Part 7 - What does an Incident Response team do?

00:04

So, lastly, we're gonna talk about what does this incident Response team do? We've covered quite a bit of topics throughout this throughout this section

00:14

of the course. So essentially an incident response team at the first level is going to be responsible for intrusion detection.

00:22

So that first hear an incident response team often assumes the responsibility for that intrusion. Detection

00:30

on the team generally

00:32

benefits because it should be poised to analyze incidents more quickly and accurately

00:37

based on the knowledge gains of intrusion detection technologies. So that's at the very lowest first year level.

00:44

So after there's already been an incident detective,

00:48

the response and remediation process would come next. And that's where the team would essentially go in and respond to that incident. Become aware of it, investigate what's going on and then determine how the incident should be remediated in order to keep it from spreading. Are getting wars

01:07

the next kind of phase that the Incident Response Team would be response before his advisory distribution.

01:15

So a team may issue advisories within the organization regarding new vulnerabilities threats so automated methods should be used whenever appropriate to disseminate information. So, for example, the National Vulnerability database provides information via XML. Our access feeds

01:34

with new vulnerabilities were added to it,

01:36

so advisers are often most necessary with new threats are emerging, such as high profile social or political events. So celebrity wedding that Attackers were likely going toe leverage and social engineering.

01:49

Only one group within the organization organization should distribute computer security advisories

01:55

to avoid duplicated effort. Conflicting information. So, depending on how your team was organized,

02:00

you may have an incident response team that is also charged with these advisory distributions are you may have, like a threat intelligence aspect separate from your incident response team. That regard was that that entity that sends out this information should be coordinated

02:19

on it should be coming out from one person. So

02:22

again, the policy should state who within the organization, his response.

02:25

Oops.

02:28

The other aspect of what incident Response team's our response before education and awareness. So education awareness, essentially our resource multipliers. More users and technical staff know about detecting reporting, responded to incidents, the less grain that there's going to be.

02:46

I just read an article the other day that about 40% of people who received some type of fishing

02:52

email click on the link, regardless of whatever is in the email, so still involves educating those employees because that 40% out there, that's that's we're probably gonna spend 90% of your time, if not more so. Getting those individuals educated about what to do

03:12

is very important.

03:14

And lastly, information share

03:15

So Incident Response Team's often participate in information sharing groups such as Saca's or regional partnerships. According according the incident Response Team's often manage the organization's incident response sharing efforts.

03:31

They made aggregate information related to incidents and share that information with other organizations

03:38

and ensure that pertinent information is shared within the enterprise. So we'll go into that a little bit later. A CE faras threat, intelligence and information sharing and reporting. But overall, I knew this was a was a long section, but it's a very important section.

03:53

Obviously, people just want to start diving into the incident response, but

03:58

important to have that policy established first.

04:00

If you don't have that policy in place, they often do something wrong, may violate policies or the law. Or you may put the company organization our interview that you're working for at risk, so it's very important to have this policy codified. Everyone in the Incident

04:19

Response team be aware of

04:21

policies, rules of regulations that they're supposed to follow an order to ensure a cohesive incident. Response.