WEBVTT

0:00:03.500000 --> 0:00:07.200000
 The incident response hierarchy of needs.

0:00:07.200000 --> 0:00:13.520000
 Now, before we get into creating incident
 response plans, policies, and

0:00:13.520000 --> 0:00:20.400000
 playbooks, I just wanted to cover a
 very important conceptual model that

0:00:20.400000 --> 0:00:24.700000
 I think some of you who are watching this
 course will find very, very useful.

0:00:24.700000 --> 0:00:31.040000
 This is not really that important for you
 practically as an incident responder,

0:00:31.040000 --> 0:00:36.220000
 but I think it's very important if you
 are trying to measure the maturity

0:00:36.220000 --> 0:00:40.880000
 of an incident response team and consequently,
 you know, an incident response

0:00:40.880000 --> 0:00:43.040000
 process within an organization.

0:00:43.040000 --> 0:00:47.400000
 So let me just introduce you to it
 and you'll sort of understand why I

0:00:47.400000 --> 0:00:51.840000
 think it's important and why it's been
 very, very fruitful for me, not

0:00:51.840000 --> 0:00:57.300000
 just as an incident responder, but at
 one point, you know, when I was leading a

0:00:57.300000 --> 0:01:02.100000
 SOC. I know that that's not an incident
 response per se, but let me explain

0:01:02.100000 --> 0:01:04.000000
 it and you'll get it.

0:01:04.000000 --> 0:01:08.020000
 So the incident response hierarchy of
 needs is a conceptual model created

0:01:08.020000 --> 0:01:09.820000
 by Matt Swannman.

0:01:09.820000 --> 0:01:14.240000
 It is used to describe the layers or
 I should say levels of readiness

0:01:14.240000 --> 0:01:19.580000
 that must be established for an organization
 to effectively respond to

0:01:19.580000 --> 0:01:21.100000
 security incidents.

0:01:21.100000 --> 0:01:28.680000
 So key thing or the key point here is
 it is used to describe or outline

0:01:28.680000 --> 0:01:30.280000
 the layers or levels.

0:01:30.280000 --> 0:01:33.060000
 So it breaks down readiness into levels.

0:01:33.060000 --> 0:01:34.860000
 That's the first thing, or into layers.

0:01:34.860000 --> 0:01:37.400000
 That's the first thing you
 need to be aware of.

0:01:37.400000 --> 0:01:43.400000
 So it describes or outlines these layers
 or levels of readiness that need

0:01:43.400000 --> 0:01:48.080000
 to be there or need to be established
 and consequently developed or improved

0:01:48.080000 --> 0:01:54.060000
 for an organization to, keyword, effectively
 respond to security incidents.

0:01:54.060000 --> 0:01:57.400000
 This model offers a structured approach
 to building an effective incident

0:01:57.400000 --> 0:02:02.000000
 response program, you know,
 team process, etc.

0:02:02.000000 --> 0:02:05.200000
 So a program sort of conflates the two.

0:02:05.200000 --> 0:02:09.100000
 So you're referring to the process
 itself, but also the team.

0:02:09.100000 --> 0:02:13.120000
 With a clear emphasis on the layers that
 must be established before advanced

0:02:13.120000 --> 0:02:18.060000
 functions, more specifically
 threat hunting, can thrive.

0:02:18.060000 --> 0:02:23.500000
 So the pyramid, it is illustrated in
 the form of a pyramid, consists of

0:02:23.500000 --> 0:02:27.100000
 10 layers, each built
 on the one below it.

0:02:27.100000 --> 0:02:31.420000
 So you start off at the ground level,
 those being the most important or

0:02:31.420000 --> 0:02:36.400000
 foundational, I should say, and then
 you sort of work your way up.

0:02:36.400000 --> 0:02:40.840000
 So coupled with this, you know,
 in addition to the standard hierarchy

0:02:40.840000 --> 0:02:46.780000
 of needs pyramid, which comprises
 10 layers, you also have Swannman's

0:02:46.780000 --> 0:02:53.080000
 plateaus, the plateaus model, which is
 built on the, you know, 10 layers.

0:02:53.080000 --> 0:02:57.940000
 What it does is it tracks an organization,
 it is used to track an organization's

0:02:57.940000 --> 0:03:02.960000
 progression through different levels of
 maturity in its security operations.

