WEBVTT

0:00:03.740000 --> 0:00:06.060000
 Hello everyone and welcome.

0:00:06.060000 --> 0:00:09.620000
 In this video, we're going to be taking
 a look at the SANS incident response

0:00:09.620000 --> 0:00:12.080000
 process or cycle.

0:00:12.080000 --> 0:00:17.620000
 And this is going to be sort of juxtaposed
 against the NIST incident response

0:00:17.620000 --> 0:00:21.060000
 process or life cycle that we looked
 at in the previous video.

0:00:21.060000 --> 0:00:24.760000
 So what is the SANS incident
 response process?

0:00:24.760000 --> 0:00:31.620000
 Well, firstly, let's get some background
 or historical references to who

0:00:31.620000 --> 0:00:37.040000
 created this particular incident
 response process or life cycle.

0:00:37.040000 --> 0:00:41.600000
 As the name suggests, it's created by the
 SANS Institute through its Incident

0:00:41.600000 --> 0:00:43.200000
 Handler's Handbook.

0:00:43.200000 --> 0:00:47.220000
 And it pretty much outlines a six phase
 incident response life cycle that

0:00:47.220000 --> 0:00:52.140000
 is widely used by security professionals,
 especially in operational environments

0:00:52.140000 --> 0:00:53.440000
 and IR training.

0:00:53.440000 --> 0:00:59.140000
 So it's really relevant, at least in my
 experience, when training individuals

0:00:59.140000 --> 0:01:00.360000
 on incident response.

0:01:00.360000 --> 0:01:05.240000
 Now, the process emphasizes a hands-on
 tactical approach to incident handling

0:01:05.240000 --> 0:01:12.100000
 or incident response, whereby each step
 is broken down just like the NIST

0:01:12.100000 --> 0:01:17.840000
 incident response process into,
 broken on into phases.

0:01:17.840000 --> 0:01:23.760000
 So from preparation to lessons learned,
 just like you'll actually see

0:01:23.760000 --> 0:01:24.820000
 the similarities.

0:01:24.820000 --> 0:01:26.100000
 There are a couple of differences.

0:01:26.100000 --> 0:01:30.660000
 The difference is really, if I can,
 you know, point it out right now,

0:01:30.660000 --> 0:01:36.900000
 it's to do with what is the third step
 of the NIST incident response process

0:01:36.900000 --> 0:01:41.780000
 or life cycle. Now, let's sort of proceed
 on here and let's not get onto

0:01:41.780000 --> 0:01:46.120000
 a tangent. So the bottom line is that
 it's clarity and simplicity, make

0:01:46.120000 --> 0:01:51.160000
 it a favorite among IR practitioners,
 especially those working in SOCs,

0:01:51.160000 --> 0:01:55.100000
 MSSPs, and operational response teams.

0:01:55.100000 --> 0:02:00.320000
 So the SANS incident response process
 or cycle outlines a clear six phase

0:02:00.320000 --> 0:02:04.680000
 life cycle designed to help organizations
 effectively detect, respond

0:02:04.680000 --> 0:02:07.500000
 to, and recover from security incidents.

0:02:07.500000 --> 0:02:12.420000
 And these six phases or steps are number
 one, preparation, number two,

0:02:12.420000 --> 0:02:17.220000
 identification, that's for all intents
 and purposes, detection and analysis

0:02:17.220000 --> 0:02:20.000000
 in the NIST incident response process.

0:02:20.000000 --> 0:02:23.540000
 You then have containment eradication
 and recovery, but now they're their

0:02:23.540000 --> 0:02:25.560000
 own phases or steps.

0:02:25.560000 --> 0:02:28.880000
 So you're sort of taking the third
 step in the NIST incident response

0:02:28.880000 --> 0:02:34.960000
 process or framework and you're sort
 of, you know, making or giving them

0:02:34.960000 --> 0:02:40.260000
 each, sort of breaking down into so that
 each of those, you know, activities

0:02:40.260000 --> 0:02:49.540000
 is sort of represents or containment,
 eradication, recovery, and just

0:02:49.540000 --> 0:02:54.700000
 like NIST, the lessons learned, which
 is sort of the final phase, which,

0:02:54.700000 --> 0:02:57.820000
 you know, you can actually see the
 similarities between the two now.

