Part 1 - Incident Recovery

Video Activity

Time: 7 hours 56 minutes
Difficulty: Advanced
CEU/CPE: 7
Video Description

This lesson covers incident recovery. Recovery from an incident is not just a technical solution; it involves every part of a business, from legal representation to HR to IT. Outside entities such as law enforcement and remediation specialists may also be involved. The most important thing in incident recovery is stopping the threat and then keeping it from getting worse. Incident recovery includes the following steps:
· Secure the network
· Remove files
· Remove devices
Finally, a big step regarding incidents is taking measures to prevent them from happening in the first place, so education is key.

Video Transcription
Hello Cyberians and welcome back to incident response and advanced forensics. My name is Max Alexander and I'll be your subject matter expert for today's course, incident recovery. Everything that we've talked about so far through this course has suggested that incident response is not just a technical solution, but it's going to be something that is going to run across all domains within your organization. Likewise, because incident response is not just a technical solution, your recovery process is going to be a purely technical solution as well. Recovery is going to essentially involve all aspects of your business model.

As we looked at the Sony hack case, obviously, that particular incident required individuals from all facets of the company. More than likely they had legal representatives, they had their public relations, they had human resources, senior management, IT, and probably a lot more individuals in that company trying to help resolve and remediate and recover from that incident. As we talked about, a lot of the above-the-waterline costs are minuscule compared to everything that happens below that waterline: having to pay those legal fees, those attorney's fees, loss of brand reputation. In that incident response process, you're going to have a lot of those people come in and try and restore the company to its former state, and that can be a very expensive, timely process.

Also involved in that process from outside of your organization could be entities such as law enforcement if it's a criminal matter. In the Sony hack case, they brought in the FBI to help investigate this, so you might have to work with those law enforcement agencies. You may also have to work with data recovery and forensics experts, especially if you don't have those folks on your staff. Then lastly, remediation specialists. The Sony hack was obviously a large hack, so they may not have had enough staff on hand to begin that remediation process. They might have had to call in outside experts to help them with that. Or if you just don't have them on staff, again, that's something you may have to pay for as an outside service.

What is incident recovery? First and foremost, incident recovery is going to mean stopping that threat and keeping it from getting worse. Everything that we've done throughout the course so far has been to help identify some of the triggers for that threat, some of the information that we can take away from that threat, so we can formulate some type of plan to, one, stop the threat, and then figure out how it got into our system and then essentially shore up those weaknesses that we've had. After we've stopped that threat and we've stopped its progression, then we can move on to the remediation and recovery from that incident.

The first step in remediation is to ensure that the threat is removed from your system or network, and then we want to prevent that from coming back. In securing your network, we want to limit the ability of the attacker to access the network. By limiting our ability and removing the ability of the attacker to send packets into your network, that should provide a good method to prevent that attack from coming back. That action seeks not only to stop the attack at that one endpoint that we may have identified, but it seeks to stop the attack network-wide. The way that we're going to do that is we're going to block the IP addresses that are known threats at the edge of the network on our firewall. Also, if we are doing business in certain countries, but are not doing business in other countries, we could essentially block access to those countries, and that would essentially prevent any traffic going into or out of our network to those countries and just provide us another level of protection. Then lastly, we would want to deny servers and critical infrastructure the ability to directly communicate with the internet, so essentially nullifying any outbound connections from those devices. That's just another way we can shore up that network and help prevent the attacks from occurring in the future.

The next thing we want to do is remove the files that essentially corrupted our network. That's a no-brainer. We want to get rid of the bad files. Also, we want to identify the application, the service, or the protocol that was presented in the initial vulnerability, and what we want to do is modify those shortcomings to prevent future attacks. Those actions could include everything from deleting the known bad files, disabling unused or high-risk services, such as those that transmit in plain text, removing software applications that have little business use, and updating or installing an industry-standard anti-malware application. The key takeaways for these actions are to find and remove the files that are responsible for the attack, and delete or disable the processes or protocols used to launch the attack. Then lastly, remove the service or application that created the vulnerability.

