WEBVTT

0:00:05.020000 --> 0:00:12.080000
 So, now that we have an idea as to
 what an incident response policy is

0:00:12.080000 --> 0:00:17.740000
 and what it entails or encompasses,
 it's time to turn our attention to

0:00:17.740000 --> 0:00:20.300000
 the incident response plan.

0:00:20.300000 --> 0:00:24.760000
 And we are going to be looking at
 this from various perspectives.

0:00:24.760000 --> 0:00:31.920000
 The first, obviously, is going to account
 for instances where you're using

0:00:31.920000 --> 0:00:36.820000
 this particular video as sort of a reference
 or a guide to creating your

0:00:36.820000 --> 0:00:40.320000
 own incident response plan.

0:00:40.320000 --> 0:00:45.320000
 And the other perspective is going to be
 from the perspective of the incident

0:00:45.320000 --> 0:00:52.440000
 responder. So, again, you may have a brief
 or basic idea of what an incident

0:00:52.440000 --> 0:00:56.100000
 response plan is, but we're sort of going
 to be diving a little bit deeper

0:00:56.100000 --> 0:00:57.440000
 into it right now.

0:00:57.440000 --> 0:01:03.080000
 So, again, this is part of the preparation
 phase, more specifically the

0:01:03.080000 --> 0:01:09.140000
 processes aspect or component of the preparation
 phase in incident response.

0:01:09.140000 --> 0:01:13.680000
 So, in the previous video, we took a
 look at the incident response policy.

0:01:13.680000 --> 0:01:18.200000
 Now, we're turning our attention to the
 incident response plan or an IRP.

0:01:18.200000 --> 0:01:23.520000
 So, let's sort of get an intro or contextualize
 the incident response

0:01:23.520000 --> 0:01:29.020000
 plan. So, when a cybersecurity incident
 occurs, many organizations, particularly

0:01:29.020000 --> 0:01:34.720000
 small and medium-sized organizations,
 are often unprepared to respond

0:01:34.720000 --> 0:01:38.740000
 effectively. And as a result of that,
 developing formal incident response

0:01:38.740000 --> 0:01:42.700000
 plans or IRPs, as well as
 playbooks, is critical.

0:01:42.700000 --> 0:01:47.720000
 And they're critical because they define
 how an organization will detect,

0:01:47.720000 --> 0:01:50.700000
 respond to, and recover
 from security breaches.

0:01:50.700000 --> 0:01:54.680000
 What this means is that defining an
 incident response policy, but more

0:01:54.680000 --> 0:01:59.360000
 specifically, plans and playbooks, is
 very important as a starting point

0:01:59.360000 --> 0:02:04.620000
 or, you know, it serves as a very
 good starting point or foundation

0:02:04.620000 --> 0:02:12.660000
 for an organization because when you
 start formalizing, you know, whether

0:02:12.660000 --> 0:02:17.320000
 it's your playbooks or when you essentially
 set up a plan, you're sort

0:02:17.320000 --> 0:02:21.960000
 of beginning the process of, you know, developing
 incident response capabilities

0:02:21.960000 --> 0:02:25.160000
 within the organization
 if you haven't already.

0:02:25.160000 --> 0:02:29.580000
 So, effective incident response goes
 beyond simply acquiring tools or

0:02:29.580000 --> 0:02:32.560000
 following generic IR guidelines, right?

0:02:32.560000 --> 0:02:36.400000
 And it requires building from a well-defined
 baseline that reflects the

0:02:36.400000 --> 0:02:40.840000
 organization's current security maturity,
 while ensuring that the incident

0:02:40.840000 --> 0:02:45.040000
 response program is aligned with the
 business goals, requirements, and

0:02:45.040000 --> 0:02:49.560000
 risk tolerance. What this means is that,
 again, when you talk about very

0:02:49.560000 --> 0:02:54.340000
 good or mature organizations and consequently,
 incident response plans,

0:02:54.340000 --> 0:02:58.760000
 they take into account, or, you know,
 they essentially factor in a baseline

0:02:58.760000 --> 0:03:03.960000
 that reflects the organization's
 current security maturity.

0:03:03.960000 --> 0:03:09.180000
 And this is done while ensuring that
 the program as a whole is aligned

0:03:09.180000 --> 0:03:14.260000
 with the business goals, requirements,
 and risk tolerance

0:03:14.260000 --> 0:03:16.140000
 of the organization.

0:03:16.140000 --> 0:03:19.160000
 So, what is an incident response plan?