0:03:02.960000 --> 0:03:08.420000
 Now we'll not touch on that specifically,
 but I'll actually have

0:03:08.420000 --> 0:03:11.720000
 references in the slide where you can
 take a look at the GitHub repo where

0:03:11.720000 --> 0:03:14.880000
 Matt Swannman has actually
 made this public.

0:03:14.880000 --> 0:03:19.180000
 So this is the image again, taken
 directly from the GitHub repo.

0:03:19.180000 --> 0:03:24.700000
 And you can see the, you know, all the
 10 layers as it were, and you start

0:03:24.700000 --> 0:03:26.440000
 off at the bottom with inventory.

0:03:26.440000 --> 0:03:28.320000
 So what does this mean?

0:03:28.320000 --> 0:03:31.860000
 When you look at this, it looks a little
 bit confusing, but again, remember

0:03:31.860000 --> 0:03:34.020000
 what it's there for.

0:03:34.020000 --> 0:03:35.260000
 I'll go back to the definition.

0:03:35.260000 --> 0:03:39.140000
 It is used to describe the layers or
 levels of readiness that must be

0:03:39.140000 --> 0:03:43.360000
 established for an organization to effectively
 respond to security incidents.

0:03:43.360000 --> 0:03:48.300000
 What that means is how mature is your
 incident response program, program

0:03:48.300000 --> 0:03:53.500000
 essentially being or encompassing
 the process as well as the team.

0:03:53.500000 --> 0:03:58.480000
 So starting off at the ground floor with
 inventory, this is what I really

0:03:58.480000 --> 0:04:02.520000
 like. So the question is, can you
 name the assets you're defending?

0:04:02.520000 --> 0:04:07.140000
 So just with that, you can already, you
 know, you can already distinguish

0:04:07.140000 --> 0:04:13.680000
 an ad hoc incident response program from
 one that's been, you know, properly,

0:04:13.680000 --> 0:04:17.000000
 properly built or planned, right?

0:04:17.000000 --> 0:04:20.020000
 And then you have telemetry,
 which is again important.

0:04:20.020000 --> 0:04:22.160000
 So do you have visibility
 across your assets?

0:04:22.160000 --> 0:04:27.000000
 What that means is are you getting logs
 from all the assets after having

0:04:27.000000 --> 0:04:29.820000
 identified all the assets
 that you're defending?

0:04:29.820000 --> 0:04:33.180000
 So you can see each layer builds
 on the one below it.

0:04:33.180000 --> 0:04:36.840000
 So you can't just start from detection
 and move upwards, you know, you start

0:04:36.840000 --> 0:04:41.760000
 with inventory. Anyway, in the case of
 detection, can you detect unauthorized

0:04:41.760000 --> 0:04:47.300000
 activity? What this infers is you need
 to be able to test detection to

0:04:47.300000 --> 0:04:52.600000
 see whether your detection and alerting
 mechanisms or tools are actually

0:04:52.600000 --> 0:04:54.360000
 detecting unauthorized activity.

0:04:54.360000 --> 0:04:56.420000
 Otherwise, there's no point in having it.

0:04:56.420000 --> 0:05:01.240000
 So you get the idea. Above that is triage,
 which again, now you're starting

0:05:01.240000 --> 0:05:04.080000
 to get to the really mature aspects here.

0:05:04.080000 --> 0:05:07.600000
 So can you accurately classify
 detection results?

0:05:07.600000 --> 0:05:10.240000
 And now you can see it's not
 referring to technology.

0:05:10.240000 --> 0:05:15.140000
 It's now starting to incorporate processes
 and the people or the IR team.

0:05:15.140000 --> 0:05:20.740000
 So is the team able to accurately
 classify detection results?

0:05:20.740000 --> 0:05:22.420000
 And then what's built on top of that?

0:05:22.420000 --> 0:05:25.180000
 This is where you now have
 threat hunting, right?

0:05:25.180000 --> 0:05:26.620000
 Or threats as it were.

0:05:26.620000 --> 0:05:29.780000
 So who are your adversaries?

0:05:29.780000 --> 0:05:31.020000
 What are their capabilities?

0:05:31.020000 --> 0:05:36.120000
 So these two questions are asking,
 do you have threat intelligence?

