WEBVTT

0:00:03.760000 --> 0:00:07.160000
 preparing for cybersecurity incidents.

0:00:07.160000 --> 0:00:11.040000
 So welcome to the preparation
 section of this course.

0:00:11.040000 --> 0:00:15.720000
 where, as you guessed, we'll be taking
 a look at the first phase of the

0:00:15.720000 --> 0:00:19.760000
 incident response process or life
 cycle, namely preparation.

0:00:19.760000 --> 0:00:26.760000
 So there's really not much to add as
 sort of an introduction or prelude,

0:00:26.760000 --> 0:00:31.680000
 but let's not waste any more time and
 let's sort of get an understanding

0:00:31.680000 --> 0:00:37.800000
 or feeling as to where we are in relation
 to the incident response process

0:00:37.800000 --> 0:00:41.320000
 or life cycle, which we have already
 gone through and you probably already

0:00:41.320000 --> 0:00:44.280000
 guessed that it's preparation,
 you know, it's the first phase.

0:00:44.280000 --> 0:00:48.560000
 So just wanted to give you an idea,
 a visual idea as to where we are.

0:00:48.560000 --> 0:00:53.600000
 Of course we'll be covering detection
 and analysis in a later course,

0:00:53.600000 --> 0:00:57.420000
 likewise, you know, the same for
 containment, eradication, etc.

0:00:57.420000 --> 0:01:02.040000
 So we're, you know, we're getting
 into preparation now.

0:01:02.040000 --> 0:01:05.880000
 So the preparation phase, what
 is the preparation phase?

0:01:05.880000 --> 0:01:06.900000
 What is it all about?

0:01:06.900000 --> 0:01:11.600000
 Well, the preparation phase is the
 first and I should say foundational

0:01:11.600000 --> 0:01:15.540000
 phase of the incident response
 process and life cycle.

0:01:15.540000 --> 0:01:20.360000
 And it involves establishing and developing
 the capabilities, policies,

0:01:20.360000 --> 0:01:25.740000
 tools, people and processes that an organization
 needs before an incident

0:01:25.740000 --> 0:01:31.740000
 occurs. So what that means, simply,
 is in preparation for an incident.

0:01:31.740000 --> 0:01:35.500000
 So you're essentially preparing everything,
 you know, the capabilities,

0:01:35.500000 --> 0:01:41.020000
 as I said, policies, plans, tools, employees,
 being people, the IR team,

0:01:41.020000 --> 0:01:44.520000
 you're preparing all of
 this before an incident.

0:01:44.520000 --> 0:01:47.480000
 So in preparation for an incident.

0:01:47.480000 --> 0:01:51.560000
 And the goal of this phase is to ensure
 that an organization is equipped

0:01:51.560000 --> 0:01:56.940000
 and ready to handle a potential security
 incident effectively, therefore

0:01:56.940000 --> 0:02:01.860000
 minimizing damage and ensuring
 a coordinated timely response.

0:02:01.860000 --> 0:02:05.340000
 And the key takeaway that you need to
 understand, you know, it probably

0:02:05.340000 --> 0:02:14.540000
 is obvious, is that the incident response process
 is not reactive, it's proactive.

0:02:14.540000 --> 0:02:18.300000
 So, you know, as I said, that should
 make sense to you based on what I

0:02:18.300000 --> 0:02:23.300000
 said, you know, preparing or, you know,
 developing capabilities, policies,

0:02:23.300000 --> 0:02:28.640000
 tools, etc. All that good stuff is something
 you have to do proactively.

0:02:28.640000 --> 0:02:32.420000
 You know, it's not something that you
 can start doing, you know, at the

0:02:32.420000 --> 0:02:35.500000
 point of which you're dealing with an incident
 or, you know, the organization

0:02:35.500000 --> 0:02:38.520000
 has suffered a breach.

0:02:38.520000 --> 0:02:43.460000
 So at that point, you can't
 start doing the same thing.

0:02:43.460000 --> 0:02:47.240000
 So, you know, you're not supposed to be
 reacting in this phase, it's proactive.

0:02:47.240000 --> 0:02:50.400000
 So this is stuff that you need
 to be proactive about.

0:02:50.400000 --> 0:02:51.580000
 And that's very important.

0:02:51.580000 --> 0:02:55.140000
 And you know, you'll sort of understand
 why as we progress within this

0:02:55.140000 --> 0:03:00.460000
 section. So the preparation, you may be
 asking yourself, well, what exactly

0:03:00.460000 --> 0:03:02.280000
 does preparation entail?

0:03:02.280000 --> 0:03:05.780000
 I've gone through this in the previous
 course as well as earlier on in

0:03:05.780000 --> 0:03:09.620000
 this course, but we didn't really dive
 deep as to, you know, what exactly

0:03:09.620000 --> 0:03:11.600000
 goes on in this phase?

0:03:11.600000 --> 0:03:15.540000
 And what does it mean for you
 as an incident responder?

