Hello, my name's David, and welcome to Pre-Incident Response.
Welcome back, Cybrarians, to incident response, and specifically to the incident response workforce, because that's what you're gonna be doing incident response work with. And that's where we get down to the nitty gritty, to the hands-on, click-the-keyboard-and-move-the-mouse team members. Now, in our last episode together, we looked at different models for the team.
We talked about having a centrally located team. We talked about having a distributed team. We talked about possibly utilizing third parties to provide incident response for you.
Now, if you're going to have your own internal team,
that's where the rubber sort of meets the road, when it comes down to team members, because you need to have the right team members. On a SWAT team, a Special Weapons and Tactics team in the law enforcement world, not just anybody can sign up and be a member of a SWAT team.
You have certain physical requirements that you have to meet. You have to be physically fit. You have to be strong. You have to have the cardio, blah, blah, blah.
But beyond that, you also have to have technical skills. You have to know weapons. You have to know the law so that you are legally pursuing criminals, serving search warrants, and not breaking the law yourself. Yes, contrary to what the media tells you, the police have to obey the law too. And if they don't? Then they're bad. I'll just tell you that up front.
So let's talk about team members here quickly.
In the bigger, larger scope of incident response, there are a lot of people involved.
You have your incident response director slash manager. You have infosec, or cyber security, or whatever you want to call it. And again, these terms change, so don't get hung up on terms so much; just know what they mean. And legal is gonna be involved, your legal department,
your corporate IT, your human resources.
Now, under infosec, you're gonna have a group of people working together, conducting incident response: security analysts, forensics analysts, IR analysts, SOC analysts. The list could go on and become rather lengthy under that infosec bubble.
But you need to kind of remember that all of these corporate units are going to be coming together during an incident.
So I'm gonna drop in a little bit here from my own past experience. Don't wait till an incident occurs to bring these people together; do it beforehand. Conduct exercises together. We used to call them tabletops. I'm assuming that term is still used out there in the real world.
Hold semi-annual or annual tabletops where you actually, and what my favorite is, bring the people together physically.
Not that I haven't done virtual ones, where we all got on a screen share, talked on the phone for an hour to four hours, and went through the process. And those were good in their place. But don't forget to bring them together in person, even take them out to dinner if need be, so that they can spend some time together and get to know each other as people and not just the voice on the phone. Now let's dive in a little bit deeper to your team.
Now, in cyber security and incident response, your industry, your company, your business is going to face different threats. So you need to bring these threats into a skill matrix, so to speak, and use that skill matrix in order to pick the right team members.
That's kind of important to do.
I put one together here myself.
Looking back on a couple of customers that I'd worked with, one of their biggest concerns was their SIEM, their alerting mechanisms, their security information and event management. Think QRadar. I'm blanking out on some of the names of the different SIEMs that are floating around out there that could be considered one.
But these are those aggregating systems that create alerts out of the logs that are being sent to them. So some businesses rely heavily on SIEMs in order to identify and investigate incidents and events as they occur. So that could be a big priority in this, a bigger box.
Phishing is another huge one.
Far and away, in the world, the most breaches and incidents are caused by a phishing email that comes in with a piece of malware attached to it, or a malicious URL that an end user clicks on and causes a breach. So
you can look at your environment, look at your threat matrix, to begin to identify the kind of skills that you want to have on your incident response team. Ransomware is bigger in some companies than others. Ransomware is big right now in the health industry because attackers are going after hospitals and medical facilities with ransomware, because they're viewed as the easy targets.
And here lately, of course, in 2019, we're seeing a lot of government entities getting hit with ransomware. So if you're working in a government entity, then ransomware might move up and take the place of SIEM in size. And you can adjust these however you want, so that you know how you want to test the people that come and apply for your job. And you can see I put in some different attack vectors that you may want to consider. You know, the one customer I told you about, they did web hosting, so web defacement would have been a bigger one for them, because that really affects their business.
Here's some ideas for you to take along. Remember, in selection you want appropriate skills for your environment. And again, you could kind of rely on crafting something like the skill matrix in order to help identify the skills that you need in your environment. Identify what kind of tools you have in your environment and then ask your candidates if they're familiar with them. I've been interviewed numerous, numerous times for different positions in the incident response field, and I've hit everything from incident response in Office 365 to memory forensics to registry forensics to network forensics.
So you need to know what is going on in your environment, what tools you have, in order to be able to ask the right questions of the candidates that come to you.
Now, communication skills, to me, is huge.
But in the IT world, it's often overlooked.
But really, in incident response, it is vital to be able to communicate with others, because you're gonna be dealing with a lot of external contacts. You may be dealing with that alone. Of course, you may be dealing with local law enforcement, you may be dealing with the IT help desk, you may be dealing with end users,
you may be dealing with system admins or Exchange admins.
So you've got to speak almost a different language to each level of people that you talk to, and you need to do it in a polite, respectful and professional way. So that's pretty important. Communications goes to writing reports; that is a communication skill too. Look, there are some courses coming out on report writing, which is good, so you may want to explore some of those as well to help build your team out in the right way.
You may also need to identify different tiers in your cybersecurity program, and there are some here just as examples. For instance, you may need a level one SOC analyst, somebody who's dealing with the alerts from the SIEM as they come in, investigating and then dismissing the low-level alerts, and then, if they come across one that may be more important, running it up the ladder to the level two and level three SOC analysts. If you have a full-blown incident, you may need digital forensics, somebody that can handle that aspect of the job. You may need a SIEM specialist, somebody that knows QRadar's inner workings inside and out.
Threat intelligence is an up-and-coming career field. A lot of companies are looking at threat intelligence as a standalone portion of their cyber security slash incident response programs, so keep those all in mind too.
When you're searching, make sure you carefully and completely identify the necessary skills in your advertisement for the job. The job hunt is a maze out there, people, and some of the ones that I've read are horrible. Make sure also that you craft a practical test to use after candidates are given a writing test. I've been stopped short, I think, in interviews before where I actually had to provide a writing sample, to make sure that I could actually communicate in writing rather than just verbally.
And it's too important not to say it again here: you need your executive-level managers to buy into hiring the right people. They need to be supporting you and your decisions, approving your processes and your testing procedures, so that they know that they're getting the best and they know that their data is protected.
And again, here are some different examples, real quick. Baltimore ransomware attack: millions upon millions of dollars gone.
Small businesses. Community College of Allegheny County data breach.
Facebook data exposure, again.
There's a key logging device that was put in by an insider, to talk about later.
Tallahassee: $500,000 city payroll wiped out.
That's why you need a good incident response team. Any questions, day be 135, Cybrary, happy to talk to you. Have a great day.