Part 4 - The REACT Principle



Time: 7 hours 56 minutes
Difficulty: Advanced
CEU/CPE: 7
Video Description

This lesson covers the REACT Principle. In the wake of an incident, it is important to figure out whether it is over, what was involved, what damage was caused, and what changes were made to your site. Using the steps of the scientific method, you can answer the questions that arise during the evaluation process, including "why" and "what" questions such as "Why is my machine slow?" and "What do others have to say about slow systems?" Finally, do not panic if an incident happens, as panic impedes necessary action.

Video Transcription
Everything that we just finished talking about covers the R portion of the REACT principle. After we've done that, the next portion of REACT is to evaluate.

In evaluating an incident, one of the first questions that you want to ask is: is the incident over? That helps focus the sense of urgency. If something's already happened and it's no longer a threat to your system, you still may want to investigate it, but the sense of urgency may or may not be there.

After evaluating whether the incident is over and what type of incident occurred, that goes into the next portion of the evaluation: what major assets were involved? Is this something that is just isolated to one computer system, or does it span multiple computer systems, or even multiple geographic areas? That's very important to consider.

The next thing is to evaluate what type of damage was caused. If, essentially, you have a phishing incident and it was isolated and no one clicked on the link, or if you've had a virus detection but your antivirus software was able to essentially quarantine that virus, the incident, for all intents and purposes, is likely over and it caused little to no damage. That will help tailor the actual response that you're going to provide to that incident.

Then: is continued operation possible or required? If this is going to impact your business continuity, if it's going to shut down operations, obviously that's going to be something that takes that incident and places it at a higher level on our priority list.

As time progresses and you're gathering more information, you want to do a re-evaluation of any and all relevant changes to your site's configuration. So you're essentially trying to rule out bad configuration, bad assumptions, and operator error.

As part of that evaluation process, a method that I like to use is essentially the scientific method, because with science we are able to answer some of these questions in our evaluation process. The first step of the scientific method is essentially to ask a question: why? Asking that question will essentially help you come up with answers to that question. As soon as you pose that initial question for research, you're going to do some background research. What have others said? What indicators might I see if I were to expect something to happen?

We're going to construct that hypothesis, essentially as a statement that is going to answer our research question. "I think someone has infiltrated my network," or, "Has someone infiltrated my network?" I might do a little bit of background research to see what those indicators of compromise might look like. Based on the limited amount of evidence that I have, I will construct the hypothesis that I do in fact believe someone has infiltrated my network, and go test that with an experiment. I'm going to gather up all of the available data that I have, I'm going to conduct my investigation, and then I'm going to analyze those results. What did they tell me? Was someone able to actually penetrate my network?

If that hypothesis was essentially proved true, I can then go ahead and report those results, and I can essentially start taking steps to mitigate that incident. However, if I find that my hypothesis was false or only partially true, I might want to go back and construct another hypothesis. It does not necessarily mean something didn't happen; I may just have been incorrect on what I essentially guessed the first time. I may want to go back and test yet one more time for something else. That scientific method helps us evaluate and ask the right questions. Hopefully, we can come up with the right answer.

So again, we've kind of talked about that scientific method. Another example of that scientific method in action is asking the question: why is my machine slow? We're going to do that initial research of: what do others say about slow systems? What indicators can I look at? We may do a cursory examination of that system to gather some slight indicators to help us formulate a better hypothesis. Based on the observable information that we've come up with about slow systems, and about what other people have said about slow systems, we hypothesize that I have a virus, and the virus is therefore causing my system to be slow. In order to test that hypothesis, I'm going to run a virus scanner and I'm going to re-examine suspicious files. We'll get into some of this a little bit later in our malware analysis.

Based on the hypothesis testing and the evidence that I have from testing that hypothesis: is the hypothesis confirmed, or is it unconfirmed? If I'm able to confirm that hypothesis, I can report the results, but sometimes the results of an unconfirmed hypothesis are just as important. If I've confirmed that I don't have malware, that's just as important as the fact that I do have malware. But also, if the hypothesis is unconfirmed and it's slightly fuzzy as to whether or not I do or don't have a virus, and I haven't answered the question as to why my machine is slow, I may want to go back and conduct another test, reformulate another hypothesis, to help answer additional questions as to why my machine is slow. It could be that there may be more than one cause as to why my machine's slow. Just because I found an answer to one question, or to one hypothesis, it doesn't necessarily mean that that's the only thing that is making my machine slow. The scientific method helps us answer these questions in a logical fashion in order to prevent us from spinning our wheels and going in 50 different directions.

Now that we've answered some of the questions, or haven't answered some of the questions, using the scientific method, we can go on to the other essential elements of response. That is: don't panic. If we figure out that something has happened and we've kind of formulated what we think may have occurred, the next thing we want to do is not panic. If we've discovered elements of an incident, the first thing we want to do is not to trash the crime scene, not to trash all of the evidence that we may have in order to help us remediate that and/or take this case to prosecution if we really need to. Not trashing the crime scene, preserving that evidence, is a very key step in doing that.

We also want to practice good operational security, if this is something that we want to essentially investigate and not tip off the potential attackers, or hackers, or potential criminal actor that has caused this incident. Panicking, or taking actions that violate operational security and essentially notify the perpetrator of this act that we're investigating it, can lead them to stop taking action, or they might actually start destroying evidence.

Then, knowing our limitations. If we go into a scene and we're nervous or we're scared about responding to this incident, if we don't know how to properly respond to this, we can actually make the situation worse. As Clint Eastwood said, "A man's got to know his limitations": a very important aspect when responding to incidents.