0:02:57.820000 --> 0:03:01.900000
 So this is what it looks like, just
 like we had sort of explored in the

0:03:01.900000 --> 0:03:04.120000
 previous video, we have preparation.

0:03:04.120000 --> 0:03:07.940000
 So this is where you're laying the foundation
 for effective incident response.

0:03:07.940000 --> 0:03:13.160000
 Identification is, you know, this is,
 as I said, doubles as detection.

0:03:13.160000 --> 0:03:16.060000
 This is where, you know, you determine
 whether an incident has occurred

0:03:16.060000 --> 0:03:19.900000
 and you assess its nature,
 you then have containment.

0:03:19.900000 --> 0:03:22.920000
 So, you know, you limit the damage and
 prevent the incident from spreading

0:03:22.920000 --> 0:03:27.300000
 eradication. This is where you remove the
 cause and artifacts of the incident

0:03:27.300000 --> 0:03:28.200000
 from the environment.

0:03:28.200000 --> 0:03:32.120000
 Recovery, this is where you restore
 and validate systems to return to

0:03:32.120000 --> 0:03:35.920000
 normal operations and then lessons
 learned, documented, improved based

0:03:35.920000 --> 0:03:36.940000
 on the response.

0:03:36.940000 --> 0:03:39.780000
 And just like NIST, it feeds
 back into preparation.

0:03:39.780000 --> 0:03:49.320000
 So, you know, is always, always leads
 to the improvement of the incident

0:03:49.320000 --> 0:03:53.840000
 process as a whole, the incident
 response process as a whole.

0:03:53.840000 --> 0:03:58.500000
 So, you know, just like we're going
 to go through each phase, just like

0:03:58.500000 --> 0:04:03.040000
 we did in the previous video, but you'll
 actually see the similarities.

0:04:03.040000 --> 0:04:06.020000
 So in the case of preparation, you're
 laying the foundation for effective

0:04:06.020000 --> 0:04:07.480000
 incident response.

0:04:07.480000 --> 0:04:11.200000
 And just like NIST, you know, the preparation
 phase involves establishing

0:04:11.200000 --> 0:04:15.740000
 policies, procedures, tools, and resources,
 necessary to effectively detect

0:04:15.740000 --> 0:04:17.540000
 and respond to it to incidents.

0:04:17.540000 --> 0:04:20.540000
 And the key activities
 are exactly the same.

0:04:20.540000 --> 0:04:25.040000
 Develop IR policies, plans, and playbooks,
 define the team roles, responsibilities,

0:04:25.040000 --> 0:04:29.520000
 and communication paths or protocols,
 as well as escalation, you know,

0:04:29.520000 --> 0:04:35.240000
 protocols, you set up detection, detection
 systems, you know, so you set

0:04:35.240000 --> 0:04:39.080000
 up logging, monitoring, and alerting
 systems, you train staff and run

0:04:39.080000 --> 0:04:44.100000
 tabletop exercises, and you establish
 your secure configurations, asset

0:04:44.100000 --> 0:04:46.780000
 inventories, and backups.

0:04:46.780000 --> 0:04:50.980000
 You then have identification, which,
 as I said, doubles as detection.

0:04:50.980000 --> 0:04:54.080000
 So this is where you determine whether
 an incident has occurred and assess

0:04:54.080000 --> 0:04:59.400000
 its nature. So, this phase is focused
 on identifying potential security

0:04:59.400000 --> 0:05:03.360000
 incidents and analyzing them to confirm
 the legitimacy and impact.

0:05:03.360000 --> 0:05:09.800000
 So key activities here are exactly
 the same as you, you know, as is in

0:05:09.800000 --> 0:05:13.820000
 the NIST incident response framework
 in the detection and analysis phase.