0:03:15.540000 --> 0:03:19.700000
 Right. So the preparation phase typically
 encompasses the following activities

0:03:19.700000 --> 0:03:24.200000
 or components. Firstly, establishing
 and training the incident response

0:03:24.200000 --> 0:03:29.360000
 team, IRT, whatever shape or form that
 may take, whether it's a CSIRT,

0:03:29.360000 --> 0:03:32.020000
 CERT, C-E-R-T, etc.

0:03:32.020000 --> 0:03:36.520000
 So the objective here is, you know, and
 I'm not being completely extensive

0:03:36.520000 --> 0:03:38.300000
 as to what exactly goes on.

0:03:38.300000 --> 0:03:42.440000
 But primarily this, you know, what
 you're trying to do here is ensure

0:03:42.440000 --> 0:03:47.840000
 that all responders or everyone in the team
 understands their roles, responsibilities,

0:03:47.840000 --> 0:03:50.020000
 and of course, the escalation paths.

0:03:50.020000 --> 0:03:55.100000
 Now, we've already gone through the IR
 team, you know, models or the various

0:03:55.100000 --> 0:03:58.740000
 types of IR teams, as well as the
 roles and responsibilities.

0:03:58.740000 --> 0:04:02.000000
 So we've pretty much covered
 that, which is great.

0:04:02.000000 --> 0:04:07.040000
 But moving on, you're also developing
 incident response plans, policies

0:04:07.040000 --> 0:04:10.860000
 and playbooks, which we'll actually be
 taking a look at in this section.

0:04:10.860000 --> 0:04:12.140000
 Very, very important.

0:04:12.140000 --> 0:04:14.860000
 And again, don't need to worry
 about why it's important.

0:04:14.860000 --> 0:04:17.140000
 It'll become apparent as we progress.

0:04:17.140000 --> 0:04:20.540000
 You then have the deployment and configuration
 of monitoring and detection

0:04:20.540000 --> 0:04:25.960000
 systems, again, equally important deployment
 of tools, security controls,

0:04:25.960000 --> 0:04:27.200000
 countermeasures, etc.

0:04:27.200000 --> 0:04:32.400000
 So this actually, you know, requires
 or involves getting, you know, it's

0:04:32.400000 --> 0:04:36.040000
 pretty much based on the needs assessment
 or the needs of the organization

0:04:36.040000 --> 0:04:41.480000
 and the consequent risk analysis or assessments
 that have been performed.

0:04:41.480000 --> 0:04:45.300000
 And then, of course, you know, user awareness
 training and skills development.

0:04:45.300000 --> 0:04:49.500000
 So an example of this would be running
 tabletop exercises and simulations,

0:04:49.500000 --> 0:04:53.560000
 you know, in preparation for.

0:04:53.560000 --> 0:04:58.160000
 So hopefully the name of the phase gives
 you an idea as to the type of

0:04:58.160000 --> 0:05:01.800000
 the training or the nature of the training
 that's going to be provided

0:05:01.800000 --> 0:05:08.560000
 here. So you may be asking yourself
 again, it's fairly natural.

0:05:08.560000 --> 0:05:11.740000
 What why is preparation
 so important, right?

0:05:11.740000 --> 0:05:14.040000
 What is the importance of preparation?

0:05:14.040000 --> 0:05:19.540000
 I should say good preparation because
 preparation can be bad or inadequate.

0:05:19.540000 --> 0:05:22.640000
 It can also be thorough
 or good, as it were.

0:05:22.640000 --> 0:05:27.600000
 So without proper preparation, even
 the most skilled response team can

0:05:27.600000 --> 0:05:32.640000
 be crippled, I should say will be crippled
 by confusion, delays and poor

0:05:32.640000 --> 0:05:35.860000
 coordination when an incident
 occurs, right?

0:05:35.860000 --> 0:05:40.840000
 And what you typically have sort of
 juxtaposed both of these have sort

0:05:40.840000 --> 0:05:44.800000
 of juxtaposed, you know, well, well prepared
 organizations against unprepared

0:05:44.800000 --> 0:05:47.960000
 organizations or ill prepared
 organizations.

0:05:47.960000 --> 0:05:55.240000
 So you can sort of see or sort of identify
 the profile of a good or a

0:05:55.240000 --> 0:05:59.840000
 well prepared org and an unprepared organization
 based on how they respond

0:05:59.840000 --> 0:06:01.660000
 to an incident or a threat.

0:06:01.660000 --> 0:06:05.620000
 So firstly, well prepared organizations
 detect incidents faster.

0:06:05.620000 --> 0:06:09.340000
 Now again, that may be
 a little bit ambiguous.

0:06:09.340000 --> 0:06:13.480000
 But don't worry, this will make sense
 as we progress. B, they respond more

0:06:13.480000 --> 0:06:19.880000
 efficiently. C, they, you know, minimize
 the impact on business operations,

0:06:19.880000 --> 0:06:24.280000
 meet legal and regulatory obligations.

0:06:24.280000 --> 0:06:29.260000
 They improve recovery times over time,
 no pun intended, and they learn

0:06:29.260000 --> 0:06:31.660000
 and adapt through documentation
 and review.

