WEBVTT

0:00:03.880000 --> 0:00:08.360000
 Hello everyone and welcome to the
 first section of this course.

0:00:08.360000 --> 0:00:12.740000
 We're going to be kicking off by getting
 a formal introduction to incident

0:00:12.740000 --> 0:00:16.740000
 response. Now, if you've gone through
 the previous course, so the one

0:00:16.740000 --> 0:00:20.860000
 before this course that was titled
 Introduction to Security Operations

0:00:20.860000 --> 0:00:26.920000
 Center, SOC in abbreviated form, then
 you will be familiar with incident

0:00:26.920000 --> 0:00:31.400000
 response. But given that we're getting
 into incident response proper now,

0:00:31.400000 --> 0:00:38.140000
 we need to go through or get a formal
 reintroduction to incident response.

0:00:38.140000 --> 0:00:42.880000
 And there's a lot of important things
 that we didn't address in the SOC

0:00:42.880000 --> 0:00:47.960000
 course that we're going to address not
 only in this video but throughout

0:00:47.960000 --> 0:00:55.480000
 this course. So let's get started by
 understanding exactly what incident

0:00:55.480000 --> 0:01:01.200000
 response is. So incident response, abbreviated
 as IR, is the structured

0:01:01.200000 --> 0:01:07.140000
 process organizations follow to detect,
 investigate, contain, eradicate,

0:01:07.140000 --> 0:01:09.560000
 and recover from cybersecurity incidents.


0:01:09.560000 --> 0:01:16.460000
 Now these incidents can be things like
 data breaches or malware infections,

0:01:16.460000 --> 0:01:21.680000
 etc. And the goal here is to minimize
 damage, reduce recovery time and

0:01:21.680000 --> 0:01:24.440000
 costs as well as prevent
 future incidents.

0:01:24.440000 --> 0:01:27.160000
 The prevention aspect is quite important.


0:01:27.160000 --> 0:01:33.200000
 But we've thrown this word around quite
 a bit in the previous course as

0:01:33.200000 --> 0:01:34.660000
 well as now in this one.

0:01:34.660000 --> 0:01:36.480000
 And that word is incident.

0:01:36.480000 --> 0:01:40.620000
 So that begs the question, we're
 talking about incident response.

0:01:40.620000 --> 0:01:43.480000
 But what exactly is an incident?

0:01:43.480000 --> 0:01:49.660000
 And again, for those of you who are already
 SOC analysts or incident responders,

0:01:49.660000 --> 0:01:55.060000
 then this is not going to be something
 that's going to be new to you.

0:01:55.060000 --> 0:02:00.300000
 But if this is your first time or if you're
 looking to become a SOC analyst

0:02:00.300000 --> 0:02:04.060000
 or incident responder, then you may have
 asked yourself, well, what exactly

0:02:04.060000 --> 0:02:08.780000
 is an incident? And what
 exactly is an event?

0:02:08.780000 --> 0:02:10.560000
 And what's the difference
 between the two?

0:02:10.560000 --> 0:02:12.500000
 And I think that's what
 we should address.

0:02:12.500000 --> 0:02:17.080000
 So that brings us to events and incidents,
 which is, you know, quite important

0:02:17.080000 --> 0:02:22.540000
 to understand. So let's start off with,
 you know, the most basic and that

0:02:22.540000 --> 0:02:29.660000
 is events. So an event is any observable
 occurrence in a system or network.

0:02:29.660000 --> 0:02:31.820000
 Now that's as simply as it can be put.

0:02:31.820000 --> 0:02:38.580000
 So this could be something routine like
 a user logging in, a file being

0:02:38.580000 --> 0:02:40.860000
 accessed or network traffic.

0:02:40.860000 --> 0:02:47.060000
 And that last point, I wouldn't say you
 should take it seriously, because

0:02:47.060000 --> 0:02:51.860000
 again, it states that most events are harmless
 and part of normal operations.

0:02:51.860000 --> 0:02:55.480000
 But really, that is what distinguishes
 an event from an incident.

