Incident response planning.

In this lesson, we're going to discuss some of the different portions of an incident response plan. We're going to talk about things like the incident response team, communication plans, and stakeholder management. Let's get started with incident response teams. Now, what exactly is an incident response team, and who is on that team? Well, your incident response team is key people that are going to be available to respond to any incident that meets the severity and priority thresholds that are set out by your incident response plan, because not everything that you run into is going to require you to activate your incident response team. Some things can just be handled by your incident handlers, and you don't need the full team to do it. But if you have a big issue, like an ongoing data breach or something like that, you're going to want the entire incident response team. So what type of positions are on this incident response team?
Well, first you're going to have an incident response manager or team lead. This person is going to oversee and prioritize actions during the detection, analysis, and containment of an incident. This is a position that I have personally filled numerous times. And I can tell you, it is a difficult position that requires a lot of good soft skills in addition to those traditional in-depth technical skills that some other positions are going to require. This is because your incident response manager or team lead is going to be responsible for conveying information about the response and recovery efforts to the executives and management within your organization. And oftentimes, they also could be thrust into the role of being the public face of the company to the media or law enforcement during an incident response. The second position we have is a security analyst. Your team needs to have one or more security analysts assigned in order to work directly on the affected network and to play detective in order to determine what happened up to this point.
Your security analysts may be assigned into two categories, although some analysts may be working in both categories simultaneously when dealing with a smaller-scale incident. The first of these is known as a triage analyst. A triage analyst is a security analyst that's assigned to work on the network during the incident response. Triage analysts are going to help filter out false positives by properly configuring intrusion detection and protection systems, as well as performing ongoing monitoring and analysis to detect any new or potential intrusions during your incident response. Another type of security analyst we use is what's known as a forensic analyst. Now, a forensic analyst, on the other hand, is going to be more focused on the detective work and trying to piece together what has already occurred on the network. They're going to focus on recovering key artifacts and evidence from the network and then use these to build a timeline of the different events that led up to the incident itself, and that way we can understand what happened up to this point.
Beyond that, you're also going to want to have a threat researcher; this is another key part of your team. These threat researchers are able to complement your analysts by providing threat intelligence and overall context during your incident response. These specialists work to always remain up to date on the current threats that are facing your organization and your specific industry, as well as keeping up to date with previous incidents that may have occurred. I like to think about these folks as a combination of a futurist, in terms of guessing what the bad guys might do, and a historian, because they know all the bad things that the bad guys have done in the past. By using this, they can help us build better security and defenses, as well as trying to get one step ahead of the bad guys who've already broken into our network. Finally, we have cross-functional support. In addition to all the critical roles I already talked about, we also want to expand our team with additional cross-functional support.
This includes people from management or the executive team, somebody from human resources if you're dealing with an employee insider threat, or an attorney or lawyer in the case that the company may want to take legal action against the perpetrator or the attacker. Sometimes you might even have somebody from public relations, because you may have media interest in the incident as well. In addition to all this, you may have to pull in technical experts on specific systems, like system administrators, network administrators, or database administrators, to help you recover back to normal operations as part of your response. All of these are considered cross-functional support, because they're coming from outside of the incident response team itself and across the entire organization.

Now, this incident response team is often known as a CSIRT. A CSIRT is the computer security incident response team, and your CSIRT should be the single point of contact for security incidents. Now, the CSIRT may be part of the SOC, the Security Operations Center, or they could be an independent team.
It just depends on how your organization has set this up. In fact, some organizations have chosen to outsource their security response and their CSIRT teams. This way, whenever there's an incident they would call on this third-party contractor, who will bring their experts to help you bring your systems back online and get the bad guys out of your network. Now, regardless of which way you decide to do it, it's important to realize that being a part of an incident response team is a 24/7 job. Incident response teams will typically require 24/7 availability, and because of this, this can become a very expensive thing to provide. It's also important for you to consider how you're going to rotate out members of your CSIRT, because they can get burned out being on call 24/7. If you happen to work for a small or medium-sized organization, it's most likely the case that you're going to have an outsourced CSIRT team, because it's really expensive to have your own CSIRT team for your organization. So really, unless you have a really large organization, you're probably not going to have a dedicated CSIRT team.
