Incident Response Steps Introduction

Time
52 minutes
Difficulty
Intermediate
CEU/CPE
1
Video Transcription
00:00
Hello. My name is the adviser.
00:03
And welcome to incident response steps
00:08
Brief over. You
00:09
getting into it here. We're gonna talk about some of the steps involved in the incident response process. But before we get there, let's talk about me.
00:18
Um,
00:19
I don't know about you, but talking about yourself is never the most comfortable thing in the world to do. But because we are going to be learning together, it helps for you to know a little bit about me. A name? Just a visor on me Day, David. Hey, you or what? Your name doesn't matter. I am currently an incident response engineer in
00:39
private industry deal.
00:41
In the past, I've been a penetration tester,
00:44
and I've conducted malware analysis over the years, both officially and unofficially. I love being outdoors. I love to do things, which is kind of what led me into this field in the first place. Um,
01:00
and anyone that's worked in cyber Security or I d is aware of that
01:06
I spent in my prior life 10 years as a criminal investigator, which got me into the realm of cyber security, cyber crime.
01:14
I hunted tal pornographers for a while, and as the Internet grew and criminals expanded their enterprises, I got into thefts and frauds and investigating breaches, testified in court.
01:29
A multiple level state Opal in federal also
01:34
Now retired, and I spent two years as an incident response consultant
01:38
for a managed security services provider, an MSSP. And I left that field and got into the private industry as an incident response engineer. That's a little bit about me. Hopefully, we can learn together as we go on. Cheers. Knowledge.
01:57
So what do we want to talk about? Incident response.
02:00
Um, it's glamorous. It's on build. It's exciting.
02:07
But in order to do it properly, you need to have what's known as a plan.
02:13
Uh, if you don't have a plan, things can go very much a rock.
02:17
Ah, and unfortunately, when I spent time as a cyber security or incident response consultant, I got to see that on many levels in many different industry, that
02:30
so hopefully part of what we'll learn. Going through these modules on incident response is
02:35
the need for a plan, how to document your plan, how to put it in place and test it, and all those happy accompaniments that go along with it. You don't want to be missing steps during an incident response. Just do a little bit of reading, a little bit of searching out on the Internet.
02:53
Read up on some large breaches that occurred,
02:57
uh, in which many hind steps were missed
03:00
during the response process, which led to further damage or alleged missed evidence off school.
03:07
Um
03:08
uh, all kinds of things that can go wrong. So we in this module here are going to take a look at some steps that could help you out in that. Now,
03:20
excuse me. As we get through this, you're going to see that there are a lot of resources out there available, too. Um, there's NIST, there's SANS, the FFIEC, there's HIPAA, amongst others
03:32
that
03:34
but govern and regulate cyber security across a broad range of industries. Our focus, just so you're aware, will be on the NIST standards and incorporating some of the SANS processes as well in order to
03:52
but word and gives a practical guidance into how to implement these kinds of
03:58
things into your incident response program.
04:00
Uh, and
04:02
if you, uh
04:04
oh are working as a consultant or in a company that's just starting this process. This will hopefully get you started down that road as well.
04:13
Now I mentioned before Did you process? It has steps.
04:17
This is a little diagram put together from the NIST standards to kind of lay that out for you. And this basically follows these four steps: preparation,
04:29
detection and analysis,
04:30
containment, eradication and recovery and then post incident activity.
04:35
As a consultant, we pushed
04:39
the post incident activity
04:42
working internally. Oftentimes that post incident activity can be overlooked and it shouldn't be. And I just want to stress that here. You'll hear me say it again as we get through. Um,
04:55
in some cases, these are expanded and set into separate categories, which you get to see as well. Um,
05:02
preparation is extremely important. And when I hit that here just shortly as well, because sometimes it's overlooked.
05:11
Ah, and preparation leads to a failure in every step after.
05:15
This is kind of where the rubber's gonna meet the road, eh? So you need to really be prepared. Um
05:24
always be systematic and organized across the board. You have to act quickly. Of course, if you have an active intrusion, you don't want them lurking in your network doing all types of nastiness. Of course, you've got to fix the problem, which falls into containment, eradication and recovery and then a worse.
05:43
You want to learn from your mistakes or learn from the lessons that you learned Hopefully
05:47
not too many mistakes in there and then make improvements on the entire process As you go.
05:55
SANS has, uh, a connection with the critical security controls, which is a good resource that you could go out to on the SANS website as well, both for preparation and also for working through. And I just pulled a quick screenshot out from your incident response and management article Night King
06:14
in There's Control series.
06:16
And as you can see, you need a written incident response procedure that is encompassing. You need to have everybody sure of what they're doing, their jobs, their assigned duties. Management personnel need to be identified as well, and then across the organization.
06:34
Aah! These standards need to be in place, trained up
06:38
two and then imposed from the top down
06:42
in order for them to provide proper and adequate standards that you need in order to conduct a good incident response
06:50
You need to make sure that in your preparation you've identified the third party contacts that can help, whether it's an MSSP, whether it's, say, an antivirus company, it could be a law enforcement agency, the FBI or Homeland Security here in the United States. Overseas,
07:10
It could be
07:12
Interpol or someone like that. Whoever you have contacts with should be clearly identified, and that contact information needs to be kept up to date.
07:21
Publish it again. Make sure that everybody knows that you have an incident response plan, conduct at least annual training so that everybody's aware of what they have to do. Unfortunately, a lot of companies let that slide. They look at the bottom line, which is the almighty dollar
07:40
here in the US. Again, it could be any
07:43
other denominations overseas. And
07:46
unfortunately, cybersecurity sometimes gets the axe instead of the support in the way that it should be.
07:53
And that is just an introduction. Clearly steps process that we are going to be going through together. Um, play late. A little bit of a foundation for you here, talking about NIST and SANS
08:07
profiles for incident response. You could see more of that in Episode two as we move along here. In the process. Have any questions? I am outside Very well for you to reach out to me, baby. 135 Happy to talk to you. Exchange information exchange knowledge. Get contacts extremely important this field. Have a great day talk use.