0:02:55.480000 --> 0:03:00.860000
 So you only know that, you know, an
 event is just a normal event because

0:03:00.860000 --> 0:03:03.860000
 it's not an incident and we'll
 get to what an incident is.

0:03:03.860000 --> 0:03:11.040000
 Now, one quote that I've taken from the
 NIST special publication 800-61 revision

0:03:11.040000 --> 0:03:16.960000
 two is the definition of what
 you would call adverse events.

0:03:16.960000 --> 0:03:19.060000
 Now, what are adverse events?

0:03:19.060000 --> 0:03:23.080000
 Well, adverse events are events with,
 as the name suggests, a negative

0:03:23.080000 --> 0:03:28.060000
 consequence. Examples of these would
 be system crashes, packet floods,

0:03:28.060000 --> 0:03:32.320000
 unauthorized use of system privileges,
 unauthorized access to sensitive

0:03:32.320000 --> 0:03:36.620000
 data and execution of malware
 that destroys data.

0:03:36.620000 --> 0:03:38.220000
 Okay, just wanted to throw that in.

0:03:38.220000 --> 0:03:43.320000
 In the event you hear about or you hear
 the term adverse events, you know,

0:03:43.320000 --> 0:03:46.880000
 based on where it sort of originated,
 which is, you know, in the special

0:03:46.880000 --> 0:03:50.080000
 publication, that's what it means.

0:03:50.080000 --> 0:03:53.880000
 So what are some additional
 examples of events?

0:03:53.880000 --> 0:03:59.480000
 Well, if we go by the definition, one
 example is a user successfully logging

0:03:59.480000 --> 0:04:03.860000
 into their workstation, a file
 being accessed or modified.

0:04:03.860000 --> 0:04:08.760000
 And again, if you're viewing all of
 these logs in a SIEM, you typically

0:04:08.760000 --> 0:04:13.740000
 have these events, you know, you typically
 be analyzing or you'll have

0:04:13.740000 --> 0:04:20.420000
 visibility on these particular events
 and events pretty much to put it

0:04:20.420000 --> 0:04:24.940000
 simply just represent normal behavior,
 normal activity on a system or

0:04:24.940000 --> 0:04:29.580000
 on a network. So you can see another
 example is a firewall logging, you

0:04:29.580000 --> 0:04:34.480000
 know, firewall logging allowed traffic,
 a scheduled system reboot, an

0:04:34.480000 --> 0:04:38.540000
 antivirus scan completing
 successfully, etc, etc.

0:04:38.540000 --> 0:04:46.260000
 So that brings us to the most important
 or the most important term, you

0:04:46.260000 --> 0:04:47.580000
 know, an incident response.

0:04:47.580000 --> 0:04:51.140000
 And that is, you know, the word incident.


0:04:51.140000 --> 0:04:52.860000
 So what is an incident?

0:04:52.860000 --> 0:04:57.340000
 Well, an incident, and this is, you
 know, taken or quoted directly from

0:04:57.340000 --> 0:05:03.000000
 the NIST 800-61 r2 special publication,
 we'll get to that, don't worry,

0:05:03.000000 --> 0:05:07.180000
 we did cover this, this particular
 special publication in the previous

0:05:07.180000 --> 0:05:13.280000
 course, but an incident is a violation
 or imminent threat of violation

0:05:13.280000 --> 0:05:18.720000
 of computer security policies, acceptable
 use policies or standard security

0:05:18.720000 --> 0:05:23.880000
 practices. Now, I've added my definition
 just below that, which is a little

0:05:23.880000 --> 0:05:29.080000
 bit longer, but is very much, is quite
 descriptive to sort of, you know,

0:05:29.080000 --> 0:05:33.780000
 explain exactly what an incident is,
 you know, so that you have a better

0:05:33.780000 --> 0:05:39.880000
 understanding of what, you know, the
 characteristics of an incident.