Because the expense of maintaining this and having them ready to run at any time, 24/7, can get very costly. The other benefit of using an external team is that these external agents can often deal more efficiently with the different problems that we have inside of our networks. For example, if you're investigating an insider threat, using a third-party team that's coming from outside your organization would actually be better, because they don't know all the people involved and they will have a clear eye to look through all of the logs and try to figure out exactly who the insider threat is, as opposed to having bias based on knowing these people personally.

Another thing we need to consider during our preparation phase is our communication plan. How are we going to make our communications back to home station or up to leadership in the event of an incident response? This is extremely important, especially in larger organizations where you have a distributed workforce around the country or around the world.
Your teams have to have a secure method of communication for managing your incidents. Now, this is really important, because if you have a VoIP system, for instance, and that's what you're going to use to communicate, well, if an attacker is in that VoIP system they can hear everything you're saying. And they will be tipped off as to all the things you're doing, and they can pivot away from you and gain access further into your systems before you can get them out. And so often what we want to do is use an out-of-band communication system. Now, an out-of-band communication system is one where your signals are being sent between two parties or two devices via a path or method that's different from the primary communication between those two parties or devices. Now, that's a really complicated way of saying things, but let's say, normally, you would go ahead and report to your manager using your corporate email account. Well, if you think that corporate email has been compromised, you don't want to use that as your communication method.
Instead, you want to use an out-of-band communication. That might mean you're going to make a call from your cell phone to their cell phone, or you might use an encrypted path. For example, one of the most commonly used ones is something like WhatsApp, or Signal, or Off the Record. All of these apps have messaging systems with end-to-end encryption, so no attacker can see the information in between that's being sent. And so oftentimes we'll have a channel set up on WhatsApp as a way for us to use as a communication mechanism. So what is your backup communication plan going to be? Well, you have to consider how you're going to communicate with the people who are on call, especially when you have a distributed workforce. For example, at one organization I worked at, we had a team that was actually flown out to a center that was dealing with an incident. Now, at that center they weren't allowed to have smartphones inside that organization, and so when they went into the building we couldn't communicate with them.
So we had to have a way for that team to respond to us, even though they couldn't have smartphones in the building. And what we ended up coming up with was that every hour somebody would leave the building, go to their car, get their smartphone, and then call in to check with us. This is a way of doing things. But again, it was our backup plan: if you can't do this, then you should do this, and every hour send us a message. That was one of the ways we were able to work our way through this. Maybe you're going to send them to an area that doesn't have good cellular coverage. So instead, they're going to have to use a satellite phone, or some other method like that. You're going to have to think these things through for your organization based on your own incidents and your own response plans. Another thing you want to make sure you're doing is always make sure you maintain an up-to-date contact list. The best way to prepare for your team's activation for a future response is to ensure you have an accurate contact list that is prepared ahead of time.
This will include things like their phone numbers and email addresses for each member of the incident response team, as well as others within the organization and your third-party partner organizations. By ensuring you have an accurate contact list that is ready to go, you're going to be better prepared when you receive the message that your team needs to be activated, and in the case of people who have to fly away for a remote response, you're ready to go because you have all the information you need. Another part of your communication plan that you have to consider is what your escalation procedure is going to be for your organization. Basically, at what point should you call the on-call person or team? What exactly defines when the event or incident is bad enough that you need to call somebody and wake them up at three in the morning, instead of waiting till they show up at work at 8am the next day? This is especially important if you're going to use contract personnel.
