Part 1 - An Introduction to Incident Handling


Time: 7 hours 56 minutes
Difficulty: Advanced
CEU/CPE: 7
Video Description

This lesson offers an introduction to incident handling. The first step in this process is an understanding of the incident response life cycle, which has, on average, 5-7 stages. Ideally, incident response needs to begin before the compromise even happens and continue after it is mitigated. When incidents occur, prioritizing them is key, as not all incidents require the same response. For instance, spam e-mails do not require the same attention as a DDoS attack, nor do they require a forensic investigation. Having a good cyber incident response team in place is crucial in the event of a compromise. This team consists of the:

· Director
· Lead investigator
· Forensic technicians
· Response handler
· Evidence handler
· Legal advisor

Video Transcription
>> Hello Cybrarians, and welcome to another exciting course presented by Cybrary. Today we're going to continue with our incident response and advanced forensics course, and we'll be discussing incident handling. As part of incident handling, it's necessary to understand the incident response life cycle. There are many different ways of looking at this. Some life cycles, you'll see, have five stages, some have six. This particular slide you see has seven, and they've divided that up into security operations and network operations. This incident life cycle shows the identification of the incident, analysis to determine the scope, magnitude, and artifacts that may be present within that incident, going over to gathering that evidence to help understand more of the incident, and then moving on to the containment, communication, eradication, and refinement of policy to hopefully prevent future incidents.

With that being said, it's also important to understand where the incident response process begins. This slide here is very colorful and very busy, but this actually coincides with the cyber kill chain that's presented by Lockheed Martin. You might often hear that within the circles within the IT community. The upper portion of this slide is the actual cyber kill chain that Lockheed Martin has created. It goes with the reconnaissance phase, the weaponization of whatever type of malware that is being delivered, in that third stage the exploitation of a computer system, and installation on that computer that leads to eventual command and control and then the actions on the objective. Then down below you see the step process that incident responders should take in order to stop those above processes. It's going to be the detection of that incident, denying the adversary the ability to conduct that incident, disrupting whatever operations that they have, degrading ongoing operations, possibly deceiving the adversary threes plenty nets, and then actually destroying or mitigating that type of the incident that they've caused.

Then in the middle section you can see it's broken up into proactive detection and mitigation, and then containment and incident response. That proactive detection and mitigation goes into that pre-compromise and just then to that compromise stage, and then containment and incident response take over from the compromise to the post-compromise portion. Looking at this slide, you can see that the earlier that the incident or event is detected, the easier that it's going to be to contain or eradicate that threat. Initially, when you're in that reconnaissance or weaponization stage, essentially proactive detection and mitigation might actually be able to tell them that that event is becoming an actual incident that warrants a response from your incident response team. Once you get to that compromise and post-compromise stage and it becomes an actual full-blown incident, that's going to require that incident response team to come in. When we actually look at this incident life cycle, we can see, going back to what the incident response team would actually have to do when it becomes a full-blown incident. But obviously, an ounce of prevention is worth a pound of cure, so the earlier that you could detect this in that reconnaissance stage, before it actually gets to that exploitation stage, the better off you are. What we're going to focus on mainly in this talk today is the post-compromise and then after the exploitation of a system.

Again, as we talked about in the policy portion of the incident response, or if you haven't seen that video yet, the first thing that the incident response team is going to have to do is to prioritize the incident. In prioritizing that incident, that's pretty important because first and foremost, not all incidents carry the same priority or same weight, as we talked about in the previous section regarding policy. Obviously, a denial of service attack is probably going to carry a lot more weight than a simple spam email. The policy should dictate the severity of the incident and what steps this team should take in order to prevent that incident. It's just laying out a central playbook for that incident response team, and obviously, not all incidents warrant that same response, as we talked about. The responder should follow the policy and common sense when responding to incidents. Obviously, going back to policy, policy should dictate your response, keeps you legal, or keeps you within compliance of your organization. Then using good old common sense in responding to these incidents is also paramount.

Again, who is involved in cyber incident response? We also touched on this in the policy portion. Depending on your organization, the personnel that are going to be involved in the response may or may not be different. But obviously, at the center of this is going to be your computer incident response team or CERT team. Then around that, you may have individuals from the operations of your organization. You may have legal involved, you may have human resources, public relations, you may have the system owner involved as well. You have compliance issues or compliance officers, they may be involved. Then obviously, that senior management, that's very important because they're going to have to be kept abreast of the situation depending on what type of actions may or may not need to be taken. Senior management will probably have to come in and at least approve and take some of those actions.

Looking at your team composition, this slide lays out the roles and responsibilities of that computer incident response team. The director of the team, he's the one that's going to essentially be from senior management or have a link to senior management who has the authority to carry out those incident response activities. They'll often be that person that may or may not do the actual incident response work, but will be that liaison to management and be able to help direct the overall incident response task. Then below that, you're going to have the lead investigator, and the lead investigator is in charge of the operations aspect of the incident response activities. They're going to ensure that the incident response is executed in the right order and the processes are followed, just overseeing that overall response. Then you'll also have essentially forensics technicians, and they're going to carry out your basic incident response tasks at the direction of that lead investigator. They're going to go out, they're going to look for the artifacts, they're going to try and figure out what type of malware may have infected that system, and the extent of the problem. You'll also have your incident response handler, and this is usually the first one that is going to be on the scene and they must react. Depending on the type of organization you have, it may not necessarily be that user, but if you have a large distributed organization, maybe that first-level IT person that a user can go to and say, "Hey, I've noticed this problem with the computer." Or maybe the IT manager himself, that he notices something on his logs or IDS that notifies him that there's essentially a problem. Then you'll have an incident handler; that person is essentially going to be maybe that individual that the response handler is going to notify. Or it may actually be that the response handler may turn into that incident handler. What they're going to do is they're going to ensure that the evidence is protected, and they may also gather that evidence at the scene. It could involve maybe doing volatile memory forensics, or at least ensuring that there's no destructive activity taking place on that system. Then lastly, we're going to have a legal advisor. They're going to provide guidance consistent with local, state, federal laws or policy of your organization because we always want to keep it legal.