Time
7 hours 26 minutes
Difficulty
Advanced
CEU/CPE
7

Video Description

This lesson covers incident recovery. Recovery from an incident is not just a technical solution; it involves everything about a business, from legal representation to HR to IT. Outside entities such as law enforcement and remediation specialists may also be involved. The most important thing in incident recovery is stopping the threat and then keeping it from getting worse. Incident recovery includes the following steps:
· Secure the network
· Remove files
· Remove devices
Finally, a big part of dealing with incidents is taking measures to prevent them from happening in the first place, so education is key.
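
The "secure the network" step, as an added worked example that is not part of the lesson or the instructor's material: it turns a pasted list of known-bad addresses into an edge-firewall ruleset that drops those sources (and any beaconing back out to them) and denies critical servers any direct outbound Internet access. It emits nftables syntax; the IOC list, the critical-server subnets and the `ir_containment` table name are constructed assumptions. Country-level blocking is left out because it needs a country-to-prefix feed that is not available offline.

```python
"""Containment rules for the "secure the network" step of incident recovery.

Added example (not code from the lesson): turns a pasted IOC list into an
nftables ruleset that drops known-bad sources at the edge and denies critical
servers any direct outbound Internet access. The IOCs, subnets and table name
below are constructed for illustration and are not real indicators.
"""
import ipaddress

# Constructed sample IOC list as an analyst might paste it from a report:
# a duplicate, a CIDR, an IPv6 address, an internal address and a typo.
SAMPLE_IOCS = """
203.0.113.45
203.0.113.45
198.51.100.0/24
2001:db8::dead:beef
10.0.0.7
not-an-ip
"""

# Constructed: subnets holding servers that must never reach the Internet directly.
CRITICAL_SUBNETS = ["10.10.20.0/24", "10.10.30.0/24"]

# RFC 1918 / ULA space never belongs in an edge blocklist (it would break
# internal routing rather than block an attacker), so such entries are
# treated as paste errors and handed back for manual review.
INTERNAL = [ipaddress.ip_network(c) for c in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def _is_internal(net):
    return (net.is_loopback or net.is_link_local or net.is_multicast
            or any(net.version == i.version and net.subnet_of(i) for i in INTERNAL))


def parse_iocs(text):
    """Return (networks, rejected): validated, de-duplicated, aggregated IOCs."""
    nets, rejected = [], []
    for raw in text.split():
        try:
            net = ipaddress.ip_network(raw, strict=False)
        except ValueError:
            rejected.append(raw)
            continue
        if _is_internal(net):
            rejected.append(raw)
            continue
        nets.append(net)
    # collapse_addresses merges duplicates and overlaps, one address family at a time
    v4 = list(ipaddress.collapse_addresses(n for n in nets if n.version == 4))
    v6 = list(ipaddress.collapse_addresses(n for n in nets if n.version == 6))
    return v4 + v6, rejected


def _nft_set(name, family, items):
    body = "type %s; flags interval;" % family
    if items:
        body += " elements = { %s }" % ", ".join(str(i) for i in items)
    return "  set %s { %s }" % (name, body)


def render_nft(iocs, critical=CRITICAL_SUBNETS):
    """Emit an nftables ruleset (one list entry per line) for the edge device."""
    v4 = [n for n in iocs if n.version == 4]
    v6 = [n for n in iocs if n.version == 6]
    return [
        "table inet ir_containment {",
        _nft_set("ioc_v4", "ipv4_addr", v4),
        _nft_set("ioc_v6", "ipv6_addr", v6),
        _nft_set("critical", "ipv4_addr", critical),
        "  chain edge { type filter hook forward priority -10; policy accept;",
        "    # traffic from, and beaconing out to, known-bad addresses",
        "    ip saddr @ioc_v4 counter drop",
        "    ip daddr @ioc_v4 counter drop",
        "    ip6 saddr @ioc_v6 counter drop",
        "    ip6 daddr @ioc_v6 counter drop",
        "    # critical servers may talk internally, never directly to the Internet",
        "    ip saddr @critical ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } accept",
        "    ip saddr @critical counter drop",
        "  }",
        "}",
    ]


if __name__ == "__main__":
    iocs, rejected = parse_iocs(SAMPLE_IOCS)
    print("\n".join(render_nft(iocs)))
    print("# rejected, review by hand:", ", ".join(rejected))
```

Load the output with `nft -f` on the edge device after reviewing the rejected entries; the `counter` keywords make `nft list table inet ir_containment` show whether the blocked addresses are still being hit, which is the signal that the threat is still trying to come back.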

Video Transcription

00:04
Hello, Cybrarians, and welcome back to Incident Response and Advanced Forensics.
00:09
My name is Max Alexander, and I'll be your subject matter expert. Today's course: incident recovery.
00:15
So everything that we talked about so far through this course has
00:22
suggested that incident response is not just a technical solution, but it's going to be something that is going to run across all domains within your organization,
00:34
and likewise, because incident response is not just a technical solution, your recovery process is not going to be a purely technical solution either.
00:46
And recovery is going to essentially involve all aspects of your business model.
00:51
And as we looked at the Sony hack case, obviously that particular incident
00:59
required
01:00
individuals from all facets of the company. So more than likely they had legal representatives. They had their public relations. They had human resources, senior management, IT,
01:15
and probably a lot more individuals in that company who were trying to help
01:19
resolve, remediate and recover from that incident.
01:23
And as we talked about, a lot of the
01:26
above-the-waterline costs are minuscule compared to everything that happens below that line:
01:36
having to pay those legal fees, those attorneys' fees, loss of brand reputation.
01:42
So in that incident response process, you're going to have a lot of those people come in and try to
01:49
restore the company to its former state. And that could be a very expensive, timely
01:57
process.
01:59
Also involved in that process, from outside of your organization, could be entities such as law enforcement.
02:07
If it's a criminal matter, such as the Sony hack case, they brought in the FBI
02:13
um,
02:14
to help investigate that. So you might have to work with those agencies.
02:20
You may also have to work with data recovery
02:23
and forensics experts,
02:25
especially if you don't have those folks on your staff
02:29
and then, lastly, remediation specialists. So
02:34
the Sony hack was obviously a large attack; they may not have had enough staff on hand to begin that remediation process, so they might have had to call in outside experts to help them with that. Or you just don't have them on staff. Again, that's something you may have to pay for
02:53
as an outside service.
02:57
So what is incident recovery?
03:00
First and foremost, incident recovery is going to mean stopping that threat
03:05
and keeping it from getting worse. So everything that we've done throughout the course so far has been to help identify some of the
03:17
triggers for that threat, some of the information that we can take away from that, so we can formulate some type of plan
03:27
to, one, stop the threat and then figure out how it got into our system
03:32
and then
03:34
essentially shore up those weaknesses that we've had.
03:39
So after we've stopped that threat and we've stopped its progression,
03:45
then we can move on to the remediation and recovery from that incident.
03:50
And the first step in the remediation is to ensure that the threat is removed from your system or network, because we want to prevent it from coming back.
03:58
So, in securing your network,
04:00
we want to limit the ability of the attacker to access it.
04:05
So by limiting or removing the ability of the attacker to send packets into your network, that should provide a good method to prevent that attack from coming back.
04:20
And that action seeks to not only stop the attack at that one endpoint that we may have identified; it seeks to stop the attack
04:30
network-wide,
04:31
and the way that we're going to do that? We're going to block the IP addresses that are known threats at the edge of the network on our firewall.
04:41
Also, if we are doing business in certain countries but not doing business in other countries, we could essentially block access to those countries, and that would essentially prevent any traffic going into or out of our network to those countries
05:00
and just provide us another level of protection.
05:04
And then lastly, we would want to deny servers and critical infrastructure the ability to directly communicate with the Internet.
05:13
So essentially nullifying any outbound connections from those devices. And that's just another way we can shore up that network and help prevent attacks from occurring in the future.
05:28
The next thing we want to do is remove the files that essentially corrupted our network.
05:33
So that's kind of a no-brainer. We want to get rid of bad files.
05:40
Also, we want to identify the application, service or protocol that presented the initial vulnerability,
05:47
and what we want to do is modify the shortcomings to prevent future attacks.
05:54
So those actions could include everything from deleting known bad files, disabling unused high-risk services such as those that transmit plain text, removing software applications that present little business use, and updating or
06:13
installing
06:14
industry-standard anti-malware applications.
06:16
So the key takeaways for these actions are: find and remove the files responsible for the attack,
06:25
delete or disable the processes or protocols used to launch the attack,
06:29
and then, lastly, remove the service or application that created the vulnerability.
06:36
The next step, or action, that we want to take is removing the affected devices from our environment.
06:42
So removing the infected asset or assets' files and returning the assets to a known good state is a reasonable goal for the majority of incident response plans. However, I'm going to caveat that with an important note: deleting files,
06:58
powering down a system to replace the hard drive, or restoring the system to a previous version is going to destroy any type of forensic evidence that could be used to determine the cause of that incident.
07:11
And in many cases, capturing that information
07:14
prior to restoring the system is the only way to essentially determine what happened.
07:18
So
07:20
if you can do that, the forensic collection process should be done first. That's the cornerstone for any and all legal action taken as a result of the attack.
07:30
So some key takeaways for this are: collect the images of volatile system data, the RAM and the hard disk, if at all possible.
07:39
Then power off the device and disconnect it from the network, again only after imaging,
07:45
and then, lastly, restore the affected devices to a known good state, be it from backups or snapshots.
07:53
So after we've done this remediation process, we've gotten the files off our system, we've got new computers online, we've essentially shored up our firewall, we then come to the question of:
08:07
Do we share this information with others
08:11
And ideally, sharing is going to provide the indicators that we saw and the techniques that we saw to the other professionals in the field,
08:20
and sharing information is going to create a reciprocal relationship with whomever we've shared that information with.
08:28
So if I'm working at a commercial big bank and I see some type of attack
08:33
and I want to share that with my buddies at other commercial big banks, ideally we're going to be creating an information sharing consortium, and that way that's going to help me understand what they're facing, they'll understand what I'm facing, and we can protect each other.
08:50
And likewise, if you share that with the federal agencies, they will also in turn generally share some information with you from attacks that they have seen that are ongoing or re-occurring.
09:05
So that information sharing throughout the community only helps to make everyone stronger.
09:13
And then the sharing of the information also helps provide a more proactive threat intelligence team.
09:20
So if you have individuals set within your incident response team that are doing some intelligence work, or they sit outside your response team,
09:31
any information that you can provide them for indicators of compromise
09:35
or
09:37
TTPs that were used in this incident, that's going to help them provide better tactical information to the cyber security professionals. And that way,
09:50
those individuals could take proactive steps to help protect the network and hopefully prevent the incidents from occurring, period.
10:01
And this is just an overview of that intelligence cycle. So if you do have one of these threat intelligence units within your organization, the threat intelligence cycle will essentially start at the top with requirements. That's just going to be asking questions:
10:18
What makes this hurt? What causes this? What do we see when something happens?
10:26
So it's that initial asking of the question
10:30
Then that goes out to the collection of individuals who are trying to find answers to that question, and a lot of times for incident response that's going to be your incident responders. Often times it may not be that they have a requirement; it's that the collection may occur before there's a requirement,
10:50
and then that's going to essentially
10:52
drive the rest of this intelligence cycle.
10:54
But once you collect that information,
10:58
somebody needs to do something with it.
11:01
It doesn't actually become intelligence until it's been processed, evaluated and analyzed. So there are a couple of steps in that.
11:13
When you do get the information and the indicators of compromise and you write your report, you're going to send that to your analysis shop, and they're going to look at that
11:22
and they're going to process that information and determine, yes, this matches some things that we've seen. Yes, we've seen this IP address before. Yes, we've seen this technique used. And they can package that together, as they should have that bigger picture of things that are going on,
11:41
and after they package that information up,
11:43
they can then begin to disseminate that information
11:48
to the individuals who may have asked those questions or to other teams who are going to take actions to help prevent future attacks from occurring.
11:58
And then that dissemination of information should draw feedback: yeah, we like this information; we already saw this; or no, this is not relevant to us. And then the cycle essentially will repeat itself. So that's just an example of how information sharing
12:18
can help drive
12:20
that intelligence cycle to make your processes better for
12:24
incident response.
12:26
And then lastly, after we have done the analysis of that information and we've seen some trends that are occurring,
12:35
We want to educate the work force to make them better.
12:39
And essentially, smarter users make smart choices. A lot of times we take for granted that we have a lot of IT education, training and experience, and we forget that many users did not have formal computer training or have not had training in a long time.
12:56
Ideally, you want some type of
12:58
annual refresher training to remind your employees of some basic security awareness procedures,
13:07
and hopefully that would prevent a lot of these incidents from occurring
13:11
to begin.
13:13
Keep in mind, I read a study,
13:16
I think, a couple weeks ago, that showed many users are going to click on links in their e-mails regardless of the content within the email message.
13:24
So that's something that we
13:26
failed at as a whole in the computer security realm and community. We have to educate these users on
13:37
proper ways and proper protocols of computer usage. Otherwise, we keep getting
13:46
drawn back to the same incidents, same problems, and if we could spend more time educating users on proper protocols, we might actually have to spend less time on certain incidents. So ideally, the more that you know about something, the better you can defend against it.

Up Next

Incident Response and Advanced Forensics

In this course, you will gain an introduction to Incident Response, learn how to develop three important protection plans, perform advanced forensics on the incident, deep dive into insider and malware threats, and commence incident recovery.

Instructed By

Max Alexander
VP, Cybersecurity Incident Response Planning at JPMorgan
Instructor