0:03:19.160000 --> 0:03:23.220000
 An incident response plan is a structured
 document, you know, very similar

0:03:23.220000 --> 0:03:27.600000
 to a policy that outlines the procedures,
 that's sort of the keyword here,

0:03:27.600000 --> 0:03:32.600000
 that an organization follows to detect,
 respond to, and recover from cyber

0:03:32.600000 --> 0:03:34.020000
 security incidents.

0:03:34.020000 --> 0:03:38.380000
 So, pretty much, I'll, at the end of
 this video, we'll go through, you

0:03:38.380000 --> 0:03:42.780000
 know, very simple points that will explain
 the difference between a policy

0:03:42.780000 --> 0:03:48.820000
 and a plan, but for the time being,
 let's sort of proceed with a slide

0:03:48.820000 --> 0:03:54.940000
 here. So, the incident response plan
 generally defines a route to follow,

0:03:54.940000 --> 0:03:56.740000
 that's the best way of thinking about it.


0:03:56.740000 --> 0:04:00.020000
 So, a route to follow when
 a security incident occurs.

0:04:00.020000 --> 0:04:04.540000
 This plan must be consistent with existing
 organizational capacity, resources,

0:04:04.540000 --> 0:04:05.480000
 and infrastructure.

0:04:05.480000 --> 0:04:08.700000
 So, you know, just based on that sentence
 alone, you're sort of getting

0:04:08.700000 --> 0:04:13.020000
 an understanding of what I mean when
 I referenced the previous point,

0:04:13.020000 --> 0:04:17.060000
 that it's sort of the starting point for
 you formalizing, you know, incident

0:04:17.060000 --> 0:04:21.060000
 response or security in general
 within an organization.

0:04:21.060000 --> 0:04:24.960000
 And the first thing that you'll realize
 is that your plan needs to be

0:04:24.960000 --> 0:04:30.460000
 consistent with existing organizational
 capacity, resources, and infrastructure.

0:04:30.460000 --> 0:04:35.460000
 So, the incident response plan essentially
 serves as a roadmap for managing

0:04:35.460000 --> 0:04:39.560000
 incidents effectively, minimizing damage
 and restoring normal operations

0:04:39.560000 --> 0:04:45.460000
 promptly. So, what are the key components
 of an incident response plan?

0:04:45.460000 --> 0:04:50.040000
 And of course, I've sort of outlined
 these sequentially as, you know,

0:04:50.040000 --> 0:04:55.040000
 generally speaking, in the order they'll
 appear within an incident response

0:04:55.040000 --> 0:04:59.020000
 plan document. So, obviously, you're
 going to have the introduction.

0:04:59.020000 --> 0:05:01.260000
 So, this is where you lay out
 the purpose of the plan.

0:05:01.260000 --> 0:05:06.600000
 So, more specifically, why the plan
 exists and what it aims to achieve,

0:05:06.600000 --> 0:05:07.780000
 very, very important.

0:05:07.780000 --> 0:05:11.240000
 Then again, similar to the
 policy, you have the scope.

0:05:11.240000 --> 0:05:14.740000
 So, this is where you define what systems,
 data, departments, and types

0:05:14.740000 --> 0:05:17.920000
 of incidents the plan applies to.

0:05:17.920000 --> 0:05:21.840000
 And now, we're sort of getting into
 the more important, you know, finer-grained

0:05:21.840000 --> 0:05:27.140000
 aspects of a plan that, again,
 may be ignored, but are very important.

0:05:27.140000 --> 0:05:29.020000
 And that is the assumption.

0:05:29.020000 --> 0:05:31.220000
 So, what does this mean?

0:05:31.220000 --> 0:05:35.420000
 Well, this is where you list out any
 prerequisites or assumed conditions,

0:05:35.420000 --> 0:05:39.800000
 you know, and what does that mean?

0:05:39.800000 --> 0:05:45.160000
 Well, it means this is where you lay out
 what already exists or any prerequisites

0:05:45.160000 --> 0:05:47.400000
 for implementation of the plan.

0:05:47.400000 --> 0:05:52.100000
 So, does logging and monitoring
 need to be established already?