0:06:31.660000 --> 0:06:35.800000
 So lessons learned. In the case of unprepared
 or ill prepared organizations,

0:06:35.800000 --> 0:06:40.880000
 you typically see disorganized responses
 and disorganized processes as

0:06:40.880000 --> 0:06:45.840000
 well. So everything just looks kind of
 ad hoc, like they may be procedures

0:06:45.840000 --> 0:06:51.140000
 or playbooks, but no one's really
 sure about whether that playbook

0:06:51.140000 --> 0:06:58.600000
 really applies to this case or what,
 what type of, you know, what type

0:06:58.600000 --> 0:07:03.520000
 of incident this should be classified
 as in terms of severity or criticality

0:07:03.520000 --> 0:07:08.360000
 as it were, you know, stuff like this,
 you also have, you know, breakdowns

0:07:08.360000 --> 0:07:14.080000
 and so information is not being, is
 not being communicated to those who

0:07:14.080000 --> 0:07:19.520000
 are consulted or consultable as it were,
 and to those who need to be informed.

0:07:19.520000 --> 0:07:22.460000
 No one knows, you know, using
 the RACI matrix there.

0:07:22.460000 --> 0:07:27.740000
 No one really knows who is, I shouldn't
 say responsible, but no one really

0:07:27.740000 --> 0:07:29.540000
 knows who should be consulted.

0:07:29.540000 --> 0:07:32.300000
 Typically that's the case, you know,
 for example, you get an incident,

0:07:32.300000 --> 0:07:36.400000
 you're not really sure, you know, what
 to do next, what do you do next,

0:07:36.400000 --> 0:07:38.100000
 who do you reach out to next.

0:07:38.100000 --> 0:07:41.680000
 So you can start to understand the importance
 of preparation and why you

0:07:41.680000 --> 0:07:45.960000
 need to understand these teams, the
 different types and models

0:07:45.960000 --> 0:07:49.720000
 of IR teams, the roles and
 responsibilities, etc.

0:07:49.720000 --> 0:07:53.460000
 In order for you, you can, you can
 sort of see why it's important and

0:07:53.460000 --> 0:07:56.680000
 why you need to understand it, because
 at the end of the day, you're going

0:07:56.680000 --> 0:08:00.160000
 to be working in an incident response
 team and you need to be able to,

0:08:00.160000 --> 0:08:03.860000
 you know, even as an incident responder
 say, hey, I think we need to improve

0:08:03.860000 --> 0:08:08.400000
 there. But, you know, moving on, you
 can also see they typically miss

0:08:08.400000 --> 0:08:12.840000
 reporting deadlines and of course,
 greater financial and reputational

0:08:12.840000 --> 0:08:16.460000
 damage, because again,
 they are ill prepared.

0:08:16.460000 --> 0:08:20.680000
 Now, another great question that again,
 you may not have asked, but that

0:08:20.680000 --> 0:08:26.840000
 I asked or I am asking is how preparation
 affects other phases of the

0:08:26.840000 --> 0:08:29.040000
 incident response process or life cycle?

0:08:29.040000 --> 0:08:34.780000
 So how does, you know, good preparation or
 ill or bad preparation or insufficient

0:08:34.780000 --> 0:08:39.640000
 preparation affect detection and analysis,
 containment, eradication and

0:08:39.640000 --> 0:08:44.280000
 recovery and, you know, post
 incident activity or review?

0:08:44.280000 --> 0:08:50.080000
 So in the case of detection and analysis,
 detection and analysis, or I

0:08:50.080000 --> 0:08:55.000000
 should say detection primarily relies
 on well-configured monitoring, logging

0:08:55.000000 --> 0:08:58.700000
 and alerting tools established
 during preparation.

0:08:58.700000 --> 0:09:05.220000
 So, you know, you actually define, you
 know, the detection tools or all

0:09:05.220000 --> 0:09:09.520000
 the various ways, you know, you're going
 to get logs and all of this in

0:09:09.520000 --> 0:09:11.220000
 the preparation phase.

0:09:11.220000 --> 0:09:15.680000
 In the case of containment eradication
 and recovery, you know, this phase

0:09:15.680000 --> 0:09:21.780000
 will depend heavily on the clearly defined
 playbooks, asset inventories

0:09:21.780000 --> 0:09:26.500000
 and trained personnel that again is
 defined in the preparation phase.

0:09:26.500000 --> 0:09:30.320000
 So, you know, we define playbooks and
 all the important stuff that, you

0:09:30.320000 --> 0:09:34.780000
 know, becomes relevant during, you know,
 phases like containment eradication

0:09:34.780000 --> 0:09:37.380000
 and recovery in the preparation phase.

0:09:37.380000 --> 0:09:42.980000
 And then, you know, the post incident,
 you know, the post incident activity

0:09:42.980000 --> 0:09:47.900000
 and lessons learned and all of this,
 you know, the final phase as it were,

0:09:47.900000 --> 0:09:50.300000
 how is that affected by preparation?