Because when you call in contract personnel after hours, this can actually have huge additional charges per the contract. So you need to make sure it's clearly outlined, based on your organizational priorities, when you're going to call somebody in. If somebody's email was hacked, you may not call them in for that. But if your credit card system was hacked, you may do that, because it's protected information. These are the type of things to think about, and make sure you have the right policies and procedures in place. Now, another thing we have to think about is how we are going to notify people. Based on the prioritization and categorization of an incident, we're going to have different levels of notification, from none to an email to a 3am wake-up call. If it's a minor incident that's well understood and considered to have low or no priority, then our organization may have procedures in place so the incident handlers and security teams will simply take care of the incident without telling anybody about it.
If we have a more serious incident, though, we're going to have to follow our procedures to notify the right individuals up our organizational chain. This may include people like the chief information officer, or the chief security officer, or the chief information security officer, the incident response team members, the system owners, the system administrators, our point of contact within human resources, a legal department representative, or even public affairs; maybe we even have to call law enforcement. All of this, and the exact methods that you're going to use for these notifications, will be based on your organization's procedures that are going to be developed during this preparation phase of the incident response lifecycle. Now, in addition to figuring out who you're going to notify, you have to know how you're going to notify them. This can include using email, internal web portals, telephone calls, an in-person update, leaving a voicemail, setting up a formal report, or other forms of notification that your company decides are desirable and effective.
In most organizations I've worked at in the past, we've used a phone call or an in-person notification for urgent and high-priority incidents, and then we follow it up with an email or report. For a medium-priority issue, we generally will rely on an email, a voicemail, or possibly even a phone call if it's during working hours. If it's a low-priority incident, then we may handle this through a daily or weekly report or through an internet portal. This is definitely an area where you want to tailor it to suit the needs and desires of your organization. So you need to make sure you're involving those who are going to be notified and ask them what method works best for them and for which categories they want you to use it. The final thing we need to talk about when we're dealing with communication plans is how far out you want this information to go. And what I mean by that is we want to make sure we're preventing unauthorized release of information outside of your CSIRT.
This is because we don't want this information prematurely hitting the front-page news. It is not helpful for an incident to be publicized in the press or through social media outside of your planned communications. Anything that's going to go outside of the team needs to go through the appropriate parties and through public relations. You also need to ensure that parties with privileged information do not release this information to untrusted parties, whether intentionally or inadvertently. Remember, if something is going to get out onto Facebook, or Twitter, or onto Google News, or any other news site, you want to make sure it's done appropriately through the organization with your public relations team, making sure that they are in the know and that they're the ones who are doing that.

When you have an incident, you need to start thinking about who the affected stakeholders are. There are lots of them out there, inside and outside your organization.
For instance, you might have senior leadership that gets involved, you might have regulatory bodies, you might have your internal legal counsel, or external law enforcement. It might be your internal human resources or your internal public relations, and externally the media. All of these are people who are valid stakeholders when you have an incident. And you have to consider how this incident affects them, and how you are going to coordinate your response. Let's go ahead and look at each of these. First, we have senior leadership. When we talk about senior leadership, this is the executives and managers who are responsible for business operations and various functional areas within your company. Now, the reason this is important is because a lot of our incident responders tend to be technical people. And so we, as technical people, might say the quickest way to solve this incident is to shut down that server.
But if we're not understanding the business impact of those actions, that could have second- and third-order effects that'd be very bad for our organization. So we're going to have to get senior leadership involved to understand that if I do this, it's going to have this and that and the other effect, and we have to mitigate those. For example, if your credit card processing system has been compromised and you immediately shut it down, you are cutting off your ability to process new transactions. Now, that might be the right answer technically, but from a business standpoint that could actually hurt you even worse. And so you have to start weighing these factors and working across your organization to make sure you have another way to accept payments before shutting down that credit card system. Or maybe you're going to make the decision that it's okay to shut down the system, but you understand you're going to be giving up the ability to process credit cards right now. That is a business decision, not a technical decision, and so it is one you have to have senior leadership's buy-in on.