The next step action that we want to take is removing the affected devices from our environment. Removing the infected asset or assets and files and returning the assets to a known good state is a reasonable goal for the majority of incident response plans. However, I'm going to caveat that with an important note that deleting files, powering down a system to replace a hard drive, or restoring the system to a previous version is going to destroy any type of forensic evidence that can be used to determine the root cause of that incident. In many cases, capturing that information prior to restoring the system is the only way to essentially determine what happened. If you can't do it, the forensic collection process should be done first, as that's the cornerstone for any and all legal action to take as a result of the attack. Some key takeaways for this are to collect the images of the volatile system data, the RAM, and the hard disk, if at all possible. Then power off the device and disconnect it from that network, again only after imaging it. Then lastly, restore the affected devices to a known-good state via backups or snapshots.

After we've done this remediation process and we've gotten the files off our system, we've got new computers online, we've essentially shored up our firewall, we then come to the question of, do we share this information with others? Ideally, sharing is going to provide the indicators that we saw and the TTPs that we solve to other professionals in the field. Sharing information is going to create a reciprocal relationship with whomever we've shared that information with. If I'm working at a commercial big bank and I see some type of attack, and I want to share that with my buddies in other commercial big banks, ideally, we're going to be creating an information-sharing consortium. That way that's going to help me understand what they're facing and they will understand what I'm facing, and we can protect each other. Likewise, if you share that with the federal agencies, they will also in turn generally share some information with you from attacks that they have seen that are ongoing and reoccurring. That information sharing throughout the community only helps to make everyone stronger. Then the sharing of the information also helps provide a more proactive threat intelligence team.

If you have essentially individuals that sit within your incident response team that are doing some intelligence work, or where they sit alongside your incident response team, any information that you can provide them, or indicators of compromise or TTPs that were used in this incident, that's going to help them provide better tactical information to the cybersecurity professionals. That way, those individuals can take proactive steps to help protect the network and hopefully prevent the incidents from occurring, period.

This is just an overview of that intelligence cycle. If you do have one of these threat intelligence units within your organization, the threat intelligence cycle will essentially start at the top with requirements. That's just going to be asking the question. What does make this occur? What causes this? What do we see when something happens? It's that initial asking of the question. Then that goes out to the collection individuals who are trying to find answers to that question. A lot of times, for incident response, that's going to be your incident responders. Oftentimes it may not be that they have a requirement; it's that the collection may occur before there's a requirement. Then that's going to essentially drive the rest of this intelligence cycle.

But once you collect that information, somebody needs to do something with it. It doesn't actually become intelligence until it's been processed and evaluated and analyzed. There are a couple of steps in that. When you do get the information and the indicators of compromise and you write your report, you're going to send that to your analysis shop, and they're going to look at that and they're going to process that information, determine, "Yes, this matches some things that we've seen. Yes, we've seen this IP address before. Yes, we've seen this technique used," and they can package that together as they should have that bigger picture of things that are going on. After they package that information up, they can then begin to disseminate that information to the individuals who may have asked those questions or to other teams who are going to take actions to help prevent future attacks from occurring. Then that dissemination of information should draw feedback of, "Yeah, we like this information. Oh, we already saw this," or "No, this is not relevant to us." Then the cycle essentially will repeat itself over and over again. That is just an example of how information sharing can help drive that intelligence cycle to make your processes better in incident response.

Then lastly, after we have done the analysis of that information and we've seen some of the trends that are occurring, we want to educate the workforce to make them better. Essentially, smarter users make smart choices. A lot of times we take for granted that we have a lot of IT education, training, and experience, and we forget that many users do not have formal computer training or have not had training in a long time. Ideally, you want some type of annual refresher training to remind your employees of some basic security awareness procedures. Hopefully, that would prevent a lot of these incidents from occurring, to begin with. Keep in mind, I read a study I think a couple of weeks ago that showed many users are going to click on links in their emails regardless of the content within the email message. That's something that we failed at as a whole in the computer security realm and community. We have to educate these users on proper ways and proper protocols of computer usage. Otherwise, we keep getting drawn back into the same incidents, the same problems, and if we could spend more time educating users on proper protocols, we might actually have to spend less time on certain incidents. Ideally, the more that you know about something, the better you can defend against that.