Welcome to Cybrary's video series on the CompTIA Security+ 501 certification and exam. I'm your instructor, Ron Werner.
See Cybrary.it for more information on this certification and many others.
This next video for the Security+ domain five will help you prepare for section 5.4:
given a scenario, follow incident response procedures.
This session is all about incident response.
Not to be a pessimist, but systems fail.
There will always be events out of our control that take down our systems,
and we need to be ready for it.
Planning for such events is vital to ensure effective incident handling and response when the time comes.
proper planning makes the difference between being able to recover quickly instead of potentially ruining your business.
Section 5.4 on incident response covers the following concepts.
First section: incident response planning.
This is the document you will develop defining your incident response plan,
showing roles and responsibilities, reporting requirements, who's involved with it and then the actual steps involved in incident response for your organization.
The second section is about the incident response process.
Preparation for the incident. Identification, containment, eradication, recovery. Then lessons learned.
Let's dive in to the incident response plan.
Before we can go too far in defining our incident response plan, it's important to understand the definition of an incident.
Is it malware? Is it malware that was cleaned? Is it a breach? What is an incident for your organization?
On the screen, you'll see a few different definitions, one from NIST, the other from Cybrary.
An incident is an occurrence that actually or potentially jeopardizes the confidentiality, integrity or availability of your information systems
or the information that system processes, stores or transmits.
It could also constitute a real or potential policy violation.
Cybrary has their definition as well.
It's: an incident is an unplanned disruption or degradation of a network or system service
that needs to be resolved.
We'll keep off "immediately" because that's up to your business. I recommend within your organization you define what an incident is.
Before we go too much further in discussing the incident response plan,
I want you to be aware of the incident response process. On your screen is the process as defined by NIST in their document SP 800-61, their security incident handling guide.
These are the steps I mentioned earlier. Keep these in your mind as you're thinking about your plan.
We'll discuss each of these steps in detail in Part two of this video.
You can see I like to use NIST as an authoritative source,
not only for incident response and handling, but really anything dealing with information security.
On the screen now is their definition of an incident response plan.
According to NIST, the incident response plan is the documentation of a predetermined set of instructions or procedures to detect, respond to and limit the consequences of
some type of a malicious attack or policy violation that could harm your organization,
organization's information systems or just organizational data.
Please see the Incident Response Guide for more information.
It provides guidance on the exact elements to include: mission, strategies, goals,
senior management approval for your incident response plan,
approach to incident response,
team communications, metrics for measuring response capabilities,
a road map for understanding your maturity when it comes to incident response,
and how the IR plan fits within your organization.
It's a great reference I highly recommend.
According to the CompTIA Security+ certification exam objectives,
these are the different elements of the incident response plan you should be aware of if you're preparing for that exam.
It's documenting the incident types and categories, roles and responsibilities, the cyber incident response teams, reporting requirements and exercises.
Let's talk about each of these in detail.
You should define in your incident response plan your incident types. As I mentioned earlier, have your definition of incident.
On the screen here, you see a few of the different general categories. An incident could be a natural occurrence, so fire, flood, a weather-related event.
It could be human, mechanical, malicious or policy violation.
Mechanical, technical: hard drive failure is an example.
Accidental human error:
clicking on a link that turns out to be phishing,
an avenue through a firewall that maybe shouldn't be open.
Malicious is the compromise of confidentiality, integrity or availability. Those are the intentional breaches. Malicious could be internal or external.
And then policy violations:
people who may have knowingly or unknowingly violated policy.
What would be considered an incident within your organization needs to be defined within your IRP.
Your incident response plan should also grant clear authority for actions taken during the incident. Who's responsible? Who are the decision makers? Who takes which actions?
I recommend including that as part of a checklist in your IRP. That way, when there's a problem, there's clear definitions of who does what.
When you're walking through your IRP, you want to have this defined. Who does incident alerting?
