WEBVTT

0:00:03.500000 --> 0:00:05.980000
 Hello everyone and welcome.

0:00:05.980000 --> 0:00:09.700000
 In this video we're going to be taking
 a look at the incident response

0:00:09.700000 --> 0:00:16.500000
 process or lifecycle if you will and
 we're going to be looking or sort

0:00:16.500000 --> 0:00:24.780000
 of exploring this process on the basis
 of the predefined or the defined

0:00:24.780000 --> 0:00:27.720000
 NIST incident response process.

0:00:27.720000 --> 0:00:31.940000
 So, you know, we're essentially going
 to, you know, get an understanding

0:00:31.940000 --> 0:00:38.260000
 as to why having a process or sort of
 standardizing a process is important,

0:00:38.260000 --> 0:00:41.780000
 more specifically an incident response
 process and then we're going to

0:00:41.780000 --> 0:00:49.100000
 look at the most arguably the most popular
 of these frameworks or processes,

0:00:49.100000 --> 0:00:54.200000
 namely the NIST incident response
 process or I should say framework.

0:00:54.200000 --> 0:00:59.360000
 And in the next video we'll take a
 look at an alternative one which is

0:00:59.360000 --> 0:01:02.060000
 the SANS incident response process.

0:01:02.060000 --> 0:01:07.860000
 So, to get started, you know, we need
 to sort of understand the incident

0:01:07.860000 --> 0:01:12.880000
 response process and I want you to pay
 very close attention to the keywords

0:01:12.880000 --> 0:01:16.400000
 here that I've sort of made
 bold and italicized.

0:01:16.400000 --> 0:01:20.640000
 So, incident response as we know
 is a structured and systematic.

0:01:20.640000 --> 0:01:23.580000
 So, those are very important things here.


0:01:23.580000 --> 0:01:28.340000
 You need structure and you need a system,
 right, in order for this to

0:01:28.340000 --> 0:01:35.560000
 work. So, it's a structured and systematic
 approach to detecting, investigating,

0:01:35.560000 --> 0:01:40.420000
 containing, eradicating and recovering
 from cybersecurity incidents, for

0:01:40.420000 --> 0:01:44.640000
 example, you know, like malware infections,
 data breaches, ransomware attacks

0:01:44.640000 --> 0:01:48.300000
 and any other form of
 unauthorized access.

0:01:48.300000 --> 0:01:53.080000
 So, from that we can sort of derive the
 goals or the objectives of incident

0:01:53.080000 --> 0:01:58.760000
 response which are a, minimize damage
 and disruption, b, restore normal

0:01:58.760000 --> 0:02:03.500000
 operations as quickly as possible, c,
 reduce the risk of future incidents

0:02:03.500000 --> 0:02:08.020000
 and d, comply with legal and
 regulatory requirements.

0:02:08.020000 --> 0:02:12.320000
 The bottom line is that it's not just
 about reacting, it's about responding

0:02:12.320000 --> 0:02:16.280000
 effectively, efficiently
 and with purpose.

0:02:16.280000 --> 0:02:20.420000
 So, with that in mind, that brings us to,
 you know, the need for a standardized

0:02:20.420000 --> 0:02:26.280000
 framework or process because as I sort of
 outlined here, a framework transforms

0:02:26.280000 --> 0:02:31.160000
 incident response from, you know, ad
 hoc firefighting into a disciplined

0:02:31.160000 --> 0:02:33.540000
 professional practice.

0:02:33.540000 --> 0:02:41.720000
 And, you know, what this means or the
 underpinning principle here is that

0:02:41.720000 --> 0:02:46.860000
 incident response is a high stakes
 time sensitive activity.

0:02:46.860000 --> 0:02:51.440000
 As a result, you know, without a structured
 and repeatable process, organizations

0:02:51.440000 --> 0:02:57.280000
 are likely to respond inconsistently,
 which consequently results in a,

0:02:57.280000 --> 0:03:01.860000
 you know, delayed containment and recovery,
 increased damage and downtime,

0:03:01.860000 --> 0:03:06.360000
 poor communication and role confusion,
 missed compliance and reporting

0:03:06.360000 --> 0:03:15.280000
 requirements, and that brings us to the
 NIST incident response framework,

0:03:15.280000 --> 0:03:21.980000
 which is outlined in the NIST special
 publication 800-61 revision two; it's

0:03:21.980000 --> 0:03:26.040000
 also there in the original revision,
 but the NIST special publication

0:03:26.040000 --> 0:03:31.100000
 800-61 is the most widely adopted and
 recommended framework globally.

