SOC Case Management 101 Part 3

00:12

welcome to management. John Gomez and I have been with you for this journey through in case an incident management.

00:25

And, um,

00:27

as I told you in the last Montreuil, if you have not completed module one and two and I recommend you go back and finish those before you go forward with Montreuil three

00:37

for those of you that have completed those two modules and you're ready to go for

00:41

before we get started, there's a couple of things that I do want Thio kind of highly when it comes thio

00:49

this module. So it is really difficult for us to kind of

00:54

tell you how you should support incident response operations in cybersecurity as an analyst, because it's gonna be different for every organization. Every organization's gonna have its own instant response plans, and it's a response. Teams, typically the security analyst

01:11

in the sock, will support those efforts but not be directly

01:15

leading them a t least not in terms of the front line analysts.

01:19

So it's really important that you understand how your incident response program works for wherever you may be working and then follow those procedures. Goal in this Montreuil, though, is to kind of give you a very high level overview of incident response and

01:38

hopefully give you some skills and some some tactics that you can use to kind of better position yourself as you kind of continue to evolve your analyst career. So with that, let's just

01:52

kind of go ahead and dive into, um,

01:55

this program on module three. So the first thing I want to talk about it's just high level incident planning. So your success and managing an incident any any organization, success and managing an incident cyber security incident is going to depend on your incident response planning what planning you do before the incident.

02:14

So if you don't have an incident response plan within an organization,

02:16

you really should get one in place and you take the time to get that put in place because it's gonna be directly related to the success of how you respond to incidents. Remember by incidents, we mean there's an attack going on.

02:32

Um,

02:35

most insert response plans are not designed to deal with today's cybersecurity threats and challenges. We, as an organization, do a lot of instant response planning. We have a program called the Tactical Incident Response Program And we did that because we saw that most plans are based on techniques from 57 years ago,

02:53

and today we have very fast moving attacks that are highly destructive.

02:58

And we see those attacks taking place not just in government or health care or critical infrastructure. But we see them happening in small companies, mid size companies on GC, that destructive you mean that computers are being destroyed, assets have been destroyed, people's lives are being put at risk,

03:15

so really important that you make sure the plan is reflective of today's threats and continues to evolve in the future.

03:21

But most importantly, whatever plan is in place, you should make sure that there is the ability to take action quickly without oversight. Now, what I mean by that is that people who are on the front line, your security analyst, your help desk teams that they're able to take action without asking permission. And we see that a lot of plans have these chains of command

03:40

really based on emergency management approaches to incident response,

03:45

not cyber security, not immediate action. And so it's important that you, as an analyst, understand what are you allowed to do without asking permission. If you see an attack, do you just raise your hand and say, Hey, there's an incident or can you actually start taking steps? You need to understand what's permitted within your organization.

04:03

So let's talk a little bit about the incident action plan or the immediate action plan. You're going to see those terms used interchangeably. And so the Incident action plan basically says, Hey, we have an incident. We're under attack. Here's what we need to do for that type of incident

04:19

and so specific to the type of incident. There's typically three things that you're going to need to know as part of the action plan. The action plan should tell you what the objectives of this plan for this type of incident. What are the activities that you should embrace, that you should carry out that you have authority to do when you see this type of incident

04:40

and

04:40

you have a time period on operational period, right, that if you see this incident occurring within this time frame again here, the activities in the exits, right. So that's what the incident action plan is basically a plan that tells you what to do with this type of incident.

04:59

Now, the next piece years in here, I'm using the term immediate action plan. Like I told you, it's interchangeable with incident action plan. And so I just kind of wanted to give you a a graphical representation. Have this Looks right. So you have your incident action plan that's specific to an incident. You have a time frame as to when this should be put in place

05:16

reigns within the first few minutes of an attack

05:18

within the first few hours within the first few days. Depends on one. This is the timeline again. This is why we gather this information to triage. And then you have protocol and immediate action roles, which were your your activities that you're gonna take now protocol on immediate action drill. Your protocol is kind of like standing orders. A list of things that

05:38

you should be carrying out procedurally

05:40

and immediate action drills are here. The immediate thing you need to do to contain and stop this attack.

05:46

And so these terms, I will tell your specific to Sensodyne. Like I said, we invented this entire concept of a tactical incident response for cyber security

05:54

and So we used these terms and these twos and these techniques because they're really effective in dealing with fast moving, destructive attacks that we see today as well as non destructive, non fast moving attacks. In any case, you will come across similar terminology just trying to give you a baseline

06:11

so that you get more involved in this. You'll have some concepts that you have under your belt that you can talk to and kind of use and embraces. You go forward.

