Time
58 minutes
Difficulty
Intermediate
CEU/CPE
1

Video Transcription

00:00
Hello. My name is David. Welcome to Incident Handling. Now we want to talk about steps.
00:08
It's important, when you are working in incident response, to know these steps and to be able to apply them
00:18
during an incident. Now, if you've never been involved in this,
00:23
it's described in a variety of different ways. Chaotic.
00:27
Shocking. Those are words used by people who have been in these situations when it comes to an incident. Let me give you a quick case here.
00:43
Back when I was working cybercrime as a police officer, I was walking down the hallway in the police department one day, and a patrol officer stops me. I was in investigations, and he's like, "Hey, you know, I just had a case that might interest you." I'm like, "What's that?" He's like, "Well, a local government entity. The CEO came in
01:00
Monday morning and went to do payroll, and when
01:04
she logged in to her bank payroll account, the money was gone."
01:11
Whoa, that doesn't sound good. "Yeah, I'm not sure what they'll do. I think they're going to fire the CEO; they figure she stole the money. Maybe it's something that you could help with." Okay, so I set up a call and a CEO interview.
01:26
To make a long story short, the CEO actually did not steal that money. She was the victim of a phish, wherein a keylogger had been downloaded onto her system, and they had monitored her system for well over a month
01:41
and captured her password, her login ID, her bank information, whatever was necessary. And then,
01:48
knowing that Monday morning was the typical payout for payroll, they logged in Sunday morning at 3 a.m. and transferred hundreds of thousands of dollars from that account to a bank in another city. Then that money was dispersed from there.
02:07
I get involved. I find the keylogger. The FBI gets involved. It turns out it's actually an international crime ring, wherein there are multiple victims throughout the continental United States, not just where I'm located.
02:20
And the case went from there.
02:23
You need to know these steps because that company had zero steps for incident handling. Their incident handling was: well, suspect the person that has access to the information, reimage the hard drive, put it back in use. And that's exactly what they did. They would never have known what actually happened if someone else hadn't stepped in.
02:42
Now, when it comes to the steps for incident handling, there are two major standards out there. NIST is one, and that gives you four steps: preparation; detection and analysis; containment, eradication and recovery; and post-incident activity.
02:59
All these are equally important, really.
03:01
The more time-consuming of them are going to be your first and last: preparation and post-incident activity. We'll talk about those more in depth as we go along. But you need to know them and be able to identify them, because they're important when it comes to handling an incident.
03:21
Now SANS has a slightly different setup. They have
03:29
preparation, identification, containment. Now you see, they take step three from NIST and just break it out: containment, eradication, recovery, and then lessons learned, or post-incident.
03:40
Now, thinking back to our episode where we talked about definitions, episode two.
03:47
Even moving away from definitions, you can see where having these different standards
03:53
being used could cause confusion, could
04:00
muddy the waters, so to speak, when it comes to actually handling an incident. And what we need to do, what you need to do, what your company needs to do, is pick one of these and stick with it.
04:12
That's my best advice. You pick one of these and stick with it.
04:15
That way you can build your program out. You can design your incident handling around it. You can locate and identify your tools, put them in place. You can build this process into a SOAR, and then you're ready to go.
04:28
Not that you should want an incident or a breach to occur, but if one does occur, or let me rephrase that, when one does occur, you're ready to go. And that's the important part, really. Incident handling is being prepared.
04:46
We have the Boy Scouts here, and their motto is "Be prepared."
04:49
And that same thing is very true when it comes to cyber security: always be prepared for the worst-case scenario.
04:57
So you have NIST, you have SANS. Review them together. It's kind of beyond our scope here to actually go into these; there's another course out there on Cybrary where you actually go more in depth into these, to help better clarify and identify which one you choose. Now, some
05:15
business factors actually identify this for you in their documentation or governing documents, so refer to those. We'll kind of talk about that in our episode on the legal
05:29
portion of this. But it's important for you to know even now. So when you're stepping into an incident, first it has to be classified. So you need a definition.
05:42
If you don't have a good definition of an incident to work off of, classifying it is going to be extremely difficult. And there are a variety of ways to do this, too. I've seen it done color coded, I've seen it done with numbers, one or two, or
05:58
I've seen it done with names, like in this example here. Whichever way you do it,
06:03
I can't say one's better than another.
06:06
It depends on your own internal workforce and on your internal training. It depends on,
06:15
I'm blanking on a good word to use here, the historical knowledge of the company that you're working with, which one's going to work best for you. I picked this one out just as an example. So you've got different categories. So
06:32
is it critical? Is it significant? Is it minor? That's the language.
06:38
And again,
06:39
these have been done using color codes too, like red for critical, orange for significant, yellow for minor, or green.
06:47
And it just depends on what the design and the functionality of it would be. Now, if you're writing an incident response plan and you're going to put something like this in it to help you triage incidents as they come through,
07:02
it helps to have a description. You can call something critical, but without another description of it, it's hard to actually define. So you can use any number of resources to set up a criticality chart
07:17
to help you classify these incidents as they occur, but it is important that you actually do it. You can use two approaches to triage an incident. Number one is intelligence driven.
07:30
That's where it's based on information gathered from various sources. It could be from monitoring internal resources. There are a lot of third-party threat intelligence providers out there, like Recorded Future, that actually will give you, say, weekly reports to identify
07:46
threats facing your business vertical, or your business specifically,
07:50
so that you can actually begin to triage or analyze incidents that occur. Then there's evidence driven. This would be more where you have a SIEM
08:03
set up that is aggregating your logs, monitoring them with rules, and notifying you of
08:09
incidents when they occur, and then you investigate them based on that evidence. That could be permitted-use issues or complaints: the user gets a strange pop-up or their mouse is moving on its own. Those are all evidence driven. So there's two approaches. There's intelligence driven
08:26
and evidence driven, to help you identify incidents and then conduct your analysis.
08:31
You can look at a variety of different tools for this.
08:37
There's IDS, IPS, SIEMs, data loss prevention programs that are out there
08:43
in order to actually analyze this. So
08:46
just having an alert from a SIEM isn't enough for you to actually declare an incident. You actually need some of these tools, and there's a whole list of logs there that you can actually turn to in order to verify the information, and then also the threat intelligence sources that you can turn to as well in these cases.
09:07
Then you can move to containment. You can block unauthorized access,
09:11
block malware sources, or something like that; closing ports, password changes, firewall filtering, even isolating systems can be helpful when it comes to containment. Different strategies should be considered depending on the appetite.
09:28
So you could say, if it's
09:33
potential damage or theft, you're going to use a different kind of strategy for that. You might actually want to take the laptop or the desktop and keep it still. Just kind of an example there for you. Those were the first couple of steps in the incident handling process. If you have any questions,
09:48
reach out to me on Cybrary.

Up Next

Incident Handling Fundamentals

In this course, we will cover the fundamentals of incident handling, specifically how to identify security incidents and the common standards and practices for handling said incidents. This includes discussing various forensic tools, SOAR, and analysis tools/resources.

Instructed By

David Biser
Incident Response Engineer at Iron Mountain
Instructor