WEBVTT

00:07.220 --> 00:12.440
Incident response relies on existing security infrastructure tools such as logging systems, intrusion

00:12.440 --> 00:17.840
detection and prevention systems, and security information and event management systems to provide

00:17.840 --> 00:20.930
us with a prevention methodology for incident response.

00:20.960 --> 00:27.320
The incident response cycle includes four distinct phases, the first one being prevention.

00:27.320 --> 00:30.560
We want, when at all possible, to prevent an attack from occurring.

00:30.560 --> 00:32.000
That's our primary goal.

00:32.030 --> 00:36.950
However, as somebody once said, it's not a matter of if we have a data breach, it's only a matter

00:36.950 --> 00:37.700
of time.

00:37.700 --> 00:41.210
We want to detect and analyze any problems in our network.

00:41.240 --> 00:46.040
Obviously, if prevention doesn't work and we have a data breach, we need to be able to detect the

00:46.040 --> 00:47.600
problem as it's occurring.

00:47.600 --> 00:51.860
If we can't detect it while it's occurring, we want to be able to detect it as soon as possible.

00:51.860 --> 00:54.500
This is where detection and analysis comes into play.

00:54.500 --> 01:00.230
We want to be able to detect the problem, how it got in, what vulnerability it exploited, and analyze

01:00.230 --> 01:03.050
what problems are occurring throughout our network.

01:03.070 --> 01:05.140
Finally, we want to contain the issue.

01:05.170 --> 01:07.300
Once we've contained it, we want to eradicate it.

01:07.300 --> 01:12.520
And then we want to come back to the normal working standard that our system was utilizing before the

01:12.520 --> 01:13.600
incident occurred.

01:13.630 --> 01:18.760
Once that's all taken place, we need to do an AAR, or an after-action review.

01:18.790 --> 01:24.040
During this review process, we're going to identify what we could have done better so that the vulnerability

01:24.070 --> 01:25.720
never got exploited in the first place.

01:25.750 --> 01:28.450
We want to verify: could we have done this faster?

01:28.480 --> 01:30.400
Were there certain problems that we saw?

01:30.430 --> 01:34.000
We want to continually improve. I understand that we're not perfect people.

01:34.030 --> 01:38.650
Those problems that exist can be recovered from and brought up as a learning process.

01:38.650 --> 01:41.020
Within containment we have segmentation.

01:41.050 --> 01:46.270
Segmentation prevents hosts on different segments from talking directly to each other.

01:46.300 --> 01:52.360
This reduces lateral movement by attackers, much like you may see in segmentation for network architecture,

01:52.390 --> 01:55.840
where you need to segment a machine off of our network.

01:55.840 --> 02:01.450
If I have a machine in the HR department or several machines in the HR department that have been infected

02:01.450 --> 02:05.470
with malware, I need to segment them off my network as quickly as possible.

02:05.500 --> 02:10.990
I don't want them to have communication with other machines, either on that segment or across segments

02:11.020 --> 02:14.800
into a different department, such as operations or maintenance.

02:14.830 --> 02:20.980
By segmenting the traffic either through VLANs or access control lists, I can thereby restrict traffic

02:20.980 --> 02:24.790
from that machine that's been infected from communicating with other machines.

02:24.820 --> 02:27.070
I can also do what's called isolation.

02:27.100 --> 02:29.890
Isolation takes segmentation one step further.

02:29.890 --> 02:33.850
I can isolate the machine in such a way that I can monitor what's going on.

02:33.850 --> 02:37.570
It has no communication outside of what I allow it to have.

02:37.600 --> 02:41.050
It's the next stage or the next evolution of segmentation.

02:41.050 --> 02:46.450
When you come down to it, I'm isolating that machine or that series of machines, and I'm monitoring

02:46.480 --> 02:48.490
to see what's going on within the process.

02:48.490 --> 02:50.290
What files are they moving?

02:50.290 --> 02:52.030
Are they doing a ransomware attack?

02:52.030 --> 02:53.440
Are they encrypting my files?

02:53.470 --> 02:55.900
Are they communicating with a server offsite?

02:55.900 --> 03:00.970
I want to be able to monitor everything that that machine is going through, so that I can quickly identify

03:00.970 --> 03:06.490
if there was a specific portion of the malware that maybe we hadn't seen through our normal detection

03:06.490 --> 03:07.830
analysis process.

03:07.830 --> 03:10.260
This is where isolation is really key.

03:10.470 --> 03:12.960
Finally, I want to remove the problem.

03:12.960 --> 03:17.910
Once I've identified all the threat intelligence that I can off that machine, I want to remove the

03:17.910 --> 03:20.130
item from my network as a whole.

03:20.130 --> 03:23.160
This means unplugging it or removing the hard drive.

03:23.160 --> 03:28.620
It could be physically going to the device and logically pulling the plug, or just simply cutting off

03:28.620 --> 03:33.600
the internet connection altogether and not allowing it to proceed forward with any further communication

03:33.600 --> 03:34.620
across the network.

