Incident Response Steps Breakdown

00:00

Hello. My name is the adviser.

00:03

And welcome to incident response steps.

00:07

What standards did we focus on an episode,

00:11

Sands and missed

00:14

those we reviewed. Ah, very high level. Now, what I would like us to do is continue our travels together

00:22

and take a little closer look at each one. Now again, Have no fear. Despite this being, um, still sort of high level, we will start digging into

00:34

They're the depths of the steps. Um,

00:38

I know in my own experience, learning these out, made to review them again and again and again, and then build on the knowledge on I know that

00:48

some people don't like to do it that way. I, however, do you have a preference for that? So I'm sharing that with you here at the beginning of episode three, which is really part two of the breakdown of the different steps that we're talking about with Mist and Sands.

01:03

So step one preparation, and you've heard me harp on this and you're gonna continue to hear me harp on this. It is kind of

01:10

something close to my heart.

01:11

Um, because

01:14

in my time as a consultant, I saw how important preparation Waas. In my time as a criminal investigator, I saw when the lack of preparation

01:25

nearly destroyed businesses and companies.

01:29

Uh, case in point, I'll share one with you here. Briefly.

01:33

I'm walking down the hall. The police station? One day. Ah, a patrol officer

01:38

walks by and says How? Hey, uh, hey, uh, you like computer crime stuff, right?

01:45

Yes. Uh, run forensics lab. But I'm kind of into that kind of thing. Yeah, we had this case a couple of days ago Where government entity lost that all their payroll. And, you know, they're talking about firing, yo, and because they think she sold the money and I'm like,

02:06

that doesn't sound right. Yeah, that sounds like something that maybe we should be involved in. So I call get an interview. Go ever.

02:13

Uh, what happened? We're not sure.

02:16

Our i t staff eyes unable to tell us. Yeah, They took my hard drive and wiped it on and formatted it reinstalled the operating systems. Everything should be good now. Yeah, if you have any experience in cyber security, you know that's not true.

02:35

Uh, CEO isn't tears because the CEO is being pulled on board that she was probably gonna fire because she did this. Well, I get hold of i t. And my y'all wouldn't happen to have,

02:47

um, that hard drive was. Oh, yeah, We still gotta behave. We formatted it. There's nothing areas you could use, and I'm gonna take it anyway. Change custody. Take the hard drive through an image of it. And if I'm losing you here, stick with us. You hear these terms used again?

03:06

Uh, find out that actually phishing e mail come in diode Inefficient email downloaded a key log. He longer had been on the system for at least 30 days. They had discovered when payroll was going to go. They also captured whose user name and password banking information

03:25

payroll rode around on a Sunday morning. They logged in. They transferred the entire payroll to a bank out of Georgia

03:35

and then had mules distribute the money from their contact. Yeah, Yeah, I get involved. It was a Russian cyber crime organization that they already had active cases on. Ended up over in Russia.

03:46

CEO managed to save her job. Ah, and we actually intervened in two other cases that were very similar in our local area. that had received the exact same e mail with a drop of

03:59

and we were able to help them secure their network. But total lack of preparation for cyber incident response process. They're just total lack had no security policy. They didn't have an incident response team.

04:11

They didn't have procedures and processes or responding to a cyber security incident like that.

04:17

Ah, and of course, without an i R team, they didn't have training for the Iowa tea and lines of communication zero. All they had was two people on their ikey staff that worked this help desk individuals

04:31

and they were actually there Incident response on. And that was it.

04:36

If you're not prepared for this like we said before, planning, failing to plan is planning fail, and they practically failed that entire thing. I never did get their money back. So some of the steps here in preparation on lay out for you on the street have a policy in place

04:54

having your incident response team procedures and processes laid out in a structured format,

05:00

having good training and a good incident response team identified and in place. And then, of course, lines of communication. Do you call. They call the police department. They've got a patrol while serving. Was like me back in today. Grew up in the world without the Internet. Had zero interest in cybercrime, Had no idea.

05:18

Ah, and assume that you have CEO. Probably stole the money and hid it away somewhere. And that was the end of it.

05:26

Very sad on. Hopefully that will happen to you when you get here into the incident response world that's gonna step to identification.

05:33

This includes Apollo.

05:35

And whereas there all laid out for you here, you as the incident response subject matter expert should be. What? Identify them, utilize them. In order to identify this,

05:47

you have to have a proper alerting tools. There are a host of them out there. Need a sim.

05:54

Ah, you need, uh if I've IRS need in point the detection and response to lt's impossible. And on and on that list can go.

06:03

If you don't have the proper alerting tools,

06:05

you're not gonna be able to identify An incident when it occurs is a long after, and that

06:12

my fellow cyber security travelers is considered a failure.

06:17

Then you also need to be able to analyze the alerts or the events that you receive from your tools,

06:25

uh, the same walls that we use. An instant response for use by system admin is network at is

06:31

all kinds of people in i t.

06:33

The difference is focus

06:38

and training.

06:39

We look for different things, say they'll log in attempts,

06:43

say, the downloading of a delicious piece of, uh, code during a Web dry Web drive by download.

06:55

Um, we would identify those, whereas this is and then probably wouldn't even look twice and enough shorting sys admin, zor Network admits. But that's not what they're trying to do. They're trying to keep things running.

07:06

They're not trained to look for signs of back

07:10

years, and it's a response analysts must be able to identify,

07:13

be able to classify them and also make notification. Who do you call? Um, how do you move this up the chain? How do you help? It? Could be internal. The external, um, you don't want to be James Bond sitting there all by yourself.

07:27

The movies. Do you like to portray that kind of thing where the lone guy can solve the world's problems? But in reality that very Austin

07:35

isn't true,

07:36

you will be part of a team, rely on your team, help the team and think like he

07:43

number three containment thes can be in a sort of along, depending upon the type of intrusion of reach on Again. I can also depend upon how much preparation has been done. If there's been zero preparation than you can, tape could be extremely difficult at long

08:01

can be handled by on site teams, but sometimes it can also be external consultants. Assisting, helping

08:09

gives you control over the problem basically wants you

08:13

identified the problem, then this is fixing the problem, and

08:20

you will be. Part of that process is in its response, analysts as well.

08:24

It could also encompass evidence collection, which will cover in another episode. But it is also very, very important not to be overlooked.

08:33

And the big thing here is to think stop of lead in first aid combat training. One of the first things you check is subject bleeding. Same thing's true with network intrusions.

08:46

What's bleeding and how do we stop the

08:50

the data, the information, it resides on your network. It's the blood and it is being extracted by the attacker and you have to stop. It was basically all containment is, and again, with between sands and this. We have

09:03

containment eradication of recovery under ness than one step. However, sayings breaks it out

09:11

up to you, to your company, up to your employer on how you do that. I will leave that up to you. But you do need to know that those three steps are there.

09:20

Post incident activity really quick. It's too often overlook. It can include everything from reports, but verbal and written team meetings can include table tops.

09:31

The big thing here is what you're trying to do is improve

09:35

your security posture

09:37

and protect against similar attacks in the future.

09:41

You don't want to fall victim again to the same kind of