0:05:36.120000 --> 0:05:38.080000
 And do you have threat hunting?

0:05:38.080000 --> 0:05:43.240000
 And then this also applies to behaviors
 and hunting, you know, so can

0:05:43.240000 --> 0:05:46.120000
 you detect adversary activity
 within your environment?

0:05:46.120000 --> 0:05:49.680000
 And can you detect an adversary
 that's already embedded?

0:05:49.680000 --> 0:05:51.540000
 And then you have track, right?

0:05:51.540000 --> 0:05:55.100000
 So in this case, during an intrusion,
 can you observe adversary activity

0:05:55.100000 --> 0:06:00.640000
 in real time? And then act, can you deploy
 proven countermeasures to evict

0:06:00.640000 --> 0:06:06.940000
 and recover? So you start at the
 very bottom with, you know, can you

0:06:06.940000 --> 0:06:10.760000
 name the assets you're defending all
 the way to the very top where it

0:06:10.760000 --> 0:06:14.920000
 says, you know, can you collaborate with
 trusted partners to disrupt adversary

0:06:14.920000 --> 0:06:19.040000
 campaigns? So really, really
 fantastic model.

0:06:19.040000 --> 0:06:24.680000
 I really like how questions are used,
 you know, to essentially invoke

0:06:24.680000 --> 0:06:31.880000
 or to infer multiple aspects of incident
 response capability, maturity,

0:06:31.880000 --> 0:06:35.700000
 as it were. So very, very cool.

0:06:35.700000 --> 0:06:40.400000
 Of course, we'll be diving into
 each of those with a bit more

0:06:40.400000 --> 0:06:42.780000
 detail. So you can actually understand
 what it is referring to.

0:06:42.780000 --> 0:06:48.300000
 So moving on, Swannman's pyramid is
 a visual framework designed to help

0:06:48.300000 --> 0:06:53.740000
 organizations understand how to progressively
 enhance their security posture.

0:06:53.740000 --> 0:06:58.460000
 Each layer of the pyramid represents
 a level of capability, as I said,

0:06:58.460000 --> 0:07:02.040000
 starting with foundational needs at
 the base and advancing toward more

0:07:02.040000 --> 0:07:04.920000
 sophisticated proactive
 strategies at the top.

0:07:04.920000 --> 0:07:06.240000
 I forgot to mention that.

0:07:06.240000 --> 0:07:08.660000
 The higher you go, the more it becomes proactive.

0:07:08.660000 --> 0:07:10.560000
 So you're moving from reactive.

0:07:10.560000 --> 0:07:17.120000
 So from, you know, from blocking, ducking,
 weaving into now, throwing

0:07:17.120000 --> 0:07:21.600000
 haymakers. So, you know, moving from
 reactive to proactive, as you get

0:07:21.600000 --> 0:07:25.040000
 to the top, almost symbolic there.

0:07:25.040000 --> 0:07:30.320000
 In any case, threat hunting sits
 near the top of the pyramid,

0:07:30.320000 --> 0:07:34.780000
 highlighting that it is a highly specialized
 activity, which it is, that

0:07:34.780000 --> 0:07:38.600000
 relies on the presence of strong foundational
 elements, such as tools,

0:07:38.600000 --> 0:07:43.400000
 visibility, and well-defined processes,
 which are established in the

0:07:43.400000 --> 0:07:46.840000
 lower layers, the ones below that.

0:07:46.840000 --> 0:07:50.560000
 So I already showed
 you where that lies.

0:07:50.560000 --> 0:07:55.740000
 But I've sort of broken down each of
 the 10 layers or levels, as it were,

0:07:55.740000 --> 0:07:58.400000
 and I'm sort of going to describe
 them a little bit better.

0:07:58.400000 --> 0:08:07.020000
 So starting off, not at the
 top, we're starting at the bottom,

0:08:07.020000 --> 0:08:08.860000
 so asset inventory.

0:08:08.860000 --> 0:08:12.620000
 So the base of the pyramid is an
 accurate inventory of assets.

0:08:12.620000 --> 0:08:16.800000
 So organizations must first identify
 and classify their assets, including

0:08:16.800000 --> 0:08:20.100000
 hardware, software, and data.