0:09:50.300000 --> 0:09:55.440000
 Well, that particular
 phase is only effective if incidents

0:09:55.440000 --> 0:09:59.720000
 are documented properly and procedures
 are followed, all of which, you

0:09:59.720000 --> 0:10:04.320000
 know, the procedures specifically are
 defined or established and defined

0:10:04.320000 --> 0:10:06.240000
 during the preparation phase.

0:10:06.240000 --> 0:10:10.660000
 So, preparation, you know, pretty much
 affects all the other phases and

0:10:10.660000 --> 0:10:13.580000
 consequently the entire incident
 response process.

0:10:13.580000 --> 0:10:18.000000
 So a lot of people, a lot of teams, a lot
 of organizations I've seen usually,

0:10:18.000000 --> 0:10:20.020000
 you know, don't spend a lot
 of time in preparation.

0:10:20.020000 --> 0:10:24.020000
 They don't want to spend enough time
 understanding what their needs are,

0:10:24.020000 --> 0:10:28.200000
 what, you know, they can spend what
 their budget is, whether their team

0:10:28.200000 --> 0:10:33.180000
 needs to be trained, you know, what
 tools to utilize and, you know, what

0:10:33.180000 --> 0:10:38.080000
 threats they're currently facing, all
 of that, you know, some organizations

0:10:38.080000 --> 0:10:42.660000
 don't even know or don't even have
 an accurate inventory of all their

0:10:42.660000 --> 0:10:47.080000
 assets or, you know, all the systems
 that they should be protecting or,

0:10:47.080000 --> 0:10:49.080000
 you know, defending as it were.

0:10:49.080000 --> 0:10:53.160000
 So they don't spend a lot of time there
 and what ends up happening is,

0:10:53.160000 --> 0:10:59.900000
 you know, somehow, you know, there's
 a breach or an incident and, you

0:10:59.900000 --> 0:11:04.180000
 know, the ill, the lack of preparation
 then affects the incident response

0:11:04.180000 --> 0:11:10.760000
 process, sort of as an additional consequence
 because a lack of knowledge

0:11:10.760000 --> 0:11:14.980000
 of, you know, what you need to secure,
 how it's going to be secured and

0:11:14.980000 --> 0:11:17.140000
 how you're going to respond.

0:11:17.140000 --> 0:11:22.980000
 A lack of knowledge on that front is
 bad enough in and of itself, but

0:11:22.980000 --> 0:11:28.500000
 when you sort of feed that into the incident
 response process or lifecycle,

0:11:28.500000 --> 0:11:32.720000
 as it were within the organization,
 then, you know, you sort of compound

0:11:32.720000 --> 0:11:35.140000
 the problem, if that makes sense.

0:11:35.140000 --> 0:11:40.920000
 In any case, I wanted to sort of explain
 this a little bit better using

0:11:40.920000 --> 0:11:45.800000
 the people, processes and technology
 framework, which I introduced in

0:11:45.800000 --> 0:11:49.860000
 the previous course in, you know,
 security operations center.

0:11:49.860000 --> 0:11:54.600000
 And the reason I like this particular
 framework or model of looking at

0:11:54.600000 --> 0:12:02.740000
 things is because it allows you to clearly
 categorize and separate, you

0:12:02.740000 --> 0:12:07.360000
 know, preparation in the form of people,
 which I'll get to, the processes

0:12:07.360000 --> 0:12:09.040000
 and then the technology.

0:12:09.040000 --> 0:12:14.040000
 So you actually have categories of areas
 that you need to prepare, that

0:12:14.040000 --> 0:12:16.120000
 you need to prepare in as it were.

0:12:16.120000 --> 0:12:21.160000
 So to better understand the components
 of the preparation phase, we can

0:12:21.160000 --> 0:12:24.780000
 apply the people, processes
 and technology framework.

0:12:24.780000 --> 0:12:29.060000
 This approach helps break down the complexity
 of preparation into manageable

0:12:29.060000 --> 0:12:32.940000
 and more importantly, interrelated
 categories.

0:12:32.940000 --> 0:12:37.860000
 So by organizing preparation activities
 into these three domains, namely

0:12:37.860000 --> 0:12:42.140000
 people, processes and technology, we
 create a structured view of what

0:12:42.140000 --> 0:12:43.900000
 needs to be in place.

0:12:43.900000 --> 0:12:48.200000
 So in the case of people, that's, you
 know, trained personnel or the IR

0:12:48.200000 --> 0:12:53.620000
 team as an example, workflows, that's
 processes and then technology is

0:12:53.620000 --> 0:12:58.200000
 things like your SIEM, you know, monitoring
 and alerting, all of that good

0:12:58.200000 --> 0:13:02.740000
 stuff. So you can now start to understand
 that using this model, things

0:13:02.740000 --> 0:13:04.240000
 become a little bit more manageable.

0:13:04.240000 --> 0:13:09.120000
 You understand that, okay, preparation
 with, in reference to people, that's

0:13:09.120000 --> 0:13:14.320000
 referring to the IR team itself, how it's
 set up roles and responsibilities,

0:13:14.320000 --> 0:13:17.800000
 training, skills development,
 upskilling, etc.

