WEBVTT

0:00:03.620000 --> 0:00:06.060000
 Hello everyone and welcome.

0:00:06.060000 --> 0:00:09.720000
 In this video we are going to be taking
 a look at the role of incident

0:00:09.720000 --> 0:00:11.480000
 response in the SOC.

0:00:11.480000 --> 0:00:14.560000
 Now again, you might be wondering to
 yourself why we are sort of going

0:00:14.560000 --> 0:00:18.360000
 over this again because by this point
 in the course you should already

0:00:18.360000 --> 0:00:26.440000
 be aware, to quite a certain extent,
 of what the role of incident response

0:00:26.440000 --> 0:00:32.000000
 in the SOC is. However, it's something
 that I need to sort of formalize

0:00:32.000000 --> 0:00:36.200000
 in the form of a video that you can
 always refer back to, and there are

0:00:36.200000 --> 0:00:40.420000
 a couple of other things that I want
 to point out that have to do with

0:00:40.420000 --> 0:00:47.460000
 you know, the issues or the problems
 faced by the incident response team

0:00:47.460000 --> 0:00:52.560000
 or the incident response process as
 a whole, and, you know, what they are

0:00:52.560000 --> 0:00:58.440000
 caused by, and, you know, there's quite
 a few, there's a lot. The role of

0:00:58.440000 --> 0:01:03.300000
 incident response in the SOC, as you
 already know by this point, you know,

0:01:03.300000 --> 0:01:08.360000
 it all really depends on how the SOC
 and the SOC team is sort of set up

0:01:08.360000 --> 0:01:12.540000
 and laid out, as well as, you know, the
 resources available, the maturity

0:01:12.540000 --> 0:01:17.200000
 of the organization. But, you know, I
 sort of wanted to formalize it and,

0:01:17.200000 --> 0:01:24.980000
 in that sense, or in this particular
 case, sort of tie off any loose ends

0:01:24.980000 --> 0:01:32.360000
 that I might have missed or skipped, so
 sort of revisiting incident response

0:01:32.360000 --> 0:01:37.500000
 with regards to it being a, you know,
 important function within the SOC.

0:01:37.500000 --> 0:01:44.620000
 What is incident response? What is the
 role of incident response within

0:01:44.620000 --> 0:01:49.200000
 a SOC? Well, the core function, just again
 to clarify it and to crystallize

0:01:49.200000 --> 0:01:54.240000
 this, is to ensure that any detected
 security threats or incidents are

0:01:54.240000 --> 0:01:59.760000
 properly analyzed, managed and resolved,
 and the SOC's primary responsibility

0:01:59.760000 --> 0:02:03.820000
 is to ensure that incidents are identified
 early and handled effectively

0:02:03.820000 --> 0:02:08.760000
 to minimize risk to the organization.
 So the point I'm trying to make here

0:02:08.760000 --> 0:02:13.380000
 is that, you know, generally speaking,
 regardless as to the structure of

0:02:13.380000 --> 0:02:18.740000
 the SOC team and where incident response
 falls within the SOC team, whether

0:02:18.740000 --> 0:02:23.420000
 it's yours or, you know, just generally
 speaking, incident response is a

0:02:23.420000 --> 0:02:30.300000
 core function or core service of, you
 know, a security operations center,

0:02:30.300000 --> 0:02:36.320000
 and its primary responsibility or role
 is, you know, again I'll just repeat

0:02:36.320000 --> 0:02:40.100000
 it, to ensure that detected security
 threats or incidents are properly

0:02:40.100000 --> 0:02:45.180000
 analyzed, managed and resolved. Okay, you're
 already aware of that, so let's

0:02:45.180000 --> 0:02:49.440000
 just go over, you know, the various roles
 or, you know, and all responsibilities

0:02:49.440000 --> 0:02:56.440000
 of incident response as a process within
 the SOC. So this is again stuff

0:02:56.440000 --> 0:03:00.960000
 that should not be new to
 you by this point, so, you know, we'll

0:03:00.960000 --> 0:03:05.380000
 just go over it briefly. We have threat
 detection and monitoring. So what

0:03:05.380000 --> 0:03:08.900000
 are the activities here? Well, the SOC continuously
 monitors the organization's

0:03:08.900000 --> 0:03:14.220000
 networks, endpoints and systems for
 suspicious activities or IOCs, using

