WEBVTT

0:00:03.460000 --> 0:00:06.660000
 Hello everyone and welcome to this video.


0:00:06.660000 --> 0:00:10.420000
 In this video we are going to be taking
 a look at incident containment

0:00:10.420000 --> 0:00:16.120000
 and eradication as part of the overall
 incident response life cycle or

0:00:16.120000 --> 0:00:21.800000
 process. Now, by this point in this
 course you should have a fairly good

0:00:21.800000 --> 0:00:25.840000
 idea as to what incident containment
 and eradication is.

0:00:25.840000 --> 0:00:30.240000
 But I just wanted to go over it formally
 so that again it's something

0:00:30.240000 --> 0:00:36.240000
 that we have indeed covered and that
 you are aware of in terms of the

0:00:36.240000 --> 0:00:43.320000
 intricacies involved and you'll actually
 see what those intricacies are.

0:00:43.320000 --> 0:00:45.440000
 So let's get started.

0:00:45.440000 --> 0:00:50.760000
 In the incident response life cycle,
 the containment and eradication phase

0:00:50.760000 --> 0:00:56.240000
 is crucial for minimizing damage, preventing
 lateral movement and of course

0:00:56.240000 --> 0:00:59.920000
 eliminating the threats from
 the environment if any.

0:00:59.920000 --> 0:01:04.020000
 Effective containment and eradication
 strategies ensure that incidents

0:01:04.020000 --> 0:01:10.340000
 are handled quickly and they prevent
 attackers from re-entering or causing

0:01:10.340000 --> 0:01:14.700000
 further harm because one of the things
 attackers like doing is leaving

0:01:14.700000 --> 0:01:19.240000
 a little backdoor or a form of persistence
 so they can always get in at

0:01:19.240000 --> 0:01:22.160000
 a later date once the heat has died down.


0:01:22.160000 --> 0:01:26.600000
 So it's very important, the eradication
 phase is very important with regards

0:01:26.600000 --> 0:01:31.880000
 to that aspect. So this phase occurs
 after the detection and analysis

0:01:31.880000 --> 0:01:37.420000
 phase and lays the groundwork for successful
 recovery which is the phase

0:01:37.420000 --> 0:01:42.400000
 that comes after containment eradication
 which we've already gone over

0:01:42.400000 --> 0:01:46.260000
 but the focus here let's
 begin with containment.

0:01:46.260000 --> 0:01:48.180000
 So what is containment?

0:01:48.180000 --> 0:01:51.580000
 You know the word is sort of self-explanatory
 but in the context of incident

0:01:51.580000 --> 0:01:55.940000
 response, containment involves taking
 immediate actions to limit the scope

0:01:55.940000 --> 0:02:01.400000
 and the impact of a security incident
 or you know an intrusion.

0:02:01.400000 --> 0:02:05.300000
 The goal is to isolate affected systems,
 prevent the attacker from moving

0:02:05.300000 --> 0:02:10.120000
 laterally and ensure the organization can
 maintain operations while preparing

0:02:10.120000 --> 0:02:12.700000
 for full threat eradication.

0:02:12.700000 --> 0:02:23.280000
 So what are the objectives of the spread
 of malware or unauthorized access?

0:02:23.280000 --> 0:02:28.480000
 B, limit the attacker's ability to
 access additional systems or data?

0:02:28.480000 --> 0:02:33.260000
 C, preserve forensic evidence for further
 investigation and D, maintain

0:02:33.260000 --> 0:02:36.200000
 business continuity by
 minimizing downtime.

0:02:36.200000 --> 0:02:40.160000
 That's arguably one of the objectives
 that's going to be really important

0:02:40.160000 --> 0:02:44.200000
 for the executives or the executive
 level as it were.

0:02:44.200000 --> 0:02:48.840000
 But now this is sort of what I wanted
 the focus of this video to be and

0:02:48.840000 --> 0:02:55.940000
 that is the categorization of containment
 in terms of the you know the

0:02:55.940000 --> 0:03:05.160000
 nature of the actions taken and you know
 the holistic nature of the containment.

