Time
7 hours 33 minutes
Difficulty
Advanced
CEU/CPE
8

Video Transcription

00:01
Hello and welcome back to Cy Berries. Cop Tear
00:05
Certified a van Security practice. Ners certification. Preparation course.
00:11
This is, in fact, a continuation off marginal 11 which is title incident with Spun. Let's
00:18
here again are the objectives which encompasses this particular module. Let's not turn out to to order the discussion off section to participate in incident handling.
00:31
Now let's take a look at the loon objectives and the order in which it would be covered during this particular presentation.
00:37
And they are, as follows begin by First are discussing Discovery,
00:42
escalation, reporting and feedback loops,
00:45
instant response and last but not certainly so which implementation off counter marriages
00:52
before we get going with this particular presentation, perhaps, is most appropriate if we will begin by First of all, taking a look at this pre assessment course, too.
01:00
And the question is as follows. What is the first step in instant response is a preparation.
01:07
Be detection,
01:08
See containment, eradication of recovery or D analysis.
01:14
The Christmas ball should have been a preparation.
01:21
Let's not turn out to tour discussion of an instant response policy.
01:25
The response policy is part of the overall Artie security policy for an organization.
01:30
In fact, it into a spaz plan is a systematic and documented method of approaching and Manu situation resulting from Artie. Security incidents
01:40
or breaches is used in an enterprise I t m vomits and facilities to identify with spawn limit and counteract security incidents as they occur.
01:51
The incident was from this policy is in fact, part of the overall Artie security policy for the organization.
01:57
It's ah, high level document. That journal includes all aspects of the organization and all geographical location were very large organization that spang globally diverse countries or that includes independent operating units or division. A number and a response policy might be written to address individual locations or
02:17
corporate requirements.
02:21
This brings us to again taking a look at the very stages which we're gonna take a look at each one of these, ranging from preparation, detection, analysis, containment and eradication of recovery. Then we have post incident activities as well.
02:36
Now the National Institutes standard, or NOUS, is the physical size laboratory and a non regulatory agency of United States commerce. Its mission is to promote innovation and industry competitiveness. Now, within the phase of its response, we have the following that preparation, detection, analysis,
02:53
containment, eradication, recovery and post incident activity.
02:58
The response process has several phases. The initial phase involved establishing and training and
03:04
instant response team and acquired the necessary tools on resource is
03:07
during preparations. Organization also attempts to limit the number incident that will occur by selecting implement a set of controls
03:15
based on the results of a risk assessment. However,
03:20
despite your best effort, you're gonna still have incurred what we call residual risk. We continue possessed after controls are implemented. Detection of security breaches dust necessary to alert the organization whenever instance occur.
03:32
In keeping with the severity of the incident, those this kid mitigate the impact by containing it
03:38
and ultimately recovered from it.
03:40
Doing his face activities often cycle back to detection analysis, for example to see a district hosts are infected by mayor. Well, why eradicating the mayor were instant. Athens is adequately handled. Those this incident report that detailed causing and cause of the incident
04:00
and a step so they should take to prevent future incidents.
04:04
Then we take a look at detection analysis.
04:06
First of all, you determine whether instead has occur. You wanna analyze the precursors and indicators look for correlated information. You will perform your research, our search engines. Other words. Employee what we call knowledge base
04:21
as soon as a handler believes and has a current
04:25
begin the prices of document investigation and gathered the evidence. You wanna prioritize handling the instant based on relevant factors such as a focal impact,
04:34
information impact recovery efforts and so forth.
04:39
You wanna report incident to the pope, internal personnel and external organization as well.
04:45
The next one won't take a look. It's called containment and eradication and recovery.
04:48
Containment is an important is important before instant overwhelms, the resource is or increased damage.
04:56
Most instances require containment so that in an important consideration early in the course of having each incident,
05:02
containment provides time for developing a teller. Remediation of strategy
05:06
and a central part of containment is decision making. Other words shut down the system disconnected from my network disabled certain function. Such decisions are much easier to make. If there are predetermined strategies and procedure for containing the incident
05:23
orders, they should define acceptable risk in dealing with incidents and develop strategies accordingly.
05:30
Then we come to our post incident activities, one of most important pause of an instant response is also most often a minute
05:38
learning and improving
05:40
each isn't response. Team should evolve to reflect new threats, improved technology and also an improbable we call lessons learnt.
05:47
Holding a lesson learned meeting with all involved parties after a major isn't an optional option. In other words, periodically came. Obviously, he can lessen. Instance, as with sources permit and could be extremely helpful. And you improving your security marriages and instant Helen process itself,
06:05
multiple incidents can be covered in a single lesson learned meeting. This meeting provides a chance to achieve other words to review what current, what was done to intervene and how well intervention work. That meaning should also be held within days of the enemy incidents and coarse and should be acid doing that process as well.
