Incident Response Steps

00:00

Hello. My name is the adviser

00:03

and welcome to incident response steps.

00:08

Hello again. Welcome back to larger to where we're talking about It's your response Steps re laid the groundwork in our last episode together on talked about incident response being a

00:24

yes process. We talked about the need to

00:29

yes, prepare

00:32

so that you aren't missing steps so that you have adequate resource is at hand. Whole host of things come into plan in preparation Now, sad to say in, uh, these episodes, we won't be able to dig too far into preparation step

00:51

of the incident response process. But you'll hear me bring it up again and again and again because I find it to be the most important step in the entire incident. Response arena s so to speak. And if you don't plan and prepare properly,

01:07

you're not going to be able to respond properly.

01:11

So I do want to kind of make that clear, because I'm a firm believer in number one here. Feeling to plan is planning to fake those are words to live by in the field in which you're you're either entering or are currently working on. And,

01:29

uh, from my own experience in and I did my intro in our last episode together. But I want to tell you I didn't come into this out of the I t world.

01:38

Uh, I'm actually rather old,

01:41

and I grew up in a world before the, uh when the phone was still attached to the wall. So I had to come into this out from outside the world of I t

01:52

*** what I've learned. It's kind of like the picture there, which I love this picture.

01:57

Um, because it's kind of like networks and incident response in cyber security in the world today, the sandwich was made.

02:07

They realized they needed cheese on the sandwich. So what do you do? Slap it easily outside? It's kind of what the cyber security response has been.

02:16

The network's revealed,

02:19

um, programs were instituted. Data was aggregated all those good things, and then

02:24

they began to realize they needed cyber security and a slap things onto the outside. And unfortunately,

02:31

that is the reality of the world, as you'll find it in

02:37

the cyber security slash incident response

02:39

area.

02:40

But you're here, which is great because you want to start doing things the right way, right?

02:46

Yes. You don't wanna fail. Nor can we afford to deal with so much data floating around out there on the Internet.

02:53

Our job, our responsibility,

02:57

is to protect that data. An incident response is one of the first places that this comes into play. One of the most important ones. Actually,

03:06

man

03:07

put together a little chore for you here on. As you can see, it's kind of wide ranging, but it should look kind of familiar to you if you saw that one.

03:17

So in the broad arena out there in the world, you see the preparations

03:23

and again it ISS because when that incident occurs at the bright red explosion, sign all of your preparations going to come into play because you're going to go into the incident response process.

03:37

You're gonna make that first step, which is detection and identification. And don't think too far ahead. You're We are going to delve into these steps deeper as we go through our episodes together. But right now it's just an introduction, so to speak.

03:53

Then you go to containment,

03:54

then hopefully you're able to contain the that actor, the attacker, once they get access to your network

04:01

pray that they don't get access. But unfortunately, in today's day and age, there are multiple holes.

04:08

Uh, that if you fail to prepare properly, are gonna be there, and the Attackers will find in the mistake about it

04:15

on. Then, after your containment, uh, you moved to eradication where you try to get the attacker out of your network. You try to remove their tools. You look for backdoors. It may have been a soldier open and close those shutters down on and hopefully, uh,

04:31

get that attacker

04:33

out of the network, or at least restricted somewhat in what they can actually do within the network. Now,

04:43

in some incidents and some networks environments, there's kind of a running dialogue, a running study as to whether you want to immediately move to containment and eradication, where if you want to allow the attacker,

04:59

just think that they that they are on exams and allow them to

05:05

do what they came to do on and then hopefully

05:10

catch them in the act, so to speak that that is dangerous

05:14

on. Unless you guys talk to your team. Unless you've got a lot of preparation in place, you can actually cause yourself a lot more damage. If you allow that kind of thing happen,

05:26

then it Finally we move over to recover where trying to get your programs back up, drank its data restored. Say it's a ransom or attack or something like that on get your network back one day to day putting on activity. And then

05:42

you've got the aftermath,

05:44

which is often times as much of remote, is the preparation stage. But is almost, if not just as important,

05:51

do the entire incident response process. Now, there are two major styles

05:57

when it comes to answer response. I mentioned this. People work sands in this. These were kind of major ones. There are others like F f I C a p C I. D. S s.

06:08

They all deal with incident response. But sands in this kind of break it down and you can see Sands breaks it down into six steps in This breaks down into four.

06:18

I can't say I'm a proponent of either one being better than the other one, because, really, they're quite similar to each other. You got preparation, but

06:27

detection analysis. You've got under identification percent. Just sort of a

06:31

name change really? On, then containment eradication recovery nest

06:38

are taken by Sands and broken out into individual steps

06:43

which is viable is something to consider.

06:48

Ah, and as an incident response player,

06:51

you need to be able Thio, identify each of these steps, discuss it

06:59

knowledgeably

07:00

and make recommendations as to whether we should go with Sands with nets. Now, some companies mandate

07:08

we are going to use the new standards for all of our processes, procedures, others. They allow the team, the members of the team to make a decision and more democratic manner.

07:20

I not sure what you're going to deal with, but

07:24

you're going to be a subject matter expert. So you need to know these steps, be able to identify them, articulate them and make recommendations regarding,

07:33

uh, moving on. N'est talks about post incident activity,

07:39

whereas sands cause it lessens work again. It's a issue of semantics here.

07:45

Either one can

07:47

convey the idea that you're trying. They cover the steps that need to be covered.

07:54

It just depends on yeah, uh,

07:58

the social mei loo in which we're working when it comes to incident response. Really? Um, those are adequate. Are complete.

08:05

Both can provide you with what you need in order to conduct good instant response process. Now, this is coming straight from the NIST special Publications. The link there is at the bottom of the screen. It will also be included in the resource is

08:20

document with this module.

08:24

Now, with preparation again, you want in depth ***.

08:28

Um, which is a wide range. We're not going to hit it here.

08:33

Are moving into detection analysis again. You need to be able to identify different attack vectors. Be able to identify signs of the pack, Um, in order to respond to them, which is incident responds.

08:46

Then you need to move into the next step, which is containment eradication, uncovered about good strategy. Identify different types of threats and attacks and crafted getting coverage plan. And finally, again, your post incident activity, which covers a whole host of areas that we will strike into more in depth.

09:05

For now, this is from Sands

09:07

pulling out of their documentation. You've got preparation

09:11

got identification containment flowing into eradication, blowing into recovery flowing in the lessons learned. Now I kind of have to apologize with multitude collars here, but I kind of hoped that it wakes you up and grabs your attention, Posey n this is sans This is next

09:28

only slight variations, only slight differences

09:33

that they're good.

09:35

That can help.

09:35

You need to make the determination on which one you're going to adopt and stick with it so that you have a good standard on which to rely.

09:45

Now, now we've gone over the sands and then this morning, death will continue to go down this learning avenue that we're on, uh,