Incident Response Kits Introduction

00:00

Hello, My name's David and welcome to pre incident response

00:07

you're moving alone on. And we have looked at the incident response process

00:13

we talked about which primarily I should say. Primarily we talked about

00:19

which two standards or the incident response process?

00:24

Yes, very good Sands and

00:28

missed. Yes. Now

00:31

they aren't the only two. Of course, there are other standards out there that you can refer to, but Sands and Nest there are pretty well known, pretty heavily relied appointing use when it comes to the response process.

00:46

Now, part of the process is preparation. Now, as we move here in the Module three, where we thought about instant response kids

00:55

that's going to fall more in line with preparation. However, it is also going to come in tow line with detection, containment, recovery on analysis, because what you're going to do with these kits is gather evidence for analysis,

01:12

analyze that evidence and then crack your recovery process around what you learn from that. So

01:19

the kids kind of

01:21

move across the spectrum of the incident response process. They're a vital part of it that I gave you a task of going out into the yard and chopping down a tree.

01:33

One of the first things that you're going to do is say, well, what tool am I going used to talk street out?

01:40

If you say it spoon,

01:42

it's obvious that you're in the wrong career.

01:46

If you say

01:49

an axe,

01:51

Congratulations, you're you're a little closer. It can get the job done. It's a little more labor intensive than, say, a chains. All would be.

02:00

You can see the same process picking your tools to help you in your job dollars through from

02:06

a physical job, like chopping a tree into the cyber world.

02:09

These tools and these kids are essential.

02:14

They are what you're going to use to do your job. Of course,

02:17

um, the right tools

02:21

help you do your job faster. Easier.

02:23

But in order to pick those tools, you need to keep the job. Focus. Which kind of Parker's back to the entire preparation stage of the incident response process? I'm going to give you a short example for my own life is in its response.

02:42

Ah, analyst toe hopefully share a mistake or my can't really say it's a state, but I was definitely un prepared for this scenario when I walked into it,

02:52

I was working my own business as a penetration tester and cyber security consultant.

03:00

I was contacted by local businesses. Said, Hey, we have an issue. Hopefully, you can help us. Sure. Much problem.

03:06

Well, we host one pages for a wide variety of customers, and we discovered that several of those Web pages happened based

03:15

buying attacker. And we need somebody to come in and help us do the incident response so that we can assure, but our customers on ourselves that nothing else happened. It was just a Web page to basement campaign and they didn't get into our network. Hey, great,

03:31

fantastic. I'll be happy. Help! I'll be there whatever time you need to be seven meeting. Go ahead, sit down with Brooke Customer. His IittIe staff were discussing the issue, so I began to ask questions pertinent to my function. Which was the incident? Respond or

03:51

position? So I asked first and foremost what you use. What kind of operating systems are your environment?

03:58

They said Matt,

03:59

In the end, he said, No, just Matt.

04:02

Oh, I said, How about your service? We use Apple service,

04:06

huh?

04:08

Instantaneous problem,

04:10

because I had very little experience in conducting forensic. So Max, even knowing how an Apple server was set up, operate the all systems were involved in any kind of hardware I might have needed in order to conduct imaging or forensic imaging. And that kind of thing has zero

04:30

of that.

04:30

So, as you see, I kind of stumbled into a position

04:36

liability because without those tools and without that knowledge, I wasn't going to be able to provide them with the best

04:46

incident response analysis that he needed Now, fortunately, I was able to gather logs from the servers there Patty logs and Web server logs, firewall logs.

05:00

And what do those on and discover that there have actually been there deeper penetration that way. So there was no other need for forensics. Ernie, I got to come into black. However, that kind of highlights the need for youto have tool kit set up adequately in order to deal with whatever problem you might

05:18

space, which leads us to our first bullet on this slide is know your environment.

