WEBVTT

0:00:03.660000 --> 0:00:07.900000
 incident response roles
 and responsibilities.

0:00:07.900000 --> 0:00:12.300000
 So, the previous two videos we have gotten
 an understanding of the various

0:00:12.300000 --> 0:00:18.180000
 types of IR teams and then in the most
 recent video, the one before this,

0:00:18.180000 --> 0:00:24.700000
 we took a look at the various names
 used to describe different types of

0:00:24.700000 --> 0:00:31.100000
 IR teams and that sort of gave us an
 understanding of what IR teams are

0:00:31.100000 --> 0:00:37.360000
 generally speaking called as well as some
 more specialized or more specific

0:00:37.360000 --> 0:00:41.720000
 IR teams and what their
 responsibilities are.

0:00:41.720000 --> 0:00:48.100000
 In this video, we're going to now turn
 our attention to an IR team in

0:00:48.100000 --> 0:00:57.960000
 and of itself and importantly the responsibilities
 of these individuals

0:00:57.960000 --> 0:01:02.280000
 or these roles within the IR team.

0:01:02.280000 --> 0:01:07.240000
 Later on in this section, we will be
 taking a look at the responsibility

0:01:07.240000 --> 0:01:13.100000
 matrix for these roles and responsibilities
 but let's not dive into that

0:01:13.100000 --> 0:01:14.560000
 at this point in time.

0:01:14.560000 --> 0:01:19.740000
 So, to kick things off, it's very important
 to know, you know, it's fairly

0:01:19.740000 --> 0:01:25.200000
 obvious that a successful incident response
 effort relies on the coordination

0:01:25.200000 --> 0:01:31.220000
 and collaboration of multiple individuals
 and departments, each fulfilling

0:01:31.220000 --> 0:01:36.360000
 specific roles that contribute
 to the overall response effort.

0:01:36.360000 --> 0:01:41.380000
 From detection to triage and containment,
 legal compliance and public

0:01:41.380000 --> 0:01:46.720000
 communication, every function within
 the IR team plays a vital role in

0:01:46.720000 --> 0:01:50.340000
 managing and resolving security
 incidents effectively.

0:01:50.340000 --> 0:01:53.860000
 In the next set of slides, we're going
 to break down the common roles

0:01:53.860000 --> 0:01:58.120000
 within an IR team and of course, I'm
 referring to it here as an IR team

0:01:58.120000 --> 0:02:02.660000
 but it could be a CSIRT or a CIRT.

0:02:02.660000 --> 0:02:06.700000
 So, just an incident response team and,
 you know, we'll be taking a look

0:02:06.700000 --> 0:02:11.540000
 at roles including technical responders
 like the SOC analysts, forensic

0:02:11.540000 --> 0:02:17.100000
 specialists which are more specialized
 roles as well as other supporting

0:02:17.100000 --> 0:02:22.420000
 roles or departments like legal, PR
 and HR which are, you know, actually

0:02:22.420000 --> 0:02:27.320000
 quite important in the overall response
 process, not of course technically

0:02:27.320000 --> 0:02:30.380000
 but part of the wider process.

0:02:30.380000 --> 0:02:34.980000
 So, the bottom line is that each role
 carries unique responsibilities

0:02:34.980000 --> 0:02:41.060000
 and together they form a cohesive response
 unit capable of handling complex

0:02:41.060000 --> 0:02:43.960000
 and high-pressure security events.

0:02:43.960000 --> 0:02:47.080000
 Understanding, so you may be asking
 yourself why is this important to

0:02:47.080000 --> 0:02:51.140000
 me? Well, understanding these roles
 and, you know, how they're sort of

0:02:51.140000 --> 0:02:54.800000
 organized and how they collaborate with
 each other is essential for any

0:02:54.800000 --> 0:02:59.080000
 incident responder, not only because you're
 going to work within an incident

0:02:59.080000 --> 0:03:04.460000
 response team but it also helps you
 or helps you understand or clarifies

0:03:04.460000 --> 0:03:09.640000
 the scope of one's own responsibilities
 but also enhances, as I mentioned,

0:03:09.640000 --> 0:03:13.400000
 coordination improves communication
 during incidents and ensures that

0:03:13.400000 --> 0:03:17.540000
 all aspects of the response that being,
 you know, technical, legal and

0:03:17.540000 --> 0:03:21.760000
 operational are addressed in a
 timely and effective manner.

