Hello, Cybrarians, and welcome back to Incident Response and Advanced Forensics. My name is Max Alexander, and I'll be your subject matter expert. Today's lesson is incident recovery.
So everything that we talked about so far through this course has suggested that incident response is not just a technical solution, but something that is going to run across all domains within your organization. And likewise, because incident response is not just a technical solution, your recovery process is not going to be a purely technical solution either. Recovery is essentially going to touch all aspects of your business model.
And as we looked at the Sony hack case, obviously that particular incident involved individuals from all facets of the company. So more than likely they had legal representatives, their public relations, human resources, senior management, IT, and probably a lot more individuals in that company trying to help resolve, remediate and recover from that incident. And as we talked about, a lot of the above-the-waterline costs are minuscule compared to everything that happens below that waterline: having to pay those legal fees, those attorneys' fees, loss of brand reputation. So in that incident response process, you're going to have a lot of those people come in and try and restore the company to its former state, and that could be a very expensive, time-consuming process.
Also involved in that process, from outside of your organization, could be entities such as law enforcement. If it's a criminal matter, such as the Sony hack case, where they brought in the FBI to help investigate, you might have to work with those agencies. You may also have to work with data recovery and forensics experts, especially if you don't have those folks on your staff. And then, lastly, remediation specialists. So with the Sony hack, obviously a large attack, they may not have had enough staff on hand to begin that remediation process, so they might have had to call in outside experts to help them with that. If you just don't have them on staff, again, that's something you may have to pay for as an outside service.
So what is incident recovery? First and foremost, incident recovery is going to mean stopping that threat and keeping it from getting worse. So everything that we've done throughout the course so far has been to help identify some of the triggers for that threat, some of the information that we can take away from it, so we can formulate some type of plan to, one, stop the threat, and then figure out how it got into our system and essentially shore up those weaknesses that we've had.
So after we've stopped that threat and its progression, then we can move on to the remediation and recovery from that incident. And the first step in the remediation is to ensure that the threat is removed from your system or network. Now we want to prevent that from coming back, so in securing your network, we want to limit the ability of the attacker to access it. By limiting or removing the ability of the attacker to send packets into your network, that should provide a good method to prevent that attack from coming back. And that action seeks not only to stop the attack at that one entry point that we may have identified; it seeks to stop the attack overall. And the way that we're gonna do that? We're gonna block the IP addresses that are known threats at the edge of the network on our firewall. Also, if we are doing business in certain countries but not doing business in other countries, we could essentially block access to those countries, and that would prevent any traffic going into or out of our network to those countries and just provide us another level of protection. And then lastly, we would want to deny servers and critical infrastructure the ability to directly communicate with the Internet, essentially nullifying any outbound connections from those devices. That's just another way we can shore up that network and help prevent the attacks from occurring in the future.
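The three edge-firewall controls just described, as an added example that is not part of the original lesson: a small policy evaluator that applies them in the lesson's order to a source/destination pair. The threat addresses, the placeholder country range, the internal address space and the server subnet are all constructed sample values.

```python
"""Edge-firewall policy check for the three network controls in the lesson:
drop known-threat IPs at the edge, geo-block countries we do no business
with, and deny servers/critical infrastructure direct outbound Internet
access. All addresses and ranges below are constructed sample values."""
import ipaddress

KNOWN_THREAT_IPS = {"198.51.100.23", "203.0.113.77"}          # constructed
# Constructed placeholder ranges; a real deployment loads these from a GeoIP feed.
BLOCKED_COUNTRY_RANGES = {"XX": ["192.0.2.0/24"]}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")                  # our address space
# Servers and critical infrastructure that get no direct Internet path.
NO_DIRECT_INTERNET = ["10.10.0.0/16"]


def _in_any(addr, cidrs):
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def decide(src, dst):
    """Return (verdict, reason) for a packet crossing the edge firewall.
    Rules are applied in the order the lesson lists them."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    inbound = d in INTERNAL and s not in INTERNAL
    outbound = s in INTERNAL and d not in INTERNAL
    if not (inbound or outbound):
        # East-west traffic never crosses the edge; out of scope here.
        return ("pass", "not an edge crossing")
    external = s if inbound else d
    # 1. Known-threat addresses are dropped in both directions.
    if str(external) in KNOWN_THREAT_IPS:
        return ("drop", "known-threat ip")
    # 2. Geo-block: nothing in or out to countries we do not do business with.
    for country, cidrs in BLOCKED_COUNTRY_RANGES.items():
        if _in_any(external, cidrs):
            return ("drop", f"geo-block {country}")
    # 3. Servers and critical infrastructure: no outbound Internet connections.
    if outbound and _in_any(s, NO_DIRECT_INTERNET):
        return ("drop", "server egress denied")
    return ("pass", "default")


if __name__ == "__main__":
    for pkt in [("198.51.100.23", "10.0.5.5"), ("10.10.3.3", "198.51.100.200")]:
        print(pkt, decide(*pkt))
```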
The next thing you want to do is remove the files that essentially corrupted our network. So that's kind of a no-brainer: we want to get rid of bad files. Also, we want to identify the application, service or protocol that was present in the initial vulnerability, and what we want to do is modify the shortcomings to prevent future attacks. So those actions could include everything from deleting known bad files, disabling unused high-risk services such as those that transmit plain text, removing software applications that present little business use, and updating to an industry-standard, current version of the application. So the key takeaways for these actions are: find and remove the files responsible for the attack; delete or disable the processes or protocols used to launch the attack; and then, lastly, remove the service or application that created the vulnerability.
The next step or action that we want to take is removing the affected devices from our environment. So removing the infected asset or assets' files and returning the assets to a known good state is a reasonable goal for the majority of incident response plans. However, I'm gonna caveat that with an important note: deleting files, powering down a system to replace the hard drive, or restoring the system to a previous version is going to destroy any type of forensic evidence that could be used to determine the cause of that incident. And in many cases, capturing that information prior to restoring the system is the only way to essentially determine what happened. If you can do that, the forensic collection process should be done first. That's the cornerstone for any and all legal action to take as a result of the attack. So some key takeaways for this are: collect the images of volatile system data, the RAM and the hard disk, if at all possible; then power off the device and disconnect it from the network, again only after imaging; and then, lastly, restore the affected devices to a known good state, be it from backups or snapshots.
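The ordering caveat above, as an added example that is not part of the original lesson: a checker that validates a recovery runbook so that RAM and disk are imaged before any evidence-destroying step, power-off and disconnect come only after imaging, and restore comes last. The step names and sample plans are constructed for this example.

```python
"""Checks a recovery runbook against the evidence-preservation rule in the
lesson: image volatile data (RAM) and the disk before any step that destroys
evidence, power off and disconnect only after imaging, and restore last.
Step names and the sample plans are constructed for this example."""

# Capture steps in order of volatility, most volatile first.
CAPTURE_STEPS = ["image_ram", "image_disk"]
# Steps that destroy evidence if taken before capture is complete.
DESTRUCTIVE_STEPS = {"power_off", "disconnect_network", "delete_files",
                     "replace_drive", "restore_backup", "restore_snapshot"}
RESTORE_STEPS = {"replace_drive", "restore_backup", "restore_snapshot"}
ISOLATION_STEPS = {"power_off", "disconnect_network"}


def check_plan(steps):
    """Return the list of violations; an empty list means the plan is safe."""
    problems, done = [], []
    for i, step in enumerate(steps):
        if step in DESTRUCTIVE_STEPS:
            missing = [c for c in CAPTURE_STEPS if c not in done]
            if missing:
                problems.append(f"step {i} '{step}' destroys evidence before "
                                f"{', '.join(missing)} is captured")
        if step == "image_disk" and "image_ram" not in done:
            problems.append(f"step {i} 'image_disk' precedes 'image_ram' "
                            "(capture the most volatile data first)")
        if step in RESTORE_STEPS and not ISOLATION_STEPS & set(done):
            problems.append(f"step {i} '{step}' restores a device that was "
                            "never powered off or disconnected")
        done.append(step)
    for c in CAPTURE_STEPS:
        if c not in done:
            problems.append(f"plan never captures {c}")
    return problems


if __name__ == "__main__":
    good = ["image_ram", "image_disk", "power_off", "disconnect_network", "restore_backup"]
    bad = ["power_off", "replace_drive", "restore_snapshot"]
    print(check_plan(good))
    print(check_plan(bad))
```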
So after we've done this remediation process, we've gotten the files off our system, we've got new computers online, we're essentially shoring up our firewall, we then come to the question of: do we share this information with others? Ideally, sharing is going to provide the indicators that we saw and the TTPs that we saw to the other professionals in the field, and sharing information is going to create a reciprocal relationship with whomever we've shared that information with. So if I'm working at a commercial big bank and I see some type of attack and I want to share that with my buddies at other commercial big banks, ideally we're going to be creating an information sharing consortium, and that's going to help me understand what they're facing, they'll understand what I'm facing, and we can protect each other. And likewise, if you share that with the federal agencies, they will also in turn generally share some information with you from attacks that they have seen that are ongoing or recurring. So that information sharing throughout the community only helps to make everyone stronger.
And then the sharing of the information also helps provide a more proactive threat intelligence team. So if you have individuals within your incident response team that are doing some intelligence work, or they sit outside your response team, any information that you can provide them, indicators of compromise, TTPs that were used in this incident, is going to help them provide better tactical information to the cybersecurity professionals. And that way, those individuals can take proactive steps to help protect the network and hopefully prevent the incidents from occurring, period.
And this is just an overview of that intelligence cycle. So if you do have one of these threat intelligence units within your organization, the threat intelligence cycle will essentially start at the top with requirements. That's just going to be asking questions: what does this hurt? What causes this? What do we see when something happens? So it's that initial asking of the question. Then that goes out to collection, the individuals who are trying to find answers to that question, and a lot of times for incident response that's going to be your incident responders. Often times it may not be that they have a requirement; the collection may occur before there's a requirement, and then that's going to essentially drive the rest of this intelligence cycle. But once you collect that information, somebody needs to do something with it. It doesn't actually become intelligence until it's been processed, evaluated and analyzed. So there are a couple of steps in that. When you do get the information and the indicators of compromise and you write your report, you're going to send that to your analysis shop, and they're gonna look at that and process that information and determine: yes, this matches some things that we've seen; yes, we've seen this IP address before; yes, we've seen this technique used. And they can package that together, as they should have that bigger picture of things that are going on. And after they package that information up, they can then begin to disseminate that information to the individuals who may have asked those questions or to other teams who are going to take actions to help prevent future attacks from occurring. And then that dissemination of information should draw feedback: yeah, we like this information; we already saw this; or no, this is not relevant to us. And then the cycle essentially will repeat itself. So that's just an example of how information sharing feeds that intelligence cycle to make your processes better.
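The processing, dissemination and feedback steps just described, as an added example that is not part of the original lesson: a new report's indicators are matched against prior sightings (exact IPs, CIDR ranges, hashes and TTPs), packaged into a product that says what was seen before and what is new, and the feedback step folds confirmed new indicators back in for the next cycle. Every indicator, incident id and TTP id is a constructed sample.

```python
"""Processing and analysis step of the intelligence cycle in the lesson: a new
incident report's indicators are matched against prior sightings so the
analysis shop can say 'we have seen this IP / this technique before', package
the result for dissemination, and fold feedback back in. Every indicator,
incident id and TTP id here is a constructed sample, not real intelligence."""
import ipaddress

# Constructed prior sightings: indicator -> incidents it appeared in.
PRIOR = {
    "ip":   {"203.0.113.77": ["INC-0001"], "198.51.100.0/24": ["INC-0002", "INC-0003"]},
    "hash": {"deadbeef" * 8: ["INC-0001"]},          # placeholder SHA-256, lowercase
    "ttp":  {"TTP-PHISH-LINK": ["INC-0001", "INC-0003"]},
}


def match_ip(ip, known):
    """Match an address against exact IPs and CIDR ranges seen before."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for key, incidents in known.items():
        if addr in ipaddress.ip_network(key, strict=False):
            hits.extend(incidents)
    return sorted(set(hits))


def process_report(report, prior=PRIOR):
    """Turn raw indicators into a product: matched IOCs, new IOCs, related incidents."""
    product = {"matched": {}, "new": {}, "related_incidents": set()}
    for kind, values in report.items():
        for value in values:
            norm = value.lower() if kind == "hash" else value   # hashes compare case-insensitively
            hits = (match_ip(norm, prior.get("ip", {})) if kind == "ip"
                    else list(prior.get(kind, {}).get(norm, [])))
            if hits:
                product["matched"][norm] = hits
                product["related_incidents"].update(hits)
            else:
                product["new"].setdefault(kind, []).append(norm)
    product["related_incidents"] = sorted(product["related_incidents"])
    return product


def record_feedback(prior, product, useful, incident_id):
    """Feedback step: if consumers found the product useful, fold the new
    indicators into prior sightings so the next cycle can match them."""
    if useful:
        for kind, values in product["new"].items():
            for value in values:
                prior.setdefault(kind, {}).setdefault(value, []).append(incident_id)
    return prior
```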
And then lastly, after we have done the analysis of that information and we've seen some trends that hurt us, we want to educate the workforce to make them better. Essentially, smarter users make smart choices. A lot of times we take for granted that we have a lot of IT education, training and experience, and we forget that many users did not have formal computer training or have not had training in a long time. Ideally, you want some type of annual refresher training to remind your employees of some basic security awareness procedures, and hopefully that would prevent a lot of these incidents from occurring. Keep in mind, I read a study, I think a couple weeks ago, that showed many users are gonna click on links in their emails regardless of the content within the email message. So that's something that we failed at as a whole in the computer security realm and community: we have to educate these users on proper ways and proper protocols of computer usage. Otherwise, we keep getting drawn back to the same incidents, the same problems. If we could spend more time educating users on proper protocols, we might actually have to spend less time on certain incidents. So ideally, the more that you know about something, the better you can defend against it.