0:05:52.100000 --> 0:05:55.820000
 Is there an incident response team already
 defined? Is the responsibility

0:05:55.820000 --> 0:06:00.980000
 defined? So, it's sort of two ways
 in that, you know, if this is sort

0:06:00.980000 --> 0:06:06.620000
 of a, if this is a foundational incident
 response plan, then you lay out

0:06:06.620000 --> 0:06:10.560000
 what needs to be in place in order
 for the plan to be enacted, right,

0:06:10.560000 --> 0:06:17.480000
 or implemented. Alternatively, the
 assumptions, if you use that word,

0:06:17.480000 --> 0:06:22.720000
 you know, if you use that word as its
 definition intends, in this case,

0:06:22.720000 --> 0:06:26.340000
 you would be essentially saying that
 this is what already exists, right?

0:06:26.340000 --> 0:06:28.180000
 And then you have references.

0:06:28.180000 --> 0:06:31.540000
 So, this is where you have links to related
 policies, standards, and external

0:06:31.540000 --> 0:06:38.000000
 regulations. So, you reference the IR policy,
 or, for example, GDPR requirements,

0:06:38.000000 --> 0:06:42.780000
 etc. You then have section two or part
 two, which is where you have roles

0:06:42.780000 --> 0:06:46.720000
 and responsibilities, but you're going,
 you know, further than what was

0:06:46.720000 --> 0:06:50.920000
 defined in the policy, because, you know,
 you lay out the IR team structure.

0:06:50.920000 --> 0:06:56.200000
 So, you identify, there's identification
 of the core incident response

0:06:56.200000 --> 0:06:58.580000
 team members and their roles.

0:06:58.580000 --> 0:07:02.580000
 You then have a definition or specification
 of specific or specialist

0:07:02.580000 --> 0:07:08.660000
 roles. These would be roles like the
 IR manager, you know, SOC analysts,

0:07:08.660000 --> 0:07:12.660000
 forensic analysts, legal,
 communications, PR, etc.

0:07:12.660000 --> 0:07:16.460000
 And then, again, very, very important,
 the escalation contact.

0:07:16.460000 --> 0:07:20.760000
 So, who must be notified at different
 incident severity levels?

0:07:20.760000 --> 0:07:23.460000
 This is inclusive of
 executive leadership.

0:07:23.460000 --> 0:07:25.640000
 So, very, very important.

0:07:25.640000 --> 0:07:29.860000
 You then have, again, this is something
 that, you know, the policy does

0:07:29.860000 --> 0:07:33.980000
 not have in detail, and that is the
 incident classification and severity

0:07:33.980000 --> 0:07:38.260000
 levels. So, you know, you have your
 incident categories, they need to

0:07:38.260000 --> 0:07:41.960000
 be defined. So, you define the types
 of incidents, so malware, malware

0:07:41.960000 --> 0:07:44.480000
 infections, insider threats, etc.

0:07:44.480000 --> 0:07:46.440000
 And then you have your severity level.

0:07:46.440000 --> 0:07:51.800000
 So, you have a severity scale, either
 one that is based on, you know,

0:07:51.800000 --> 0:07:57.440000
 an existing or, you know, already
 adopted severity scale.

0:07:57.440000 --> 0:08:02.220000
 So, low, medium, high, critical is the
 typical one that is based on impact,

0:08:02.220000 --> 0:08:03.620000
 urgency, and scope.

0:08:03.620000 --> 0:08:06.700000
 You then have your criteria
 for classification.

0:08:06.700000 --> 0:08:10.880000
 So, how do you categorize incidents based
 on the initial evidence or initial

0:08:10.880000 --> 0:08:12.840000
 markers, as it were?

0:08:12.840000 --> 0:08:14.760000
 So, very, very important.

0:08:14.760000 --> 0:08:18.940000
 And then you have, this is sort of the
 core of what we focused on earlier

0:08:18.940000 --> 0:08:22.880000
 in this course. That is the incident
 response process and procedures.

0:08:22.880000 --> 0:08:27.340000
 So, this is where you lay out the incident
 response process that the organization,

0:08:27.340000 --> 0:08:29.120000
 you know, will be adopting.

0:08:29.120000 --> 0:08:33.220000
 And it's typically going to be based
 on the NIST incident response process

0:08:33.220000 --> 0:08:36.900000
 or lifecycle or the SANS incident
 response process.

0:08:36.900000 --> 0:08:39.460000
 In this case, I'm calling
 them frameworks.

0:08:39.460000 --> 0:08:44.660000
 And, you know, you lay out all the phases
 depending on the, on the process

0:08:44.660000 --> 0:08:46.540000
 or framework that you're
 going to be using.