0:03:14.220000 --> 0:03:18.080000
 tools like EDR, you know, intrusion
 detection and intrusion prevention

0:03:18.080000 --> 0:03:23.640000
 systems, and the IR teams or the incident
 responders in the SOC are responsible

0:03:23.640000 --> 0:03:27.940000
 for analyzing alerts and determining whether
 they represent a true security

0:03:27.940000 --> 0:03:32.900000
 incident. So the point I'm trying to,
 you know, make here is that without

0:03:32.900000 --> 0:03:39.920000
 the incident response team, the SOC really
 cannot

0:03:39.920000 --> 0:03:46.240000
 tell if, you know, an incident or an event
 or, you know, an alert is legitimate,

0:03:46.240000 --> 0:03:51.580000
 because it requires investigation, and,
 you know, this is what the IR team

0:03:51.580000 --> 0:03:55.900000
 is there for, or the, you know, incident
 responders, as it were. We then have

0:03:55.900000 --> 0:03:59.540000
 triage, right, which we've covered already,
 but just to go over it again:

0:03:59.540000 --> 0:04:04.400000
 so when an alert is triggered, SOC analysts
 conduct event triage to determine

0:04:04.400000 --> 0:04:09.640000
 the severity, scope and potential impact,
 and IR comes into play here by

0:04:09.640000 --> 0:04:13.820000
 classifying incidents based on severity
 levels. So there's classification,

0:04:13.820000 --> 0:04:18.760000
 you know, in the form of low, moderate,
 high, critical, and then uses that to

0:04:18.760000 --> 0:04:23.920000
 prioritize their response accordingly.
 So they essentially, again, help this

0:04:23.920000 --> 0:04:28.640000
 or assist in this process. Not assist,
 they actually play a crucial role

0:04:28.640000 --> 0:04:32.840000
 by, you know, performing the required
 classification so that they can deal

0:04:32.840000 --> 0:04:37.880000
 with what needs to be dealt with first
 with regards to events or incidents

0:04:37.880000 --> 0:04:43.260000
 that pose, you know, the highest risk
 to the organization, and so they take

0:04:43.260000 --> 0:04:48.400000
 that off the plate of the, you know, SOC
 tier one analysts, for example. We

0:04:48.400000 --> 0:04:52.640000
 then have incident investigation, right,
 so the IR team conducts deep or

0:04:52.640000 --> 0:04:56.900000
 thorough investigations to identify
 stuff like the root cause, scope and

0:04:56.900000 --> 0:05:00.740000
 impact of the incident. So the SOC, their
 primary objective, if we think of

0:05:00.740000 --> 0:05:05.460000
 the SOC tier one analysts, for example,
 and all the technologies in there,

0:05:05.460000 --> 0:05:10.140000
 they really are just telling the SOC
 tier one analysts that, hey, this looks

0:05:10.140000 --> 0:05:16.580000
 suspicious. But the IR team, or the role
 that IR plays within a SOC, is to

0:05:16.580000 --> 0:05:22.360000
 say okay, let's investigate a particular
 incident, let's find out what caused

0:05:22.360000 --> 0:05:26.780000
 it, what the root cause is, what the
 scope is and, you know, the potential,

0:05:26.780000 --> 0:05:31.700000
 not the potential, the impact of the
 incident. And, you know, this involves,

0:05:31.700000 --> 0:05:36.180000
 you know, this is sort of multidisciplinary
 in that you have log analysis,

0:05:36.180000 --> 0:05:42.000000
 endpoint forensics, network analysis
 and, you know, network forensics as

0:05:42.000000 --> 0:05:46.820000
 well in the form of, you know, traffic
 analysis etc., malware traffic analysis,

0:05:46.820000 --> 0:05:52.560000
 and then, you know, leveraging threat
 intelligence for context. And so IR

0:05:52.560000 --> 0:05:57.240000
 is very important in this because it
 goes beyond just, you know, saying

0:05:57.240000 --> 0:06:03.400000
 or containing a particular, you know, compromised
 system and then performing

0:06:03.400000 --> 0:06:08.260000
 the eradication and recovery. It also tells
 you other important things like,

0:06:08.260000 --> 0:06:12.080000
 you know, what caused this intrusion
 or what was the root cause of the

