All right. So one of the first things that we need to think about in planning for incident response is who's going to be on the team, and we have several different roles that we need to define. The best time to plan is before the event. So we're going to name a leader, and that's going to be the director of the incident response plan.
They're responsible for overseeing the plan, making sure the plan is documented, making sure people are trained.
Also, if there are multiple incidents, the leader is going to be responsible for prioritizing those incidents. And since we're usually talking about working with limited funding, the prioritization of spending on response and training and all of those elements goes to the leader as well.
Now the leader usually has an assistant, and that assistant is often called the handler. The handler often has forensics training and forensics expertise and provides consultation to the leader
to make sure that evidence is collected in such a manner as not to corrupt or taint the evidence.
There's usually, almost always, representation from technical staff and from legal staff, again to serve as advisers, making sure the policies and procedures are well written but also that they're feasible.
Then a customer liaison. Often we have many business associates out in the field. We recently had a breach here in the D.C. area, where a company that provides secure token devices for numerous customers
throughout the D.C. area, these one-time password generators, if you've ever seen them,
they generate a code that changes every 60 seconds. So they provide stronger authentication than just a password: you type in your password, but you also have to know the code on the device so that you can access the system. Well, the company that created those devices had a breach.
They had to contact all the customers in the area, many of them
government contractors and military institutions. It was quite a big breach, so they needed a customer liaison to work with individual customers to talk about the scope, limiting the scope of the problem, and responding to the incident.
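To make the "code that changes every 60 seconds" concrete, here is an added example that is not from the lecture and not the vendor's code. The lecture does not name the token's algorithm, so this assumes the public HOTP (RFC 4226) and TOTP (RFC 6238) constructions, which have the same property, and uses the 60-second step the lecture quotes (RFC 6238's default is 30). The seed is the RFC test-vector seed, not a real secret; `hotp`, `totp`, `verify_totp` and `DEMO_SEED` are names chosen for this example.

```python
# Added example, not part of the lecture: a one-time-password generator in the
# style of the hardware tokens described above, built on HOTP (RFC 4226) and
# TOTP (RFC 6238). The vendor's real algorithm is not stated in the lecture;
# this is an assumed, standards-based equivalent.
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 test-vector seed (ASCII "12345678901234567890").
# A real token gets a random per-device secret at manufacture or enrolment.
DEMO_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 60,
         digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time.
    Every `step` seconds the counter, and therefore the code, changes."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 60,
                digits: int = 6, drift: int = 1) -> bool:
    """Server-side check: accept the code for the current window and up to
    `drift` windows either side (token and server clocks are never perfectly
    aligned), comparing in constant time."""
    counter = at // step
    return any(
        hmac.compare_digest(hotp(secret, counter + d, digits), code)
        for d in range(-drift, drift + 1)
    )


if __name__ == "__main__":
    # Two timestamps in different 60-second windows produce different codes.
    print("t=59  ->", totp(DEMO_SEED, at=59))
    print("t=119 ->", totp(DEMO_SEED, at=119))
    print("accepted:", verify_totp(DEMO_SEED, totp(DEMO_SEED, at=119), at=125))
```

The design point worth noticing for the breach story is that in a TOTP-style token the device and the authentication server hold the same secret: whoever obtains the seed database can compute every code a token will ever display, so a compromise at the token vendor is a compromise at each customer, and the remedy is reissuing tokens with new seeds, not just tightening the verifier.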
Senior management. Ultimately, when all is said and done, senior management has the ultimate accountability and responsibility. So senior management wants some representation. That doesn't mean that your CEO is out dusting for fingerprints, but it does mean that your CEO
has a direct line to the incident response team, and they have a direct line to your CEO.
HR. Because sometimes these incidents come from employees inside, and how we respond to incidents and violations from our employees always needs to go through HR. We're at a point in time where we're a very litigious society. We like a good lawsuit,
and we want to make sure that we're treating our employees fairly and according to the law.
And we go to our HR representatives to provide us guidance. And then, of course, public relations. Let me tell you, an essential piece in dealing with incidents is how we address it with the public. We do not want our employees going to the news and saying,
"Whoa, they sure caught us off guard. We didn't see that coming."
And even worse, what if an employee goes to the media and says, "Yeah, we knew this was going to happen. It was just a matter of time"?
Either way, your employees can open you up to liability. We need to make sure that we have a specific individual or role in our company whose job it is to talk to the media, and we need everybody else to know that it is not their job. So controlling how we present ourselves to the public
is a very important piece.
That's important with disaster recovery, and it's certainly important with incident response.
Okay, now just the definitions. A security incident is a successful attack,
and it also has to be something of significant impact. Whereas an event... now, honestly, I'm not 100% in line with this definition. A security event is any activity that takes place that does not pose a risk to the organization. So the way they're describing a security event is
some sort of attack that doesn't affect you.
You know, I think that's a very... well, that's fine. That's how CompTIA defines it. I think the important thing to understand is that events can become incidents very easily.
There's a new event that exploits a vulnerability in IIS, but I have an Apache web server,
so that doesn't pertain to me; it doesn't present a risk. All right. But the same individual that's created a new attack to exploit IIS is probably just around the corner from creating a similar attack to exploit my Apache server. So the point I want to make is this idea that an event doesn't pose a risk to the organization,
but we still keep our eyes on security events, because it's just a matter of time before it wraps around and becomes relevant to us as a company.
Events and incidents come from in-house or external to the organization, and we must know that the greatest threat to my organization is my internal employees.
Fraud happens inside,
right? That's where the people have the greatest access to information. They know the organization. They're more aware of our vulnerabilities and weaknesses. So we have to check for things that would allow employees to create and to commit fraud.
Employees abuse their permissions. That's why we follow ideas like the principle of least privilege and need to know, and we audit our policies. We make sure that employees aren't allowing people to piggyback in on the card swipe. We make sure that employees aren't propping doors open so they can run out to their car
even though they forgot their cards to swipe in or out.
We make sure that employees don't walk away from their systems while those systems are logged in or while their smart card is in the reader. We have to monitor employee behavior. It doesn't have to be a malicious attack for employees to cause damage.
Assets are accidentally lost, of course. We were talking about those smart devices, the token devices that we can use for authentication. Employees lose those things all the time.
Smart cards to access the building, people leave those behind; they get lost. Well, if I leave a smart card that allows access to my building out in public somewhere, now an attacker can easily access the building. We have to have a means of revoking those credentials and reissuing new credentials if necessary.
Employees violate security policy. That's what we're talking about. One other thing that I would put here that we might want to consider in relation to employees: certainly we use policies to limit what our employees do. We implement least privilege and need to know.
Along the lines of the principle of least privilege is a problem that's called privilege creep. What that means is, let's say that I'm a custodian
and I clean and maintain building A, so I get a key to building A. I've done that for six months. They've decided to move me to building B. I get a key to building B and I maintain building B.
Six months later, I move to building C. I get a new key. I only need a key for building C, because that's where I'm currently working. But what happens is, when we add privileges and we don't go back and re-evaluate existing privileges, sometimes what we're doing is just adding on, adding on, adding on to user accounts,
and they're able to do more and more and more on the network.
Often when we add a set of privileges, there's a set of privileges that needs to be revoked. If you're doing a new job, I don't just add the privileges of your new job; I remove the ones from your old job. So privilege creep is just that idea that we continue to add privileges without re-evaluating,
and that could be another way that employees have too much access.
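The custodian story is really a description of an access review, so here is an added example (not from the lecture) that models it: a naive transfer that only appends rights, a least-privilege transfer that replaces them, and a review that compares each account against the baseline for its current role and lists what should be revoked. The roles, entitlement strings and account names (`ROLE_ENTITLEMENTS`, `custodian-building-a`, `custodian01`) are made up for the example; a real review would pull them from the identity system and the HR record of each person's current job.

```python
# Added example, not part of the lecture: a small access-review model that
# reproduces the custodian/building-key story and shows how an audit catches
# privilege creep. All roles, entitlements and account names are invented.
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Role baselines: the entitlements each job actually requires. An entitlement
# is just a string such as "key:building-a" or "group:payroll-readers".
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "custodian-building-a": {"key:building-a", "badge:service-entrance"},
    "custodian-building-b": {"key:building-b", "badge:service-entrance"},
    "custodian-building-c": {"key:building-c", "badge:service-entrance"},
}


@dataclass
class Account:
    user: str
    role: str
    entitlements: Set[str] = field(default_factory=set)


def transfer_accumulating(acct: Account, new_role: str) -> Account:
    """How creep happens: grant the new job's rights, never revoke the old ones."""
    acct.entitlements |= ROLE_ENTITLEMENTS[new_role]
    acct.role = new_role
    return acct


def transfer_clean(acct: Account, new_role: str) -> Account:
    """Least privilege: the new job's rights replace the old job's rights."""
    acct.entitlements = set(ROLE_ENTITLEMENTS[new_role])
    acct.role = new_role
    return acct


def review(acct: Account) -> Dict[str, List[str]]:
    """Access review for one account: anything the current role does not
    justify is 'excess' (a revocation candidate); anything the role needs but
    the account lacks is 'missing'. An unknown role justifies nothing, so all
    of its entitlements surface as excess instead of being silently accepted."""
    baseline = ROLE_ENTITLEMENTS.get(acct.role, set())
    return {
        "excess": sorted(acct.entitlements - baseline),
        "missing": sorted(baseline - acct.entitlements),
    }


def audit(accounts: List[Account]) -> Dict[str, List[str]]:
    """Run the review over a whole directory; report only accounts with excess."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        excess = review(acct)["excess"]
        if excess:
            findings[acct.user] = excess
    return findings


def simulate(transfer, user: str = "custodian01") -> Account:
    """Hire into building A, move to B after six months, then to C."""
    acct = Account(user, "custodian-building-a",
                   set(ROLE_ENTITLEMENTS["custodian-building-a"]))
    for role in ("custodian-building-b", "custodian-building-c"):
        transfer(acct, role)
    return acct


if __name__ == "__main__":
    crept = simulate(transfer_accumulating, "custodian01")
    clean = simulate(transfer_clean, "custodian02")
    print("accumulating:", review(crept))  # two stale keys flagged
    print("clean:       ", review(clean))  # nothing to revoke
    print("audit:", audit([crept, clean]))
```

The point the review makes explicit is that creep is invisible if you only ever look at what was granted; it only shows up when each account is compared against what its current job requires, which is why periodic access reviews belong alongside the least-privilege policy itself.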
Now, external incidents again come from a wide variety of areas. External communications: we talked a little bit earlier about social media and sharing confidential information, phishing schemes, and phishing is of course spelled with a "ph". The reason it's called phishing
is the idea that in phishing attacks, most people
that are conducting these attacks throw a very wide net, because if I throw my net wide enough, I'm going to catch some fish. So I'm going to send out an email that asks you for $500. If I send that to enough people, somebody's going to send me some money. And that's the origin of the term phishing.
So external communications, which we can't eliminate, we have to have them,
can certainly provide a means for incidents. Now, when we do have an attack, how are we going to deal with it? Do we call law enforcement? You'd be surprised at the number of companies that have compromises that do not report those compromises.
Now, certain industries require that you do so, financial industries for instance,
and it's also, in my opinion, an ethical requirement that if there's a breach, it gets reported to the appropriate parties. Companies don't want to do that because of a loss of reputation. We need to know what our process is when there's a breach: what agency of law enforcement, if at all, do we contact,
how that's handled with the media, how we talk about this with our customers and our business partners, but also knowing that some of these elements can create their own compromises. And then social engineering, which we've discussed. All right, very important and very testable:
the stages of incident response.
Now, this could be a little bit weird, because what's the first stage of responding to an incident? Well, the answer they want is preparation. And I've seen this question, not on the actual exam but on test prep software. The reason that this is in my mind is I had a student make a very good argument, saying,
"Prepare after the incident? If you tell me I'm responding to an incident, I should have already prepared."
That's somebody that's overthinking the question. I hear you; that makes perfect sense. But when they say what's the first step of incident response, 1, 2, 3, 4, 5, 6, that's what they want, and that's what you give them. So the first step of responding to an incident is to prepare.
But of course, preparation is best done before the incident. Okay, I hope that was clear the way I said it. Don't overthink the questions. When they're asking you a question about the first step or the third step, this is what they want, in exact order.
So we prepare. We pull our incident response team together. We have a documented set of procedures to follow. There's no room for flexibility in incident response. It needs to be a centralized, well-controlled, well-documented set of steps and procedures.
Identification and investigation: how are we going to identify that an attack has happened? We sometimes refer to that as violation analysis. Violation analysis simply means step back: what's happened? Sometimes what appears to be an attack could be just incidental network activity.
It could be something that was an accident.
It could be something that we weren't aware of but that's legitimate. It could be a pen test. So we have to figure out how we're going to identify the fact that an incident is actually happening, and how do we conduct our investigations?
Containment, triage: let's stop the bleeding. Let's limit the scope of this attack. If there's an attack on this particular system, I want to make sure that that attack doesn't spread throughout the network. So how do we contain it? How do we cleanse this system? How do we eradicate the attack? Restore or recover.
And then document, document, document. Now again, we need very well documented procedures on how each of these pieces happens. We need to make sure that as a matter of incident response, we don't do things that would destroy data. That's one of the foundational principles of forensics:
you collect evidence in such a way so as not to corrupt or contaminate the evidence.
So we need to make sure that these stages are well documented and that the processes are in place. To pass this test, you don't have to be a forensics expert, but you do need to know the basics, the essential pieces. Lessons learned. Let me tell you, there is never a time when documentation is the wrong answer.
If you see that as an answer on the exam, you're probably going to want to choose that.
And that's really one of the most important steps. If we don't learn from past compromises, we leave ourselves wide open for the compromise again.
If you follow the news, we saw the awful tragedy that was Hurricane Katrina. We saw the loss of life. We saw the loss of business. We saw the catastrophic results of that hurricane. So surely, after watching what happened with Katrina,
we'd be nowhere near experiencing the same degree of loss again.
Except if you looked at Hurricane Sandy, or if you looked at the response to the floods in Vermont or the floods in Nashville. The only reason they weren't on a larger scale is because the storm wasn't on the same scale or in the same area. But the point I'm trying to make is we see the same problems
happen again and again and again.
People deep down believe, "Oh, that's not going to happen to me,"
or, "Well, that's not going to happen to me again."
We have to learn from the past, and the way we learn from the past is we bring our staff together, we debrief our staff, we document what we've learned, and we go back again. What happens here with lessons learned is we go right back into preparing again and we modify our policies.
If the mitigating strategies we had in place didn't work, why?
And we figure out how we can improve.