WEBVTT

0:00:03.880000 --> 0:00:06.140000
 Hello everyone and welcome.

0:00:06.140000 --> 0:00:12.320000
 In this video, we're going to be taking
 a look at the NIST 800-61 incident

0:00:12.320000 --> 0:00:13.940000
 response lifecycle.

0:00:13.940000 --> 0:00:17.420000
 Now, I know that this course is not
 focused on incident response, but

0:00:17.420000 --> 0:00:24.080000
 given that we have touched on incident
 response as well as incident detection,

0:00:24.080000 --> 0:00:29.220000
 I think it's a very good idea to introduce
 you to this publication so

0:00:29.220000 --> 0:00:33.680000
 that you have this resource that you
 can go through in preparation for

0:00:33.680000 --> 0:00:37.600000
 what we'll be covering in the next set
 of courses within this learning

0:00:37.600000 --> 0:00:42.420000
 path. In either case, this particular
 publication has been really useful

0:00:42.420000 --> 0:00:45.320000
 to me and I think it will be to you.

0:00:45.320000 --> 0:00:49.220000
 So, what is the NIST 800-61?

0:00:49.220000 --> 0:00:55.240000
 Well, the NIST Special Publication 800-61
 outlines a standardized incident

0:00:55.240000 --> 0:01:00.620000
 response lifecycle that organizations
 should follow to effectively prepare

0:01:00.620000 --> 0:01:05.880000
 for, detect, respond to and recover
 from cybersecurity incidents.

0:01:05.880000 --> 0:01:11.840000
 And the lifecycle is divided
 into four main phases.

0:01:11.840000 --> 0:01:18.080000
 So, preparation, detection and analysis,
 containment, eradication and recovery,

0:01:18.080000 --> 0:01:20.080000
 and then the post incident activity.

0:01:20.080000 --> 0:01:23.680000
 And this is something I really like
 about this publication because it

0:01:23.680000 --> 0:01:25.160000
 keeps it simple.

0:01:25.160000 --> 0:01:30.680000
 You have four phases and each of them
 is self-explanatory at this point.

0:01:30.680000 --> 0:01:34.120000
 If you've made it this far in this
 course, then you already know what

0:01:34.120000 --> 0:01:37.900000
 each of these phases entails.

0:01:37.900000 --> 0:01:42.080000
 But I just thought that this was really,
 really helpful

0:01:42.080000 --> 0:01:47.940000
 to me when I was getting or trying to
 understand incident response before

0:01:47.940000 --> 0:01:55.540000
 I got into it formally and I'd worked
 in the SOC of a bank or financial

0:01:55.540000 --> 0:02:00.960000
 institution. But I really liked
 this type of categorization.

0:02:00.960000 --> 0:02:06.620000
 But moving on, we can go through each
 of those phases at least in alignment

0:02:06.620000 --> 0:02:12.480000
 with what is listed in the NIST
 Special Publication 800-61.

0:02:12.480000 --> 0:02:14.860000
 So, starting off with preparation.

0:02:14.860000 --> 0:02:19.680000
 The preparation phase involves establishing
 policies, procedures, tools

0:02:19.680000 --> 0:02:24.660000
 and resources necessary to, and this
 is the key word, effectively detect

0:02:24.660000 --> 0:02:26.220000
 and respond to incidents.

0:02:26.220000 --> 0:02:30.840000
 And some of the key activities within
 this phase include A, developing

0:02:30.840000 --> 0:02:35.780000
 an incident response policy or plan
 and defining the team roles.

0:02:35.780000 --> 0:02:40.180000
 B, establishing communication plans
 and escalation processes, both of

0:02:40.180000 --> 0:02:43.620000
 which we'll actually cover
 in the next set of videos.

0:02:43.620000 --> 0:02:49.100000
 C, deploy and configure security tools,
 which we know are to be the same

0:02:49.100000 --> 0:02:56.580000
 EDR, IDSs, IPSs, you know, conduct
 employee security awareness training.

0:02:56.580000 --> 0:03:02.000000
 Create and test incident response playbooks
 for common scenarios and perform

0:03:02.000000 --> 0:03:05.260000
 threat modeling and risk assessments.

0:03:05.260000 --> 0:03:07.620000
 We then have detection and analysis.

0:03:07.620000 --> 0:03:12.160000
 So this phase focuses on identifying

0:03:12.160000 --> 0:03:17.320000
 potential security incidents and analyzing
 them to confirm their legitimacy

0:03:17.320000 --> 0:03:22.420000
 and impact. So, the key activities
 involved in this phase include or,

0:03:22.420000 --> 0:03:26.760000
 you know, pretty much include A, monitor
 security systems for alerts and

0:03:26.760000 --> 0:03:28.220000
 suspicious activities.

0:03:28.220000 --> 0:03:33.880000
 B, triage and categorize
 alerts based on severity and

0:03:33.880000 --> 0:03:35.700000
 potential impact.

0:03:35.700000 --> 0:03:41.340000
 C, use threat intelligence and forensic
 analysis to confirm incidents.

0:03:41.340000 --> 0:03:46.660000
 D, documenting all findings,
 escalation and investigation.

