Hello. My name is David. Welcome to handling incidence. Now we're talking about eradication, and these aren't necessarily in the steps that you will follow up. Uh, clarify that you have been through numerous incidents on depending on the type of incident
the threat intelligence that was gathered
some of these year overlap or changed positions, depending upon that kind of inspiration.
If you have an activity underway where actually data is being stolen from your network right now,
you aren't going to be very interested in just a triage sports. You're gonna move immediately remediation
on those tour. But it's going to be going on.
it's good to see these on block Former. Each one is set out. Agnes, in its poor little colored blocks, stands. It's six. However, in the real world, as with most things that are gonna happen, these can overlap and change positions depending upon the kind of attached to be aware of that. Now, when it comes to eradication,
the main goal is to eliminate key components
and these very again, depending on the fact that you're so, um, 100.
So if it's malware, you made you
some steps for Torey eradication talk about yours, Morley. That's a phishing email in a different form of eradication. They just need to purge that email and change your users passport so it can be your very broad.
It could affect the entire corporate. Now, work where could be for a short narrow. Just one use
to keep that in mind here is Well,
um, some steps for this step
steps within steps. It's always fun, isn't it?
Some things that you do need to remember when it comes to eradication. You do need to identify all the defectives.
If an attacker has been inside your network for 206 days,
you've got a big problem because they could be anywhere.
you know anything about ethical hacking or penetration testing? You know
that once you've established your foot hole,
you always troopers, you always knew because you know that eventually they're gonna locate your foothold in Iraqi,
and you don't want them to get you out of that look. So you're gonna move somewhere else, then you're the incident handler. You've got to be able to hunt this attacker through the network and then perform your mediation on machines in order to eradicate.
You could include Mauer and outs this year. Uh, if you've identified
particular pieces of malware that are being utilized by the attacker, can create indicators compromise and then use an endpoint detection on school to search across your environment. Looking for these indicators. Compromise now Analysis could do a lot now
our different ways. You can do that. You could do it internally where you have your own assigned malware, Alice, where you could do it externally and say use website like hybrid analysis or any run to do your own and pull your indicators compromised from those reports.
Look and see as you're moving through your application process, what the attacker is doing if they're still active on your network
and they see you closing airports, clothes blocking their I P addresses, blocking their remains,
isolating systems, they're gonna be active to. Every action produces an equal or opposite reaction. That's true physics. It's true. Here is wet. If they are alive in your network and they see that you know they're there,
they are going to start moving too.
Do you need the ability and the tools to be able to monitor S O. They start trying to jump systems to hide their presence. You can identify that I've ever been
the tax document and where an attacker realized
that eradication was underway and remediation was underway. So they switched
their malware and totally changed their indicators. Compromise footprints, so to speak and became harder to find. Eso definitely need to keep that in mind if you're going to get it. Is handling and, of course, continue continuance continuous bunch
for any new symptoms of an infection or attack. If an attacker
has gotten in your network on, Dunn said successfully and you successfully then eradicate them, they're probably going to try to come back. They may have a lot of information about your network of your internal processes policies your please. Even
so, be on the alert for you. Social engineering attacks, phishing attacks,
those times. That way
you can keep him from getting back in. Hopefully
now for recovery. The primary action here is to return operations normal again. You'll see a relapse here while you're moving to the Iran intention of Asia. I T staff may be moving in the recovery things, so you're gonna be holding hands throughout this process, hopefully working together.
There are some issues here
that you have to keep in mind for recovery. What is? You have to make sure the remediation is successful.
Um, if it's not, then your recovery is not your complete war. You'll think you've recovered everything in the Attackers of surface
causing problems. It involves rebuilding, storing or recreating information, data systems. And again, part of the recovery process is ensuring your containment and your dedication have been successful as well.
Now, some things to remember
went down with this step is if you're gonna read on the backend systems, do it from clean sources.
Uh, gold standards are pretty well known in the 19 world. On hopefully those systems haven't been infected too. And you need to make sure that in one incident that I've worked on a company was France aware,
Um, they went through the entire process, eradicated, stored, and they forgot that they have one day to day sitting on their network that on the surface didn't look like it had been effective in France, where they used that as their source to rebuild. And the ransomware was in that back up to,
and they got leave. So keep that in mind?
Uh, compromise file should be replaced. If any kind of constraints were put in and containment, they need to be removed at this point. Thio, allow the recovery again in the one walk our patients, password reset, should be finished by now. Patching. And of course, testing should be done in order to confirm
the integrity of the systems that happened. Sword.
A very important part of the process. Right there. I am sad to say I've seen next that skip
in the past on and that causes problems of its own that you do not want me. Now lessons learned
this is one of the most important to me, but also one of the most overlooked steps in the incident. Hamlin process. It should be part of the process to help you,
um, to build your security and make it strong.
Uh, that's why I kind of struggled with seeing company. Skip this. That
because this is the opportunity to take what happened and learn from that experience. S o. How do we do? These could be team meeting reviews for se mire incidents and over the process, identify gaps,
update your process, your procedures and your jewels.
If it's a large incident than every single stakeholder that was involved, these be included in the lessons learned our after action section of the incident. Human process. Well, um, and this section should just be asked, fully documented as any of the other steps that, you know,
I've seen auditors come in from a variety of different,
um, companies and ask after an incident. Where is your documentation for your lessons learned
on? Hopefully you can actually produce that. Use the lessons, learned the craft, an action plan on, then when you've got that action plan ready to go, each project or initiative, whether or non technical should be about so it should be assigned to an individual and a completion date a sign and then follow ups done
to ensure that the steps that were identified
bone up on and done finished You completion and again, auditors. We're gonna ask for this documentation. What? See it after this. So don't skip this.
Any questions? Um, once I bury Davey 135 be happy. Lucky in shares of war war stories, I'll talk to you soon