0:05:39.880000 --> 0:05:45.200000
 So an incident is a security event
 or a series of related events that

0:05:45.200000 --> 0:05:50.280000
 indicates, this is the key, a potential
 security breach, policy violation

0:05:50.280000 --> 0:05:55.860000
 or malicious activity that threatens
 the CIA triad of systems or data.

0:05:55.860000 --> 0:05:59.680000
 When I say the CIA triad, you should already be
 familiar with that, referring

0:05:59.680000 --> 0:06:03.840000
 to confidentiality, integrity
 or availability.

0:06:03.840000 --> 0:06:08.120000
 Now, in short, or to make things even
 simpler, this is very important.

0:06:08.120000 --> 0:06:10.980000
 This really helped me when
 I was getting started.

0:06:10.980000 --> 0:06:14.360000
 And that is that every incident
 is an event, right?

0:06:14.360000 --> 0:06:18.900000
 So events are just normal, you know,
 just represent normal activity on

0:06:18.900000 --> 0:06:20.960000
 a system or on a network.

0:06:20.960000 --> 0:06:25.820000
 And an incident is essentially a type
 of event that indicates a potential

0:06:25.820000 --> 0:06:27.020000
 security breach.

0:06:27.020000 --> 0:06:30.920000
 So it tells you that there's something
 not normal or something out of

0:06:30.920000 --> 0:06:36.400000
 the ordinary. But so just to complete
 this little sentence here, every

0:06:36.400000 --> 0:06:40.220000
 incident is an event, but not
 every event is an incident.

0:06:40.220000 --> 0:06:49.840000
 And that's the way with a SIEM, where you're,
 you know, analyzing logs, etc.

0:06:49.840000 --> 0:06:52.840000
 You're, you know, you're generally speaking,
 going to be seeing just normal

0:06:52.840000 --> 0:06:59.660000
 events that represent, you know, general
 predictable activity on the computers

0:06:59.660000 --> 0:07:01.860000
 or the systems that you're monitoring.

0:07:01.860000 --> 0:07:06.220000
 So, you know, installing software,
 of course, I'm not saying that that

0:07:06.220000 --> 0:07:11.160000
 is not an indication of a breach, but
 you know, the general activity.

0:07:11.160000 --> 0:07:16.540000
 And then an incident sort of is an event
 that tells you, hey, you know,

0:07:16.540000 --> 0:07:20.520000
 there's something fishy going on here,
 or there's something that indicates

0:07:20.520000 --> 0:07:25.060000
 breach, policy violation or malicious
 activity that, again, threatens

0:07:25.060000 --> 0:07:28.860000
 the CIA triad of systems or data.

0:07:28.860000 --> 0:07:32.000000
 So what are some examples of incidents?

0:07:32.000000 --> 0:07:35.720000
 Well, a good example of an incident
 is, you know, when you see multiple

0:07:35.720000 --> 0:07:40.600000
 failed login attempts followed by a successful
 login, that would indicate

0:07:40.600000 --> 0:07:43.220000
 a possible brute force attack, right?

0:07:43.220000 --> 0:07:47.420000
 You then have another example where
 malware is detected and quarantined

0:07:47.420000 --> 0:07:48.940000
 automatically on an endpoint.

0:07:48.940000 --> 0:07:54.760000
 And if you get that event, you know, that
 pretty much makes it an incident,

0:07:54.760000 --> 0:07:58.060000
 which infers that you
 have to respond to it.

0:07:58.060000 --> 0:08:00.860000
 So hopefully you're seeing
 how this all ties in.

0:08:00.860000 --> 0:08:04.960000
 Another example is unusual outbound
 traffic from a server, which could

0:08:04.960000 --> 0:08:07.960000
 potentially indicate possible
 data exfiltration.

0:08:07.960000 --> 0:08:14.760000
 So an attacker, you know, downloading
 or extracting exfiltration is a

0:08:14.760000 --> 0:08:19.500000
 better word, but you know, pretty much
 siphoning data from your organization's

0:08:19.500000 --> 0:08:23.180000
 environment to their C2 server
 or, you know, wherever.