0:06:12.080000 --> 0:06:16.300000
 intrusion, what was the scope, so how
 many systems were affected by the

0:06:16.300000 --> 0:06:21.740000
 intrusion, and what was the impact in
 terms of, you know, business continuity,

0:06:21.740000 --> 0:06:27.760000
 you know, data, so on and so forth. And then
 when you add in threat intelligence

0:06:27.760000 --> 0:06:32.020000
 into this, you're sort of contextualizing
 it from the perspective of, let's

0:06:32.020000 --> 0:06:37.480000
 say, the attacker, and you're able to
 sort of, you know, accurately profile

0:06:37.480000 --> 0:06:43.320000
 the adversary based on what they did, you
 know, to gain access to the compromised

0:06:43.320000 --> 0:06:48.980000
 system, or to compromise a particular
 system, but also what they did after

0:06:48.980000 --> 0:06:54.520000
 gaining initial access. So this is all
 very important. And then of course

0:06:54.520000 --> 0:06:58.140000
 we have containment. So you're already
 aware of this: the IR teams develop

0:06:58.140000 --> 0:07:01.720000
 and implement containment strategies
 to limit the spread of the incident

0:07:01.720000 --> 0:07:07.280000
 so a very, very important role there. You
 then have eradication, recovery, post

0:07:07.280000 --> 0:07:10.980000
 incident review and analysis, documentation
 and reporting, and then coordination

0:07:10.980000 --> 0:07:15.860000
 with external stakeholders. So starting
 off with eradication: the SOC

0:07:15.860000 --> 0:07:20.720000
 IR team, or again, it could just be a
 single SOC tier two analyst, but in

0:07:20.720000 --> 0:07:24.740000
 most cases it's going to be more than just
 one SOC tier two analyst. If it is

0:07:24.740000 --> 0:07:28.960000
 a dedicated team, it's pretty much, you
 know, going to be the same. So

0:07:28.960000 --> 0:07:32.800000
 if you're a bit confused as to why I'm
 referring to a team or a SOC tier

0:07:32.800000 --> 0:07:37.680000
 two analyst, just know that I'm referring
 to the same role, as it were, because

0:07:37.680000 --> 0:07:42.220000
 if you remember, the SOC tier two analyst
 is pretty much, you know, it's

0:07:42.220000 --> 0:07:46.580000
 known or defined that they are
 the ones who do incident response.

0:07:46.580000 --> 0:07:51.720000
 So the SOC IR team ensures that malware is
 removed, vulnerabilities are

0:07:51.720000 --> 0:07:55.600000
 patched, and persistence mechanisms like
 backdoors are eliminated, and they

0:07:55.600000 --> 0:07:59.540000
 conduct thorough system scans to ensure
 the complete removal of the threat.

0:07:59.540000 --> 0:08:04.060000
 You then have recovery, right, so the
 IR team coordinates with IT teams

0:08:04.060000 --> 0:08:08.660000
 to restore systems from clean backups
 and ensure operations are back to

0:08:08.660000 --> 0:08:13.040000
 normal. Very important as well, and they
 validate system integrity to ensure

0:08:13.040000 --> 0:08:17.000000
 that no residual threats remain. Then
 of course there's the important

0:08:17.000000 --> 0:08:21.080000
 aspect of incident response which,
 you know, comes towards the end of an

0:08:21.080000 --> 0:08:24.620000
 incident, which is the post-incident
 review and analysis, which is very

0:08:24.620000 --> 0:08:28.800000
 important because all of, you know, the
 post-incident review and analysis

0:08:28.800000 --> 0:08:33.220000
 and lessons learned, you know, feed
 back into the SOC team so that they

0:08:33.220000 --> 0:08:36.580000
 can make improvements, you know, they
 can improve where they failed, so on

0:08:36.580000 --> 0:08:41.060000
 and so forth. So after an incident is
 resolved, the SOC conducts a lessons

0:08:41.060000 --> 0:08:45.360000
 learned session to evaluate the response
 process. And then of course you

0:08:45.360000 --> 0:08:49.960000
 have documentation and reporting. So the
 IR team maintains detailed documentation

0:08:49.960000 --> 0:08:54.700000
 of every incident, including timelines,
 the actions that they took and the

0:08:54.700000 --> 0:08:58.140000
 mitigation steps. That's, if you remember,
 with the diagram examples I was