0:08:20.100000 --> 0:08:24.020000
 So you can't just be saying, you know, just
 laptops and workstations. Everything:

0:08:24.020000 --> 0:08:26.180000
 hardware, software, and data.

0:08:26.180000 --> 0:08:30.740000
 So databases, sensitive data, data
 stores, all that good stuff.

0:08:30.740000 --> 0:08:34.860000
 So understanding what needs protection
 is critical before any detection

0:08:34.860000 --> 0:08:37.860000
 or response strategies
 can be implemented.

0:08:37.860000 --> 0:08:42.240000
 If there's anything, there's nothing
 truer than that statement right

0:08:42.240000 --> 0:08:45.940000
 over here. If you don't, if you don't
 have a clear idea of what you're

0:08:45.940000 --> 0:08:50.560000
 supposed to be detecting or defending
 or protecting, you can't move beyond

0:08:50.560000 --> 0:08:54.000000
 that, because you will get hacked.

0:08:54.000000 --> 0:08:56.780000
 The organization will
 suffer from a breach.

0:08:56.780000 --> 0:08:58.040000
 You then have telemetry.

0:08:58.040000 --> 0:09:01.520000
 So telemetry encompasses the collection
 of system, network, and endpoint

0:09:01.520000 --> 0:09:04.960000
 data that is essential for
 security monitoring.

0:09:04.960000 --> 0:09:08.600000
 This layer ensures that organizations
 have the necessary data to identify

0:09:08.600000 --> 0:09:12.060000
 potential threats and observe
 normal and abnormal activity.

0:09:12.060000 --> 0:09:16.120000
 So this is referring to detection
 engineering as a process.

0:09:16.120000 --> 0:09:23.540000
 So the process of ensuring that all systems,
 you know, in your inventory,

0:09:23.540000 --> 0:09:27.560000
 that you've already identified
 and classified are actually

0:09:27.560000 --> 0:09:31.880000
 sending logs. And more importantly,
 they're sending the correct logs,

0:09:31.880000 --> 0:09:36.780000
 you know, formatted or parsed in a
 format that actually allows for the

0:09:36.780000 --> 0:09:41.080000
 detection of abnormal
 or malicious activity.

0:09:41.080000 --> 0:09:46.380000
 You then have detection, which as the name
 suggests focuses on the tools and mechanisms used

0:09:46.380000 --> 0:09:48.380000
 to identify threats.

0:09:48.380000 --> 0:09:51.880000
 This could include intrusion detection
 systems, SIEM solutions and other

0:09:51.880000 --> 0:09:56.280000
 automated detection tools that generate
 alerts for suspicious activity.

0:09:56.280000 --> 0:10:00.740000
 This layer is vital for providing visibility
 into potential security incidents.

0:10:00.740000 --> 0:10:03.560000
 Self-explanatory, you then
 have triage, right?

0:10:03.560000 --> 0:10:06.900000
 So triage involves the process of analyzing
 and prioritizing detected

0:10:06.900000 --> 0:10:11.360000
 incidents to determine their severity
 and potential impact.

0:10:11.360000 --> 0:10:15.520000
 Security teams assess the alerts and
 focus on the most critical incidents

0:10:15.520000 --> 0:10:18.620000
 that need immediate attention or action.

0:10:18.620000 --> 0:10:22.360000
 Efficient triage is crucial for avoiding
 alert fatigue, very important

0:10:22.360000 --> 0:10:25.700000
 and ensuring a quick response
 to genuine threats.

0:10:25.700000 --> 0:10:28.640000
 So this is actually the level of triage.

0:10:28.640000 --> 0:10:34.580000
 So level four from the ground up is
 where you now start to have what I

0:10:34.580000 --> 0:10:37.740000
 would consider to be a good IR program.

0:10:37.740000 --> 0:10:41.960000
 Again, IR program consists of
 the team and the process.

0:10:41.960000 --> 0:10:46.740000
 So it's at this level that you now have
 what you would call a professional,

0:10:46.740000 --> 0:10:51.880000
 semi, you know, professional incident
 response team, as it were.

0:10:51.880000 --> 0:10:55.280000
 You then have, you know, moving
 upwards, threats, right?

0:10:55.280000 --> 0:10:56.840000
 So that's layer five.