0:03:31.100000 --> 0:03:35.600000
 So, it provides a solid foundation for
 developing, operating and maturing

0:03:35.600000 --> 0:03:40.680000
 an incident response capability, and it's
 compatible with most other standards

0:03:40.680000 --> 0:03:47.240000
 and tools. Now, while several frameworks
 or processes exist, the NIST

0:03:47.240000 --> 0:03:52.840000
 incident response framework is really the
 global standard due to its clarity,

0:03:52.840000 --> 0:03:54.900000
 flexibility and comprehensive approach.

0:03:54.900000 --> 0:04:00.540000
 In fact, this particular learning path
 is built on the NIST incident response

0:04:00.540000 --> 0:04:04.760000
 framework in terms of how we've organized
 each of the courses and the

0:04:04.760000 --> 0:04:09.040000
 fact that, you know, we're not covering
 it, you know, phase by phase or

0:04:09.040000 --> 0:04:12.620000
 step by step, but we're sort
 of using the same phases.

0:04:12.620000 --> 0:04:17.580000
 So, for example, this course covers
 preparation and detection.

0:04:17.580000 --> 0:04:22.240000
 And the next one covers analysis and,
 you know, so on and so forth.

0:04:22.240000 --> 0:04:26.480000
 So, it's actually, it's
 been there for a while.

0:04:26.480000 --> 0:04:32.160000
 And really, you know, from a high level,
 you know, whether you look at

0:04:32.160000 --> 0:04:37.180000
 it from a high level or even technically,
 it arguably is the simplest

0:04:37.180000 --> 0:04:39.060000
 to understand and the simplest to implement.

0:04:39.060000 --> 0:04:43.380000
 It actually makes the most sense given
 the grouping of, you know, various

0:04:43.380000 --> 0:04:47.640000
 activities. So, you'll actually
 see that in a few seconds.

0:04:47.640000 --> 0:04:54.640000
 So, the NIST special publication 800-61
 revision two outlines a standardized

0:04:54.640000 --> 0:04:59.720000
 incident response lifecycle or process
 that organizations, I should say,

0:04:59.720000 --> 0:05:04.240000
 can, but, you know, should follow to effectively

0:05:04.240000 --> 0:05:08.220000
 prepare for, detect, respond to and recover
 from cybersecurity incidents.

0:05:08.220000 --> 0:05:18.280000
 And those four, those four steps, you know,
 or phases are number one preparation,

0:05:18.280000 --> 0:05:22.860000
 number two detection and analysis, number
 three containment eradication

0:05:22.860000 --> 0:05:27.520000
 and recovery, number four, post incident
 activity or lessons learned.

0:05:27.520000 --> 0:05:32.180000
 So, these four phases or steps sort
 of encompass all aspects of incident

0:05:32.180000 --> 0:05:36.680000
 response, you know, starting off from
 preparation detection and analysis.

0:05:36.680000 --> 0:05:40.760000
 And you can actually see the grouping of
 containment eradication and recovery

0:05:40.760000 --> 0:05:42.320000
 actually makes sense.

0:05:42.320000 --> 0:05:51.900000
 Don't worry if it doesn't, type of
 activity at that point of incident

0:05:51.900000 --> 0:05:55.760000
 response. So, after you've done the detection
 and analysis, you're pretty

0:05:55.760000 --> 0:06:00.040000
 much going to work on containing the
 threat, you know, removing it and

0:06:00.040000 --> 0:06:01.260000
 then recovering from it.

0:06:01.260000 --> 0:06:04.420000
 So, you know, this is what it looks like.


0:06:04.420000 --> 0:06:09.220000
 So, there's four steps, you know, preparation,
 what are you doing here?

0:06:09.220000 --> 0:06:13.180000
 Well, this is where you build readiness
 before an incident occurs.

0:06:13.180000 --> 0:06:16.360000
 We'll actually cover that in this course
 in the next section and then

0:06:16.360000 --> 0:06:18.180000
 detection and analysis.

0:06:18.180000 --> 0:06:21.800000
 So, this is where you identify and
 confirm that, you know, an incident

0:06:21.800000 --> 0:06:23.820000
 has indeed occurred.

0:06:23.820000 --> 0:06:27.540000
 And you know, you perform analysis
 in support of that.