0:08:58.140000 --> 0:09:03.860000
 giving, I sort of followed what an incident
 responder would do by clearly

0:09:03.860000 --> 0:09:10.420000
 outlining the questions that I asked
 myself. So for example, is this IP

0:09:10.420000 --> 0:09:16.080000
 known to us? Then I perform the
 actual investigation and I answer

0:09:16.080000 --> 0:09:20.800000
 it. So you start with a hypothesis, or
 in this case a question. I then go

0:09:20.800000 --> 0:09:25.700000
 ahead and validate it or, you know, invalidate it,
 as it were, and that tells me

0:09:25.700000 --> 0:09:30.700000
 something. So if the IP is not known,
 then it means I need to investigate

0:09:30.700000 --> 0:09:34.940000
 this a little bit more because it's
 most likely malicious. So then you,

0:09:34.940000 --> 0:09:38.360000
 know, go and see whether this IP has
 been known, using threat intelligence

0:09:38.360000 --> 0:09:42.520000
 tools or, you know, just as part of threat
 intelligence, to see whether it's,

0:09:42.520000 --> 0:09:53.780000
 this IP has been flagged by other organizations
 or, you know, just. So the

0:09:53.780000 --> 0:09:57.140000
 bottom line is that, you know, the IR team
 maintains detailed documentation

0:09:57.140000 --> 0:10:01.000000
 of every incident, including timelines,
 actions taken and mitigation steps,

0:10:01.000000 --> 0:10:05.140000
 and reports are shared with executive
 leadership, legal teams and regulatory

0:10:05.140000 --> 0:10:09.760000
 bodies as needed, or as and when required.
 And then you have coordination

0:10:09.760000 --> 0:10:14.780000
 with external stakeholders. So in the
 case of severe incidents, the SOC

0:10:14.780000 --> 0:10:18.440000
 IR team may need to coordinate with
 law enforcement, which is something

0:10:18.440000 --> 0:10:23.200000
 that you have to be prepared for, regulators
 and external consultants, and

0:10:23.200000 --> 0:10:27.000000
 they ensure compliance with breach notification
 requirements and assist in

0:10:27.000000 --> 0:10:33.020000
 legal investigations. So finally, to
 tie everything in together, you know,

0:10:33.020000 --> 0:10:37.380000
 to actually bring this to a close
 with regards to, you know, the

0:10:37.380000 --> 0:10:43.600000
 SOC and incident response, how does
 incident response

0:10:43.600000 --> 0:10:48.100000
 as a process, and, you know, even if you were
 to look at it as a team, collaborate

0:10:48.100000 --> 0:10:53.720000
 with other SOC functions? So, let's say,
 let's start off with SOC analysts.

0:10:53.720000 --> 0:10:59.400000
 So what's the collaboration here? Well,
 the IR team receives escalated alerts

0:10:59.400000 --> 0:11:04.560000
 from the SOC tier one analysts, really,
 for deeper investigation and action.

0:11:04.560000 --> 0:11:09.760000
 What about the threat intelligence team
 or the threat intelligence analysts?

0:11:09.760000 --> 0:11:18.380000
 Well, the IR team receives IOCs and
 TTPs to contextualize behavior. What

0:11:18.380000 --> 0:11:24.780000
 info do they get from the red team? Well,
 the IR team, you know, shares

0:11:24.780000 --> 0:11:28.620000
 lessons learned from real incidents to
 refine red team simulations. That's

0:11:28.620000 --> 0:11:32.960000
 actually, you know, the red team that
 does that. And then of course SOAR,

0:11:32.960000 --> 0:11:37.940000
 which is not really a team but more
 so a function. But how does the IR team

0:11:37.940000 --> 0:11:43.860000
 utilize, you know, SOAR? Well, it utilizes
 SOAR to automate certain IR

0:11:43.860000 --> 0:11:48.600000
 tasks like isolating endpoints or blocking
 IPs. And then you have management

0:11:48.600000 --> 0:11:53.160000
 and compliance. So what's the IR team
 collaboration here? Well, you know, the

0:11:53.160000 --> 0:11:58.340000
 IR team provides detailed reports to ensure
 regulatory compliance. So hopefully

0:11:58.340000 --> 0:12:03.060000
 by this point you now understand what
 a SOC is, what its primary services