0:13:17.800000 --> 0:13:23.660000
 Okay. In the case of processes, that's
 to do with an IR plan, policies,

0:13:23.660000 --> 0:13:25.800000
 procedures, playbooks.

0:13:25.800000 --> 0:13:27.100000
 Great, great. Okay.

0:13:27.100000 --> 0:13:28.280000
 So now it's starting to make sense.

0:13:28.280000 --> 0:13:32.020000
 And then technology, that's referring
 to as the name suggests technology.

0:13:32.020000 --> 0:13:38.540000
 So this is an extremely useful framework
 for, you know, understanding

0:13:38.540000 --> 0:13:44.320000
 the preparation phase and the, you
 know, the different components, the

0:13:44.320000 --> 0:13:47.840000
 different components that need
 to be in place, as it were.

0:13:47.840000 --> 0:13:52.600000
 So this categorization not only enhances
 clarity and alignment across

0:13:52.600000 --> 0:13:58.040000
 teams, but also ensures that the preparation
 phase is comprehensive, well

0:13:58.040000 --> 0:13:59.700000
 organized and actionable.

0:13:59.700000 --> 0:14:03.440000
 So, you know, this, as I'm sure you've
 already been able to tell, makes

0:14:03.440000 --> 0:14:08.020000
 it much easier to understand, even without
 me getting into it, you know,

0:14:08.020000 --> 0:14:17.480000
 what preparation looks like when you're
 dealing with processes, technology,

0:14:17.480000 --> 0:14:24.220000
 etc. So this triad, you know, people,
 processes and technology reflects

0:14:24.220000 --> 0:14:28.440000
 the core, the core components that
 must be in place before an incident

0:14:28.440000 --> 0:14:33.060000
 ever occurs. So in the case of people,
 what does this represent?

0:14:33.060000 --> 0:14:37.080000
 This represents the trained individuals,
 typically the IR team, who will detect,

0:14:37.080000 --> 0:14:40.880000
 assess and respond when threats arise.

0:14:40.880000 --> 0:14:46.420000
 Okay. So you now know how you need
 to prepare with regards to people.

0:14:46.420000 --> 0:14:48.020000
 You then have processes.

0:14:48.020000 --> 0:14:54.580000
 This refers to or essentially ensures
 that there's a well defined repeatable

0:14:54.580000 --> 0:14:57.020000
 structure for our incidents are handled.

0:14:57.020000 --> 0:15:02.480000
 As I said, that's IR plans, policies,
 procedures, playbooks, etc.

0:15:02.480000 --> 0:15:03.940000
 You then have technology.

0:15:03.940000 --> 0:15:09.160000
 This is referring to the tools and systems
 required or necessary to monitor,

0:15:09.160000 --> 0:15:14.580000
 detect, investigate and referring to
 the tools for incident responses,

0:15:14.580000 --> 0:15:17.200000
 but also, you know, wider than that.

0:15:17.200000 --> 0:15:21.980000
 But now you can start to see or start
 to understand, you know, what, you

0:15:21.980000 --> 0:15:25.060000
 know, what you need to do, what you need
 to put in place or what you need

0:15:25.060000 --> 0:15:30.360000
 to improve with regards to, you
 know, preparing for an incident.

0:15:30.360000 --> 0:15:34.000000
 The best way to do it, as I said, is
 to divide it into people, processes

0:15:34.000000 --> 0:15:38.160000
 and technology. This way, you know,
 you can tackle each separately, you

0:15:38.160000 --> 0:15:43.460000
 can give each its own, you can sort
 of focus on each where required and

0:15:43.460000 --> 0:15:47.840000
 you can then actually assess your performance
 in each of these aspects

0:15:47.840000 --> 0:15:52.020000
 or, you know, in each of these components
 with regards to, you know, the

0:15:52.020000 --> 0:15:54.320000
 level of preparedness.

0:15:54.320000 --> 0:15:56.600000
 So let's go through all of them.

0:15:56.600000 --> 0:16:00.760000
 Of course, I'll not spend too much
 time getting into the nitty gritty,

0:16:00.760000 --> 0:16:02.940000
 but starting off with people.

0:16:02.940000 --> 0:16:07.580000
 The key point here is that, you know,
 this is where you're building the

0:16:07.580000 --> 0:16:09.200000
 human element of readiness.

0:16:09.200000 --> 0:16:13.460000
 So the foundation of any successful
 incident response capability begins

0:16:13.460000 --> 0:16:15.060000
 with the right people.

0:16:15.060000 --> 0:16:17.680000
 And this is the key, not
 just the right people,

0:16:17.680000 --> 0:16:22.160000
 but in the right roles, properly trained and
 prepared to respond under pressure.

0:16:22.160000 --> 0:16:27.040000
 And what are the key focus areas here
 or areas that, again, you'll be

0:16:27.040000 --> 0:16:29.240000
 looking to establish or develop.

0:16:29.240000 --> 0:16:33.240000
 Well, we obviously have the incident
 response team, which we've actually

0:16:33.240000 --> 0:16:37.800000
 gone through. So define the team structure,
 roles and escalation paths.