0:03:46.660000 --> 0:03:52.580000
 And E, determine the scope,
 affected systems and the attacker

0:03:52.580000 --> 0:03:54.840000
 behavior or tradecraft.

0:03:54.840000 --> 0:03:57.780000
 Which we already, we've already
 gone through these phases.

0:03:57.780000 --> 0:04:01.540000
 Or you should understand them by this
 point in the course, but just sort

0:04:01.540000 --> 0:04:03.160000
 of going through them again.

0:04:03.160000 --> 0:04:08.120000
 We then have the containment eradication
 and recovery phase.

0:04:08.120000 --> 0:04:13.740000
 So this phase, if I were to simplify
 it, is really focused on stopping

0:04:13.740000 --> 0:04:15.300000
 the attack, right?

0:04:15.300000 --> 0:04:16.640000
 Or mitigating it.

0:04:16.640000 --> 0:04:18.540000
 I think that's a better word.

0:04:18.540000 --> 0:04:22.580000
 But this, this phase only comes into
 action or, you know, you really only

0:04:22.580000 --> 0:04:26.700000
 get into this phase once
 an incident is confirmed.

0:04:26.700000 --> 0:04:31.660000
 And involves eliminating the threat and
 restoring systems to normal operations

0:04:31.660000 --> 0:04:36.240000
 and the key activities within this phase
 include A, containing the threat

0:04:36.240000 --> 0:04:41.080000
 by isolating affected systems and blocking
 malicious traffic. B, eradicating

0:04:41.080000 --> 0:04:44.460000
 the threat by removing malware, patching
 vulnerabilities and ensuring

0:04:44.460000 --> 0:04:47.320000
 no persistence mechanisms remain.

0:04:47.320000 --> 0:04:51.300000
 Because, you know, attackers or threat
 actors like leaving something behind

0:04:51.300000 --> 0:04:57.460000
 so that they can get in, you know,
 another time or another day.

0:04:57.460000 --> 0:05:03.060000
 And then of course, we have recovering
 systems by restoring data from

0:05:03.060000 --> 0:05:06.000000
 backups and verifying system integrity.

0:05:06.000000 --> 0:05:11.760000
 You then have performing post recovery
 validation or validations to ensure

0:05:11.760000 --> 0:05:17.680000
 the attacker has been fully removed
 or any of their artifacts, you know,

0:05:17.680000 --> 0:05:21.760000
 have been fully removed or
 eradicated, as it were.

0:05:21.760000 --> 0:05:24.600000
 So that's that phase.

0:05:24.600000 --> 0:05:29.040000
 We then have the post incident activity
 phase, which is lessons learned.

0:05:29.040000 --> 0:05:30.480000
 And we haven't gone through
 this formally.

0:05:30.480000 --> 0:05:34.140000
 So I would say this is very important,
 at least in the context of this

0:05:34.140000 --> 0:05:40.000000
 course. But this phase ensures that lessons
 are learned from the incident

0:05:40.000000 --> 0:05:45.180000
 in order to improve future detection
 and response capabilities.

0:05:45.180000 --> 0:05:50.780000
 And the key activities involved in
 this phase include A, conducting a

0:05:50.780000 --> 0:05:55.300000
 post incident review to analyze what
 went well and what failed or what

0:05:55.300000 --> 0:05:57.820000
 didn't work quite well.

0:05:57.820000 --> 0:06:03.080000
 B, updating incident response plans and
 detection rules based on findings.

0:06:03.080000 --> 0:06:07.940000
 C, sharing these findings with threat
 intelligence teams to enrich data.

0:06:07.940000 --> 0:06:13.100000
 D, providing training for SOC teams on
 identified weaknesses or the areas

0:06:13.100000 --> 0:06:17.220000
 where you think or feel that, you
 know, they could have done better.

0:06:17.220000 --> 0:06:24.220000
 And E, or lastly, preparing reports for
 regulatory and compliance requirements.

0:06:24.220000 --> 0:06:28.380000
 So again, I know that the focus of
 this course, as I mentioned, is not

0:06:28.380000 --> 0:06:31.420000
 on incident response, but given that we're
 going to be getting into incident

0:06:31.420000 --> 0:06:34.600000
 response, I think it's very important
 that I give you this, you know,

0:06:34.600000 --> 0:06:39.620000
 formal foray into the incident response
 process, which again, by this

0:06:39.620000 --> 0:06:44.820000
 point, you're already aware of, but
 the NIST 800-61 special publication is

0:06:44.820000 --> 0:06:46.220000
 a great place to start.

0:06:46.220000 --> 0:06:49.940000
 I've sort of summarized what it covers,
 but you can easily search for

0:06:49.940000 --> 0:06:53.180000
 it on Google. And you can
 go through the document.

0:06:53.180000 --> 0:06:56.340000
 In fact, I highly recommend you go
 through the document because it is

0:06:56.340000 --> 0:06:59.280000
 very helpful indeed.

0:06:59.280000 --> 0:07:02.100000
 But with that being said, that's
 going to be it for this video.

0:07:02.100000 --> 0:07:05.160000
 And as always, I'll be seeing
 you in the next video.