The next key stakeholder we have to consider is regulatory bodies. These are governmental organizations that oversee compliance with specific regulations and laws. For example, if we're talking about HIPAA, which has to do with health care, you're going to be overseen by Health and Human Services, because they're the ones who run the HIPAA program. If you're dealing with something like the California Consumer Privacy Act, or CCPA, you're going to be dealing with the state of California. If you're dealing with something like credit card data, you're going to be dealing with PCI DSS and those people who run that program. Again, these are the different regulatory bodies you're going to have to consider. Now, a quick note: when you're dealing with PCI DSS, they're not technically a regulatory body from a legal standpoint, but they do oversee all of the payment card systems.
445 00:15:20,850 --> 00:15:23,400 Now, generally, when we talk about the term regulatory, 446 00:15:23,400 --> 00:15:24,790 we are talking about legal, 447 00:15:24,790 --> 00:15:27,590 and with PCI DSS, it is not a legal requirement, 448 00:15:27,590 --> 00:15:29,250 it is a contractual requirement 449 00:15:29,250 --> 00:15:31,980 between you and your payment processor. 450 00:15:31,980 --> 00:15:34,380 The next stakeholder we have to consider is legal. 451 00:15:34,380 --> 00:15:37,520 Now, legal is the business or organization's legal counsel, 452 00:15:37,520 --> 00:15:38,630 and they're going to be responsible 453 00:15:38,630 --> 00:15:41,290 for mitigating risk from civil lawsuits. 454 00:15:41,290 --> 00:15:43,460 For example, as you're planning out your response 455 00:15:43,460 --> 00:15:45,950 of what you're going to do to stop the breach of data, 456 00:15:45,950 --> 00:15:47,510 you want to make sure legal is in the room 457 00:15:47,510 --> 00:15:49,940 because your actions could come up later on 458 00:15:49,940 --> 00:15:52,280 if your company is sued for its response. 459 00:15:52,280 --> 00:15:53,930 And so you want to make sure they're in the room 460 00:15:53,930 --> 00:15:55,430 and they understand what you're doing, 461 00:15:55,430 --> 00:15:57,380 and they have input into it. 462 00:15:57,380 --> 00:15:58,900 On the other side of the coin, 463 00:15:58,900 --> 00:16:00,150 we have law enforcement, 464 00:16:00,150 --> 00:16:02,770 and law enforcement is an external stakeholder, 465 00:16:02,770 --> 00:16:04,440 they may provide services to assist 466 00:16:04,440 --> 00:16:06,010 in your incident handling efforts, 467 00:16:06,010 --> 00:16:07,670 or to prepare for legal action 468 00:16:07,670 --> 00:16:09,400 against the attacker in the future. 
469 00:16:09,400 --> 00:16:10,870 Now, one quick thing to note, 470 00:16:10,870 --> 00:16:12,960 your decision to involve law enforcement 471 00:16:12,960 --> 00:16:15,270 has to be made by senior executives 472 00:16:15,270 --> 00:16:18,090 with guidance from your internal legal counsel. 473 00:16:18,090 --> 00:16:19,440 You as an incident responder 474 00:16:19,440 --> 00:16:20,900 should not immediately pick up the phone 475 00:16:20,900 --> 00:16:23,280 and call the FBI or the local police, 476 00:16:23,280 --> 00:16:25,770 this is something your business has to decide. 477 00:16:25,770 --> 00:16:28,150 Now, there are cases where it is legally required 478 00:16:28,150 --> 00:16:29,490 to bring in law enforcement. 479 00:16:29,490 --> 00:16:32,520 But in a lot of cases, it is more of a civil issue. 480 00:16:32,520 --> 00:16:33,970 And you have the determination 481 00:16:33,970 --> 00:16:36,400 and the right to decide if you want to press charges 482 00:16:36,400 --> 00:16:37,980 and bring in law enforcement. 483 00:16:37,980 --> 00:16:39,080 So keep that in mind. 484 00:16:39,080 --> 00:16:40,890 And remember, your senior executives 485 00:16:40,890 --> 00:16:42,470 get to make that decision. 486 00:16:42,470 --> 00:16:44,580 Our next stakeholder is human resources, 487 00:16:44,580 --> 00:16:46,530 and this is an internal stakeholder. 488 00:16:46,530 --> 00:16:47,680 They're going to be used to ensure 489 00:16:47,680 --> 00:16:49,430 there's no breaches of employment law 490 00:16:49,430 --> 00:16:52,660 or employee contracts during the incident response. 
