Time: 10 hours 32 minutes
Difficulty: Beginner
CEU/CPE: 11

Video Transcription

00:00
Welcome to the Cybrary video series for the Security+ SY0-501 certification and exam.
00:07
I'm your instructor, Ron Woerner.
00:09
This is part two of section 5.4 on incident response
00:15
In part one, I talked about the importance of an incident response plan.
00:20
Part two is about the incident response process.
00:25
As I mentioned in part one, you should refer to the NIST documentation on incident handling, SP 800-61.
00:33
On your screen you'll see their process, which is very well defined in that document.
00:39
The process is actually very well laid out, starting out with preparation,
00:43
then incident detection and analysis of the incident,
00:47
containment of the potential issue, eradication,
00:51
recovery (getting back to business operations) and then, lastly, post-incident activity.
00:58
Let me talk about each item in detail.
01:02
Step one.
01:03
Creating your incident response plan.
01:06
Every organization should have an IRP. It should be in a readily
01:11
found location,
01:12
because when you're going through an incident, you don't want to have to be searching for your IRP. Where did we put those documents?
01:19
This step talks about how to create the IRP, which I covered in part one.
01:26
How do you initiate those communications? How to be prepared.
01:30
Do you have your hardware ready? So, for example, if you have a hard drive failure or a system failure, do you have that hardware available,
01:38
or those applications? If you need to conduct digital forensics, do you have the applications to do that readily available?
01:45
Your communications plan.
01:48
Many organizations may have a jump kit.
01:51
Basically, this is your preparation, taken from the military. It's your ready bag.
01:57
You need this also for your IRP. It could be on a thumb drive, by the way, that you store in a safe,
02:04
a fireproof safe preferably.
02:06
This way you have your plan and all of your tools at the ready.
02:09
You want to go through your testing, evaluation and exercises as discussed in Part one.
02:16
Then you need to use checklists.
02:19
Technical checklists for your help desk: what steps do they go through?
02:24
Technical checklists for your systems and network administrators,
02:29
procedures for anybody who may be involved in your CERT or CIRT,
02:36
and then contact lists.
02:38
Who do you call when there's an incident?
02:39
Have all of those at the ready, and it makes going through an incident so much easier.
02:46
We talked in part one about what an incident is, and I
02:51
recommend you define an incident for yourself within your organization.
02:55
Then, based on that definition, how do you detect that incident?
03:00
Is it through alerting of some type, with logs? You could have your network logs, an intrusion detection system, or a Security Incident Event Management system, or SIEM.
03:12
Antivirus may also alert you to a potential issue.
03:16
Humans are also often part of that alert chain. They'll call into the help desk with an issue.
03:23
You don't know it's really an incident until you begin to investigate.
03:28
That's why you also want to go through your incident triage, where you identify and analyze what happened, where it happened, who it happened to,
03:37
and the potential impact. This is where having experience in incident response is very valuable.
03:44
What is the incident's scope?
03:46
Who is involved?
03:46
What systems are affected? Is it limited to just, say, one computer? Or is it a group of systems? Is it servers?
03:55
Where does it happen? Document all of this in your tracking system.
04:00
The number of systems,
04:02
what data was affected, who was affected in terms of personnel.
04:08
Document, document, document. And then you analyze what the impact of the event is, and then recommendations for recovery.
04:16
How do you recover? Do you track the incident?
04:19
How do you escalate?
04:23
These are all part of incident detection, identification and analysis.
04:28
Plan for your incident. Document your steps.
04:31
It makes life so much easier.
04:36
Okay, so you're going through an incident. Say you have a data breach from somewhere outside your network.
04:44
Maybe that's where you want to contain it.
04:46
You put those systems in quarantine. Often, an antivirus will do this as part of its service.
04:54
The idea is to ensure the incident doesn't continue or spread.
04:59
Ransomware is a great example. You quarantine those systems, maybe by pulling the plug;
05:04
you secure the scene, you limit the access, and this could be done physically,
05:10
through networks, through access control.
05:14
Then you gather the evidence.
05:15
What systems were affected? Maybe that's where we're talking about digital forensics. You make a copy, the image,
05:23
to be able to investigate later on.
05:28
If it's an internal employee who has been doing things they shouldn't, maybe you're taking their computer from them,
05:35
making sure the evidence stays pristine.
05:39
This is all part of incident containment.
05:44
Eradication.
05:45
Getting rid of whatever is causing the problem. It could be virus cleanup. It could be someone who is externally accessing your systems who shouldn't be,
05:55
by removing their access.
05:57
You find the root cause. You eliminate the root cause,
06:01
removing elements of the incident such as malware. So, to mitigate it,
06:08
as I mentioned, there are different ways to do this: antivirus cleanup,
06:12
patching or updating the software. So if it's a known vulnerability, applying a patch may be a way to eradicate the issue,
06:19
reimaging the systems, often the quickest, easiest way, particularly with workstations,
06:26
then restoring from a backup.
06:28
So,
06:29
going back to a known good state. These are all different ways of eradicating
06:33
the issue as part of incident response.
06:39
The whole idea of having a good incident response process is to go back to business as usual.
06:46
That's the idea with incident recovery. It's the process of restoring and returning affected systems and devices
06:53
back into your business environment again. In the case of malware,
06:58
eradicating the malware, getting back into production as quickly and easily as possible.
07:03
As mentioned in the previous slide, there are different methods to do this, including restoring from backup,
07:10
using antivirus, patching,
07:12
hardening the system through baselines.
07:15
Access control, so someone who's externally accessing your systems who shouldn't:
07:19
strengthening access control from the exterior of your network.
07:24
Then authentication. Maybe changing passwords is another way to respond to the incident.
07:30
It could also include procedural changes.
07:33
Through all of this, though, make sure you're documenting the steps that you are taking and including them as part of your incident response process.
07:44
After your incident,
07:45
you shouldn't just stop. You should take the opportunity to learn from the incident, creating this lessons learned document. Improve your incident response plan.
07:55
Walk through what went well with the incident, where there's room for improvement,
08:00
and then other types of lessons learned.
08:03
Have an after-action meeting with anybody involved,
08:07
where you capture items such as the cause of the incident, costs associated with it, and recommendations to prevent future types of incidents.
08:16
If you have any regulatory or legal requirements, those may also be included with this post-incident report.
08:26
Taking the time to think about and learn from your incident will greatly ease the next time a similar type of incident may occur.
08:35
In part one and part two of this video on section 5.4, Incident Response, we went through the incident response plan and the incident response process.
08:45
Let's work through some sample test questions.
08:50
Question one.
08:50
According to NIST, which is not a listed step in the incident response process:
08:58
A) preparation, B) documentation, C) eradication, or D) detection?
09:03
The answer is B, documentation,
09:05
which should be included in every step.
09:11
Question two, on incident response.
09:15
The following is NIST's definition of what term?
09:18
An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits.
09:31
the answer is D
09:33
incident.
09:37
This concludes part one and part two of section 5.4.
09:41
Given a scenario, follow incident response procedures.
09:46
Walk through these not only to help you when you're walking
09:52
This concludes section 5.4, Given a scenario, follow incident response procedures. We covered incident response planning and then the steps you should include in your written incident response procedure.
10:05
This is Ron Woerner.


Instructed By

Ron Woerner
CEO, President, Chief Consultant at RWX Security Solutions LLC
Instructor