0:08:23.180000 --> 0:08:27.360000
 Another example is unauthorized
 access to sensitive files.

0:08:27.360000 --> 0:08:32.380000
 You know, file integrity monitoring
 typically allows you to set up rules

0:08:32.380000 --> 0:08:37.300000
 for what can be and cannot be accessed,
 depending on a predefined set

0:08:37.300000 --> 0:08:41.780000
 of rules. Don't worry, we'll actually
 touch on that later on in this course.

0:08:41.780000 --> 0:08:45.340000
 And then another example, or the final
 example here is a user account

0:08:45.340000 --> 0:08:48.300000
 performing privilege escalation
 without justification.

0:08:48.300000 --> 0:08:53.620000
 So, you know, elevating their privileges,
 you know, especially in the

0:08:53.620000 --> 0:08:57.860000
 context where they shouldn't be able
 to do that, or they really have no

0:08:57.860000 --> 0:09:01.020000
 reason to be elevating their
 privileges, right?

0:09:01.020000 --> 0:09:04.720000
 So that brings us to the next point.

0:09:04.720000 --> 0:09:06.820000
 And that is incident response.

0:09:06.820000 --> 0:09:07.960000
 What is it good for?

0:09:07.960000 --> 0:09:11.920000
 What is the purpose of incident response?


0:09:11.920000 --> 0:09:15.720000
 Well, the purpose of incident response
 is to help organizations quickly

0:09:15.720000 --> 0:09:19.620000
 detect, contain, and recover from security
 incidents in order to minimize

0:09:19.620000 --> 0:09:24.340000
 damage, reduce downtime, and of course,
 prevent further compromise.

0:09:24.340000 --> 0:09:28.220000
 So the key thing is that it's all about
 responding, but responding in

0:09:28.220000 --> 0:09:30.040000
 a structured and efficient way.

0:09:30.040000 --> 0:09:33.360000
 A lot of people miss that,
 that bit of it, right?

0:09:33.360000 --> 0:09:36.920000
 And what that means is that you respond
 in a structured and efficient

0:09:36.920000 --> 0:09:41.580000
 way so that when something goes wrong,
 and it will go wrong, trust me,

0:09:41.580000 --> 0:09:46.260000
 you know exactly what steps to take
 to protect critical systems, limit

0:09:46.260000 --> 0:09:50.700000
 the impact of the breach or the incident,
 and of course, get operations

0:09:50.700000 --> 0:09:53.600000
 back to normal as fast as possible.

0:09:53.600000 --> 0:09:58.680000
 Building on top of this, additionally,
 incident response helps organizations

0:09:58.680000 --> 0:10:04.160000
 learn from incidents by identifying root
 causes, as well as security gaps,

0:10:04.160000 --> 0:10:08.420000
 ultimately improving defenses and reducing
 the risk or likelihoods of

0:10:08.420000 --> 0:10:11.980000
 similar attacks or incidents
 from happening again.

0:10:11.980000 --> 0:10:16.060000
 And it ensures a structured and efficient
 approach to managing incidents,

0:10:16.060000 --> 0:10:20.060000
 allowing teams to protect critical systems,
 limit the impact and restore

0:10:20.060000 --> 0:10:23.360000
 normal operations as swiftly as possible.


0:10:23.360000 --> 0:10:29.920000
 So I've sort of summarized or condensed
 the key objectives of incident

0:10:29.920000 --> 0:10:34.340000
 response. And again, these
 objectives, you should be

0:10:34.340000 --> 0:10:38.580000
 familiar with them because they sort
 of mirror the incident response life

0:10:38.580000 --> 0:10:41.760000
 cycle or the process as it were.

0:10:41.760000 --> 0:10:45.400000
 And you know, you start off with number
 one, detect the incident as early

0:10:45.400000 --> 0:10:49.580000
 as possible, number two, contain the
 threat to prevent it from spreading,

0:10:49.580000 --> 0:10:53.040000
 number three, eradicate, you know,
 the root cause of the incident.