0:16:37.800000 --> 0:16:40.940000
 You then have role clarity, which
 we actually have gone through.

0:16:40.940000 --> 0:16:45.620000
 So, you know, use frameworks like RACI to
 define who is responsible, accountable,

0:16:45.620000 --> 0:16:47.340000
 consulted and informed.

0:16:47.340000 --> 0:16:49.320000
 And then we have training and drills.

0:16:49.320000 --> 0:16:54.880000
 So examples of this would be to conduct
 tabletop exercises, red, blue,

0:16:54.880000 --> 0:16:57.100000
 or purple team simulations, I should say.

0:16:57.100000 --> 0:17:01.700000
 And of course, upskilling or skill
 development with regards to tools,

0:17:01.700000 --> 0:17:04.660000
 etc. And then you also have awareness.

0:17:04.660000 --> 0:17:08.500000
 So this is where this goes beyond the
 incident response team, where you

0:17:08.500000 --> 0:17:12.660000
 ensure that all staff, not just security
 staff, know how to report suspicious

0:17:12.660000 --> 0:17:15.540000
 activity and follow response protocols.

0:17:15.540000 --> 0:17:20.440000
 So pretty much, you know, across the
 previous course and this course we

0:17:20.440000 --> 0:17:25.800000
 have covered, I would say, quite comprehensively,
 the first two key focus

0:17:25.800000 --> 0:17:27.940000
 areas when you're talking
 about people, right?

0:17:27.940000 --> 0:17:32.380000
 So the incident response team
 and of course, role clarity.

0:17:32.380000 --> 0:17:37.720000
 So the focus in this section is really going
 to be on processes and

0:17:37.720000 --> 0:17:40.760000
 technology. So let's take
 a look at processes.

0:17:40.760000 --> 0:17:42.960000
 So what are we referring to here?

0:17:42.960000 --> 0:17:47.880000
 Well, what this is all about is establishing
 playbooks, policies and communication

0:17:47.880000 --> 0:17:50.120000
 paths or protocols, as it were.

0:17:50.120000 --> 0:17:56.860000
 So processes provide the structure and
 repeatability required for a consistent

0:17:56.860000 --> 0:17:59.000000
 and coordinated response.

0:17:59.000000 --> 0:18:03.460000
 The key point here is that the preparation
 phase defines and documents

0:18:03.460000 --> 0:18:04.980000
 these processes.

0:18:04.980000 --> 0:18:08.640000
 So the key focus areas are going to
 be an incident response policy and

0:18:08.640000 --> 0:18:13.240000
 plan. These are formal documents outlining
 how the organization detects,

0:18:13.240000 --> 0:18:15.900000
 reports, escalates and
 responds to incidents.

0:18:15.900000 --> 0:18:19.600000
 Extremely important, we're going to
 have, you know, dedicated videos on

0:18:19.600000 --> 0:18:21.560000
 each of these and with tons of examples.

0:18:21.560000 --> 0:18:25.640000
 So don't worry. You then have incident
 classification and severity again,

0:18:25.640000 --> 0:18:30.420000
 very important. So this is where, you
 know, you define how the incidents

0:18:30.420000 --> 0:18:33.960000
 are categorized and prioritized
 based on their nature.

0:18:33.960000 --> 0:18:35.320000
 That's one criterion.

0:18:35.320000 --> 0:18:37.540000
 But again, we'll get to that.

0:18:37.540000 --> 0:18:39.180000
 You then have playbooks and runbooks.

0:18:39.180000 --> 0:18:43.060000
 Again, I have plenty of examples in,
 you know, content coming up on this

0:18:43.060000 --> 0:18:47.740000
 in this course. So, you know, predefined
 workflows for specific incident

0:18:47.740000 --> 0:18:51.020000
 types. So if you're dealing with ransomware,
 you need to have playbooks

0:18:51.020000 --> 0:18:53.680000
 as to, you know, who will do what?

0:18:53.680000 --> 0:18:57.580000
 But more importantly, the steps to take
 when there is, you know, ransomware

0:18:57.580000 --> 0:19:00.480000
 attack, inside the threats, etc.

0:19:00.480000 --> 0:19:02.760000
 And then of course, communication
 protocols.

0:19:02.760000 --> 0:19:08.560000
 So internal war room channels, external
 disclosure pathways, legal regulatory

0:19:08.560000 --> 0:19:11.040000
 reporting timelines, all that good stuff.

0:19:11.040000 --> 0:19:15.360000
 And then in the case of the post incident
 review process, you also need

0:19:15.360000 --> 0:19:19.520000
 to account for this by defining how
 the lessons learned are captured.

0:19:19.520000 --> 0:19:22.560000
 Because remember, you can't just have
 it in your head after an incident

0:19:22.560000 --> 0:19:24.920000
 that, oh, we did well here.

0:19:24.920000 --> 0:19:26.740000
 And maybe not well here.