0:03:21.760000 --> 0:03:30.420000
 So, I've sort of, you know, come up
 with a hierarchy tree or org chart,

0:03:30.420000 --> 0:03:37.700000
 if you will, of what these roles are
 and, you know, what's listed here

0:03:37.700000 --> 0:03:43.060000
 or what this diagram illustrates is
 not representative of every incident

0:03:43.060000 --> 0:03:45.060000
 response team, right?

0:03:45.060000 --> 0:03:49.880000
 As I mentioned in the previous course
 and in a previous video within this

0:03:49.880000 --> 0:03:56.080000
 course, the, you know, the type of incident
 response team that you work

0:03:56.080000 --> 0:04:01.360000
 in or that you have out there, you know,
 could either be a hybrid embedded,

0:04:01.360000 --> 0:04:05.720000
 you know, it could also be outsourced
 but regardless of that, this is

0:04:05.720000 --> 0:04:12.060000
 sort of referring to a CSIRT, if you
 will, and what you typically have,

0:04:12.060000 --> 0:04:19.580000
 you know, in terms of roles and sort
 of where they sort of fall in terms

0:04:19.580000 --> 0:04:23.700000
 of hierarchy. So, obviously, you're going
 to have the CISO, Chief Information

0:04:23.700000 --> 0:04:29.340000
 Security Officer and in the case of a,
 you know, properly defined or mature

0:04:29.340000 --> 0:04:34.660000
 incident response team or CSIRT, you know,
 you just know that I'm referring

0:04:34.660000 --> 0:04:38.780000
 to the same thing, you're most likely
 going to have an incident response

0:04:38.780000 --> 0:04:42.680000
 manager or a team lead that's sort of
 coordinating all of these different

0:04:42.680000 --> 0:04:45.380000
 individuals or, you know, these roles.

0:04:45.380000 --> 0:04:49.060000
 And then, of course, you have some of
 the other departments or roles that

0:04:49.060000 --> 0:04:52.660000
 are not really related to incident response
 per se at a technical level

0:04:52.660000 --> 0:04:57.120000
 like human resources, public relations
 and communications and then legal

0:04:57.120000 --> 0:05:02.240000
 and compliance. But to focus or to drill
 down specific, you know, to the

0:05:02.240000 --> 0:05:08.160000
 specific roles that are, other roles that
 are specific to incident response,

0:05:08.160000 --> 0:05:12.580000
 depending on, you know, whether this,
 this capability is embedded in a

0:05:12.580000 --> 0:05:16.680000
 SOC or, you know, whether it is a dedicated
 team, you're going to have

0:05:16.680000 --> 0:05:21.080000
 your SOC analysts, more specifically,
 your tier two analysts who are what

0:05:21.080000 --> 0:05:24.060000
 you would traditionally call
 the incident responders.

0:05:24.060000 --> 0:05:28.140000
 However, if this is a siloed team and
 is separate from the SOC, which

0:05:28.140000 --> 0:05:32.620000
 is, you know, can also be the case,
 you'll typically have an incident

0:05:32.620000 --> 0:05:33.980000
 response analyst.

0:05:33.980000 --> 0:05:39.700000
 So someone dedicated to incident response,
 you then have the roles highlighted

0:05:39.700000 --> 0:05:44.260000
 in purple are what you would call barring
 or with the exception of incident

0:05:44.260000 --> 0:05:47.820000
 response analyst are more
 specialized roles.

0:05:47.820000 --> 0:05:52.660000
 That may not always be there or may
 not always be present within an IR

0:05:52.660000 --> 0:06:01.160000
 team. But, you know, this is not just
 referring to individuals, it's also

0:06:01.160000 --> 0:06:05.580000
 referring to skill sets, which is why
 within this learning path, we also

0:06:05.580000 --> 0:06:09.760000
 touch on, you know, digital forensics,
 threat intelligence and threat

0:06:09.760000 --> 0:06:15.480000
 hunting. But we have the forensic analysts,
 the threat intelligence analysts,

0:06:15.480000 --> 0:06:21.520000
 the threat hunters, and of course, we have
 the IT operations or infrastructure.

0:06:21.520000 --> 0:06:25.720000
 And you'll sort of understand why they're
 important or why they play a

0:06:25.720000 --> 0:06:31.640000
 role within the incident response
 team or the process as a whole.

