Time
7 hours 36 minutes
Difficulty
Advanced
CEU/CPE
7

Video Description

This lesson covers the Evaluate step of the REACT principle. In the wake of an incident, it is important to figure out whether it is over, what type of incident it was and which assets were involved, assess any damage, and review any relevant changes to your site's configuration. Using the steps of the scientific method (ask a question, do background research, form a hypothesis, test it, analyze the results, report), you can answer the questions that come up in the evaluation process should an incident occur. This method can answer a number of why and what questions, such as why is my machine slow and what do others have to say about slow systems? Finally, do not panic if an incident happens: panicking can destroy evidence, tip off the attacker, or lead you past your own limitations, all of which impede necessary action.

Video Transcription

00:04
So everything that we just finished talking about covers the R portion of the REACT principle. So after we've done that, the next portion of REACT is to evaluate.
00:16
So in evaluating an incident, one of the first questions that you want to ask is: is the incident over? That helps kind of focus the sense of urgency.
00:26
If something has already happened and it's no longer a threat to your system, you still may want to investigate it, but the sense of urgency may or may not be there. So evaluating
00:38
if the incident is over, what type of incident occurred,
00:42
which goes into the next portion of the incident:
00:46
what major assets were involved?
00:48
Is this something that is just isolated to one computer system, or does it span multiple computer systems? Does it span multiple geographic areas? That is very important to consider. And the next thing is to evaluate what type of damage was caused.
01:04
So essentially you have a phishing incident
01:08
and it was isolated, no one clicked on the link; or if you've had a virus detection,
01:17
but your antivirus software was able to essentially quarantine that virus, then the incident, for all intents and purposes, is likely over and caused little to no damage.
01:29
So that will help tailor the actual response that you're going to provide to that incident,
01:34
and then: is continued operation possible or required? So if this is going to impact your business continuity, if it's going to shut down operations, obviously that's going to be something that takes that incident and places it at a higher level of authority.
01:53
And then, as time progresses and you're gathering more information, you want to do a re-evaluation of any and all relevant changes to your site's configuration. So you're essentially trying to rule out bad configuration, bad assumptions and operator error.
02:10
So as part of that evaluation process, a method that I like to use is essentially the scientific method. So because of science, we're able to
02:20
answer some of these questions in our evaluation process.
02:24
So the first step of the scientific method
02:28
is essentially to ask a question.
02:30
Why?
02:32
So asking that question well will essentially help you come up with answers to that question. As soon as you pose that initial question for research, you're going to do some background research: what have others said? What indicators might I see if I were to expect something to happen?
02:52
And then we're going to construct that hypothesis, essentially a statement that is going to answer our research question.
03:00
So I think someone has infiltrated my network. Has someone infiltrated my network?
03:07
I might do a little bit of background research to see what those indicators of compromise might look like. Based on the limited amount of evidence that I have, I will construct that hypothesis: that I do, in fact, believe someone has infiltrated my network.
03:23
I'm going to essentially test that with an experiment,
03:25
so I'm going to gather up all of the available data that I have and conduct my investigation,
03:32
then I'm going to analyze those results. What do they tell me? Was someone able to actually penetrate my network? So if that hypothesis essentially was proved true, I can then go ahead and report those results,
03:49
and I could essentially start taking steps
03:53
to mitigate that incident. However, if I find that my hypothesis was false or only partially true, I might want to go back and construct another hypothesis. It does not necessarily mean something didn't happen; I just may be incorrect on what I essentially guessed
04:12
the first time.
04:13
And I may want to go back and test yet one more time for something else. So essentially, that scientific method helps us evaluate and ask the right questions, so that hopefully we can come up with the right answer.
04:26
So we kind of talked about that scientific method. Another example of that scientific method in action is the asking of the question: why is my machine slow?
04:36
And then we're going to do that initial research: what do others say about slow systems? What indicators can I look at?
04:45
We may do a cursory examination of that system to gather some slight indicators to help us formulate a better hypothesis. So based on the observable information that we've come up with about slow systems, and about what other people have said about slow systems, we hypothesize that I have a virus.
05:03
The virus is therefore causing my system to be slow.
05:08
So in order to test that hypothesis,
05:11
I'm going to run a virus scanner. I'm going to examine suspicious files. We'll get into some of this a little bit later in our malware analysis,
05:19
and then, based on the hypothesis testing and the evidence that I have from testing that hypothesis:
05:27
Is the hypothesis confirmed, or is it unconfirmed?
05:30
If I'm able to confirm that hypothesis, I can report the results. But sometimes the results of an unconfirmed hypothesis are just as important.
05:39
So if I have confirmed that I don't have malware, that's just as important as the fact that I do.
05:46
But also, if the hypothesis is unconfirmed and it's slightly fuzzy as to whether or not I do or don't have a virus, and I haven't answered the question as to why my machine is slow, I may want to go back and conduct another
06:03
test, reformulate another hypothesis to help answer additional
06:08
questions as to why my machine is slow.
06:11
And it could be that there may be more than one cause of why my machine is slow. So just because I found an answer to one question
06:20
or to one hypothesis, it doesn't necessarily mean that that's the only thing that is making my machine slow. So the scientific method helps us answer these questions in a logical fashion in order to prevent us from spinning our wheels
06:40
and going in 50 different directions.
06:44
So now that we've maybe answered some of the questions using the scientific method, we can go on to the other essential elements of response. That is: don't panic.
06:57
So if we figure out something has happened and we kind of formulated what we think may have occurred, the next thing we want to do is not panic. So if we've discovered elements of an incident, the first thing that we want to do is not to trash the crime scene,
07:13
not to trash all of the evidence that we may have
07:16
in order to help us remediate that, or take this case to prosecution if we really need to. So not trashing the crime scene, preserving that evidence, is a very key step.
07:30
We also want to practice good operational security.
07:33
So if this is something that we want to essentially investigate and not tip off the potential attackers, hackers or potential criminal actor that has caused this incident,
07:48
panicking, taking actions that violate operational security, that essentially notify the
07:57
perpetrator of this act that we're investigating it, can lead them to stop taking actions, or they might actually start destroying evidence. And then knowing our limitations: so if we go into a scene and we're nervous or we're scared
08:15
about responding to this incident,
08:18
if we don't know how to properly respond to this, we can actually make the situation worse. So, as Clint Eastwood said, a man's got to know his limitations. So that's a very important aspect when responding to incidents.

Up Next

Incident Response and Advanced Forensics

In this course, you will gain an introduction to Incident Response, learn how to develop three important protection plans, perform advanced forensics on the incident, deep dive into insider and malware threats, and commence incident recovery.

Instructed By

Max Alexander
VP, Cybersecurity Incident Response Planning at JPMorgan
Instructor