0:19:26.740000 --> 0:19:30.640000
 They need to be captured because they
 need to go back into the process

0:19:30.640000 --> 0:19:35.460000
 or the life cycle so that there actually
 is measurable improvement.

0:19:35.460000 --> 0:19:38.340000
 And then technology, which
 should be self-explanatory.

0:19:38.340000 --> 0:19:42.000000
 So detection, analysis, and
 response capabilities.

0:19:42.000000 --> 0:19:46.980000
 So technology empowers the team to monitor,
 detect, investigate, and respond.

0:19:46.980000 --> 0:19:49.400000
 So we're not just dealing with
 monitoring and detection.

0:19:49.400000 --> 0:19:53.700000
 If you're looking at it from a SOC analyst
 perspective, we're also accounting

0:19:53.700000 --> 0:19:57.660000
 for the technology required for
 investigation and response.

0:19:57.660000 --> 0:20:01.140000
 So the key thing is that, you know,
 you can have all the best tools in

0:20:01.140000 --> 0:20:04.720000
 the world commercial, all of this good
 stuff, but they must be properly

0:20:04.720000 --> 0:20:08.760000
 deployed, configured, and accessible
 before the incident.

0:20:08.760000 --> 0:20:12.220000
 Again, you don't want to be reactive
 when it comes down to having your

0:20:12.220000 --> 0:20:15.960000
 tools ready. It's not like once there's
 an incident, at that point, you

0:20:15.960000 --> 0:20:20.460000
 start, you know, at that point, you
 start using specific tools or you

0:20:20.460000 --> 0:20:26.420000
 start finding tools to capture memory
 to capture, you know, for forensics

0:20:26.420000 --> 0:20:28.340000
 or anything like this.

0:20:28.340000 --> 0:20:31.960000
 The key focus areas are obviously going
 to be monitoring and detection

0:20:31.960000 --> 0:20:38.380000
 tools. So the SIEM, EDR, IDS, IPS, log
 aggregation. You then have, this is

0:20:38.380000 --> 0:20:43.900000
 something people really, you know, forget
 about. A lot of, you know,

0:20:43.900000 --> 0:20:49.160000
 startups or small organizations don't invest
 in, you know, let's say forensic

0:20:49.160000 --> 0:20:50.600000
 and triage tools.

0:20:50.600000 --> 0:20:56.120000
 So think tools like, you know, tools
 for memory analysis, disk imaging,

0:20:56.120000 --> 0:20:58.260000
 network capture tools.

0:20:58.260000 --> 0:21:02.760000
 A lot of those, you know, they're excellent
 free choices available, but,

0:21:02.760000 --> 0:21:08.920000
 you know, there's, there needs to be
 an investment in, you know, specific

0:21:08.920000 --> 0:21:12.660000
 ones, like, for example,
 disk imaging, etcetera.

0:21:12.660000 --> 0:21:14.120000
 Access management.

0:21:14.120000 --> 0:21:18.200000
 So, you know, you need to ensure the
 IRT has the necessary permissions

0:21:18.200000 --> 0:21:19.660000
 to act without delay.

0:21:19.660000 --> 0:21:25.180000
 So can the IRT, or do they have the permissions
 to access systems as administrator

0:21:25.180000 --> 0:21:29.880000
 in order to perform what they are required
 to perform, whether it be containment,

0:21:29.880000 --> 0:21:33.980000
 etcetera. And then the IR toolkit,
 which we'll actually cover in this

0:21:33.980000 --> 0:21:37.860000
 course, where I'm going to show
 you how to set up an IR toolkit.

0:21:37.860000 --> 0:21:43.000000
 So this is a curated collection of investigation,
 containment and recovery tools,

0:21:43.000000 --> 0:21:47.120000
 and how to keep it ready, you know, ready
 so that you're ready to go when

0:21:47.120000 --> 0:21:48.480000
 there is an incident.

0:21:48.480000 --> 0:21:51.520000
 And then finally, asset inventory
 and network visibility.

0:21:51.520000 --> 0:21:55.920000
 So this is, you know, knowing what
 systems exist and what normal looks

0:21:55.920000 --> 0:22:00.200000
 like. Now, of course, I've sort of combined
 or have gone through all people

0:22:00.200000 --> 0:22:04.040000
 processes and technology, but hopefully
 this gives you a better idea as

0:22:04.040000 --> 0:22:08.860000
 to what the preparation phase entails,
 again, with regards to people,

0:22:08.860000 --> 0:22:11.820000
 with regards to processes and
 with regards to technology.

0:22:11.820000 --> 0:22:16.520000
 As I mentioned earlier on, we've sort
 of already covered people and, you

0:22:16.520000 --> 0:22:19.320000
 know, what is required on that front.

0:22:19.320000 --> 0:22:24.080000
 We're now going to, in this section,
 really focus on processes, so how

0:22:24.080000 --> 0:22:29.400000
 to build an IR plan, policy,
 playbooks, etcetera.