0:06:31.640000 --> 0:06:36.640000
 And you'll actually understand what
 they do or how they contribute to

0:06:36.640000 --> 0:06:40.540000
 this. So hopefully that gives you an
 idea, you know, what you're likely

0:06:40.540000 --> 0:06:45.740000
 to expect. Of course, this sort of
 accounts for instances where the IR

0:06:45.740000 --> 0:06:50.340000
 team is largely part of the SOC, that's
 why you have the SOC analysts.

0:06:50.340000 --> 0:06:54.600000
 And it also caters for the other model
 where, you know, this is sort of

0:06:54.600000 --> 0:06:58.840000
 a dedicated CSIRT as it were where you
 have dedicated incident response

0:06:58.840000 --> 0:07:03.540000
 analysts. So let's get started by, you
 know, understanding the incident

0:07:03.540000 --> 0:07:06.520000
 response manager or the IR team lead.

0:07:06.520000 --> 0:07:08.120000
 So what is their role?

0:07:08.120000 --> 0:07:11.680000
 Their role is to lead and coordinate
 all phases of the incident response

0:07:11.680000 --> 0:07:14.380000
 process or life cycle as it were.

0:07:14.380000 --> 0:07:18.940000
 And their key responsibilities are
 A, oversee incident response planning

0:07:18.940000 --> 0:07:24.860000
 and execution, assign roles and
 responsibilities during an incident,

0:07:24.860000 --> 0:07:28.480000
 ensure response procedures are followed.

0:07:28.480000 --> 0:07:31.600000
 And of course, act as the main point
 of contact during major incidents

0:07:31.600000 --> 0:07:36.040000
 and then coordinate post incident reviews
 and continuous improvement.

0:07:36.040000 --> 0:07:44.040000
 So fairly simple to understand what,
 you know, is responsible for, you

0:07:44.040000 --> 0:07:46.940000
 know, in terms of the
 key responsibilities.

0:07:46.940000 --> 0:07:48.640000
 We then have the SOC analysts.

0:07:48.640000 --> 0:07:52.700000
 Now this is in the event that the CSIRT
 or the incident response team is,

0:07:52.700000 --> 0:07:56.840000
 you know, part of the SOC largely.

0:07:56.840000 --> 0:08:01.540000
 So, you know, SOC analysts, what's their
 primary role to, as we've, you

0:08:01.540000 --> 0:08:04.920000
 know, explored in the previous course
 to monitor, detect, escalate and

0:08:04.920000 --> 0:08:08.340000
 help investigate potential
 security incidents.

0:08:08.340000 --> 0:08:10.340000
 What are their key responsibilities?

0:08:10.340000 --> 0:08:15.180000
 Obviously monitor logs, SIEM alerts
 and threat intel feeds, triage and

0:08:15.180000 --> 0:08:19.760000
 validate security events, escalate confirmed
 incidents to the IR manager.

0:08:19.760000 --> 0:08:24.280000
 Generally speaking, there could be
 different escalation protocols, but

0:08:24.280000 --> 0:08:31.020000
 generally to the IR manager, if that
 role is indeed occupied, defined

0:08:31.020000 --> 0:08:36.080000
 and occupied, collect initial evidence
 and context, and of course, recommend

0:08:36.080000 --> 0:08:37.380000
 containment steps.

0:08:37.380000 --> 0:08:42.960000
 So, within the SOC, you typically have
 level one or tier, you know, you'll

0:08:42.960000 --> 0:08:45.840000
 typically see it referred
 to as level or tier.

0:08:45.840000 --> 0:08:49.040000
 So level one, two, three, tier one,
 two, three, pretty much referring

0:08:49.040000 --> 0:08:50.800000
 to the same thing.

0:08:50.800000 --> 0:08:54.580000
 But you know, level one or tier one
 analysts perform basic triage and

0:08:54.580000 --> 0:09:00.420000
 alert validation, level two or tier two
 SOC analysts who are the incident

0:09:00.420000 --> 0:09:03.280000
 responders within a SOC.

0:09:03.280000 --> 0:09:08.720000
 You know, they perform deeper investigation
 and analysis and correlation.

0:09:08.720000 --> 0:09:12.460000
 And then you have your L3 or tier three
 analysts who perform, you know,

0:09:12.460000 --> 0:09:18.020000
 more specialized tasks like advanced forensics,
 threat hunting and containment,

0:09:18.020000 --> 0:09:20.500000
 you know, they provide
 containment guidance.

