Incident Response

Video Activity

Time
7 hours 50 minutes
Difficulty
Beginner
Video Transcription
>> Now let's talk a little bit about what we're going to do if our monitoring indicates that negative events have occurred on the network. That would involve an incident response, and sometimes it can lead to forensic investigations. With the incident response process, you have four basic steps, and they need to happen in order: one, preparation; two, identification; three, containment, eradication, and recovery; and four, lessons learned.

Regarding preparation, the best thing to prepare for an incident is before it happens. As obvious as that seems, it doesn't always go that way. But this is where we get our policies and procedures in order and train our incident response team. On the test you could see the abbreviation IRP, which refers to incident response policies. You could also see CIRT, which is computer incident response team. There are various other acronyms that are related to these same concepts. Before the test, I think you will most likely see CIRT team and IRP.

Regarding identification, when we talk about things that occur on the network, it's important to understand that an event is simply a change in state. It's not necessarily negative or positive. But if an event or multiple events have a negative impact on the network, that's when it becomes an incident. An incident is always negative, and only after we identify an event as being an incident will we move on to containment, eradication, and recovery, and then lessons learned.

Now, I'll just mention for identification: earlier, when we talked about implementing security controls, we mentioned KRIs, which are key risk indicators. We talked about that way in the beginning when we talked about risk management. We said that when we implement a control, we need to have various alerts in place to make us aware that a risk is going to materialize. For example, when I see network utilization go above 50 percent for a sustained period of time, that might be an indication of a denial of service attack. That's the KRI. One of the things that makes incident response successful is to know what we're looking for, and then to set up those KRIs and map them to alarms or triggers to let us know where there is an incident. Also, we have our IDS and IPS, incident detection system and incident prevention system. We have a lot of tools that we can use to determine if there has been an incident. But it's all about using them together and using them effectively.

Once we've prepared and identified an incident, what do we do? We contain the problem. This means isolating it and preventing the spread of malware or any infection from one host to another. You want to isolate the systems and quarantine them. That doesn't mean powering off the systems unless that is the only choice you have. If you have to power down the system, you might be getting rid of evidence that you'll want later, so you want to avoid that. Isolate the system in the least disruptive manner that you possibly can.

Now with eradication, we want to get whatever is on the system off of it, whether it's malware or some infection. But essentially, we want to remove the source of the problem. Then recovery means we're going to get back to full operations. An incident isn't over until you are back up and running completely. Then after that, we're going to document what happened and what we learned. It's always critical to document your lessons learned so you can apply them for the future.