0:03:05.160000 --> 0:03:09.320000
 So what that means is we have short-term
 containment as well as long-term

0:03:09.320000 --> 0:03:19.560000
 containment. So short-term so think of
 your emergency response as it were

0:03:19.560000 --> 0:03:24.320000
 and they really you know given the fact
 that they are short-term and their

0:03:24.320000 --> 0:03:28.700000
 job is to stop the attack from spreading
 are going to be temporary and

0:03:28.700000 --> 0:03:33.480000
 you know they're meant to quickly isolate
 the compromised system or systems

0:03:33.480000 --> 0:03:39.020000
 plural. And examples of short-term containment
 measures or actions include

0:03:39.020000 --> 0:03:48.540000
 disconnecting the affected devices from
 infectious IP addresses or domains,

0:03:48.540000 --> 0:03:52.260000
 disabling compromised user accounts and
 of course applying temporary network

0:03:52.260000 --> 0:03:57.280000
 segmentation. Examples of these
 are you know VLAN isolation.

0:03:57.280000 --> 0:04:00.820000
 In terms of long-term containment these
 are more comprehensive measures

0:04:00.820000 --> 0:04:06.360000
 designed to allow business operations to
 continue while planning eradication.

0:04:06.360000 --> 0:04:10.900000
 And you know it focuses on enhancing
 the security posture before a full

0:04:10.900000 --> 0:04:12.900000
 remediation effort is conducted.

0:04:12.900000 --> 0:04:17.320000
 And examples of these long-term containment
 actions are patching vulnerable

0:04:17.320000 --> 0:04:23.060000
 systems to prevent exploitation, rebuilding
 systems with hardened configuration.

0:04:23.060000 --> 0:04:27.980000
 So you now harden the systems you know
 based on lessons learned and then

0:04:27.980000 --> 0:04:31.300000
 you implement more robust
 monitoring mechanisms.

0:04:31.300000 --> 0:04:41.180000
 So you take in again lessons learned from
 the incident and sort of identify

0:04:41.180000 --> 0:04:47.580000
 those types of incidents or behavior
 or activity quicker the next time

0:04:47.580000 --> 0:04:51.040000
 around. So that's containment.

0:04:51.040000 --> 0:04:56.620000
 We then have eradication which is again
 a fairly simple concept to understand.

0:04:56.620000 --> 0:05:01.000000
 Eradication is the process of removing
 the root cause, that's the keyword

0:05:01.000000 --> 0:05:05.400000
 there, of the incident and ensuring that
 the attacker's access or persistence

0:05:05.400000 --> 0:05:07.680000
 mechanisms are fully eliminated.

0:05:07.680000 --> 0:05:12.060000
 And the goal here is to clean the environment
 or you know the affected

0:05:12.060000 --> 0:05:17.040000
 system or systems and ensure that
 the threat cannot reoccur.

0:05:17.040000 --> 0:05:20.200000
 And the objectives of eradication based
 on that description that I've

0:05:20.200000 --> 0:05:21.460000
 given you are A.

0:05:21.460000 --> 0:05:24.960000
 Identify and remove malware or
 any other malicious artifacts.

0:05:24.960000 --> 0:05:29.240000
 B. Patch exploited vulnerabilities
 and close attack vectors or you know

0:05:29.240000 --> 0:05:31.880000
 add or implement mitigations.

0:05:31.880000 --> 0:05:35.660000
 C. Remove any backdoors or persistence
 mechanisms used by the attackers

0:05:35.660000 --> 0:05:39.340000
 that's you know quite common that's
 why I've repeated it twice.

0:05:39.340000 --> 0:05:43.300000
 And then lastly validate the threat
 validate that the threat has been

0:05:43.300000 --> 0:05:44.840000
 fully removed from the environment.

0:05:44.840000 --> 0:05:51.260000
 So you know eradication as I said the word
 in and of itself is self-explanatory.

0:05:51.260000 --> 0:05:56.120000
 But this is these objectives sort of
 underline or underpin what the focus

0:05:56.120000 --> 0:06:03.160000
 is. So in sort of further elaborating
 on eradication it's very important

0:06:03.160000 --> 0:06:07.760000
 that we break down the key activities
 or the objectives as it were and

0:06:07.760000 --> 0:06:10.540000
 sort of describe what they entail.

