Part 7 - The Respond Part of Incident Response

Video Activity

This lesson covers the respond aspect of incident response, which consists of: Contain, Remediate, Ensure. Following action, take the following steps: Review, Implement New Security Policies/Procedures, Document/Report, Educate.


Time: 7 hours 56 minutes
Difficulty: Advanced
CEU/CPE: 7

Video Transcription
Moving on from the React portion of incident response to the respond portion, we have three principles that essentially correlate to the respond portion, and those are contain, remediate and ensure. So as part of the contain portion, you want to stop the threat: quarantine the virus, or take the affected system offline, or inform users to take certain actions, like perhaps changing their passwords. The next thing that we want to do as part of respond is to remediate that incident. So that could be removing the virus, or entering unlock codes for malware, or it could be re-imaging a system that is infected. The next thing we want to do is ensure that the incident does not occur again under the same or similar circumstances. That could be patching the system for that vulnerability, educating users not to click on every link that they receive in their e-mail, or it could be re-configuring our firewall settings.

Then moving on from our response portion, we're going to get into the after action. During the after action phase, we're going to review what happened. We're going to essentially start from the very beginning of the incident. We're going to create a timeline, and we're going to list the steps that we have taken in responding to and remediating that incident, and list the central outcome that we've achieved. Then we're going to look at what happened after we remediated that incident. We're going to implement new security policies and procedures as needed. We're going to look at why we had an incident occur. Was it something with our policy or procedures that essentially enabled a malicious actor to take advantage of some vulnerability that we have? Or do we need to increase security at some levels? So if we do that analysis, we'd go back to our policy. We're looking at the vulnerabilities that we have and the likelihood of something occurring. How much more security do we need to devote to prevent such an event from occurring in the future?

Then we're going to document everything that we've done. We have this for historical purposes. If we have a similar incident in the future, we have a blueprint on how to respond to that. We're going to report this. So if you have that separate threat intelligence team and they're not already tied in to your incident response, you're going to want to give them that report of what happened, and also you may want to share that with the rest of the community. You're going to want to give this to the US CERT team. Or if you essentially have teams, or if you have cooperation with other organizations within your community, you're going to want to share that information with them, so that they may also reciprocate in the future: when they have an incident, they'll provide you information so you can hopefully not have the same thing happen to you.

Then lastly, you're going to want to educate your workforce. If something has occurred, particularly if it's a problem within the workforce that you observed, you're going to want to create those new policies and procedures and educate them on how to prevent this from occurring in the future. Or if you've determined that something happened because of a policy and procedure failure, and you've had to create a new one, you're going to want to educate the workforce on that new policy and procedure.

This wraps up our discussion on the basic principles and procedures of responding to an incident. We've talked about that react principle of reviewing policies and procedures that apply to incident response after we've had something occur, and we're going to evaluate that situation. As part of that evaluation, we talked about using the scientific method to essentially ask good questions and get answers to our research questions and hypotheses. We've talked about not panicking. Sometimes if we have an incident that occurs, panicking will actually make the situation worse. Then collecting information that's available, so we can formulate the best type of incident response that's possible. Then taking the appropriate step actions, and as we're doing these step actions, we want to make sure that we maintain the integrity of the scene and operational security. Some of the actions that we take can actually tip off the attacker or hacker that has penetrated our networks or has caused some type of action. We don't want to inform them of the plans that we are hopefully going to take. Then we talked about getting help. Oftentimes, incidents may be very large in magnitude, and we may not have the expertise on staff to essentially remediate and investigate this incident as required. We may have to go out and get outside help, or find help from within your own organization to remediate these incidents.

Then lastly, we talked about responding, which essentially covers containing the incident, remediating, and ensuring that that incident doesn't happen again. To help ensure that that incident doesn't happen, you're going to do an after action review, detailing everything that happened during that incident and the step actions that were taken, and we're going to identify the cause of that incident. Then once you've identified that cause, you may end up having to go in and change policies and procedures to help prevent that from occurring. Or you may need to go back in and educate your workforce on the potential actions that they can take to help with the incident or to prevent the incident from occurring again. Or if you've changed certain policies and procedures, you may also have to go back in and educate that workforce on those new policies.

This concludes our discussion on the incident response procedures. It just provides that basic overview. I hope you've enjoyed the class, and join us on the next topic of discussion, which is the legal aspects of incident response.