Is that your service desk or help desk,
all employees who could be involved? Maybe a security operations center.
Next is who does the identification of the incident and triage.
So let's just say someone notifies your help desk. They might just take that initial look to know whether to escalate or not.
Doing that triage to determine potential impact and what's going on is a crucial step in incident response.
Decision making is usually done at a manager level. Who decides what actions to take?
Do we do some cleanup?
Do we track the incident, maybe to define who was conducting, say, a breach?
If there are requirements for evidence collection,
gathering equipment,
that's also a step that needs to be defined. Who will do this? By the way, you don't want to allow just any employee to collect evidence. We'll talk about it in the digital forensics section, about that chain of evidence that may be required,
maintaining the integrity of any equipment.
Who conducts forensics? Do you have expertise in house or not?
Maybe you need to outsource that to a trusted third party who's knowledgeable in the technical details of digital forensics.
Repair, recovery: who's gonna conduct that?
Reporting. Reporting should be conducted throughout each of these steps,
and then communicating, also done throughout, but particularly who talks outside the organization.
Maybe that's your marketing or PR department or legal are the only ones who've been mentioned. That's outside the organization.
the reputation of your organization,
Walk through these roles and responsibilities. Make sure you're aware of them, not only for the Security+ exam but as a security professional.
Often included as part of roles and responsibilities for incident response is the definition of specific teams.
For example, a computer emergency response team,
CERT; a computer incident response team, CIRT; CSIRT,
computer security incident response team. These are all similar names for what you may see within an organization.
These could be formalized, standing,
where the team members are already defined, or could be ad hoc, where you pull in team members as needed,
internal employees or external. Maybe you need to pull in some expert
ideas from outside your organization.
to the organization or distributed to pull from different areas of the organization.
It includes your systems, network and application administrators, those who are familiar with the technologies.
Legal is often involved in a CERT
because of compliance issues or if you may have to take this to court.
Human resources: if you're dealing with, say, an internal employee who violated the policy, HR must be involved. Get them involved early.
And then executives and management, the decision makers.
All of these groups should be part of a defined computer emergency response team.
Another part of your incident response plan should be the reporting requirements. How do you escalate?
So we need to make sure you document, document, document.
Write everything down, capture everything as part of your incident response. This will be important also with digital forensics.
You might just want to use a segregated system to protect the integrity of your documentation.
You can do this often within a help desk system.
Often an incident will be initially reported to your help desk, so you can utilize that software to help document what's happening with your incident.
You also want to show what evidence was collected. When, where, why and how.
Who has access to that evidence? Who had access to it as well? Where is it being currently stored?
And then reporting and disclosing. Who do you have to talk to about the incident?
Within, internal to the organization: your management, legal.
other affected organizations. So if this is touching third parties or your supply chain
may be required to disclose to that
if it's a breach of personally identifiable information, you may be required to report to clients or customers
You might also want to report this, say, to other organizations, like CERT, cert.org, or the Internet Crime Complaint Center, IC3.org.
Last idea to think about, and this is where you want legal involved and management, is your insurance company. If you have cyber insurance, you may be required to report it. Your insurance company can help you walk through your incident.
Once you've established your incident response plan, you need to test it, make sure it's gonna work.
You do this through exercises, through training, tabletop scenarios, where you all meet in a conference room and go through some likely scenarios. For example, we have a huge weather event that comes through, wiping out our facility.
What steps do we take? Or there's a breach.
Walk through it with your team.
The idea is to be prepared.
You want to prepare each role. Each member of the team will have different responsibilities. Make sure they know what to do.
Learning how to handle an incident while you're going through one is not a good idea.
You want to be thoughtful in your process rather than reactionary.
To mention, there's different ways to accomplish this. The idea with testing is to find potential shortfalls or issues with your incident response plan.
Fix it, and that way you're prepared
when the inevitable failure occurs.
This concludes Part one of Section 5.4 on incident response.
In Part two we'll cover the incident response process.