Part 1 - An Introduction to Incident Handling


7 hours 56 minutes
Video Description

This lesson offers an introduction to incident handling, and the first step in this process is an understanding of the incident response life cycle. This can have, on average, 5-7 stages. Ideally, incident response needs to begin before the compromise even happens and continue after it is mitigated. When incidents occur, prioritizing them is key, as not all incidents require the same response. For instance, spam e-mails do not require the same attention as a DDoS attack, nor do they require a forensic investigation. Having a good cyber incident response team in place is crucial in the event of a compromise. This team consists of the:

· Director
· Lead investigator
· Forensic technicians
· Response handler
· Evidence handler
· Legal advisor

Video Transcription
Hello, Cybrarians, and welcome to another exciting course presented by Cybrary. Today we're going to continue with our incident response and advanced forensics course. We'll be discussing incident handling. So as part of incident handling, it's necessary to understand the incident response life cycle.

And there are many different ways of looking at this. Some life cycles you'll see have five stages. Some have six. This particular slide you see has seven, and they've divided that up into security operations and network operations. This incident life cycle shows the identification of the incident, analysis to determine the scope, magnitude and artifacts that may be present within that incident, going over to gathering that evidence to help understand the incident, and then moving on to the containment, mitigation, eradication and refinement of policy to hopefully prevent future incidents.

So that being said, it's also important to kind of understand where the incident response process begins, and the slide is very colorful and very busy, but this actually kind of coincides with the Cyber Kill Chain that's presented by Lockheed Martin, so you might often hear that within circles within the IT community. So the upper portion of this slide is the actual Cyber Kill Chain that Lockheed Martin has created. It goes with the reconnaissance phase, the weaponization of whatever type of malware is being delivered in that third stage, the exploitation of the computer system, the installation on that computer that leads to eventual command and control, and then the actions on the objective.

And then down below you see kind of the step process the incident responders should take in order to stop those above processes. So it's going to be the detection of that incident, denying the adversary the ability to conduct that incident, disrupting whatever operations they have, degrading ongoing operations, possibly deceiving the adversary through honeynets, and then actually destroying or mitigating that type of incident that they've caused. And then in the middle section, you can see it's broken up into proactive protection and mitigation, and then containment and incident response. That proactive detection and mitigation goes into the pre-compromise stage. It just kind of blends into that compromise stage, and then containment and incident response take over from the compromise to the post-compromise portion.

So looking at this slide, you can see that the earlier that the incident or event is detected, the easier it's going to be to contain or eradicate that event. So initially, when you're in that reconnaissance or weaponization stage, essentially proactive protection and mitigation might actually be able to interrupt that event before it becomes an actual incident that warrants a response from your incident response team. Once you get to that compromise and post-compromise stage and it becomes an actual full-blown incident, that's going to require that incident response team to come in. So if you actually look at this incident life cycle, we can see, going back to what the incident response team would actually have to do when it becomes a full-blown incident. But obviously an ounce of prevention is worth a pound of cure. So the earlier that you can detect this, in that reconnaissance stage before it actually gets into that exploitation stage, then the better off you are. We're going to focus mainly in this talk today on the compromise and post-compromise, and then after the exploitation of a system.

So again, as we kind of talked about in the policy portion of the incident response course, or if you haven't seen that video yet, the first thing that the incident response team is going to have to do is to prioritize the incident. So prioritizing that incident is pretty important because, first and foremost, not all incidents carry the same priority or the same weight. And as we talked about in the previous video regarding policy, obviously a denial or distributed denial of service attack is probably going to carry a lot more weight than a simple spam email. So the policy should dictate the disparity of incidents and what steps this team should take in order to prevent that incident. So it's just laying out essentially a playbook for that incident response team. And obviously not all incidents warrant that same response, as we kind of talked about. So responders should follow the policy and common sense when responding to incidents. Obviously, going back to policy, policy should dictate your response; it keeps you legal, it keeps you in compliance with your organization, and then using good old common sense in responding to these incidents is also key here.

So again, who is involved in cyber incident response? We also kind of touched on this in the policy portion. Depending on your organization, the personnel that are going to be involved in the response may or may not be different. But obviously at the center of this is going to be your computer incident response team, or CIRT team, and then kind of around that you may have individuals from the operations of your organization; you may have legal involved; you may have human resources, public relations. You may have the system owner involved as well, and compliance officers may be involved. And then obviously senior management, that's very important, because they're going to have to be kept abreast of the situation, and depending on what type of actions may or may not need to be taken, senior management will probably have to come in and at least approve and/or take some of those actions.

So, looking at your team composition, this slide kind of lays out the roles and responsibilities of that computer incident response team. So the director of the team, he's the one that's going to essentially be from senior management, or have a link to senior management, who has the authority to carry out those incident response activities, and that will often be the person that may or may not do the actual incident response work but will be that liaison to management and be able to help direct the overall incident response. And then below that you're going to have the lead investigator, and the lead investigator is in charge of kind of the operations aspect of the incident response activities. They're going to ensure that the incident response is executed in the right order and that processes are followed, so just kind of overseeing that overall response.

And then you also have essentially forensics technicians, and they're going to carry out your basic incident response tasks at the direction of that lead investigator. They're going to go out and look for the artifacts, and they're going to try and figure out what type of malware may have infected that system and the extent of the problem. You'll also have your incident response handlers, and this is usually the first one that is going to be on scene and that must react. So depending on the type of organization you have, it may not necessarily be that user, but if you have a large, distributed organization, maybe that first-level IT person that a user can go to and say, "Hey, I've noticed this problem with the computer," or it may be the IT manager himself that notices something in his logs or IDS that notifies him that there's essentially a problem. Then you'll have the incident handler. That person is essentially going to be maybe that individual that the response handler is going to notify, or actually the response handler may turn into that incident handler, and what they're going to do is they're going to ensure that the evidence is protected. And they may also gather that evidence at the scene, so it could involve maybe doing volatile memory forensics, or at least ensuring that there's no destructive activity taking place on that system. Lastly, we're going to have legal advisors. They're going to provide guidance consistent with local, state and federal laws or policy of your organization, because we always want to keep it legal.