that might take two hours to get to and restore everything? That's where the business impact analysis comes in, as part of those continuity and disaster recovery plans.
Interoperability agreements (IAs) are agreements between two or more organizations to work together to allow information exchange. So if you're having someone process your information for you while you're down, make sure you have an agreement that states what the terms are for the information exchange between the two organizations.
Some critical policies that come into play, especially with business continuity, disaster recovery and incident response, are employment and termination procedures. Organizations should have personnel security policies in place that include screening, hiring and termination policies. What happens if someone is being terminated and they're let go on bad terms, or they've been given two weeks' notice that they're getting laid off? What protections are in place to prevent them from performing a malicious act on the system before they leave?
Continuous monitoring is capturing and maintaining the operational baseline of the security controls that we have implemented for our security functions, and making sure that we're monitoring those security controls on a regular basis against the performance metrics. So what was the baseline? Are they still operating as intended, implemented correctly and producing the desired outcome that we need? That's continuous monitoring.
Training and awareness for users. Security awareness and training is a huge part of most compliance and regulatory requirements that are out there, whether coming from the DoD environment or from HIPAA or from PCI compliance. They all require security awareness and training, and having a good security awareness and training program at your organization helps protect what you have implemented there. As we said, humans are curious by nature. They find a thumb drive out there in the parking lot. How many people are going to take that thumb drive and plug it into their system to find out who it belongs to? Well, that thumb drive can have malicious software embedded on it, and as soon as they plug it into the system, your network is compromised. Then you're running around in incident response capacity and all that stuff to prevent this incident from propagating even more. So good security awareness and training for users is very appropriate. It teaches personnel the skills needed to perform their jobs in a secure manner. If they don't recognize an email from somebody, do they forward it? Is it spam? Do they forward it to their system administrator saying, hey, I don't know who this is, here's an attachment, I don't think it's very good? You want personnel to know what they have to do in order to help protect the system, because we can have all the security systems in the world, millions of dollars' worth of appliances and all this stuff all over your network, but if someone lets them in the back door and holds the door open for them, that's a problem. That's where good, robust security education, targeted for the people in your house, your in-house users, comes in. We as security professionals know the dangers of plugging in a USB device. The normal user is just curious; they want to see what's on this USB device, maybe they can use it at home, so they plug it in and check it at work. So they're going to do that; curiosity is going to get the better of them. But with a good education program, you can hopefully help prevent that within your organization.
E-discovery, especially when it comes to legal perspectives, e-discovery is getting bigger. Someone is terminated from an organization, and there might be a lawsuit involved. So lawyers file discovery notices to organizations, and that puts different legal requirements on organizations to maintain the data for longer periods. They can't go in and delete data that's going to be used, maybe, for trial purposes or lawsuits.
So, data handling: the use of access control lists (ACLs), the implementation, how group policies were managed, what security groups they were put in, any data loss prevention software that's in place within the organization. Do they clearly label and store storage media? So, yes, they process classified information. He took classified information out of the facility. Was that information and media marked classified? Then they knew what they were doing. If it wasn't marked classified and they took it out, they didn't know better, and they could use that as a legal argument: I didn't know it was classified.
Then track all backup media. All backup media is being tracked and documented somewhere. A lot of organizations use facilities like Iron Mountain as a secure storage backup. They encrypt their tapes and DVDs and send them off to an off-site storage solution, but they're tracking where all that backup media goes.
From the legal side, legal holds for data require organizations to maintain archived data for longer periods of time. It must be properly identified, and appropriate security controls put in place to ensure the data cannot be tampered with or deleted. That's where chain of custody comes into effect: who has access to it, who can change it, who can delete it? All those appropriate security controls that we have in place in our organization still stand when we store this data for longer periods of time in off-site facilities.
Data breaches: detection and collection. Identify the incident, secure the system and identify evidence, make system images, implement chain of custody, document the evidence and record time stamps. So when you identify the incident, the first thing you're going to do is secure the system in its current state, and identify any evidence that is out there. You're going to make your system images, because when you start performing your collection of evidence and identifying evidence, you're not working on the original computer. You might be working off a clone of the hard drive, or an image of the same hard drive, while you're keeping the original hard drive intact.
Your response: once the data breach has been analyzed, an organization should fully investigate the preventative actions that can be taken to prevent such a breach from occurring again. What did they learn, and how did the attackers gain access to the system? What can I do? What is the response?
Once the data breach is fully understood, all findings should be recorded in a lessons-learned database to help future personnel understand all the aspects of the data breach. When I go out and perform assessments on organizations, one of the big things is the after-action reports, the lessons-learned database. What are they learning from their last incident? What are they learning from their last continuity plan test? I look at all those after-action reports, all those lessons learned, to see if they're learning and updating their policies, the corporate policies and documents, to reflect all those lessons learned within those systems.
Design systems to facilitate incident response. When evaluating internal and external violations, security professionals must understand how to distinguish between different violations and how to address these situations.
So, privacy policy violations: conduct a privacy impact assessment (PIA) to determine what risks are associated with the collection, use and transmission of that PII. Any significant change to an organization's system should result in a PIA review, because whatever new changes are coming to the system might impact somebody's privacy on that system.
Insider threat. Implement the appropriate event collection and log review policies to provide the means to detect insider threats as they occur. So, elevated privileges: most insider threats that we see out there in the news today, and in the past, are coming from privileged users, users that have a subset of privileges that allow them to access more data than the average user. So you need to make sure you have the appropriate event collection and log review to facilitate detecting those insider threats. Detect that someone is accessing a privileged account. They're using their system administrator account to access all these policies and download them. A red flag should go up any time someone logs in as a privileged account user, and the logs should record what databases they access and what files they're opening. All that stuff needs to be looked at to help prevent these insider threats.
Criminal actions. When a suspected criminal action has occurred, law enforcement should be involved early. A lot of organizations out there don't have the required skill sets to help investigate these systems. Not everybody can afford a forensic investigator on their staff to look at forensics, so you might have to get law enforcement involved early to help with the forensics and evidence collection, especially if this is going to result in a lawsuit of some sort.
The order of volatility and chain of custody must be considered during evidence collection. Who has access to those systems when you're doing chain of custody? I'm logging this into an evidence locker; only I have access to this locker, or whoever the security personnel are who have access to this locker, or law enforcement. If they sign something out, there's a chain of custody; it goes into their hands. There's definitely documentation that is going to be used, because the first thing the defense is going to try to do is say, hey, this hard drive or whatever was out of custody, where did it go, somebody could have tampered with it, it wasn't my client. So it's just that thing to protect yourself and your organization. That chain of custody is huge when it comes to lawsuits.
Establish and review system audit and security logs. Organizations have established policies regarding the collection and storage of security logs. Security professionals should be trained on how to use the logs to detect when incidents have occurred. A lot of security professionals are using SIEMs, security information and event management systems. That way they can review those logs to detect what incidents have occurred. So a lot of security operations centers feed all these logs into the SIEM for it to aggregate all these log files and look for potential red flags, people doing something that they shouldn't be doing. And people need to be trained on how to use those. The average Joe is not going to know what to look for in an audit log, whereas a security professional or a trained professional will be properly trained to look at those logs and know how to investigate them.
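The log review the lecture asks for in the insider threat section above (flag every privileged-account login and record which databases and files that account touched) and in the audit log section here (aggregate logs and look for red flags), as an added example that is not part of the course material. The log format, the account names and every entry in SAMPLE_LOG are constructed for the example; a real SIEM parses its own sources.

```python
# Added example (not from the transcript): minimal log review for privileged-account
# activity. Rule 1 reports every privileged login; rule 2 reports a privileged session
# that opens more than a threshold of distinct files; the logout entry summarizes the
# databases and files that session touched. Log format and entries are constructed.
import re
from collections import defaultdict

# Constructed audit log: an ISO timestamp followed by key=value pairs.
SAMPLE_LOG = """\
2024-03-04T09:01:10Z user=alice type=standard action=login src=10.1.4.20
2024-03-04T09:02:33Z user=alice type=standard action=file_open path=/shared/newsletter.pdf
2024-03-04T22:14:02Z user=bob-adm type=privileged action=login src=10.1.4.77
2024-03-04T22:15:11Z user=bob-adm type=privileged action=db_query db=hr_records
2024-03-04T22:16:40Z user=bob-adm type=privileged action=file_open path=/policies/p1.docx
2024-03-04T22:16:41Z user=bob-adm type=privileged action=file_open path=/policies/p2.docx
2024-03-04T22:16:42Z user=bob-adm type=privileged action=file_open path=/policies/p3.docx
2024-03-04T22:16:43Z user=bob-adm type=privileged action=file_open path=/policies/p4.docx
2024-03-04T22:17:05Z user=bob-adm type=privileged action=logout
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")

def parse_line(line: str) -> dict:
    """Turn one constructed log line into a dict with 'ts' plus its key=value fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    fields = dict(pair.split("=", 1) for pair in m.group("kv").split())
    fields["ts"] = m.group("ts")
    return fields

def review_privileged_activity(log_text: str, bulk_threshold: int = 3) -> list:
    """Return a list of (timestamp, user, reason) alerts for privileged accounts only."""
    alerts = []
    session_files = defaultdict(set)   # files opened in the current privileged session
    session_dbs = defaultdict(set)     # databases queried in the current privileged session
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev.get("type") != "privileged":
            continue  # the lecture's red flags concern privileged users
        user = ev["user"]
        if ev["action"] == "login":
            session_files[user].clear()
            session_dbs[user].clear()
            alerts.append((ev["ts"], user, "privileged login"))
        elif ev["action"] == "file_open":
            session_files[user].add(ev["path"])
            if len(session_files[user]) == bulk_threshold + 1:
                alerts.append((ev["ts"], user, "bulk file access by privileged account"))
        elif ev["action"] == "db_query":
            session_dbs[user].add(ev["db"])
        elif ev["action"] == "logout":
            alerts.append((ev["ts"], user,
                           "session summary: dbs=%s files=%d"
                           % (sorted(session_dbs[user]), len(session_files[user]))))
    return alerts

if __name__ == "__main__":
    for alert in review_privileged_activity(SAMPLE_LOG):
        print(*alert)
```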
Incident and emergency response. Chain of custody shows who controlled the evidence, who secured the evidence and who obtained the evidence, and makes sure it hasn't been tampered with. We want that effective non-repudiation. Yes, here's the original hard drive. I signed out a cloned hard drive to do my forensic analysis on this system, so I'm not using the original system. But I did sign something out, making sure I'm maintaining the appropriate level of chain of custody for evidence purposes.
Forensic analysis of compromised systems: media analysis, software analysis, network analysis, hardware and embedded device analysis. When it comes to forensic analysis, not everybody has forensic analysis people on staff. So that's where law enforcement comes into effect, getting them involved early with the investigation so they can help do the forensic analysis. There are also third-party companies that do nothing but forensics; you can hire them to come in and do some forensic analysis of those devices.
Continuity of operations plans, your COOP plans, are kind of like business continuity plans, but consider all aspects that are affected by a disaster, including functions, systems, personnel and facilities. A lot of people overlook personnel. The building is destroyed by a tornado. What policies do they have in place? Okay, we have a telework policy as part of our COOP plan: people just work from home with their laptops and are able to connect to our servers, and we continue our operations that way by having a telework policy. Or we have a meeting room set up in another facility, another office, that we can go to, connect and start working. So, definitely, COOP plans, continuity of operations.
Order of volatility. This ensures that the investigation collects evidence from the components that are most volatile first. Volatile is the stuff that changes on a normal basis. So one of the biggest things that is first in the order of volatility is the memory contents, because your cache and your registers, all that memory, as soon as you shut that computer off, those memory contents are dumped. They're very volatile, so nothing that is stored in memory, that random access memory, persists. It's just there while the system is on. As soon as you turn off the computer, you've lost everything that's in the memory contents for that system. So that's one of the most volatile components, and it needs to be collected first: the memory contents.
Then you have your swap files, your routing tables, your ARP caches, your kernel statistics, file system information, raw disk blocks, remote logging and monitoring data, physical configuration, network topology, and then the archival media or backup media, CDs and DVDs. Most of the time breaches are not found in organizations for six months, sometimes even a year. So investigators and incident responders need to determine when this system was first breached. We might have to go back to last year's log review and see what events changed. That's where that archival media, that backup media that was used, tapes, CDs, DVDs, comes back from their off-site storage location. We need to bring that back into the facility to forensically analyze it, to see how long ago this breach happened.
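The evidence-handling points from the data breach, chain of custody and order of volatility sections, put together in code as an added example that is not part of the course: collection tasks are ordered by the volatility list above, each acquired item is hashed so tampering can be demonstrated, and every hand-off is logged so a custody gap is detectable. The EvidenceItem class, the source names and the sample dump contents are assumptions constructed for this example.

```python
# Added example (not from the transcript): order collection by volatility, hash each
# artefact at acquisition, and keep a timestamped chain-of-custody log per item.
# Evidence contents, item names and handler names below are constructed sample data.
import hashlib
from datetime import datetime, timezone

# Most volatile first, as listed in the lecture.
ORDER_OF_VOLATILITY = [
    "memory", "swap", "routing_table", "arp_cache", "kernel_stats", "filesystem",
    "raw_disk", "remote_logs", "physical_config", "network_topology", "archival_media",
]
RANK = {name: i for i, name in enumerate(ORDER_OF_VOLATILITY)}

def collection_plan(available: list) -> list:
    """Sort the evidence sources an investigator has by volatility, most volatile first."""
    unknown = [s for s in available if s not in RANK]
    if unknown:
        raise ValueError(f"sources not in the volatility order: {unknown}")
    return sorted(available, key=RANK.__getitem__)

class EvidenceItem:
    """One acquired artefact (a memory dump, a disk image) plus its custody log."""

    def __init__(self, name: str, source: str, data: bytes, collector: str, when=None):
        self.name = name
        self.source = source
        self.sha256 = hashlib.sha256(data).hexdigest()  # fingerprint taken at acquisition
        self.custody = []  # list of (timestamp, action, person)
        self._record("collected", collector, when)

    def _record(self, action: str, person: str, when=None):
        self.custody.append((when or datetime.now(timezone.utc), action, person))

    def current_holder(self) -> str:
        return self.custody[-1][2]

    def transfer(self, from_person: str, to_person: str, when=None):
        """Hand-off (e.g. investigator to evidence locker): only the holder can release."""
        if self.current_holder() != from_person:
            raise ValueError(f"{from_person} does not hold {self.name}")
        self._record("released", from_person, when)
        self._record("received", to_person, when)

    def verify(self, data: bytes) -> bool:
        """True only if the artefact still matches the hash taken at acquisition."""
        return hashlib.sha256(data).hexdigest() == self.sha256

    def custody_unbroken(self) -> bool:
        """The log must start with the collection entry and every release must be
        immediately followed by a receipt; otherwise the defence can claim a gap."""
        if not self.custody or self.custody[0][1] != "collected":
            return False
        for i, (_ts, action, _person) in enumerate(self.custody):
            if action == "released":
                if i + 1 >= len(self.custody) or self.custody[i + 1][1] != "received":
                    return False
        return True

if __name__ == "__main__":
    print(collection_plan(["archival_media", "raw_disk", "memory", "arp_cache"]))
    item = EvidenceItem("host7-mem.raw", "memory", b"constructed memory dump", "investigator")
    item.transfer("investigator", "evidence-locker")
    print(item.sha256, item.current_holder(), item.custody_unbroken())
```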
Thank you