Incident Response Planning Processes


Time: 14 hours 39 minutes
Difficulty: Intermediate
CEU/CPE: 13
Video Transcription
00:00
>> Now, we're going to move into the elements of an incident response plan per the document provided to us by the University of California. You see here, we're going to have six stages of the plan. Again, it's not so much that you be able to say, well, this is the University of California, this is the SEI; it's more that you get the steps that are taken as part of incident management and ultimately how the pieces all come together. In this piece, what are the sections that you should have when you're writing an incident response plan?

We're going to start with preparation, and you're going to see that's just like planning in the previous set of processes. Our approach. What's our methodology? Preparation and planning is all about defining what we're going to do. We're not doing anything yet except determining how we're going to do it. Our policy is going to dictate what our steps are, and it's going to lead into our processes. We're going to talk about, in preparation again, we're going to outline the criteria for labeling something an incident. We're going to make sure that the necessary tools are available, as well as training on how to use those tools. We have to look at preparation as the first stage of any incident response.

Then we're going to document how we identify an incident. Again, that's called violation analysis. Not everything is as it appears. An intrusion detection system could sound an alarm, but it could be a false positive. It could just be normal network traffic that for whatever reason triggered an alarm. When we do determine that something is legitimately an incident, that's when we assign ownership to individuals on the incident response team, and we're going to immediately establish a chain of custody for any evidence that will be collected as part of the next step. Also, we need to get the idea of how severe this incident is. It may be that we find ourselves operating outside our capabilities; it may be that we need to escalate to senior management or perhaps to outside authorities.

We've identified it as an incident, we know an incident is going on, we have to move into containment. How do we contain an incident? What are we allowed to do, making sure that we have processes in place? Again, maybe segment systems or even subnets from the network, pull the switch, pull them off the network. Antivirus software. What we need to do to preserve evidence, should that evidence be presented in court? Again, there's a line between just incident response and forensics evidence collection. What is going to define that line?

We're going to make sure that we control our communications to the public, and in relation to controlling communications, we need to be very aware of the fact that it's not always the CEO that is best prepared to go out in front of the public. If any of you remember the BP oil spill, Tony Hayward, every time that guy was going to be on an interview, I just got myself a little bag of popcorn. [NOISE] I was just waiting to hear what he was going to say, because he made a tremendous amount of poor statements that really left BP looking unprepared. It certainly made them look very uncaring to the general population. In this piece, we're going to make sure that we have selected people that are going to contain the damage, not just of the incident itself from a technical standpoint, but contain the damage to our organization and how we present ourselves to the media.

[NOISE] Then eradication. With containment, we're limiting the damage, but with eradication, we're eliminating it. We are removing the virus, we are restoring from backup, we are looking to get to the root of problems. We want to figure out if there are any additional weaknesses. We want to make sure that the means that we've used to protect our system are going to leave our systems clean and not susceptible to further compromise.

Recovery: get back to where we were before the incident. We're going to meet those service-level objectives. Service delivery objectives may be something you'll see; it's the same thing as a service level agreement. We have to get back to where we're providing the degree of service our customers expect from us. We'll also look to the BCP, and we may find things like recovery time objectives, recovery point objectives, whatever those will be. But recovery is not about just getting rid of the malicious file; we're back up and running to a state that we were. I won't say to the state we were before the incident, but to a state of permanence. We really don't want to get to where we were before the incident because we just got banned, so to a state of permanence.

Then last, once again, documentation. Get those lessons learned. Conduct a post-mortem, debrief your staff, document what happened, analyze the events that happened. Ultimately, analyze that and figure out how we can get better next time. Then that report is going to be provided to whatever stakeholders we determined were relevant back in the preparation phase.