Time
7 hours 36 minutes
Difficulty
Advanced
CEU/CPE
7

Video Description

This lesson discusses the role of communication with law enforcement officials and how it ties into responding appropriately to an incident. Following an incident, only specifically appointed people should be permitted to communicate with law enforcement, and the organization should not contact multiple agencies, as this could result in miscommunication and conflict. In addition to communicating with law enforcement, organizations might need to communicate with outside parties such as:
· ISPs
· Owners of attacking addresses
· Software vendors
· Other incident response teams
· Affected external parties

Video Transcription

00:05
So here's an example of what essentially,
00:09
someone might consider to be a very simple question.
00:13
However, the answer to the question doesn't necessarily turn out to be the best
00:21
when it comes to establishing your world view. I was curious what newspapers and magazines did you regularly read before you were tapped for this, to stay informed, to understand most of them again with a great appreciation for the press, for the media. What specifically, I'm curious,
00:40
all of them, any of them that have
00:43
been in front of me over all these years. I have a vast variety of sources where we get our news. Alaska isn't a foreign country where it's kind of suggested, it seems like, "How could you keep in touch with what the rest of Washington, D.C., may be thinking and doing when you live up there in Alaska?"
01:03
Believe me, Alaska is like a microcosm of America.
01:07
So obviously that wasn't the best response that she could have possibly given. I'm sure that Sarah Palin has
01:18
talked to the media at least once or twice in the past. I kind of know some of the questions that they might be asking, so it could have been good for her to maybe prepare a statement ahead of time, or at least think of some of the questions that could be asked, and also
01:34
it essentially was a very simple question that turned out to have a long and drawn-out answer
01:41
that didn't really cast her in the best possible light. So essentially, Katie Couric was just asking for Sarah Palin to name one newspaper, any newspaper, and
01:52
maybe she was flustered, but she wasn't able to provide an answer, and it didn't make her look the best.
01:57
So, uh,
01:59
moving on, communicating with law enforcement might also be something that an organization would have to do, depending on the type of incident that you're going to encounter.
02:13
So law enforcement should also be contacted through designated individuals in a manner consistent with the requirements of the law enforcement agency and the organization's procedures.
02:23
You may also want to have a designated person do this, again like with the media: someone who is familiar with contacting law enforcement, someone who knows the questions that law enforcement asks,
02:35
and it just helps build relationships. So many organizations prefer to appoint one incident response team member as the primary point of contact with law enforcement.
02:46
And this person should be familiar with the reporting procedures for all relevant law enforcement agencies and prepared to recommend which agency, if any, should be contacted.
02:55
And note that the organization typically should not contact multiple agencies because doing so might result in jurisdictional conflicts.
03:05
So again, it's just important to have in that policy who contacts law enforcement, when they should contact law enforcement, and what issues they should report. So that's essentially just going back and making sure that's codified in your incident response policy.
03:22
So communicating with outside parties, we've talked about the media. We've talked about law enforcement organizations. There may be other entities that you're going to have to communicate with
03:34
outside of the organization.
03:37
One of the first ones will be your ISP. So an organization may need assistance from its ISP in blocking a major network-based attack and/or tracing its signal,
03:47
so it would be common that someone within the incident response team has to communicate with the ISP. So it might be beneficial to the organization to figure out points of contact for that ISP for certain types of events. That way it streamlines the process for dealing with
04:08
the incident
04:09
and then owners of attacking addresses. So oftentimes,
04:14
uh, when the organization is attacked, it may not be
04:17
from within the organization. It will probably be from outside of the organization.
04:23
So essentially they're going to have to communicate with maybe another organization's ISP. So if the attacks are originating from an external organization's IP address space, incident handlers may want to talk to the designated security contacts for your organization
04:39
to alert them to the activity or to ask them to collect evidence.
04:43
It is highly recommended to coordinate such communications with US-CERT
04:47
or some other type of entity that deals with incident response. So
04:53
whoever your organization designates to report to and coordinate with, it's important to get with that entity in order to help coordinate that response for an external ISP.
05:08
You may also want to talk with software vendors. Incident handlers may want to speak with a software vendor about suspicious activity that they're seeing within software.
05:16
This contact could include questions regarding the significance of certain log entries or known false positives for certain intrusion detection signatures.
05:26
Minimal information regarding the incident may be needed or need to be revealed.
05:30
More information may need to be provided in some cases, for example, that the server appears to have been compromised through an unknown software vulnerability. You would want to go back to that software vendor to see if they maybe knew of the vulnerability, or if there is some type of patch that you can implement.
05:48
And software vendors may also provide current information, such as newer threats, to help organizations
05:55
understand their threat environment. So, essentially, it's just building that network. Obviously, if you could go out and talk to the software vendors before you had an incident, that would generally be the best way to handle that.
06:08
You may also want to talk with other incident response teams, so an organization may experience an incident that is similar to the ones handled by other teams. So proactively sharing this information facilitates a more effective and efficient incident response handling procedure, so
06:27
talking to other teams can provide advance warning that could increase your preparedness and
06:30
helps you develop some type of situational awareness. So groups such as the Forum of Incident Response and Security Teams, FIRST, or the Government Forum of Incident Response and Security Teams, GFIRST, and then the Anti-Phishing Working Group are common incident response teams,
06:49
and they promote information sharing among
06:51
each of the groups.
06:54
So you may also have to communicate with external affected parties. An incident may affect external parties directly. For example, an outside organization may contact your organization and claim that one of the organization's users is attacking them, so
07:12
that may be something that you'll have to deal with as well.

Up Next

Incident Response and Advanced Forensics

In this course, you will gain an introduction to Incident Response, learn how to develop three important protection plans, perform advanced forensics on the incident, deep dive into insider and malware threats, and commence incident recovery.

Instructed By

Max Alexander
VP, Cybersecurity Incident Response Planning at JPMorgan