06:19

So

06:20

when you declare incident right, we talked about this concept of deciding. Is that an issue, or is an incident would actually do you need to know you've declared an incident, meaning that you've done your triage. You determined that this is an attack that's occurring rain. So when we go to a rapid triage workflow,

06:38

first thing we ask is, Hey, is there an attack and is it occurring right now?

06:42

So let me just take a moment. You should feel really, really proud that you know what I'm talking about right now, right? Because you've gone through the other modules and you learn this stuff. And now you're able to talk about rapid triage and other things. In any case,

06:56

what we do during a triage is what we doubted. The fax, right? And the fact that we gather tell us what type of incident this is.

07:02

So based on triage, you should be able to declare whether there's a fast moving attack. And by that I mean, this thing is traversing across the network. It is moving very quickly. You know, this is not somebody who's access the database and his ex export trading data. This'd is really moving quickly.

07:20

And so is it fast moving or other? Secondly, is it destructive?

07:27

There are a lot of attacks that are not destructive and destructive. We need truly destroying computer assets

07:32

beyond repair, destroying, totally taking him down, taking them off line, or is it impacting human life? Is this thing potentially going to hurt someone or kill someone? So you need to know if it's destructive or not. And then, lastly, is it an internal attack? Meaning it's only affecting internal assets,

07:48

External meeting, external facing, I PS and addresses and assets,

07:53

Or is it a hybrid attack that's affecting everything, including cloud environments?

07:58

What is the attack doing? What is this thing actually doing? Is it encrypting files? Is it shutting is creating a denial of service situation? Is that stealing credentials? We just saw one attack recently that all it did was catalog

08:09

information and basically what I mean, that is a catalogue and inventoried your computing assets and network infrastructure. So what's it doing? What's the attack? Severity.

08:20

And what's the criticality of assets again? You should be really proud, because by now you should know what I mean. We're gonna say severity and criticality. You should know the point system. We use the scale we use rather 1 to 5. All of that, a lot that you've learned in a very short amount of time. You should be really proud of that.

08:35

Okay? And so let's talk about managing an incident.

08:39

Two things. I'll give you some advice on when it comes to managing an incident. And by managing an incident, I do not mean you're going to be leading the incident response again. As an analyst, you're contributing to an incident Response team. And maybe besides taking some immediate action to help contain the attack, the overall response is gonna be managed by

08:58

entire security team and other assets.

09:01

But in any case, two things you should be really concerned with and regardless of what rolling plain one is avoid singularity.

09:09

Don't get so focused on this Attaf that you're not looking around right, zooming out when we talk about zooming in and zooming out, zooming out to make sure that there's not other attacks occurring since Otto is a company were very attack focused. We look at everything of one Attackers perspective. We're really, really good attacking and breaking into things.

09:28

And I can tell you one of the things we do is a diversion right where we will go out and create an attack. Get the Security Operations team to focus on that, and then we will create another Attackers their primary objectives while they're trying to figure out this attack on you know that First launched were already using another attack that

09:48

they don't even realize because they've become tunnel vision and focused on the first attack.

09:52

Don't do that. Look for new issues, new alarms, new alerts, new indicators of compromise, other things that could be happening. So don't get tunnel vision. Avoid singularity to focus on containment

10:03

contained the attack. That's job one right.

10:07

Get the tact that you do see under control. We're still monitoring for others. Don't worry about forensics. To see so many security analyst teams get worried about forensics, it's not part of the responsibility. While there's an attack coming on,

10:20

you got to get to a known state. You gotta make sure everything's okay. You're gonna make sure things are being locked down and that you contain the attack. That's your first responsibility. Second, don't get focused on the singularity stuff. We just talked about

10:35

what? The key takeaways from this module Incident response is typically managed by the I. R team. You will probably contribute to that team, but the analysts should not be the team that's doing in Senate response. And if you are there, special skills that you should probably have in place from an incident response perspective.

10:52

No, your role and the authority to respond. You need to understand what you can do when there's an incident.

10:58

What you can't do. What's your chain of command, where you have the Do you have the ability to take action without requesting permission?

11:05

No. The basics of declaring an instant attack type Yes, asset criticality tax severity. What the attacks Doing all those pieces of information.

11:13

Don't assume it's the only attack. Keep monitoring. Keep looking around.

11:18

Avoid singularity and containing the attack is extremely critical. Can't contain it? The attack will spread and more more assets will be blown into play, which is not a good thing for the organization.

11:31

So