1
00:00:00,260 --> 00:00:01,780
Well, it seems like these days

2
00:00:01,780 --> 00:00:03,240
you can't turn on the evening news

3
00:00:03,240 --> 00:00:04,850
without hearing about some company

4
00:00:04,850 --> 00:00:07,320
who just suffered yet another data breach.

5
00:00:07,320 --> 00:00:08,900
And that's when it hits you,

6
00:00:08,900 --> 00:00:10,680
you're in the information security business.

7
00:00:10,680 --> 00:00:12,590
That means one day, it could be you

8
00:00:12,590 --> 00:00:15,060
who's trying to conduct an incident response and recovery.

9
00:00:15,060 --> 00:00:17,150
Well, try as we might, we can never

10
00:00:17,150 --> 00:00:19,540
make our systems 100% secure.

11
00:00:19,540 --> 00:00:21,320
And that means eventually you're going to have to

12
00:00:21,320 --> 00:00:24,170
perform an incident response and recovery operation.

13
00:00:24,170 --> 00:00:26,380
Now, it's important to realize that how you decide

14
00:00:26,380 --> 00:00:28,610
to handle this issue during that critical time

15
00:00:28,610 --> 00:00:32,050
is going to determine how bad that incident truly becomes.

16
00:00:32,050 --> 00:00:34,620
Personally, I've led numerous incident responses,

17
00:00:34,620 --> 00:00:35,790
and they have not been something

18
00:00:35,790 --> 00:00:37,880
that you should be looking forward to doing yourself.

19
00:00:37,880 --> 00:00:38,940
They are stressful.

20
00:00:38,940 --> 00:00:40,500
They include days without sleep.

21
00:00:40,500 --> 00:00:41,990
The constant threat that the bad guy

22
00:00:41,990 --> 00:00:44,270
is one step ahead of you and that you may not

23
00:00:44,270 --> 00:00:45,610
have fully rooted them out.

24
00:00:45,610 --> 00:00:48,160
But, I digress, and I'm getting a little off topic,

25
00:00:48,160 --> 00:00:50,340
so let's go back to the topic at hand.

26
00:00:50,340 --> 00:00:52,130
Let's talk about some basic definitions

27
00:00:52,130 --> 00:00:54,120
around this topic of incident response.
28
00:00:54,120 --> 00:00:56,560
First, what is an incident response?

29
00:00:56,560 --> 00:00:58,930
Well, an incident response is a set of procedures

30
00:00:58,930 --> 00:01:01,140
that an investigator follows when they're examining

31
00:01:01,140 --> 00:01:03,420
a computer security incident.

32
00:01:03,420 --> 00:01:05,000
These incident response procedures

33
00:01:05,000 --> 00:01:06,810
are part of your organization's overall

34
00:01:06,810 --> 00:01:09,460
computer security incident management program.

35
00:01:09,460 --> 00:01:11,250
This program should consist of the monitoring

36
00:01:11,250 --> 00:01:12,800
and detection of security events

37
00:01:12,800 --> 00:01:15,020
on a computer network and the execution

38
00:01:15,020 --> 00:01:17,730
of proper responses to those security events.

39
00:01:17,730 --> 00:01:19,860
Now, every organization has their own way

40
00:01:19,860 --> 00:01:21,260
of doing incident response.

41
00:01:21,260 --> 00:01:24,590
But, a basic six-step procedure looks something like this:

42
00:01:24,590 --> 00:01:27,640
Preparation, identification, containment,

43
00:01:27,640 --> 00:01:30,780
eradication, recovery and lessons learned.

44
00:01:30,780 --> 00:01:33,440
For the exam, you want to know these six steps

45
00:01:33,440 --> 00:01:35,370
and you want to know the right order,

46
00:01:35,370 --> 00:01:37,437
because you're going to get questions that look something like:

47
00:01:37,437 --> 00:01:39,600
"What is the third step of an incident response?"