0:05:13.820000 --> 0:05:19.720000
 So monitor security tools, those being
 the SIEM, EDR, IDS, you know, logs,

0:05:19.720000 --> 0:05:23.760000
 etc., for suspicious activity, you
 validate these alerts and classify

0:05:23.760000 --> 0:05:28.180000
 potential incidents, you determine
 the scope, severity, and impact of

0:05:28.180000 --> 0:05:32.360000
 the incident, you record evidence and
 assign incident severity levels,

0:05:32.360000 --> 0:05:36.960000
 and finally you decide whether to escalate
 or initiate full response.

0:05:36.960000 --> 0:05:40.380000
 You then have containment, so this is
 where you limit the damage and prevent

0:05:40.380000 --> 0:05:45.160000
 the incident from spreading, just like
 NIST, isolate affected systems.

0:05:45.160000 --> 0:05:50.160000
 Examples of that are network segmentation,
 disconnecting devices, you

0:05:50.160000 --> 0:05:54.860000
 know, just ripping the cord, the Ethernet
 cable, applying short-term containment

0:05:54.860000 --> 0:06:00.100000
 measures to stop further attack activity,
 consider long-term containment

0:06:00.100000 --> 0:06:03.680000
 steps for continued business operations
 and, you know, preserving volatile

0:06:03.680000 --> 0:06:05.800000
 data for later analysis.

0:06:05.800000 --> 0:06:09.760000
 You can actually see with the SANS incident
 response process of framework,

0:06:09.760000 --> 0:06:16.740000
 I should say cycle, why this is very
 valuable, especially when, especially

0:06:16.740000 --> 0:06:20.740000
 in the context of training incident responders,
 because in the NIST incident

0:06:20.740000 --> 0:06:26.360000
 response framework, the containment eradication
 and recovery phases being

0:06:26.360000 --> 0:06:36.040000
 combined may lead to confusion in understanding
 the lines of demarcation

0:06:36.040000 --> 0:06:39.020000
 that separate containment,
 eradication, and recovery.

0:06:39.020000 --> 0:06:43.640000
 So this is actually a little bit more
 useful, you know, sort of treating

0:06:43.640000 --> 0:06:47.660000
 them independent because you actually
 understand what each of these phases

0:06:47.660000 --> 0:06:52.760000
 entails. So eradication, this is where
 you're removing the cause, you

0:06:52.760000 --> 0:06:57.020000
 know, the cause and the artifacts of
 the incident from the environment.

0:06:57.020000 --> 0:07:01.220000
 So key activities are identifying the
 root cause that can be malware,

0:07:01.220000 --> 0:07:05.320000
 vulnerable software, stolen
 credentials, as examples.

0:07:05.320000 --> 0:07:09.820000
 Secondly, removing the malicious files,
 backdoors, and persistence mechanisms.

0:07:09.820000 --> 0:07:15.020000
 So the attackers can get back in, you
 patch systems or change passwords,

0:07:15.020000 --> 0:07:19.880000
 very important, and then reimage compromise
 systems if required or if

0:07:19.880000 --> 0:07:25.120000
 needed. And then recovery, so again,
 this should already be familiar,

0:07:25.120000 --> 0:07:28.840000
 you know, should already
 be familiar to you.

0:07:28.840000 --> 0:07:33.740000
 So you restore and validate systems
 to return to normal operations.

0:07:33.740000 --> 0:07:38.720000
 Key activities are restoring systems from
 clean backups, monitoring systems

0:07:38.720000 --> 0:07:42.260000
 to confirm they are functioning properly,
 and there's nothing going on

0:07:42.260000 --> 0:07:44.980000
 in the background that, you know, indicates
 that you have not completely

0:07:44.980000 --> 0:07:49.320000
 performed eradication, or you did not
 perform further eradication of the

0:07:49.320000 --> 0:07:53.520000
 threat. You reintroduce affected systems
 to the network in a controlled

0:07:53.520000 --> 0:07:58.800000
 manner, and you verify system integrity
 and user access controls.

0:07:58.800000 --> 0:08:05.840000
 And you then have the final phase,
 phase six or step six, step four in

0:08:05.840000 --> 0:08:09.380000
 the instance, the NIST incident
 response framework or process.