0:09:20.500000 --> 0:09:25.760000
 So, I think we sort of need to drill
 deeper into this, even though we

0:09:25.760000 --> 0:09:30.900000
 covered it in the previous course, we
 need to understand what, you know,

0:09:30.900000 --> 0:09:36.980000
 what the role of SOC analysts is
 or are within incident response.

0:09:36.980000 --> 0:09:40.900000
 Now, this is assuming that they are
 part of the incident response team,

0:09:40.900000 --> 0:09:48.100000
 right? As I said, you know, in the previous
 slides where we had the diagram,

0:09:48.100000 --> 0:09:52.360000
 in the event that the CSIRT or the incident
 response team is sort of dedicated

0:09:52.360000 --> 0:09:55.200000
 and separate from the SOC, you know,
 you're going to have a dedicated

0:09:55.200000 --> 0:09:57.000000
 incident response analyst.

0:09:57.000000 --> 0:10:02.260000
 But in most cases, the SOC analysts
 are usually responsible or play a

0:10:02.260000 --> 0:10:07.080000
 huge part in incident response or the
 incident response process, right?

0:10:07.080000 --> 0:10:09.060000
 And they're part of the
 incident response team.

0:10:09.060000 --> 0:10:18.720000
 So you have the tier one initial triage
 and escalate potential incidents.

0:10:18.720000 --> 0:10:20.020000
 This is very important.

0:10:20.020000 --> 0:10:23.620000
 They do not typically lead the response
 for obvious reasons, which we

0:10:23.620000 --> 0:10:25.660000
 explored in the previous course.

0:10:25.660000 --> 0:10:30.160000
 Tier two or level two SOC analysts
 act as the incident responder.

0:10:30.160000 --> 0:10:33.460000
 As I said, this is typically, you know,
 if you're going to be an incident

0:10:33.460000 --> 0:10:37.040000
 responder within a SOC, you're going
 to be a tier two analyst, right?

0:10:37.040000 --> 0:10:42.940000
 So the tier two analyst investigates
 escalated alerts, confirms incidents,

0:10:42.940000 --> 0:10:48.040000
 performs deeper analysis, and begins
 response actions or activities like

0:10:48.040000 --> 0:10:49.800000
 containment, for example.

0:10:49.800000 --> 0:10:53.320000
 You then have your tier three or level
 three SOC analysts who provide

0:10:53.320000 --> 0:10:55.020000
 expert level support.

0:10:55.020000 --> 0:10:59.800000
 They perform advanced forensics, threat
 hunting, and they help guide complex

0:10:59.800000 --> 0:11:01.780000
 response efforts.

0:11:01.780000 --> 0:11:06.100000
 And they may lead the incident response
 process for high severity cases.

0:11:06.100000 --> 0:11:10.680000
 So, you know, just wanted to go through
 that so that, again, we have it

0:11:10.680000 --> 0:11:13.660000
 in mind and, you know, it's sort
 of clarified in your head.

0:11:13.660000 --> 0:11:17.180000
 We then have some of the other specialist
 roles or individuals, as it

0:11:17.180000 --> 0:11:19.180000
 were, like the forensic analyst.

0:11:19.180000 --> 0:11:20.900000
 What is their primary role?

0:11:20.900000 --> 0:11:25.720000
 Well, they perform in-depth analysis
 of compromised systems and, you know,

0:11:25.720000 --> 0:11:29.160000
 digital artifacts, that, you
 know, part of the incident.

0:11:29.160000 --> 0:11:31.080000
 What are their key responsibilities?

0:11:31.080000 --> 0:11:35.660000
 Fairly obvious. They need to acquire
 and preserve digital evidence.

0:11:35.660000 --> 0:11:38.860000
 They conduct disk memory and
 file system forensics.

0:11:38.860000 --> 0:11:41.600000
 They analyze malware and attack patterns.


0:11:41.600000 --> 0:11:44.680000
 They reconstruct attacker
 actions and timelines.

0:11:44.680000 --> 0:11:49.020000
 And they also support legal/regulatory
 requirements with, you know,

0:11:49.020000 --> 0:11:50.580000
 proper chain of custody.

0:11:50.580000 --> 0:11:54.300000
 Very important. You then have
 another specialist role.

0:11:54.300000 --> 0:11:56.440000
 That's the threat intelligence analyst.

0:11:56.440000 --> 0:12:00.040000
 What's their primary role, as it were?

