Incident Response


Time
5 hours 58 minutes
Difficulty
Intermediate
Video Transcription
>> Welcome back to Cybrary. Of course, I'm your instructor Brad Rhodes. Let's talk about incident response. By training and trade, I'm an incident responder or defender, and so this is near and dear to my heart.

In this video, we're going to talk about the incident response cycle as defined by the National Institute of Standards and Technology. We're going to talk about communications during an incident and why that is vital, and then we're going to talk about why it's important to have an IR checklist.

This is the incident response cycle as defined by NIST. You see preparation, you see detection and analysis, you see containment, eradication, and recovery, and post-incident activity. Obviously, we want to do a lot of work in preparation; putting those controls in place is what we do. We don't want to do that detection and analysis, so that's continuous monitoring. We want to be able to know what's happening. If something does happen, you have to have the means to contain, eradicate, and recover very quickly, and that's where we talk about things like business continuity, recovery time objectives, recovery point objectives, and disaster recovery plans; all of that stuff we have to do here. Then post-incident activity. Obviously, we're going to assess how well we did in the incident response, and we're going to look to improve upon what we did, and that's how we capture that there. This is obviously cyclical, and clearly you can see you can do a lot of work in preparation but still have to detect something and still have to contain something. It's not perfect, but at least it's a framework to work with.

Communications during an incident is very important for the incident response team. As you can see them here, centered in this graphic, they talk to lots of other people. They could be talking to ISPs. They can be talking to law enforcement. They could be talking to customers. Goodness, I hope you don't have to do an incident response where you talk to customers, because that's no fun. You may be talking to other response teams in, say, the same industry vertical that you're in, to understand if they're seeing the same kinds of things. Maybe you have to talk to vendors as well. Maybe it was their product that was the cause of the breach. The point here is that incident responders talk to lots of people. In the case of an ISI, if the incident is related to a control you helped to build or deploy in an organization, you're likely going to be interacting with the incident response team and communicating with them.

But here's the thing, and here's the most important point. Here's the secret of communications in an incident. Have a plan. Know who you're supposed to talk to. Know your reporting chains. Know the old military term: chain of command. Know who's got the authority to make decisions on expenditure of funds. If you don't communicate during an incident, or don't know who to or how to, if you don't have a plan, you're just going to be sunk out of the gate and you're going to be grasping at straws.

Incident responders always walk in the door with a checklist, and it's not because they don't remember stuff or they've forgotten things. No. This is so that we standardize what we do in an incident response. If we go into every incident and we don't do the same processes, policies, procedures, guidelines, that kind of thing, we are going to miss something when it comes to trying to detect, contain, eradicate, and recover. It's just a given fact. By the way, in the midst of an incident response, when the "cyber bullets are flying," if you don't have some process that you follow, i.e., an incident response checklist, it is very likely that you will miss something and have significant problems, because the adversary just establishes persistence and hangs out because you've missed it. Please understand having incident response checklists, and if incident responders come to you this season and ask for your inputs, talk to them, figure out what they need. Get them what they need, because you probably know the controls as well as, if not better than, they do.

In this lesson, we talked about the incident response cycle, we've talked about communications during an incident and the fact that you need to have a plan, and we've talked about the fact that an incident response checklist in many cases is the plan that keeps you on track and focused and calm in the heat of an incident. We'll see you next time.