0:06:27.540000 --> 0:06:30.500000
 You then have containment,
 eradication and recovery.

0:06:30.500000 --> 0:06:34.240000
 This is where you stop the attack or
 you contain it, you remove the threat

0:06:34.240000 --> 0:06:39.900000
 or eradicate it and restore the system,
 the affected systems, you know,

0:06:39.900000 --> 0:06:44.440000
 back to normal. So, that business operations
 can resume or can go back

0:06:44.440000 --> 0:06:45.920000
 to normal, as it were.

0:06:45.920000 --> 0:06:50.240000
 You then have the final phase, step
 four or phase four, which is post

0:06:50.240000 --> 0:06:51.560000
 incident activity.

0:06:51.560000 --> 0:06:53.000000
 So, this is lessons learned.

0:06:53.000000 --> 0:06:57.120000
 So, this is where you review and improve,
 you know, you review the lessons

0:06:57.120000 --> 0:06:59.320000
 learned and then consequently improve.

0:06:59.320000 --> 0:07:02.820000
 And the key thing is that it's a life
 cycle or a cycle, which means it's,

0:07:02.820000 --> 0:07:07.380000
 you know, it's constantly improving or,
 you know, you start from preparation

0:07:07.380000 --> 0:07:13.700000
 and end up with post incident activity,
 which feeds back into preparation.

0:07:13.700000 --> 0:07:16.120000
 So, hopefully, that makes sense.

0:07:16.120000 --> 0:07:20.720000
 So, let's take a look at, you know, phase
 one or step one, which is preparation.

0:07:20.720000 --> 0:07:25.240000
 So, the objective here is to build readiness
 before an incident occurs.

0:07:25.240000 --> 0:07:30.700000
 So, the preparation phase involves
 establishing policies, procedures,

0:07:30.700000 --> 0:07:35.360000
 tools and resources necessary to effectively
 detect and respond to incidents.

0:07:35.360000 --> 0:07:39.840000
 And the key activities involved here
 are: a, develop an incident response

0:07:39.840000 --> 0:07:44.620000
 policy and define team roles, establish
 communication plans and escalation

0:07:44.620000 --> 0:07:49.320000
 processes, deploy and configure security
 tools, those being examples of

0:07:49.320000 --> 0:07:53.840000
 those are, you know, your
 SIEM, EDR, IDS, IPS, etc.

0:07:53.840000 --> 0:07:57.720000
 You conduct employee security awareness
 training, create and test incident

0:07:57.720000 --> 0:08:02.580000
 response playbooks for common scenarios,
 perform threat modeling and risk

0:08:02.580000 --> 0:08:05.940000
 assessments. You then have
 detection and analysis.

0:08:05.940000 --> 0:08:09.920000
 So, this is where you identify and
 confirm that an incident has indeed

0:08:09.920000 --> 0:08:17.240000
 occurred. And, you know, just to sort
 of reiterate, you know, it's focused

0:08:17.240000 --> 0:08:19.300000
 on identifying potential
 security incidents.

0:08:19.300000 --> 0:08:24.600000
 But more importantly, the analysis
 phase in, you know, the outcome of

0:08:24.600000 --> 0:08:30.880000
 the analysis phase is really aimed

0:08:30.880000 --> 0:08:35.460000
 at confirming the legitimacy of the
 incident as well as the impact.

0:08:35.460000 --> 0:08:40.220000
 So, therefore, I should say the key
 activities are: a, monitor security

0:08:40.220000 --> 0:08:45.540000
 systems for alerts and suspicious activities,
 triage and categorize alerts

0:08:45.540000 --> 0:08:50.560000
 based on severity and potential impact,
 utilize threat intelligence and

0:08:50.560000 --> 0:08:55.180000
 forensic analysis to confirm incidents
 and, you know, also attribution,

0:08:55.180000 --> 0:09:00.180000
 documenting or document all findings
 for escalation and investigation,

0:09:00.180000 --> 0:09:04.900000
 and quite important determine the scope
 affected systems and the attacker

0:09:04.900000 --> 0:09:09.280000
 behavior or their tradecraft,
 you know, TTPs as it were.

0:09:09.280000 --> 0:09:13.040000
 You then have phase three or step three,
 which is containment eradication

0:09:13.040000 --> 0:09:18.860000
 and recovery. And, you know, as this,
 as the name of the phase infers,

0:09:18.860000 --> 0:09:25.280000
 it should be fairly obvious what, you
 know, what this phase is all about.