0:22:29.400000 --> 0:22:33.040000
 And then in the case of technology, we'll
 take a look at, you know, creating

0:22:33.040000 --> 0:22:36.860000
 an IR toolkit, the various tools utilized
 for, you know, various types

0:22:36.860000 --> 0:22:41.460000
 of activities or objectives, you know,
 whether it be memory analysis,

0:22:41.460000 --> 0:22:45.560000
 etcetera, pretty much all the tools that
 I have used for incident response

0:22:45.560000 --> 0:22:52.060000
 and, you know, are popularly used, I
 should say, by incident responders.

0:22:52.060000 --> 0:22:58.880000
 And we'll also take a look at incident
 management or handling and the

0:22:58.880000 --> 0:23:00.520000
 tools therein.

0:23:00.520000 --> 0:23:04.260000
 And you'll start to understand just how
 important, how important preparation

0:23:04.260000 --> 0:23:08.720000
 is, because for me, without some of
 these tools, like, you know, let's

0:23:08.720000 --> 0:23:15.900000
 say TheHive, incident response just
 becomes a multitude, or I should

0:23:15.900000 --> 0:23:20.580000
 say, just becomes increasingly
 difficult and more cumbersome.

0:23:20.580000 --> 0:23:24.680000
 But that only, that's only something
 that you become aware of, had you

0:23:24.680000 --> 0:23:29.780000
 given it enough time or consideration,
 you know, in the preparation phase,

0:23:29.780000 --> 0:23:33.420000
 because if an organization doesn't
 ask themselves, well, how will the

0:23:33.420000 --> 0:23:38.060000
 team collaborate with each other and, you
 know, how will they share information

0:23:38.060000 --> 0:23:40.780000
 and knowledge about a
 particular incident?

0:23:40.780000 --> 0:23:45.500000
 If that thought process does not go
 through your mind, then a tool like

0:23:45.500000 --> 0:23:49.540000
 TheHive is seen as unnecessary
 in the process.

0:23:49.540000 --> 0:23:53.180000
 So, don't worry, all of this will
 make sense as we progress.

0:23:53.180000 --> 0:23:58.100000
 To sort of summarize this video, I've
 sort of, you know, compressed each

0:23:58.100000 --> 0:24:02.780000
 of these three elements or components,
 people, processes, and technology.

0:24:02.780000 --> 0:24:06.660000
 And I've sort of added a description and
 a question, right, that you should

0:24:06.660000 --> 0:24:09.200000
 be asking yourself in
 the preparation phase.

0:24:09.200000 --> 0:24:12.940000
 So, in the case of people, you know,
 you ensure every team member knows

0:24:12.940000 --> 0:24:15.340000
 what to do before an incident occurs.

0:24:15.340000 --> 0:24:18.340000
 And more importantly, they're confident
 in doing what they're supposed

0:24:18.340000 --> 0:24:25.100000
 to do. And the question here that everyone,
 or I should say, a CISO or

0:24:25.100000 --> 0:24:28.600000
 the company should be asking is, do
 we have the right team and skills

0:24:28.600000 --> 0:24:32.800000
 or the right model, I should say,
 that's also a very good question.

0:24:32.800000 --> 0:24:36.060000
 In the case of processes, this is where
 you create a reliable framework

0:24:36.060000 --> 0:24:38.520000
 that guides action during chaos.

0:24:38.520000 --> 0:24:42.360000
 So, reducing delays, missteps,
 and uncertainty.

0:24:42.360000 --> 0:24:45.620000
 And the right, or the question to ask
 here is, do we have the right plans

0:24:45.620000 --> 0:24:50.040000
 and workflows? And then in the case of
 technology, this is where you ensure

0:24:50.040000 --> 0:24:54.200000
 that responders are equipped with the
 tools and access they need to, they

0:24:54.200000 --> 0:24:58.720000
 need, and that those tools are tested,
 documented, and ready to use.

0:24:58.720000 --> 0:25:02.100000
 Key question here is, do we have
 the right tools and access?

0:25:02.100000 --> 0:25:07.640000
 Very simple. And this is very specific
 to you as an incident responder.

0:25:07.640000 --> 0:25:11.200000
 You know, as we're going through the
 incident response process, and now

0:25:11.200000 --> 0:25:15.400000
 specifically preparation, a lot of the
 stuff that I mentioned, you know,

0:25:15.400000 --> 0:25:19.660000
 developing plans, etc, is stuff that
 will not be done by you, the incident

0:25:19.660000 --> 0:25:24.760000
 responder, but by the incident response
 manager or team lead, of course,

0:25:24.760000 --> 0:25:27.260000
 you will be involved to a certain
 extent in workflows.

0:25:27.260000 --> 0:25:31.860000
 And of course, the technology aspect,
 but this sort of gives you an idea

0:25:31.860000 --> 0:25:34.160000
 as to what is important for you.

0:25:34.160000 --> 0:25:37.780000
 And don't worry, it'll become apparent
 as we move on in this course, as

0:25:37.780000 --> 0:25:38.960000
 well as the other courses.

0:25:38.960000 --> 0:25:41.880000
 So, that brings us to
 the end of this video.

0:25:41.880000 --> 0:25:45.960000
 And with that being said, I will
 be seeing you in the next video.

