Time
1 hour 2 minutes
Difficulty
Intermediate
CEU/CPE
1

Video Transcription

00:00
Hello. My name is David
00:03
and welcome to managing it. We will be continuing our journey together, talking about incident eradication,
00:12
compromised backups and rebuilding after the disaster.
00:19
One of the strengths of humanity is the ability to recover from disastrous
00:28
consequences. We've done it throughout the course of our history.
00:32
So this is not a hopeless step in the incident response process. Yea, celebrate with me. Right. Sad to say though, it can be extremely difficult. And if we would have taken some steps
00:49
in the incident response process early on and in the eyes of the world early on,
00:55
we wouldn't have the, uh, daunting task of rebuilding women rolls around. Just saying something to consider For anybody watching the video
01:07
when we come into the round Mother of recovering Roman is that basically is the broad term for all these different topics. Eradication, of course, comes to mind right away. We first of all have to get the data out of the network
01:25
and make sure that nothing is left behind
01:29
that would allow the attacking Thio get back into the network. If we fail to do the eradication step in all of our recovery efforts will be for not now. This can range from the simple, which is simply removing a piece of malware off one system.
01:45
Thio disabling an entire range of user accounts that have been breached buys a password spray
01:53
where it could be the entire rebuilding of the server form.
01:57
It could be massive.
02:00
It shouldn't be daunting depending upon your preparation on if you have actually managed to do a good job of being prepared. Three important part of eradication is making sure that when you went through your incident response process,
02:16
you managed to actually identify all of
02:22
the infection vectors and the infected host s so that they can be properly lead.
02:29
If you missed something during the incident response process, even one small hose the possibility exists that your attacker could continue to compromise you. And unfortunately, you may not.
02:45
Um, because you think I got everything done right. So this is important.
02:50
As part of the Incident Response team. You have a duty to speak to this if the necessity arise, So don't be that person who's worried and doesn't say anything because you don't want to be.
03:06
And then there's a troublemaker or whatever you do need to step up here and speak to this. If you see something on this, I just
03:17
sit in the corner and not say anything because you're the new person. Whatever. You have to speak here in order to help protect the network. Or you'll find yourself in, say, six months in the middle of another incident, realizing that something was missed in the first incident
03:32
and this could have been avoided on some incidents, eradication is not necessary or is actually performed during the recovery process at the same time, it just depends on the type of incident uh that you're dealing with.
03:47
I say it's a fishing incident. Piece of Mauer was delivered. Be a phishing email. You intercept that your email protection program. Say it was Proof Point
03:55
intercepted it and alerted you to. A user didn't get the opportunity to even open the malicious email. It was deleted and purged. Then the domain was blocking and you did a long review and found that new other users went to. That was just a main. Your eradication has already happened, Um, thankfully,
04:15
but what you do need to do is continue. Follow up on that on make sure that the eye of seas were interferes. Compromise are added to your firewall and teary antivirus ing our
04:27
to your SIM so that any future events can be alerted on and handled immediately, rather than overlooked or dying.
04:36
Do not enter. You don't want your attack or getting back into your network. Do not allow it. Make sure that your eradication is complete in school and covered. Or you will have issues
04:49
some things you could do. When it comes to eradication, you can reset the effective user. The affected systems basically rebuild them from scratch, and you have to go images, which we'll talk about your shortly. Um, changing user passwords is a very common one out there.
05:10
So
05:12
if you have the means to do that easily, great if you don't, that could be problematic. Um, service passwords of huge. What password is used for your admin accounts?
05:24
These don't say, and these they ended. Unfortunately, that's quite common in Attackers Know that. So you used to make sure that even your service passwords are
05:38
changed. That's extremely important and often overlooks. I wanted to drop in here for you. Update your security programs, whether it's anytime our A live virus.
05:48
Your I. D s. I p s
05:50
make sure that the new indicators of compromise you got from your forensic evaluation of the examination from your Bauer reverse engineering are added to your security programs and
06:02
a new scan is run.
06:05
I can't tell you how many times working with third party MSs peas, we provided customers with a new eye disease and they did nothing with them and we were called back in months later because they thought there was a new breech. Thankfully, there there wasn't. But
06:24
we learned that they had failed to update our security programs with this new information follow through on it. That's why you have a long book. Remember, backup episodes we talked about at the beginning of yours, a response for steps to start the long boat
06:39
identifying it's an April quarter over somebody who's gonna make sure that all these sepsis follow through on. And then during the after action lessons Warren section, which is coming up in another episode and module, you'll cover that
06:54
correct vulnerabilities that were used during the attack. Hopefully, you identified how the hacker got in so that you can correct these
07:01
the worker rounds or two updating systems. Whatever is necessary. Clean registries scan for memory resident malware. Its final is now. Where is the sort of the catch phrase in the industry, But it does exist. It's not new, for the problem is
07:20
it was over. What Nobody really talked about it. Nobody wanted to talk about it.
07:25
But it's there. So if it's a piece of memory resident malware and you're not scanning your memory on your systems, then you're missing things. So don't miss things of data again with new signatures and cares. Compromise. If you're going to rebuild,
07:42
uh, re install your operating systems form what's called goldie images.
07:46
Standard images that have been created a bubbly post incident have been updated and upgraded to prevent a reinfection or with Hans of the attack, segment your critical data and increase your auditing on the system so that you know
08:01
if somebody is doing something really bad. Wannacry was huge, was an example of destructive malware.
08:09
It was first thought to be ransom where I was later learned that he was actually destructively, and its only purpose in life was to destroy the operating systems and information that were infected a cz you could see it was pretty global on its impact. Um, every
08:28
nearly every country in the world suffered from it. There were a few that missed out on the excitement. However, as you can see from that here on, you can find these on multiple different reports out there.
08:43
Um, it actually get every calling that on the globe on. A lot of companies were caught unprepared because he didn't have good backups. And in Hample images, they didn't have a recovered process in place to help them recover and eradicate.
09:00
Are you recovered? Sandy, of course, does rely on the security of backups. So if they were compromised, were infected during the incident right out of big old screen and decided you gotta build from scratch. Sad to say, a lot of companies open through
09:18
when they're testing processes and procedures and get caught
09:22
Architecture change eyes. Another item that comes into play here. Don't build it out about cake. Ah, uh, a lot of times after the attack, company may decide to change their architecture, which can be daunting and expensive, but sometimes it is something that you have to do because it was originally built without security in mine.
09:41
So you're gonna properly rebuild. You have to incorporate security into it.
09:46
That they ran without is the thing that I'm new stuff. In my wondering eyes. In the cyber world, a lot of networks were built without security in mind. And when they are rebuilt, you have to do it the right way. That comes operating systems and eradication, all things that we talked about coming through this this episode
10:05
pause here and re beauties. Make sure that you understand what you're doing and how you can properly respond.
10:13
Vinyl butts system integrity checks after the restore for everything that has been restored.
10:18
Scared the entire network again with the new AI zis to confirm eradication and recovery and confirmed that all systems and service's have been restored to normal in order to perform a full recovery.
10:31
You have any questions? I'm Oh, cyberia today. Big 135 Forward to hearing from you have a great day

Implementing an Incident Response Plan

In Implementing an Incident Response Plan, David Biser describes how an incident response team must take action when an incident occurs. He touches upon the incident identification and the incident management process, as well as what must be done to recover from an incident.

Instructed By

Instructor Profile Image
David Biser
Incident Response Engineer at Iron Mountain
Instructor