0:10:56.840000 --> 0:11:01.000000
 At this stage, organizations actively
 monitor for specific threat actors,

0:11:01.000000 --> 0:11:05.980000
 tactics, techniques, and procedures, TTPs,
 as it is, you know, abbreviated

0:11:05.980000 --> 0:11:10.680000
 to. And this layer utilizes threat
 intelligence to identify known and

0:11:10.680000 --> 0:11:14.320000
 emerging threats, enabling security
 teams to stay ahead of adversaries.

0:11:14.320000 --> 0:11:18.280000
 So as I said, after alert triage moving
 up, this is now where you move

0:11:18.280000 --> 0:11:20.380000
 from reactive to proactive.

0:11:20.380000 --> 0:11:24.660000
 And you remember we went through sort
 of a similar type of discussion

0:11:24.660000 --> 0:11:28.480000
 in the previous course when we were
 talking about SOC maturity levels.

0:11:28.480000 --> 0:11:34.420000
 And the fact, you know, the various frameworks
 or models used to assess

0:11:34.420000 --> 0:11:36.600000
 the maturity level of a SOC.

0:11:36.600000 --> 0:11:42.460000
 And a lot of that starts to hinge on,
 you know, whether the operation

0:11:42.460000 --> 0:11:46.460000
 is reactive or whether it's proactive.

0:11:46.460000 --> 0:11:48.860000
 So moving on, you then have behavior.

0:11:48.860000 --> 0:11:54.020000
 So the behavior, the behaviors layer
 involves analyzing anomalous or

0:11:54.020000 --> 0:11:58.020000
 suspicious behaviors that could indicate
 a security incident rather than,

0:11:58.020000 --> 0:12:01.900000
 you know, relying solely on signature-based
 detection, organizations focus

0:12:01.900000 --> 0:12:06.760000
 on identifying abnormal activity patterns
 and deviations from normal behavior.

0:12:06.760000 --> 0:12:11.920000
 So you can see there's sort of a turn
 now from being proactive to, sorry,

0:12:11.920000 --> 0:12:15.020000
 from being reactive to proactive.

0:12:15.020000 --> 0:12:18.460000
 And now we are sort of moving
 along those lines.

0:12:18.460000 --> 0:12:21.220000
 And it comes as no surprise
 that the next layer is hunt.

0:12:21.220000 --> 0:12:23.260000
 So layer seven moving up.

0:12:23.260000 --> 0:12:26.980000
 So threat hunting is a proactive approach
 to cyber security where security

0:12:26.980000 --> 0:12:30.700000
 teams actively search for hidden threats
 across networks, endpoints and

0:12:30.700000 --> 0:12:34.860000
 data sources. Rather than waiting for
 alerts to be triggered, threat hunters

0:12:34.860000 --> 0:12:38.380000
 dig deeper into the data to uncover
 signs of compromise that may

0:12:38.380000 --> 0:12:41.520000
 have evaded traditional
 detection systems.

0:12:41.520000 --> 0:12:46.260000
 So now you're not just relying on the
 other layers, you know, so that

0:12:46.260000 --> 0:12:50.060000
 being telemetry detection triage, not
 triage, you know, telemetry and

0:12:50.060000 --> 0:12:54.360000
 detection. So you're not just relying
 on the security tools or technology,

0:12:54.360000 --> 0:12:57.780000
 you're actually going a step, you know,
 you're actually taking a step

0:12:57.780000 --> 0:13:04.320000
 forward by saying, hey, these tools
 may have missed something.

0:13:04.320000 --> 0:13:09.540000
 And which is, you know, usually the
 case when you're dealing with, let's

0:13:09.540000 --> 0:13:14.840000
 say, APTs or advanced adversaries, you
 now need, you're sort of taking the

0:13:14.840000 --> 0:13:20.540000
 step forward to try and see whether,
 you know, data logs, etc.

0:13:20.540000 --> 0:13:24.620000
 uncover signs of compromise that, as it
 says here, may have evaded traditional

0:13:24.620000 --> 0:13:26.620000
 detection systems.

0:13:26.620000 --> 0:13:27.800000
 You then have track.

0:13:27.800000 --> 0:13:30.660000
 So layer eight, almost at the top now.