0:12:00.040000 --> 0:12:04.540000
 Well, they provide context and threat
 data or threat intelligence to inform

0:12:04.540000 --> 0:12:07.540000
 detection response and, of
 course, decision making.

0:12:07.540000 --> 0:12:09.520000
 What are their key responsibilities?

0:12:09.520000 --> 0:12:12.440000
 A, collect and analyze
 threat intelligence.

0:12:12.440000 --> 0:12:18.520000
 Examples of that is, you know, examples
 of that is IOCs, TTPs, threat

0:12:18.520000 --> 0:12:23.820000
 actors, etc. They also correlate threat
 intelligence with current incidents.

0:12:23.820000 --> 0:12:27.740000
 Very important. They identify related
 campaigns or threat actors.

0:12:27.740000 --> 0:12:31.460000
 You know, they essentially perform
 threat profiling and they recommend

0:12:31.460000 --> 0:12:35.100000
 defensive actions based on emerging
 threats, which is pretty much, you

0:12:35.100000 --> 0:12:37.980000
 know, their primary responsibility
 as it were.

0:12:37.980000 --> 0:12:41.740000
 You then have IT operations
 and the infrastructure team.

0:12:41.740000 --> 0:12:44.880000
 So, this one may be a little bit confusing
 to you, but they actually play

0:12:44.880000 --> 0:12:46.440000
 a very important role.

0:12:46.440000 --> 0:12:49.140000
 So, what's their primary role?

0:12:49.140000 --> 0:12:54.040000
 Well, it's to support containment, eradication
 and recovery efforts from

0:12:54.040000 --> 0:12:58.180000
 a system, you know, from systems, from
 a systems and network perspective.

0:12:58.180000 --> 0:12:59.180000
 So, what does that mean?

0:12:59.180000 --> 0:13:01.860000
 Well, let's take a look at
 the key responsibilities.

0:13:01.860000 --> 0:13:05.920000
 They help in isolating affected systems
 or networks because they are the

0:13:05.920000 --> 0:13:08.240000
 IT operations or infrastructure team.

0:13:08.240000 --> 0:13:12.040000
 They have arguably the most consistent
 level of access to these systems

0:13:12.040000 --> 0:13:15.180000
 and they, you know, probably played
 a part in configuring them.

0:13:15.180000 --> 0:13:17.440000
 So, they handle that part.

0:13:17.440000 --> 0:13:24.600000
 So, isolate affected systems or networks.


0:13:24.600000 --> 0:13:28.860000
 They security engineer, but generally
 it's, you know, going to be the

0:13:28.860000 --> 0:13:31.860000
 IT ops or the infrastructure team.

0:13:31.860000 --> 0:13:34.780000
 And this, the third responsibility
 here is very important.

0:13:34.780000 --> 0:13:37.680000
 They help restore systems from backups.

0:13:37.680000 --> 0:13:40.800000
 Now, as I said, this is not always going
 to be the case because in certain

0:13:40.800000 --> 0:13:45.780000
 cases, the incident response analyst
 or the tier two, SOC tier two analyst

0:13:45.780000 --> 0:13:50.840000
 may be responsible for performing the
 restoration, in which case they

0:13:50.840000 --> 0:13:52.160000
 need to be provided.

0:13:52.160000 --> 0:13:56.400000
 And we'll talk about this one in the
 preparation section of this course.

0:13:56.400000 --> 0:14:03.100000
 There needs to be procedures that sort
 of outline how access will be provided

0:14:03.100000 --> 0:14:08.300000
 to the SOC tier two analyst or the
 incident responders as it were.

0:14:08.300000 --> 0:14:13.740000
 And, you know, how to, you know, ensure
 or how to oversee the incident

0:14:13.740000 --> 0:14:17.300000
 responders so that they don't do
 anything dangerous or stupid.

0:14:17.300000 --> 0:14:19.600000
 But we're sort of going on a tangent.

0:14:19.600000 --> 0:14:23.900000
 They also help rebuild compromised
 servers or endpoints and, you know,

0:14:23.900000 --> 0:14:26.920000
 implement firewall and
 network segmentation.

0:14:26.920000 --> 0:14:31.140000
 You then have legal and compliance is
 usually overlooked, but they provide

0:14:31.140000 --> 0:14:35.940000
 advice on legal obligations and very
 important regulatory implications

0:14:35.940000 --> 0:14:40.480000
 of incidents. So, their key responsibilities
 are A, determine, you know,

0:14:40.480000 --> 0:14:42.440000
 breach notification requirements.

