Time
7 hours 36 minutes
Difficulty
Advanced
CEU/CPE
7

Video Description

This lesson discusses the composition of the cyber incident response team (CIRC) which consists of: · Team leader · IR Team member · Incident manager · Local IT · Forensics · Admin Included in this team are dispatchers who work the Incident Response hotline and respond to calls accordingly. Best practices for the entire team include: · Awareness · What do we do now that we know? · React · Review policies and procedures

Video Transcription

00:04
so kind of moving on from this slide. We have another visual here That kind of lays out that certain team composition again, Depending on your organization. It may or may not very from this, but at the center of that, you're gonna have that team leader.
00:19
Uh, then you'll have that incident manager, your forensics person
00:24
Local I t support I t administrators. Maybe that your system spans many geographical regions. And then your incident response team members
00:38
also kind of included in this incident Response team is going to be a dispatcher and dispatchers air going to essentially man that incident response hot
00:50
so they may or may not be actual part of that team. But if you have ah, ticketing system similar to maybe Ark site, they might be the person who receives that initial call and put the ticket in the system that says, Hey, we've had some incidents.
01:04
So essentially their responsibilities Heir to receive distress calls from clients are employees and they provide general information about the various incident Response service is
01:15
we'll fill out. The reports will essentially assign a tracking numbers, even keep track of that incident, and they'll connect clients with the appropriate incident response team personnel for further assistance. And then typically this function is going to be conducted around a clock. A cz Many organizations have 24 7 up time,
01:36
especially if they're large
01:37
global organizations.
01:40
So kind of another aspect are looking at this incident response,
01:47
incident response Totality is the awareness of something occurring.
01:53
So that's going to be the first level of incident response that something happened
01:59
and that we may or may not know what happened, but we want to know, how do we know that this occurred? And then we're looking for these indicators, so indicators may come in various forms. Could be something from IGs. Maybe you've got a ping or something that someone has tried to
02:17
who do something to your network
02:21
and you need to go investigate that. Forget exactly what that waas.
02:24
Maybe you've had someone who was cruising along the Internet or they've opened up some type of file on their email on all of a sudden, you have this
02:32
virus skinner alert pop up and say that your system is either infected and door that your buyer scanner has quarantines,
02:42
and that would warrant some type of incident response.
02:46
The next indication you might have is a violation of acceptable use policies. So if you're monitoring traffic on your network and you're seeing boys go thio certain websites that they're not supposed to if you see them using a computer for other than its intended purpose.
03:05
But that might be something that you want to investigate. Figure up
03:07
further what exactly happened, why they're doing what they're doing.
03:12
And they also have firewall notifications that something's happening. Are someone's trying to get into your network or something is trying to escape your network. Shouldn't you could also have self reporting. So maybe a user has opened up that email attachment
03:29
and they noticed that they're now infected with Ransomware. Or maybe they've lost the laptop with mobile devices connected to you
03:38
network, and they're calling the dispatcher to report that.
03:43
And then lastly, hopefully this doesn't occur. But it has, in fact, to several organizations is that you get a report on the news that you've been hacked and you don't know about it. Are you having to now respond to this? This reported back in the news so you're definitely behind the power curve,
04:02
so moving on after the awareness state essentially have to question that. Now that we know something happened, how do we know?
04:12
So we're going to identify what happened. The who? What, When, where? How will we asked ourselves the question. Is this actually an incident?
04:21
Often times of this may happen, and they may not may not rise to the level of something being an incident. So does the event violate any principle of that? See a triad of that confidentiality integrity, your availability of data on your network,
04:40
and hopefully those things will be laid out in your incident. Response.
04:44
Pause. But if not, it's important to ask those questions.
04:47
And then what? You determined that it is an incident that it does violate some principle of that CIA triad.
04:56
You have to ask yourself how serious of a problem is that incident? So if it's fishing with no data loss, it may just war. Essentially blocking that sender's email address.
05:10
AARP. It's Adidas attack that shuts down your network. You're obviously gonna have to spend up a lot more of your incident spots
05:16
personnel to essentially deal with that, and you'll probably calling your I S P provided to essentially have some assistance in blocking that large amount of traffic that's coming into your network.
05:30
And then, obviously, once you're starting to respond to these incidents, it's important to follow your organizational procedures and policies as required.
05:43
So after we've kind of figured out that plan of action, the next thing that we're gonna have to do is to react to that incident. So been reacting to that incident with kind of proven that down into simple, easy to remember
05:59
process is the first step that are is to review the policies and procedures. Keep hammering on that
06:05
policy and procedures, and that just shows the necessity and the importance of having good policies and procedures in place. So after you've done that, we're going to evaluate the situation determined. Given what we talked about, who, what, when, where, why, how
06:25
of the situation?
06:27
The next step is to avoid panic so often times with when something happened such a very serious incident. Ah, lot of people want to panic and make rash rash decisions. Eso avoiding panic thinking through the process. Logically, coming up with a good solution
06:46
is a very, um,
06:47
sporting step.
06:48
Collecting information is obviously going to help us come up with that solution to the problems, just like G I, Joe said. Knowing is half the battle, the Maur information that you've been collecting them, or information that you know about an incidental help. Taylor that response to the incident.
07:09
And lastly,
07:10
after you collect that information and you haven't understanding of the exact situation it's occurring. You'll want to take the appropriate action.
07:18
But obviously, if you don't follow the aforementioned steps and reviewing your policies and procedures, knowing and understanding the situation, not panicking and not collecting any information about the incident, it's very difficult to come up with the appropriate action and take. So it's very important to follow that react
07:39
principle
07:40
in that step action that's out.
07:44
So looking at the reactor principle a little more in depth.
07:48
Don't talk about the first process, which is reviewing the policies and procedures.
07:54
So any time that there is an incident,
07:56
you want to locate the policy that addresses incident response
08:00
and then you wanna look at the incident response procedures.
08:03
So in those different procedures,
08:05
it should stay what is and what is not allowed. It should kind of get the playbook. Who to call or not to call, especially if you've got a large enterprise. So maybe if you're in the United States, you've got someone in Mongolia. Are you got someone in China?
08:24
There may be other individuals that you're gonna have to call in a part of that incident response
08:30
plan of reaction. So knowing who to call, knowing what what policies and procedures toe access are very important
08:39
on. And then the question is, what if you don't have any incident response policies and procedures? What do you do at that point in time? And who you calling who can make make some type of decision in order to start beginning to work this incident on remediated?

Up Next

Incident Response and Advanced Forensics

In this course, you will gain an introduction to Incident Response, learn how to develop three important protection plans, perform advanced forensics on the incident, deep dive into insider and malware threats, and commence incident recovery.

Instructed By

Instructor Profile Image
Max Alexander
VP, Cybersecurity Incident Response Planning at JPMorgan
Instructor