0:09:25.280000 --> 0:09:29.500000
 So, stop the attack, remove the threat
 and restore normal operations.

0:09:29.500000 --> 0:09:32.940000
 So, this phase focuses on, you know,
 stopping the attack once an incident

0:09:32.940000 --> 0:09:37.160000
 is confirmed. That's sort of very important
 and involves eliminating the

0:09:37.160000 --> 0:09:40.360000
 threat and restoring systems
 to normal operations.

0:09:40.360000 --> 0:09:43.760000
 With that being said, the key activities
 are, you know, a, contain the

0:09:43.760000 --> 0:09:47.000000
 threat by isolating affected systems
 and, you know, blocking malicious

0:09:47.000000 --> 0:09:50.880000
 traffic, eradicate the threat by removing
 malware, patching vulnerabilities

0:09:50.880000 --> 0:09:53.660000
 and ensuring no persistence
 mechanisms remain.

0:09:53.660000 --> 0:09:55.300000
 That's quite important.

0:09:55.300000 --> 0:09:58.740000
 You don't want to have the attacker
 leave a back door so that they can

0:09:58.740000 --> 0:10:03.660000
 get back in. So, eradication is extremely
 important and needs to be extremely

0:10:03.660000 --> 0:10:08.500000
 rigorous. You then have, you know, recover
 systems by restoring data from

0:10:08.500000 --> 0:10:10.340000
 backups and verifying system integrity.

0:10:10.340000 --> 0:10:15.440000
 So, you need to be able to recover,
 recover systems or restore backups,

0:10:15.440000 --> 0:10:25.100000
 you know, part of that you're also verifying
 the integrity of the system.

0:10:25.100000 --> 0:10:29.200000
 You then have, you know, performing
 post-recovery validation to ensure

0:10:29.200000 --> 0:10:33.580000
 the attacker, you know, or the malware
 that they deployed has been fully

0:10:33.580000 --> 0:10:36.460000
 removed or eradicated, as it were.

0:10:36.460000 --> 0:10:41.320000
 And then you have the final phase, which
 is, you know, phase four or step

0:10:41.320000 --> 0:10:45.680000
 four, which is, you know, post-incident
 activity, really lessons learned.

0:10:45.680000 --> 0:10:50.960000
 So, this is where you learn from the
 incident to enhance defenses and

0:10:50.960000 --> 0:10:55.760000
 resources. So, this phase ensures that
 lessons are learned from the incident

0:10:55.760000 --> 0:10:59.620000
 in order to improve future detection
 and response capabilities.

0:10:59.620000 --> 0:11:04.920000
 So, the key activities here are, A,
 conduct a post-incident review, very

0:11:04.920000 --> 0:11:08.940000
 important to analyze what went well
 and, of course, what failed.

0:11:08.940000 --> 0:11:11.700000
 This is, you know, equally as important.

0:11:11.700000 --> 0:11:14.980000
 You don't want to be in a position
 where you're only focusing on the,

0:11:14.980000 --> 0:11:20.160000
 you know, what you did well, what the
 organization did well with regards

0:11:20.160000 --> 0:11:24.140000
 to responding to the incident, but also
 what you failed at or you didn't

0:11:24.140000 --> 0:11:29.800000
 do well at. Secondly, update incident
 response plans and detection rules

0:11:29.800000 --> 0:11:30.920000
 based on findings.

0:11:30.920000 --> 0:11:35.100000
 So, this is where the whole cyclic nature
 of this process comes into play,

0:11:35.100000 --> 0:11:38.120000
 where this phase feeds
 back into preparation.

0:11:38.120000 --> 0:11:42.140000
 So, you're sort of learning and then
 improving so that the next time an

0:11:42.140000 --> 0:11:45.900000
 incident occurs, you're much
 better prepared, right?

0:11:45.900000 --> 0:11:49.900000
 And then, share findings with threat
 intelligence teams to enrich data,

0:11:49.900000 --> 0:11:54.640000
 provide training for SOC teams on identified
 weaknesses, and prepare reports

0:11:54.640000 --> 0:11:57.700000
 for regulatory and compliance
 requirements.

0:11:57.700000 --> 0:12:00.140000
 So, fairly easy to understand.

0:12:00.140000 --> 0:12:03.420000
 With that being said, that's going
 to be it for this video and I will

0:12:03.420000 --> 0:12:05.220000
 be seeing you in the next video.