48
00:01:39,600 --> 00:01:42,330
Or, "You've just done X, Y and Z actions,

49
00:01:42,330 --> 00:01:43,840
which step are you in?"

50
00:01:43,840 --> 00:01:45,330
Or, "Rearrange these steps

51
00:01:45,330 --> 00:01:47,460
into the proper order for incident response."

52
00:01:47,460 --> 00:01:49,190
And you'll have to move little blocks around

53
00:01:49,190 --> 00:01:51,390
to put them in order from one to six.
54
00:01:51,390 --> 00:01:53,910
Now, first, you need to conduct preparation.

55
00:01:53,910 --> 00:01:55,670
And this is the preparation phase.

56
00:01:55,670 --> 00:01:57,720
It's during this phase that your organization

57
00:01:57,720 --> 00:01:59,500
is going to ensure that it has a well-planned

58
00:01:59,500 --> 00:02:02,820
incident response procedure, a strong security posture

59
00:02:02,820 --> 00:02:05,427
and a knowledgeable chief information security officer

60
00:02:05,427 --> 00:02:07,910
who's able to limit the damage to data

61
00:02:07,910 --> 00:02:11,129
and the company's reputation if an incident response occurs.

62
00:02:11,129 --> 00:02:12,950
Now, we aren't waiting for something bad

63
00:02:12,950 --> 00:02:14,270
to happen without preparing.

64
00:02:14,270 --> 00:02:15,400
We can't do that.

65
00:02:15,400 --> 00:02:17,540
Much like a disaster recovery plan that we have

66
00:02:17,540 --> 00:02:19,750
for a fire or a flood, we need to be prepared

67
00:02:19,750 --> 00:02:21,590
before the incident occurs.

68
00:02:21,590 --> 00:02:23,150
If you wait until the incident happens

69
00:02:23,150 --> 00:02:24,900
to start planning and reacting,

70
00:02:24,900 --> 00:02:27,740
you're already going to be so far behind the bad guy.

71
00:02:27,740 --> 00:02:28,750
It's going to take you forever

72
00:02:28,750 --> 00:02:30,740
and you're going to have a lot of damage.

73
00:02:30,740 --> 00:02:33,050
Second, we have identification.

74
00:02:33,050 --> 00:02:35,350
Identification is the process of recognizing

75
00:02:35,350 --> 00:02:37,560
whether an event is actually going to be categorized

76
00:02:37,560 --> 00:02:38,970
as an incident or not.

77
00:02:38,970 --> 00:02:40,300
There are a lot of events that happen

78
00:02:40,300 --> 00:02:42,040
on a network on a daily basis,

79
00:02:42,040 --> 00:02:45,030
and some of them are minor, and some of them are major.
80
00:02:45,030 --> 00:02:46,780
Your security analysts are responsible

81
00:02:46,780 --> 00:02:48,475
for determining if something is an event

82
00:02:48,475 --> 00:02:52,560
or a larger issue that we would categorize as an incident.

83
00:02:52,560 --> 00:02:55,100
If it's an incident, we then move into our third phase,

84
00:02:55,100 --> 00:02:56,580
which is containment.

85
00:02:56,580 --> 00:02:59,470
Containment is focused on isolating the incident or problem.

86
00:02:59,470 --> 00:03:01,320
For example, if we had a data breach

87
00:03:01,320 --> 00:03:02,890
and it was being conducted actively,

88
00:03:02,890 --> 00:03:04,470
somebody's currently stealing information

89
00:03:04,470 --> 00:03:06,720
from our organization, I want to contain that.

90
00:03:06,720 --> 00:03:09,110
I want to stop them from taking more data out.

91
00:03:09,110 --> 00:03:10,560
And so, that will prevent it from spreading

92
00:03:10,560 --> 00:03:12,600
further and creating more damage.