0:12:03.060000 --> 0:12:14.240000
 are, the categories of services, whether
 they're, you know, response, incident

0:12:14.240000 --> 0:12:19.820000
 detection, the incident response lifecycle.
 So it's all starting to come

0:12:19.820000 --> 0:12:23.760000
 together, and I hope that this video would
 tie it in together, and I'm pretty

0:12:23.760000 --> 0:12:29.160000
 sure that I've done so. But hopefully
 that all makes sense. One of the final

0:12:29.160000 --> 0:12:33.500000
 things I want to touch on is the importance
 of incident response

0:12:33.500000 --> 0:12:38.020000
 in the SOC. Now you're
 probably already aware of this, but

0:12:38.020000 --> 0:12:43.860000
 I, you know, let's just start off with
 a mission statement, right. So let's

0:12:43.860000 --> 0:12:47.100000
 just say that the SOC's primary mission
 is to detect, respond to and prevent

0:12:47.100000 --> 0:12:51.560000
 security incidents. So what's the importance
 of IR? To summarize

0:12:51.560000 --> 0:12:56.740000
 it in key points, with no table, no
 in-depth analysis, how would I sort

0:12:56.740000 --> 0:13:03.520000
 of elevator-speech type of deal: (a) incident
 response plays a central role

0:13:03.520000 --> 0:13:11.560000
 in achieving this; (b) ensuring
 rapid identification and containment

0:13:11.560000 --> 0:13:16.840000
 of attacks; (c) minimizing damage and ensuring
 timely recovery of operations;

0:13:16.840000 --> 0:13:22.120000
 and (d) driving continuous improvement
 in detection, prevention and response

0:13:22.120000 --> 0:13:27.160000
 capabilities. And then finally, something
 that I really didn't want to cover

0:13:27.160000 --> 0:13:30.860000
 in its own video, but I just wanted
 to outline what the common problems

0:13:30.860000 --> 0:13:35.500000
 faced by the IR team and the SOC usually
 are, generally, and I'm generalizing

0:13:35.500000 --> 0:13:41.600000
 this, but one of the most common issues
 faced is alert fatigue, so managing

0:13:41.600000 --> 0:13:45.400000
 a high volume of false positive alerts,
 which is why I sort of wanted to

0:13:45.400000 --> 0:13:52.780000
 outline the roles and responsibilities
 or sort of explain the triage process

0:13:52.780000 --> 0:13:56.760000
 which is supposed to clean this up.
 So the bottom line is SOC tier one

0:13:56.760000 --> 0:14:01.220000
 analysts cannot be sending over a huge
 amount of false positives to the

0:14:01.220000 --> 0:14:05.340000
 incident response team or the SOC tier
 two analysts, and there should be

0:14:05.340000 --> 0:14:09.920000
 a way for them to automate, you know, the
 handling of, let's say, false positives.

0:14:09.920000 --> 0:14:15.580000
 We also have skill gaps, right, so, you
 know, there's a constant

0:14:15.580000 --> 0:14:19.300000
 need to ensure that the incident response
 team is skilled in forensics,

0:14:19.300000 --> 0:14:24.400000
 malware analysis and containment strategies.
 In certain cases there is also limited

0:14:24.400000 --> 0:14:28.080000
 visibility. What does this mean? Incomplete
 data from network or endpoint

0:14:28.080000 --> 0:14:32.300000
 systems can hamper investigations. That's
 why I also explained incident

0:14:32.300000 --> 0:14:37.640000
 detection as a process within the SOC
 and why that's so important, because

0:14:37.640000 --> 0:14:41.520000
 without proper incident detection,
 you know, you wouldn't even

0:14:41.520000 --> 0:14:47.600000
 be able to detect incidents, you know,
 holistically or accurately. And then

0:14:47.600000 --> 0:14:57.620000
 finally there's a lack of automation,
 so manual processes can slow down

0:14:57.620000 --> 0:15:00.600000
 going to set the stage for the next
 section of this course, which will

0:15:00.600000 --> 0:15:05.180000
 be focused on automating SOC processes,
 so that you also have an idea of

0:15:05.180000 --> 0:15:10.380000
 how this is performed or done. And with
 that being said, that brings us

0:15:10.380000 --> 0:15:14.300000
 to the end of this video and I will
 be seeing you in the next video.