0:10:53.040000 --> 0:10:57.500000
 So if it's malware, you ensure that,
 you know, you get rid of the malware,

0:10:57.500000 --> 0:10:59.680000
 re-image the system, etc.

0:10:59.680000 --> 0:11:04.200000
 Four, recover the affected systems
 and restore normal operations, and

0:11:04.200000 --> 0:11:07.140000
 five, very important people forget this.

0:11:07.140000 --> 0:11:10.920000
 A lot of organizations don't really feed
 the lessons that they have learned

0:11:10.920000 --> 0:11:13.040000
 back into the process again.

0:11:13.040000 --> 0:11:16.540000
 So it's very important that you learn
 from the incident in order to improve

0:11:16.540000 --> 0:11:21.140000
 your security. So you know, you form
 a it essentially becomes a cyclic

0:11:21.140000 --> 0:11:25.440000
 process where, you know, from every
 incident, you're essentially feeding

0:11:25.440000 --> 0:11:30.900000
 whatever lessons have been learned
 back into the process or, you know,

0:11:30.900000 --> 0:11:35.520000
 the organization's security
 becomes better that way.

0:11:35.520000 --> 0:11:40.260000
 And finally, you know, we've talked
 about what incident response

0:11:40.260000 --> 0:11:46.360000
 is, what it is good for, what an incident
 and an event is and how to distinguish

0:11:46.360000 --> 0:11:47.360000
 between the two.

0:11:47.360000 --> 0:11:51.520000
 But, you know, who are the individuals
 that actually perform incident

0:11:51.520000 --> 0:11:56.100000
 response? And, you know, of course,
 I'm generalizing here, but what is

0:11:56.100000 --> 0:11:57.420000
 an incident responder?

0:11:57.420000 --> 0:12:01.380000
 Well, an incident responder is a cybersecurity
 professional that's, you

0:12:01.380000 --> 0:12:05.580000
 know, who's responsible for managing and
 handling security incidents within

0:12:05.580000 --> 0:12:06.800000
 an organization.

0:12:06.800000 --> 0:12:12.460000
 Now again, I know that you can be,
 you know, you could be an incident

0:12:12.460000 --> 0:12:17.320000
 responder working for an MSSP and you're
 giving, you're essentially rendering

0:12:17.320000 --> 0:12:19.300000
 these services to organizations.

0:12:19.300000 --> 0:12:31.100000
 So it need not to be a necessary
 way to make that clear.

0:12:31.100000 --> 0:12:36.260000
 So the primary role, you know, based on
 what I described as the key objectives

0:12:36.260000 --> 0:12:40.660000
 of incident response are obviously
 going to be to detect, analyze,

0:12:40.660000 --> 0:12:44.580000
 contain, and recover from security
 incidents in order to minimize the

0:12:44.580000 --> 0:12:47.460000
 damage and restore normal operations.

0:12:47.460000 --> 0:12:50.820000
 And the best way to think about it
 is, you know, an incident responder

0:12:50.820000 --> 0:12:53.640000
 is the frontline defender during
 a security incident.

0:12:53.640000 --> 0:12:58.540000
 So whenever there's an incident or,
 you know, whenever there appears to

0:12:58.540000 --> 0:13:02.260000
 be an incident, it's the incident responder,
 you know, who is the first

0:13:02.260000 --> 0:13:05.420000
 line or the frontline
 defender as it were.

0:13:05.420000 --> 0:13:08.340000
 And, you know, they're responsible
 for identifying threats, containing

0:13:08.340000 --> 0:13:13.060000
 the attack, restoring operations, not
 always restoring, but, you know,

0:13:13.060000 --> 0:13:14.500000
 give me some rope here.

0:13:14.500000 --> 0:13:19.040000
 And ensuring the organization learns
 from the incident to prevent future

0:13:19.040000 --> 0:13:23.320000
 occurrences. With that being said, there's
 nothing much to add and I'll

0:13:23.320000 --> 0:13:25.040000
 be seeing you in the next video.