0:14:42.440000 --> 0:14:46.640000
 So, you know, when there's a breach, they
 determine the notification requirements

0:14:46.640000 --> 0:14:49.080000
 who to report to so on and so forth.

0:14:49.080000 --> 0:14:52.620000
 They support evidence handling
 and incident documentation.

0:14:52.620000 --> 0:14:56.420000
 They if required coordinate with law
 enforcement and then show regulatory

0:14:56.420000 --> 0:15:00.920000
 compliance. So, you know, compliance
 standards or frameworks like GDPR,

0:15:00.920000 --> 0:15:04.160000
 hyper, PCI, DSS, etc.

0:15:04.160000 --> 0:15:07.840000
 You then have communications or public
 relations, also very important

0:15:07.840000 --> 0:15:09.620000
 for large organizations.

0:15:09.620000 --> 0:15:14.460000
 So, their role is to manage internal
 and external, external is sort of

0:15:14.460000 --> 0:15:16.200000
 the most important bit here.

0:15:16.200000 --> 0:15:20.040000
 They manage internal and external communications
 during very important

0:15:20.040000 --> 0:15:24.360000
 and, of course, after an incident and
 their key responsibilities revolve

0:15:24.360000 --> 0:15:29.320000
 around a developing communication plans
 and press releases, you know,

0:15:29.320000 --> 0:15:32.000000
 there's a breach, you need
 to make it public.

0:15:32.000000 --> 0:15:36.060000
 Obviously, you should make it public,
 but moving on, B, inform internal

0:15:36.060000 --> 0:15:39.760000
 stakeholders, customers and partners,
 because they need to know if they

0:15:39.760000 --> 0:15:41.060000
 have been affected.

0:15:41.060000 --> 0:15:45.460000
 C, they coordinate messaging with
 legal and executive leadership and

0:15:45.460000 --> 0:15:50.140000
 finally help protect the brand and
 public trust during a crisis or an

0:15:50.140000 --> 0:15:53.840000
 incident. And then we have
 human resources, right?

0:15:53.840000 --> 0:15:55.960000
 So, what's their primary role?

0:15:55.960000 --> 0:16:01.960000
 Well, they engaged, they usually come
 in or get engaged, where there are

0:16:01.960000 --> 0:16:04.980000
 incidents that involve employees.

0:16:04.980000 --> 0:16:06.820000
 Very, very simple to understand.

0:16:06.820000 --> 0:16:09.820000
 You're typically, they typically come
 in when there's an insider threat

0:16:09.820000 --> 0:16:11.660000
 or a policy violation.

0:16:11.660000 --> 0:16:14.640000
 So, key responsibilities
 are fairly simple.

0:16:14.640000 --> 0:16:19.260000
 You know, investigate the involvement
 of the employee in relation to the

0:16:19.260000 --> 0:16:25.260000
 incident. They support disciplinary
 actions or internal investigations,

0:16:25.260000 --> 0:16:29.500000
 and they communicate outcomes
 to staff if appropriate.

0:16:29.500000 --> 0:16:32.560000
 So, also very important to understand.

0:16:32.560000 --> 0:16:35.980000
 You then have the executive
 leadership or CISO, right?

0:16:35.980000 --> 0:16:40.000000
 So, you know, you should be familiar
 with this, but they, what's their

0:16:40.000000 --> 0:16:44.100000
 primary role? Well, they provide high
 level oversight and strategic decision

0:16:44.100000 --> 0:16:46.280000
 making. What does that mean?

0:16:46.280000 --> 0:16:48.040000
 Well, let's take a look
 at the responsibility.

0:16:48.040000 --> 0:16:51.660000
 So, A, they approve major containment
 or shutdown actions.

0:16:51.660000 --> 0:16:54.200000
 Major is the sort of the key word here.

0:16:54.200000 --> 0:16:58.380000
 If you're talking about, you know, shutdowns
 affecting business, it needs

0:16:58.380000 --> 0:16:59.980000
 to go through the CISO.

0:16:59.980000 --> 0:17:03.400000
 B, they ensure business alignment
 and continuity.

0:17:03.400000 --> 0:17:04.960000
 Very, very important.

0:17:04.960000 --> 0:17:08.200000
 And they communicate with board
 members or investors.

0:17:08.200000 --> 0:17:09.820000
 Again, extremely important.