0:08:09.380000 --> 0:08:13.420000
 So you learn from the incident to enhance
 defenses and refine the incident

0:08:13.420000 --> 0:08:14.440000
 response process.

0:08:14.440000 --> 0:08:19.360000
 So this phase ensures that lessons are
 learned from the incident in order

0:08:19.360000 --> 0:08:21.900000
 to improve future detection
 and response capabilities.

0:08:21.900000 --> 0:08:27.260000
 Key activities are fairly obvious, conduct
 a post-incident review or debrief,

0:08:27.260000 --> 0:08:32.200000
 document the timeline, actions taken
 and outcomes, identify what worked,

0:08:32.200000 --> 0:08:35.700000
 and of course, where improvements need
 to be made, update the incident

0:08:35.700000 --> 0:08:40.260000
 response plans, policies, and detection
 tools accordingly, based on what

0:08:40.260000 --> 0:08:43.940000
 was learned, and finally, share findings
 with stakeholders and relevant

0:08:43.940000 --> 0:08:51.120000
 teams. So that's the NIST incident response
 process or lifecycle, as it

0:08:51.120000 --> 0:08:55.700000
 were. And now let's compare the SANS
 incident response process to the

0:08:55.700000 --> 0:09:00.800000
 NIST incident response process or framework
 outlined in the NIST special

0:09:00.800000 --> 0:09:03.040000
 publication 800-61.

0:09:03.040000 --> 0:09:09.040000
 So you can see we have six phases,
 but, you know, with NIST therefore,

0:09:09.040000 --> 0:09:13.440000
 but you know, on in the case of SANS,
 it's pretty much the same as NIST

0:09:13.440000 --> 0:09:17.600000
 preparation preparation, both begin
 with readiness planning tools and

0:09:17.600000 --> 0:09:24.160000
 training. Step two or phase two identification
 in the case of SANS, in

0:09:24.160000 --> 0:09:28.160000
 the NIST incident response framework,
 it's detection and analysis.

0:09:28.160000 --> 0:09:30.080000
 So what's the comparison here?

0:09:30.080000 --> 0:09:31.900000
 Well, what's the difference?

0:09:31.900000 --> 0:09:35.500000
 SANS separates detection
 into its own phase.

0:09:35.500000 --> 0:09:38.540000
 NIST combines detection and analysis.

0:09:38.540000 --> 0:09:43.740000
 In the case of SANS, you have containment
 eradication and recovery, you

0:09:43.740000 --> 0:09:46.400000
 know, each being independent
 phases or steps.

0:09:46.400000 --> 0:09:50.260000
 In the case of the NIST incident response
 framework, they're combined.

0:09:50.260000 --> 0:09:54.620000
 So let's take a look at the comparison
 of the differences.

0:09:54.620000 --> 0:09:59.360000
 So SANS breaks these into three
 distinct phases for clarity.

0:09:59.360000 --> 0:10:02.620000
 NIST groups them for flexibility, right?

0:10:02.620000 --> 0:10:05.840000
 And the key thing is that they
 have the same goal, right?

0:10:05.840000 --> 0:10:11.360000
 So those three in the case of SANS and,
 you know, the third phase in the

0:10:11.360000 --> 0:10:17.260000
 case of NIST all have the same goal,
 which is to remove the root cause

0:10:17.260000 --> 0:10:18.800000
 of the incident.

0:10:18.800000 --> 0:10:24.140000
 And of course, the attacker artifacts,
 this is in the case of eradication.

0:10:24.140000 --> 0:10:29.580000
 In the case of recovery, same thing,
 restore and validate systems.

0:10:29.580000 --> 0:10:33.180000
 And then, of course, they both share
 lessons learned or post-incident

0:10:33.180000 --> 0:10:37.960000
 activity. So both conclude with the review
 documentation and improvement.

0:10:37.960000 --> 0:10:41.400000
 So there's really not, there really
 isn't much of a difference.