03:34.620 --> 03:37.080
We want to remove the threat from our network

03:37.080 --> 03:40.680
once we've gathered all the intel or data that we possibly can.

03:41.760 --> 03:44.340
That brings us to our next phase of eradication.

03:44.340 --> 03:46.650
I want to be able to remediate the problem

03:46.650 --> 03:48.930
once I've identified everything that's occurring.

03:48.930 --> 03:54.840
I want to remediate the core problem within the machine and the vulnerabilities that it utilized.

03:54.840 --> 03:59.820
The vulnerability could be a simple patch, or it could be a singular issue with a phishing email where

03:59.850 --> 04:04.890
somebody clicked on a link. Whatever it is, whether it's an antivirus program to remove malware off

04:04.890 --> 04:09.720
the machine from a phishing link or it's a vulnerability that an attacker may have exploited, I want

04:09.750 --> 04:12.830
to go through and remediate the problem as best I can.

04:12.860 --> 04:17.690
However, sometimes remediation isn't possible through the preferred means.

04:17.690 --> 04:20.660
There may be financial constraints or business constraints.

04:20.660 --> 04:22.340
It could be a lack of technology.

04:22.370 --> 04:24.110
It could be any number of things.

04:24.110 --> 04:28.310
If that's the case, I may want to use something called compensating controls.

04:28.340 --> 04:34.940
Compensating controls allow for resource constraints, such as budget or personnel availability, to be taken into account

04:34.940 --> 04:37.310
and bring the same level.

04:37.310 --> 04:44.750
And I want to repeat that: the same level of remediation to the problem without spinning the original

04:44.750 --> 04:45.230
idea.

04:45.260 --> 04:50.690
I may have a device that 100% is the problem, and I just plug it in and it fixes the issue.

04:50.720 --> 04:54.080
Something like a firewall, if I need an access control list to be in play.

04:54.110 --> 04:59.960
However, if that's not possible due to these constraints, I can use compensating controls to limit

04:59.960 --> 05:05.480
the structure and perform the same principle that the original device or the original fix would have

05:05.480 --> 05:06.260
performed.

05:07.220 --> 05:09.560
I also want to do vulnerability mitigation.

05:09.560 --> 05:14.890
Once we recover from the incident, we want to restore the system to pre-incident state, but also ensure

05:14.920 --> 05:17.050
similar disruptions don't occur in the future.

05:17.050 --> 05:22.090
We want to mitigate those problems by eliminating the root cause of the event or the incident once we've

05:22.090 --> 05:23.620
identified what occurred.

05:23.650 --> 05:29.740
This vulnerability mitigation fixes the core root of the problem and identifies specific vulnerabilities

05:29.740 --> 05:35.290
in order to remediate those specific issues that allowed the incident to occur in the first place.

05:35.950 --> 05:37.690
Finally, I want to sanitize.

05:37.690 --> 05:43.120
When we talk about sanitization, we're referring to rendering access to the data or the event media

05:43.120 --> 05:45.100
infeasible for future use.

05:45.100 --> 05:50.410
If I have a piece of malware that I just can't get rid of on an antivirus program, the best thing may

05:50.410 --> 05:55.180
be to just overwrite the data with zeros and ones and reimage the device.

05:55.210 --> 05:59.320
Eradication, when we talk about sanitization, can mean overwriting the data.

05:59.350 --> 06:04.030
It could also mean encrypting the data so that somebody doesn't have access to it before degaussing,

06:04.030 --> 06:06.370
or even destroying the data as a whole.

06:06.400 --> 06:13.060
Any one of these items that sanitizes the data to ensure that it cannot be reutilized or used by an attacker

06:13.060 --> 06:16.090
in the future is what we call sanitization.

06:17.170 --> 06:20.290
Finally, I want to recover or reconstruct the issue.

06:20.320 --> 06:26.620
When we talk about reconstruction or reimaging the device, we often refer to a device or a problem

06:26.620 --> 06:30.820
that's had an issue and we just can't fully 100% get past it.

06:30.820 --> 06:34.180
This is where reimaging or reconstructing takes place.

06:34.180 --> 06:39.340
When I re-image a device, I'm literally wiping the drive and putting the brand new operating system

06:39.340 --> 06:40.060
on top of it.

06:40.090 --> 06:46.030
It's not uncommon if I've got a piece of malware inside of a lone client, and that client is causing

06:46.030 --> 06:50.830
some issues just to wipe the drive, re-image it and hand it back to the employee as a fresh, brand

06:50.830 --> 06:51.700
new machine.

06:51.700 --> 06:53.980
This is what's referred to as reimaging.

06:53.980 --> 06:56.530
However, I may sometimes have to reconstruct it.

06:56.530 --> 07:00.640
Maybe it's a server where I've got one little issue that I just can't get past.

07:00.640 --> 07:07.000
I can reconstruct the entire system in such a way that it ignores that one piece of malware, and then

07:07.000 --> 07:10.300
I can rewrite or destroy that piece of malware.

07:10.300 --> 07:12.220
It's the long way around of doing it.

07:12.250 --> 07:17.140
Unlike an antivirus protocol, but it still does the same job.