0:17:09.820000 --> 0:17:14.880000
 And they support long-term improvements
 and resource allocation.

0:17:14.880000 --> 0:17:18.920000
 So, I've sort of summarized these roles
 and key responsibilities, but

0:17:18.920000 --> 0:17:21.820000
 also the focus area in this table.

0:17:21.820000 --> 0:17:25.160000
 So, you know, you have the IR manager,
 SOC analyst, forensic analyst,

0:17:25.160000 --> 0:17:31.200000
 threat intel, IT operations, legal,
 PR comms, HR, CISO, or exec.

0:17:31.200000 --> 0:17:34.540000
 So, IR manager, focus
 area, is coordination.

0:17:34.540000 --> 0:17:37.560000
 So, that's their primary
 thing, is coordination.

0:17:37.560000 --> 0:17:40.860000
 What's the key responsibility, lead
 the incident response process and

0:17:40.860000 --> 0:17:42.400000
 manage the team.

0:17:42.400000 --> 0:17:44.900000
 SOC analysts, monitoring and triage.

0:17:44.900000 --> 0:17:46.900000
 So, detect and escalate threats.

0:17:46.900000 --> 0:17:50.480000
 They obviously also perform
 investigation.

0:17:50.480000 --> 0:17:55.320000
 And then you have forensic analysts who,
 the focus area is obviously investigation

0:17:55.320000 --> 0:17:58.600000
 and analysis. So, they analyze
 systems and evidence.

0:17:58.600000 --> 0:18:02.540000
 Threat intel analyst, there's
 this context and attribution.

0:18:02.540000 --> 0:18:03.980000
 That's their focus area.

0:18:03.980000 --> 0:18:07.860000
 So, they enrich investigations
 with intelligence.

0:18:07.860000 --> 0:18:09.640000
 You then have IT operations.

0:18:09.640000 --> 0:18:11.220000
 So, what's their focus area?

0:18:11.220000 --> 0:18:13.300000
 Primarily containment and recovery.

0:18:13.300000 --> 0:18:16.700000
 So, you know, if we boil it down to
 one key responsibility, it's going

0:18:16.700000 --> 0:18:19.520000
 to be isolate and restore systems.

0:18:19.520000 --> 0:18:20.820000
 You then have legal.

0:18:20.820000 --> 0:18:24.360000
 Their focus area is compliance, which
 I've already just gone through.

0:18:24.360000 --> 0:18:27.540000
 So, they advise on legal requirements
 and compliance and all that good

0:18:27.540000 --> 0:18:30.920000
 stuff. You then have
 PR or communications.

0:18:30.920000 --> 0:18:35.320000
 Their focus area is messaging and their
 key responsibilities to manage

0:18:35.320000 --> 0:18:40.240000
 internal or external, I should say,
 and or external communication.

0:18:40.240000 --> 0:18:41.760000
 You then have HR.

0:18:41.760000 --> 0:18:43.780000
 Their focus area really
 is insider threats.

0:18:43.780000 --> 0:18:47.940000
 And again, this is in relation to the
 incident response process or the

0:18:47.940000 --> 0:18:49.520000
 incident response team.

0:18:49.520000 --> 0:18:54.380000
 The key responsibility here is to address
 employee related incidents.

0:18:54.380000 --> 0:18:57.080000
 And then you have the CISO
 or the executives, right?

0:18:57.080000 --> 0:18:59.780000
 And their focus area obviously
 is oversight.

0:18:59.780000 --> 0:19:02.720000
 So, they approve actions
 and allocate resources.

0:19:02.720000 --> 0:19:03.840000
 Very, very simple.

0:19:03.840000 --> 0:19:07.120000
 Hopefully, this table gives you an
 idea of who does what with regards

0:19:07.120000 --> 0:19:11.020000
 to roles and what the focus area is.

0:19:11.020000 --> 0:19:17.340000
 Now, as I said, we will contextualize
 this using the RACI, using a RACI

0:19:17.340000 --> 0:19:26.480000
 table. And that'll give you a better
 idea of the level or the degree of

0:19:26.480000 --> 0:19:31.880000
 responsibility, you know, of each of these
 roles with regards to the incident

0:19:31.880000 --> 0:19:33.120000
 response process.

0:19:33.120000 --> 0:19:35.480000
 But we'll not cover that
 in this video.

0:19:35.480000 --> 0:19:37.800000
 We'll cover it in another video.