491 00:16:52,660 --> 00:16:54,420 For example, if you're suspecting 492 00:16:54,420 --> 00:16:55,750 that there's an internal threat, 493 00:16:55,750 --> 00:16:57,620 and you start questioning employees, 494 00:16:57,620 --> 00:16:59,650 or you want to start going through employee files, 495 00:16:59,650 --> 00:17:01,690 you're going to have to consult human resources, 496 00:17:01,690 --> 00:17:03,490 because you could be breaching employment law 497 00:17:03,490 --> 00:17:04,620 or employee contracts, 498 00:17:04,620 --> 00:17:07,160 so make sure you involve human resources. 499 00:17:07,160 --> 00:17:08,860 And our final stakeholder we want to consult 500 00:17:08,860 --> 00:17:11,110 is public relations, or PR. 501 00:17:11,110 --> 00:17:12,640 Public relations is used to manage 502 00:17:12,640 --> 00:17:15,300 the negative publicity from a serious incident. 503 00:17:15,300 --> 00:17:16,280 Now, this is important 504 00:17:16,280 --> 00:17:19,000 because you want to make sure as the technical lead, 505 00:17:19,000 --> 00:17:20,260 as an incident responder, 506 00:17:20,260 --> 00:17:22,940 you're not the one answering questions from the media. 507 00:17:22,940 --> 00:17:24,140 You don't want to be the one up there, 508 00:17:24,140 --> 00:17:25,550 behind all those microphones 509 00:17:25,550 --> 00:17:28,160 with a sea of reporters asking you questions. 510 00:17:28,160 --> 00:17:29,840 You have people in your organization 511 00:17:29,840 --> 00:17:31,390 whose job it is to handle that. 512 00:17:31,390 --> 00:17:33,450 And they're going to come up with a clear, concise 513 00:17:33,450 --> 00:17:35,910 message that can be said over and over again 514 00:17:35,910 --> 00:17:38,050 to all the inquiries reporters have. 515 00:17:38,050 --> 00:17:39,670 This way you're on brand 516 00:17:39,670 --> 00:17:42,240 and on message across the organization. 
517 00:17:42,240 --> 00:17:44,560 Remember, public relations needs to be involved, 518 00:17:44,560 --> 00:17:47,470 especially with larger breaches that may get the interest 519 00:17:47,470 --> 00:17:49,400 of media and the press. 520 00:17:49,400 --> 00:17:50,870 Now, as part of the CSIRT team, 521 00:17:50,870 --> 00:17:53,630 it's going to be your role to help provide information 522 00:17:53,630 --> 00:17:55,160 to these stakeholders. 523 00:17:55,160 --> 00:17:56,240 As part of the CSIRT, 524 00:17:56,240 --> 00:17:57,580 you're going to be asked for information 525 00:17:57,580 --> 00:17:59,460 regarding the estimated downtime, 526 00:17:59,460 --> 00:18:01,550 the scope of the systems and data affected, 527 00:18:01,550 --> 00:18:03,230 and other relevant details. 528 00:18:03,230 --> 00:18:04,590 And by having that information 529 00:18:04,590 --> 00:18:06,820 and providing that up to the appropriate senior leadership, 530 00:18:06,820 --> 00:18:10,530 human resources, legal, public relations and others, 531 00:18:10,530 --> 00:18:12,090 it's going to make sure that we all are providing 532 00:18:12,090 --> 00:18:14,430 a consistent message and that we're coordinating 533 00:18:14,430 --> 00:18:15,653 our response efforts.