0:13:30.660000 --> 0:13:33.780000
 So tracking involves continuously monitoring
 and following the actions

0:13:33.780000 --> 0:13:37.840000
 of adversaries once they have been identified.
 Organizations maintain visibility

0:13:37.840000 --> 0:13:42.460000
 over the threats, the, you know, threat
 actors' movement and

0:13:42.460000 --> 0:13:46.480000
 evolution, providing the context
 needed for the next step.

0:13:46.480000 --> 0:13:51.100000
 So this is really now for very large organizations
 that, you know, actually

0:13:51.100000 --> 0:13:54.720000
 have proper threat intelligence and,
 you know, have profiled several

0:13:54.720000 --> 0:13:57.060000
 threat actors or APT groups.

0:13:57.060000 --> 0:14:02.080000
 And, you know, they actually know that
 those threat actors or APT groups

0:14:02.080000 --> 0:14:04.200000
 have been targeting the organization.

0:14:04.200000 --> 0:14:08.820000
 So what this means is that the organization
 knows who the likely

0:14:08.820000 --> 0:14:14.160000
 attackers are or are going to be and
 what TTPs they're going to utilize,

0:14:14.160000 --> 0:14:18.780000
 etc. You then have layer
 nine, which is act, right.

0:14:18.780000 --> 0:14:23.800000
 So the act layer involves taking appropriate
 actions in response to identified

0:14:23.800000 --> 0:14:28.380000
 threats. This could include containment,
 remediation, and recovery efforts.

0:14:28.380000 --> 0:14:33.360000
 And at this stage, security teams take
 decisive steps

0:14:33.360000 --> 0:14:36.300000
 to neutralize the threat and
 prevent further damage.

0:14:36.300000 --> 0:14:38.820000
 And then finally, layer 10, collaboration.

0:14:38.820000 --> 0:14:45.920000
 So the final layer emphasizes the importance
 of collaboration with the

0:14:45.920000 --> 0:14:49.700000
 policies and threat intelligence
 groups. By working together,

0:14:49.700000 --> 0:14:53.900000
 organizations can share valuable insights
 and intelligence to disrupt

0:14:53.900000 --> 0:14:58.220000
 adversary campaigns and improve
 defenses on a broader scale.

0:14:58.220000 --> 0:15:01.880000
 This is where you have threat intelligence
 or intelligence sharing platforms,

0:15:01.880000 --> 0:15:05.500000
 which we'll also touch on in this course
 as well, because they're quite

0:15:05.500000 --> 0:15:11.560000
 important. So, you know, AlienVault,
 etc., where organizations are sharing

0:15:11.560000 --> 0:15:13.220000
 IOCs and all of this.

0:15:13.220000 --> 0:15:16.760000
 So that's the Hierarchy of Needs.

0:15:16.760000 --> 0:15:21.100000
 I've added the, you know, link to the
 GitHub repo, the official GitHub

0:15:21.100000 --> 0:15:24.520000
 repo, where you can find more, you can
 learn more about the incident response

0:15:24.520000 --> 0:15:25.840000
 hierarchy of needs.

0:15:25.840000 --> 0:15:28.800000
 So that's Swannman's GitHub repo.

0:15:28.800000 --> 0:15:31.880000
 And then I've also added
 a very useful reference.

0:15:31.880000 --> 0:15:36.800000
 This is more so to do with threat hunting,
 but it's, you know, on a website

0:15:36.800000 --> 0:15:38.700000
 called predefender. Great.

0:15:38.700000 --> 0:15:40.280000
 Make sure you check it out.

0:15:40.280000 --> 0:15:44.620000
 It'll sort of explain what I may have gone
 over with regards to the plateaus.

0:15:44.620000 --> 0:15:48.600000
 But with that being said, I think we're
 in a good position now to start

0:15:48.600000 --> 0:15:53.180000
 moving into the processes aspect of
 preparation, where we'll be taking

0:15:53.180000 --> 0:15:58.940000
 a look at, you know, an IR policy or
 incident response policies, how to

0:15:58.940000 --> 0:16:03.800000
 create one, what should be included,
 incident response plans, all that

0:16:03.800000 --> 0:16:06.860000
 good stuff. So that brings us
 to the end of this video.

0:16:06.860000 --> 0:16:09.940000
 And with that being said, I'll be
 seeing you in the next video.