0:19:37.800000 --> 0:19:41.760000
 And finally, I'm just going to revisit
 this diagram that I used in the

0:19:41.760000 --> 0:19:46.220000
 previous course, which was Introduction
 to Security Operations Center,

0:19:46.220000 --> 0:19:50.380000
 that sort of outlines what
 an IR team would look like.

0:19:50.380000 --> 0:19:55.920000
 I should say an IR team that's not been
 defined, essentially an embedded

0:19:55.920000 --> 0:19:58.400000
 IR team within the SOC, right?

0:19:58.400000 --> 0:19:59.700000
 So this is what it would look like.

0:19:59.700000 --> 0:20:03.460000
 You can see that we still have the
 specialist roles like Threat Intel

0:20:03.460000 --> 0:20:07.940000
 analyst, a forensic analyst or specialist
 threat hunters, as well as,

0:20:07.940000 --> 0:20:09.720000
 you know, some other specialist roles.

0:20:09.720000 --> 0:20:13.520000
 But you can see that the SOC manager
 still reports to the CISO.

0:20:13.520000 --> 0:20:17.960000
 This is in the event that there isn't
 a CSIRT or a defined incident response

0:20:17.960000 --> 0:20:25.300000
 team. Regardless of that, if the incident
 response team or capabilities

0:20:25.300000 --> 0:20:30.220000
 are sort of localized within a SOC, you
 obviously, the incident responders,

0:20:30.220000 --> 0:20:34.320000
 as I mentioned, are going to be the
 SOC analyst, primarily the tier two

0:20:34.320000 --> 0:20:39.360000
 analyst. And you have the IR team lead
 or the coordinator, as it were.

0:20:39.360000 --> 0:20:45.700000
 And you can see that pretty much escalation
 is based on the increasing

0:20:45.700000 --> 0:20:47.700000
 severity of alerts.

0:20:47.700000 --> 0:20:50.980000
 And they consult with or escalate,
 you know, between themselves.

0:20:50.980000 --> 0:20:53.840000
 And then you also have the, you know,
 security consultants, architects,

0:20:53.840000 --> 0:20:57.940000
 these are not necessarily roles that
 you'll find, or individuals you'll

0:20:57.940000 --> 0:21:01.860000
 find. But you have these specialist
 roles, like, you know, malware analyst,

0:21:01.860000 --> 0:21:08.000000
 et cetera. And the incident response
 team, in this case, within the SOC,

0:21:08.000000 --> 0:21:09.820000
 coordinates with the specialist role.

0:21:09.820000 --> 0:21:14.180000
 So eventually they, you know, an
 IR team ends up being formed.

0:21:14.180000 --> 0:21:16.300000
 It may be an informal one.

0:21:16.300000 --> 0:21:21.160000
 But this is what you have with a dedicated
 CSIRT, you're essentially just

0:21:21.160000 --> 0:21:25.080000
 taking the incident response analysts
 or the tier two analyst.

0:21:25.080000 --> 0:21:29.220000
 And some of these other specialist roles
 and putting them, you know, putting

0:21:29.220000 --> 0:21:32.260000
 them into a team or department formally.

0:21:32.260000 --> 0:21:37.120000
 So it's just a matter of understanding
 the roles, the key roles, like

0:21:37.120000 --> 0:21:41.540000
 the, you know, the executive level,
 the coordination or the team lead,

0:21:41.540000 --> 0:21:42.900000
 and then who does what?

0:21:42.900000 --> 0:21:47.360000
 So who is the incident response analyst,
 who does forensics, so on and

0:21:47.360000 --> 0:21:50.880000
 so forth. So hopefully this makes
 it easier to understand.

0:21:50.880000 --> 0:21:54.160000
 And with that being said, that brings
 us to the end of this video.

0:21:54.160000 --> 0:21:58.820000
 So by this point, we know, you should
 be fairly well versed with the,

0:21:58.820000 --> 0:22:04.020000
 with, you know, what incident response
 is, the various types of team models,

0:22:04.020000 --> 0:22:06.400000
 their team names, and now the
 roles and responsibilities.

0:22:06.400000 --> 0:22:11.360000
 Now we're going to turn our attention
 to the incident response process.

0:22:11.360000 --> 0:22:14.100000
 With that being said, that's going
 to be it for this video.

0:22:14.100000 --> 0:22:16.580000
 And I will be seeing you
 in the next video.