0:10:41.400000 --> 0:10:49.180000
 It's all about just, as I stated over
 here, if I can actually go back,

0:10:49.180000 --> 0:10:55.640000
 yeah, as I stated over here, SANS, you
 know, sort of breaks the process

0:10:55.640000 --> 0:10:58.140000
 into more steps for clarity.

0:10:58.140000 --> 0:11:03.100000
 So you actually understand, you understand
 the overall process better,

0:11:03.100000 --> 0:11:10.460000
 but you actually know the demarcation
 points or the scope and bounds of

0:11:10.460000 --> 0:11:16.320000
 each phase with regards to what
 is performed in said phases.

0:11:16.320000 --> 0:11:20.260000
 Whereas NIST groups performs this grouping
 of containment eradication

0:11:20.260000 --> 0:11:22.460000
 and recovery for flexibility.

0:11:22.460000 --> 0:11:35.140000
 But you can see they pretty much, you
 know, as extent, they're pretty

0:11:35.140000 --> 0:11:39.000000
 much extensive, you know, in comparison,
 you can see that, you know, one

0:11:39.000000 --> 0:11:41.780000
 has a phase and the other one doesn't.

0:11:41.780000 --> 0:11:45.460000
 So, you know, very, very comprehensive.

0:11:45.460000 --> 0:11:50.240000
 And it really just comes down to a
 couple of factors in terms of, you

0:11:50.240000 --> 0:11:52.980000
 know, which one to use or
 which one to adhere to.

0:11:52.980000 --> 0:11:56.980000
 The bottom line is that if you learn
 the SANS incident response process,

0:11:56.980000 --> 0:12:03.560000
 you know, in terms of response
 framework or process.

0:12:03.560000 --> 0:12:07.560000
 So what I'm trying to show you here
 is there isn't one, you know, one

0:12:07.560000 --> 0:12:09.280000
 isn't better than the other.

0:12:09.280000 --> 0:12:13.520000
 But the reason why the NIST incident response
 process or framework is more

0:12:13.520000 --> 0:12:18.740000
 popular is really down to the fact that,
 you know, it was, it came before

0:12:18.740000 --> 0:12:22.320000
 the SANS incident response process
 and was implemented.

0:12:22.320000 --> 0:12:24.400000
 You know, you know, it comes from NIST.

0:12:24.400000 --> 0:12:28.680000
 So the National Institute of Standards.

0:12:28.680000 --> 0:12:34.000000
 So it's actually implemented by a lot
 of companies as part of, you know,

0:12:34.000000 --> 0:12:41.900000
 best practice. So in this particular case,
 the SANS incident response process,

0:12:41.900000 --> 0:12:57.960000
 in fact, before we do I sort of added
 in the comparison there that SANS

0:12:57.960000 --> 0:13:00.800000
 separates detection into its own phase.

0:13:00.800000 --> 0:13:06.000000
 That's not to say that within the SANS
 incident response process, you know,

0:13:06.000000 --> 0:13:09.420000
 that's not to say that it
 does not entail analysis.

0:13:09.420000 --> 0:13:14.040000
 In any case, the SANS incident response
 process offers a more granular

0:13:14.040000 --> 0:13:18.700000
 operational breakdown ideal for
 hands-on incident response teams.

0:13:18.700000 --> 0:13:23.380000
 And the NIST incident response framework
 is more formal and flexible aligning

0:13:23.380000 --> 0:13:27.200000
 with policy compliance and enterprise
 level governance.

0:13:27.200000 --> 0:13:30.360000
 Bottom line is that, you know, both
 are widely accepted and compatible

0:13:30.360000 --> 0:13:31.940000
 with each other.

0:13:31.940000 --> 0:13:36.680000
 Many organizations use SANS for execution
 and NIST for structure and policy

0:13:36.680000 --> 0:13:41.860000
 alignment. And that's exactly or
 that's as accurate as it gets.

0:13:41.860000 --> 0:13:44.880000
 So that brings us to the
 end of this video.

0:13:44.880000 --> 0:13:47.240000
 And I'll be seeing you in the next video.