05:23

I'm working as a consultant or 1/3 party. That's kind of difficult for you to do. Uh, if you're gonna do that just by yourself for starting your own small company. It's a big investment. You'll you'll see that some of these tools are rather

05:36

costly. But you can't skip on that, because if you do your clients or something,

05:43

remember the preparation stage. Survey your environment. See what you might need. What think could come into play and get it. So you have it on hand.

05:53

Um, ask. You know, potential clients. What kind of operating systems to use? What kind of network hardware do you have? What programs do you rely a lot? Just 3 65 Email, huh?

06:03

Hey, it's cloud based. What knowledge do I have about conducting forensics in the cloud? Do I know Office 3 65 cannot conduct since that response in that program? These were things that you need to be building your knowledge and technical expertise sense so you could have the right tools.

06:21

Asked what kind of threats are facing, financial institutions face different threats than, say, medical institutions. Your doctor's offices

06:29

there are also governed by different regulatory body, so you need to know what regulatory body is going to want to know so that you have tools and the ability to be able to provide that knowledge regarding any incidents that you may investigate for you.

06:45

Point of set sail machines have been big cards and restaurants.

06:49

Another quick case study after I retired from law enforcement, I still continue to do vulnerability scans, penetration, testing. And

07:00

I went is, ah, local credit union was talking to one system managers, and they started telling me about credit card breach at a local restaurant

07:10

and how our local criminal investigators were going out to interview please, because breach find out who was stealing great for data. I had just read a Brian Krebs article saying that this particular restaurant brand tag suffered a breach nationwide and it wasn't a local problem.

07:28

Contacted law enforcement shared that knowledge with them and with credit unions that I worked with, had managed to avoid a huge block, overblown criminal investigation into our local teenage restaurant. Who eats that?

07:42

Be prepared, uh,

07:44

always be expanding your knowledge and know how to respond to brand somewhere. For example, um,

07:51

you'll be able to help your customers your clients to recover from Ransomware, of course, is mostly preparation, but what your crypt. Reserve it.

08:01

You have access to them. You have the ability to conduct forensics on a partially encrypted computer to help them re mediate. Problem.

08:09

All these things come into play when you're picking and choosing your tool kit.

08:13

Look over reports like this one from CNN's, which was, ah, white paper put out about their its response, surveyed 2000 King

08:22

Ah, and identify different areas that you may face a CZ, an incident response analyst and craft your tool kit around these kinds of incidents so that you are ready and able to respond to them if they come. For instance, some places have mostly

08:39

smartphones and tablets in their environment, so you need a whole different

08:43

physical token in order to be able to deal with them. Now they're two methods of approach to this, the first software. You have to be able to handle a wide variety of software along with conducting network. So keep that in mind. And then there's hardware,

08:58

which in our next episode I'll be showing you some examples of different kinds of arbor to kids that you can purchase and by, uh, they're very hardware specific. For instance, cell phones come in a wide variety of different formats and with different connectors. So you need to have a good tool kit to handle that

09:16

as well as your network and Versace

09:20

network versus host based. You may need a network tap. You may need a switch to you, maybe germ router hook into the network in order to conduct package captures to watch network traffic, etcetera, etcetera, etcetera. In order to be able to help your client. Now for software,

09:37

there's a lot of different forensic software is. After that, you could turn to to you sip this morning example, which is a screen capture.

09:43

There's in case there's F K. There's autopsy. I'll give you a look in a couple of those as well in one of our future episodes that you can see what's available and start building your own knowledge Base

09:58

wire. Shark Network. Minor ex ways. Ah, whole host of different kinds of software that you as an incident responders need to be familiar with, and it worked.

10:09

How do you choose?

10:09

I want a budget

10:11

Areas of interest is the criminal case. Are they in turn, um, internal investigations or any legal liability involved with it?

10:18

Uh, your own skill set and familiarity with the tools come into play as well. Don't buy the boat without the yours. If you do, you'll be stuck out there in the middle of the ocean and unable to return to shore.