06:27
This brings us to insert response. Planning
06:29
in response plan includes identification, off
06:32
classification off and response to an incident. Our tax classified it isn't if they are directed against your infamous assets, they have a realistic chance of success.
06:43
Could threaten your confident galleon ticket availability of your information resource is and some responses more reactive than proactive. With the exception of planning that must secure to prepare your instant response team to be ready to react to an incident.
06:58
Continue on without incident response planning.
07:00
You also need to have a policy and that possum was identified a following key components
07:05
statement of management, commitment, purpose and objective of the policy scope of the policy. You must also discuss the definition of infinite info, say incidents and related terms.
07:16
You also encompasses organization, structure, privatization or severity. Reading of the incidents performance measures, as was reporting and contact forms.
07:28
Continue our discussion of instant response planning. When you look, at instance, planning because again planning is everything. If you fail to plan, you plan to fail. So when you look at instant planning,
07:39
predefined response is what they do that Abel your organization to react quickly and effectively to Detective Vince. If, for example, though just has an instant response team
07:48
and the older guys can detect the incident,
07:50
you're in some spots. Team consists of individuals needed to handle systems as incidents take place.
07:57
Your instant response plan also has you have to look at the format. The content, the storage as well is testing because no planets good unless of course you have adequately tested the plan.
08:09
Isn't Detective Discovery Most common occurrences complained about technology support, often in liver to the help desk?
08:16
Careful trainers need to quickly identify and classify the incident. Once the incident's been properly identified, Don's just respond and I'll respond. Nansen indicators may also Barry as well.
08:30
Instant reaction consists of actions that got don't they stopped incident, mitigates the impact and provide information for recovery. The action must quickly occur. Other words. You must notify your key personnel. You must also document the incident as well.
08:46
Incident containment strategies. Containment of the instant scope or impact as it should be your first priority. It must then determine which in Mrs system obviously didn't affect it.
08:56
The owners. This can stop incident an attempt to recover through a number of different strategies
09:03
now, before continuing with instant recovery. One since has been contained and call every guy in the next stage. Is recovery
09:09
the first task? Identify him resources that it needed launched him into action. The full extent of the damage must also be assessed. Doing that point in time organization repair, it must also engage in the prices of repairing it vulnerabilities address in in your short comments in the safeguard and restore the data and service is off the systems.
09:30
They may also be a situation where you need to escalate the incident. The Escalation Mansion involves transferring issue to a higher level management a common example among organization. My existence follow you may have within your internal you have. Your senior management may also have to excavate that escalate that situation.
09:48
Too much hard toys, in some
09:50
example, will be online and security. You may have some regulatory agencies that you have that that could impact your say. For example, you could be P. C. I, particularly dealing with credit cards. You might also notify or escalate that to the point where you need to look. Notify law enforcement, as was your customers.
10:09
Imitation counter marriages. When you think about accounting manager is an action taken, the counter offset. A threat weighing our control may be used in a tech oh prevent a threat.
10:20
For instance, a no smoking sign is a control, but a five stinger is in fact a kind of marriages. In other words, kind of medicine go to work after discovery off the threat
10:31
in this case countermeasure used to put in the place as a response to a risk analysis. Some examples here being a router, you can master I P address or other words, the Internet protocol address. You're gonna also implore and fires and I spare where application to beget protect against malicious software. You also engage in what we call behavior techniques.
10:50
They're applied by users to the tour threats, such as suspicious email attachments.
10:56
You have firewalls which again facilitate authorized network access. You can also implore intrusion prevention system as well as detection systems as well.
11:07
This brings us to our post assessment question, and the question is as follows
11:11
All the following choices. What best weapons at all the steps related to instant response? Is it a preparation, detection, analysis, containment, eradication and recovery?
11:22
Or be preparation, containment, detection, analysis,
11:28
eradication and recovery, or C containment preparation, detection, analysis, eradication and recovery?
11:35
Always IT D containment analysis, detection, eradication and recovery.
11:43
If you selected a you absolute correct. It's called preparation, detection,
11:46
analysis, containment, eradication and then you have recovery.
11:52
Not doing this particular presentation we specifically discuss Discovery
11:56
Escalation would also discussed reporter and feedback loops in response and last night. Suddenly so which implementation of countermeasures
12:07
and our upcoming topic would be moving on in this particular model, which is getting margin of 11 by taking a look at section number three. We're just tired. I understand and support forensic investigations. Look forward to sitting in the very next video.

Up Next

CompTIA CASP+

In this course, you will learn all of the domains and concepts associated with the CompTIA Advanced Security Practitioner CAS-003 CASP+ Exam. Through this course you will be fully prepared to sit for your CompTIA A+ Exam!

Instructed By

Instructor Profile Image
Jim Hollis
Independent Contractor
Instructor