93
00:03:12,600 --> 00:03:14,350
Similarly, if you have an incident

94
00:03:14,350 --> 00:03:16,120
where you have malware on your system,

95
00:03:16,120 --> 00:03:18,520
you want to be able to terminate the network connection

96
00:03:18,520 --> 00:03:19,670
to prevent it from spreading out

97
00:03:19,670 --> 00:03:21,930
to other machines on your network.

98
00:03:21,930 --> 00:03:24,620
Your fourth step is what's known as eradication.

99
00:03:24,620 --> 00:03:25,630
And this is the phase where

100
00:03:25,630 --> 00:03:27,670
we're going to remove the threat or attack.
101
00:03:27,670 --> 00:03:29,750
For example, going back to my virus example,

102
00:03:29,750 --> 00:03:31,320
let's say I have a virus on the server,

103
00:03:31,320 --> 00:03:32,690
I want to be able to eradicate it,

104
00:03:32,690 --> 00:03:34,060
which means I'm going to clean it out

105
00:03:34,060 --> 00:03:35,390
and remove it from the system,

106
00:03:35,390 --> 00:03:37,880
and make sure the bad thing is gone.

107
00:03:37,880 --> 00:03:39,653
That brings us to our fifth step.

108
00:03:39,653 --> 00:03:41,390
And our fifth step is recovery.

109
00:03:41,390 --> 00:03:42,840
Recovery's focused on making sure

110
00:03:42,840 --> 00:03:45,200
we do data restoration, system repair,

111
00:03:45,200 --> 00:03:47,080
and re-enabling any servers or networks

112
00:03:47,080 --> 00:03:49,321
that we took offline during our incident response.

113
00:03:49,321 --> 00:03:51,370
Basically, I want to get everything back

114
00:03:51,370 --> 00:03:53,150
to a normal operating condition like it was

115
00:03:53,150 --> 00:03:55,150
before we had the incident, except,

116
00:03:55,150 --> 00:03:56,320
I also want to make sure I add

117
00:03:56,320 --> 00:03:58,260
some additional security so that the bad thing

118
00:03:58,260 --> 00:04:00,110
that happened doesn't happen again.

119
00:04:00,110 --> 00:04:01,910
Our sixth and final step is known

120
00:04:01,910 --> 00:04:03,960
as the lessons learned process.

121
00:04:03,960 --> 00:04:05,750
Lessons learned is a process that we use

122
00:04:05,750 --> 00:04:07,970
to document the incident response process

123
00:04:07,970 --> 00:04:09,900
and we make any changes to the procedures

124
00:04:09,900 --> 00:04:11,340
and the processes that we used

125
00:04:11,340 --> 00:04:13,570
that we want to make sure we do better next time.

126
00:04:13,570 --> 00:04:15,770
Basically, we all gather around a big table

127
00:04:15,770 --> 00:04:17,760
in a conference room, and we start at the beginning.
128
00:04:17,760 --> 00:04:19,230
We say: What caused the incident?

129
00:04:19,230 --> 00:04:20,460
What was the root cause?

130
00:04:20,460 --> 00:04:21,530
How did we detect it?

131
00:04:21,530 --> 00:04:23,000
Did the detection work well?

132
00:04:23,000 --> 00:04:24,000
How did we respond to it?

133
00:04:24,000 --> 00:04:25,290
Did we respond to it well?

134
00:04:25,290 --> 00:04:26,650
How did things go during the cleanup?

135
00:04:26,650 --> 00:04:27,780
How about the recovery?

136
00:04:27,780 --> 00:04:29,330
How about bringing it all back online?

137
00:04:29,330 --> 00:04:32,059
Now, based on that, what can we do better next time?

138
00:04:32,059 --> 00:04:34,400
After all, there are no regrets in life,

139
00:04:34,400 --> 00:04:36,750
there are just lessons learned.

140
00:04:36,750 --> 00:04:39,238
(soft electronic music)