0:06:10.540000 --> 0:06:14.500000
 So what you'll typically see is you
 have root cause analysis, artifact

0:06:14.500000 --> 0:06:18.680000
 removal, patch management and hardening,
 credential resets and you know

0:06:18.680000 --> 0:06:22.220000
 credential management in general
 and log analysis and monitoring.

0:06:22.220000 --> 0:06:26.240000
 So in the case of root cause analysis
 what you're trying to do here is

0:06:26.240000 --> 0:06:29.900000
 identifying how the attacker gained access
 and understanding the tactics,

0:06:29.900000 --> 0:06:34.600000
 techniques and procedures also known
 as TTPs or tradecraft in general

0:06:34.600000 --> 0:06:39.080000
 and then determining if persistence
 mechanisms were indeed configured

0:06:39.080000 --> 0:06:44.100000
 or established. In the case of artifact
 removal that again is self-explanatory.

0:06:44.100000 --> 0:06:48.600000
 Here you're deleting malware, scripts, tools,
 backdoors or any other malicious

0:06:48.600000 --> 0:06:50.620000
 code from the systems.

0:06:50.620000 --> 0:06:53.800000
 And you know you're removing unauthorized
 user accounts and network connections

0:06:53.800000 --> 0:06:57.920000
 as well. You then have patch management
 and hardening so you're applying

0:06:57.920000 --> 0:07:02.000000
 patches to eliminate or mitigate the vulnerabilities
 and you're strengthening

0:07:02.000000 --> 0:07:05.240000
 security configurations
 on affected systems.

0:07:05.240000 --> 0:07:08.840000
 You then have credential resets and
 you know credential management in

0:07:08.840000 --> 0:07:12.320000
 general which involves resetting
 compromised credentials.

0:07:12.320000 --> 0:07:16.620000
 If they were part of the intrusion but
 even you know regardless of that

0:07:16.620000 --> 0:07:20.620000
 you need to reset credentials because
 the attackers may have gotten a

0:07:20.620000 --> 0:07:24.460000
 hold of hashes and cracked passwords
 or may just have got the password.

0:07:24.460000 --> 0:07:28.720000
 So you're resetting the compromised credentials
 and enhancing authentication

0:07:28.720000 --> 0:07:32.520000
 mechanisms and more importantly this
 is the best time after an incident

0:07:32.520000 --> 0:07:38.040000
 to sort of enforce or if you haven't
 implemented already to enforce MFA,

0:07:38.040000 --> 0:07:44.380000
 multi-factor authentication or if you
 haven't implemented it then this

0:07:44.380000 --> 0:07:46.780000
 is a great time to sort of implement it.

0:07:46.780000 --> 0:07:48.880000
 You then have log analysis
 and monitoring.

0:07:48.880000 --> 0:07:52.340000
 You may be a little bit confused as to
 why that's in the eradication phase

0:07:52.340000 --> 0:07:55.780000
 but what you're doing here is you're
 sort of reviewing logs to confirm

0:07:55.780000 --> 0:07:58.580000
 that all signs of compromise
 have been addressed.

0:07:58.580000 --> 0:08:02.240000
 So you're actually going back to the
 detection phase to see whether you

0:08:02.240000 --> 0:08:06.980000
 can detect anything else that's going
 on or anything fishy and you know

0:08:06.980000 --> 0:08:10.040000
 you're doing this to ensure you know
 you're ensuring continuous monitoring

0:08:10.040000 --> 0:08:13.920000
 for signs of reinfection because that
 is something that can also happen

0:08:13.920000 --> 0:08:18.320000
 especially if you're dealing with
 an advanced persistent threat.

0:08:18.320000 --> 0:08:20.720000
 With that being said that's going
 to be it for this video.

0:08:20.720000 --> 0:08:25.800000
 Hopefully you know better understand
 containment and eradication in the

0:08:25.800000 --> 0:08:31.200000
 context of a SOC in general but more
 specifically the incident response

0:08:31.200000 --> 0:08:36.440000
 process or lifecycle and with that being
 said there's nothing more that

0:08:36.440000 --> 0:08:39.900000
 I want to add here so that's going
 to be it for this video and I will

0:08:39.900000 --> 0:08:41.820000
 be seeing you in the next video.

