So, moving on from the react portion of incident response to the respond portion.
We have principles that essentially correlate to the response, and those are contain, remediate and ensure. So as part of the contain portion, you want to stop the threat. So quarantine the virus, or take the affected systems offline, or inform users to take certain actions like
perhaps changing their passwords.
The next thing that we want to do as part of respond is to remediate that incident. So that could be removing the virus, or entering unlock codes, or it could be re-imaging a system that is infected.
And the next thing we want to do is ensure that the incident does not occur again under the same or similar circumstances.
So that could be patching the system for that vulnerability, educating users not to click on every link that they receive in their email, or it could be reconfiguring our firewall settings.
Now, moving on from our respond portion, we're going to get into the after action.
So during the after action phase, we're going to review what happened.
So we're going to essentially start from the very beginning of the incident, we're going to create a timeline, and we're going to list the steps that we have taken in responding to and remediating that incident, and list the outcome that we've achieved.
And then we're going to look at what happened after we remediated that incident. We're going to implement new security policies and procedures as needed.
So we're going to look at why we had an incident occur. Was it something within our policy or our procedures that essentially enabled a malicious actor to take advantage of some vulnerability that we have, or do we need to increase security at some level? So if we do that analysis,
we go back to our policy,
looking at the vulnerabilities that we have and the likelihood of something occurring,
and ask how much more security we need to devote to prevent such an event from occurring in the future.
Then we're going to document everything that we've done, so we have this for historical purposes. So if we have a similar incident in the future, we kind of have a blueprint for how to respond to that. We're going to report this. So if you have a separate intelligence team
and they're not already tied into your incident
response, you're going to want to give them that report of what happened. And also, you may want to share that with the rest of the community. So you're going to want to give this to US-CERT, or the equivalent teams for the area you work in, or if you have
cooperation with other organizations within your community, you're going to want to share that information with them, so that they may also reciprocate in the future when they have an incident and will provide you information, so you could hopefully not have the same thing happen to you.
And then lastly, you're going to want to educate your workforce. So if something has occurred, particularly if it's a problem within the workforce that you observed, you're going to want to create those new policies and procedures and educate them on how to prevent this from occurring in the future.
Or if you've determined that something happened because of a policy and procedure failure,
and you've had to create a new one, you're going to want to educate the workforce on that new policy and procedure.
So this kind of wraps up our discussion on the basic principles and procedures of responding to an incident. So we talked about the react principle
of reviewing the policies and procedures that apply to incident response after we've had something occur. Then we're going to evaluate that situation. So as part of that evaluation, we talked about using the scientific method to essentially ask good questions
and get answers to our research questions and hypothesis.
We talked about not panicking. So sometimes if we have an incident that occurs, panicking will actually make the situation worse.
And then collecting the information that is available, so we can formulate the best type of incident response that's possible, and then taking the appropriate steps and actions.
And then, as we're doing these steps and actions, we want to make sure that we maintain the integrity of the scene and operational security, so that the actions we take don't actually tip off the attacker or hacker that has penetrated our networks that some type of action has been taken,
so we don't want to inform them of the plans that we are hopefully going to take.
And we talked about getting help. Oftentimes, incidents may be very large in magnitude, and we may not have the expertise on staff
to essentially remediate and investigate the incident as is required, so we may have to go out and get outside help, or find help from within your own organization to remediate these incidents. And then lastly, we talked about responding, which essentially covers containing the incident,
remediating, and ensuring that the incident doesn't happen again.
And to help ensure that the incident doesn't happen again, you're going to do an after action review, kind of detailing everything that happened during that incident and the steps and actions that were taken, and we're going to identify the cause of that incident.
And then once you've identified that cause, you may end up having to go in and change policies and procedures to help prevent that from occurring, or you may need to go back in and educate your workforce on the potential actions that they can take to help
prevent the incident from occurring again. Or if you've changed certain policies and procedures,
you may also have to go back in and educate that workforce on those new policies. So this concludes our discussion on the incident response procedures; it just kind of provides that basic overview. So I hope you've enjoyed the class,
and join us on the next topic of discussion, which is the legal aspects
of incident response.