0:08:46.540000 --> 0:08:49.860000
 So, you'll typically see NIST or the
 SANS one, you know, we covered them

0:08:49.860000 --> 0:08:51.140000
 in the previous section.

0:08:51.140000 --> 0:08:53.280000
 So, you need to lay out each phase.

0:08:53.280000 --> 0:08:56.760000
 So, preparation, this is where you essentially
 lay out a, you know, review

0:08:56.760000 --> 0:09:01.740000
 of tools, training, access and incident
 response readiness requirements,

0:09:01.740000 --> 0:09:05.500000
 which is pretty much what we're doing
 in this section of the course.

0:09:05.500000 --> 0:09:09.480000
 And then in the case of detection and
 analysis, you lay out how to detect

0:09:09.480000 --> 0:09:11.680000
 potential incidents.

0:09:11.680000 --> 0:09:13.460000
 So, you know, SIEM alerts, etc.

0:09:13.460000 --> 0:09:17.960000
 The triage process, initial evidence
 gathering, event correlation, etc.

0:09:17.960000 --> 0:09:23.200000
 And then, you know, another aspect of
 that is the initial incident logging

0:09:23.200000 --> 0:09:25.060000
 and ticket creation.

0:09:25.060000 --> 0:09:28.760000
 In the case of containment, of course,
 I'm being very basic here.

0:09:28.760000 --> 0:09:34.360000
 That's important because, again, many
 organizations will sort of have

0:09:34.360000 --> 0:09:37.900000
 this section defined differently.

0:09:37.900000 --> 0:09:41.800000
 So, in the case of containment, you're
 going to have short-term and long-term

0:09:41.800000 --> 0:09:43.800000
 containment strategies.

0:09:43.800000 --> 0:09:47.960000
 And then the criteria for isolating systems
 and restricting access, which

0:09:47.960000 --> 0:09:48.780000
 is very important.

0:09:48.780000 --> 0:09:53.560000
 You need to actually define when you're
 going to isolate systems and when

0:09:53.560000 --> 0:09:55.380000
 you're going to restrict access.

0:09:55.380000 --> 0:09:57.760000
 So, very, very important.

0:09:57.760000 --> 0:10:01.740000
 Continuing on, you have, you know,
 in this case, I'll sort of use the

0:10:01.740000 --> 0:10:06.380000
 SANS process or phases as it were.

0:10:06.380000 --> 0:10:12.420000
 So, eradication, in this case, removing
 the threat, you know, what that

0:10:12.420000 --> 0:10:16.520000
 will look like. So, you need
 to be quite specific.

0:10:16.520000 --> 0:10:21.480000
 For example, malware removal, patching
 vulnerabilities, etc.

0:10:21.480000 --> 0:10:24.680000
 And then verification steps,
 post-eradication.

0:10:24.680000 --> 0:10:28.480000
 So, all the steps that need to be performed
 post-eradication to ensure

0:10:28.480000 --> 0:10:34.300000
 that the threat has been eliminated or,
 again, eradicated from the affected

0:10:34.300000 --> 0:10:36.820000
 system or systems.

0:10:36.820000 --> 0:10:38.020000
 And then you have recovery.

0:10:38.020000 --> 0:10:42.280000
 So, you need to lay out, you know, the
 different procedures or the plan,

0:10:42.280000 --> 0:10:46.720000
 as it were, for restoring systems and
 validating security post-incident.

0:10:46.720000 --> 0:10:49.240000
 So, very, very important.

0:10:49.240000 --> 0:10:51.000000
 And then post-incident activity.

0:10:51.000000 --> 0:10:56.260000
 So, you know, things like conducting
 a post-incident review or PIR.

0:10:56.260000 --> 0:10:59.780000
 Capturing lessons learned and updating
 the IRP or security controls.

0:10:59.780000 --> 0:11:03.960000
 So, you need to essentially document
 how this is going to be performed

0:11:03.960000 --> 0:11:09.440000
 or the means or processes through
 which this will be done.

0:11:09.440000 --> 0:11:12.260000
 So, you know, how will
 lessons be captured?

0:11:12.260000 --> 0:11:18.180000
 How will these lessons feed back into,
 you know, the updating of the IRP

0:11:18.180000 --> 0:11:21.660000
 or various security controls, etc.

0:11:21.660000 --> 0:11:24.700000
 And then you have another
 dedicated section.

0:11:24.700000 --> 0:11:28.880000
 That's, again, very, very important,
 which is communication and reporting.

0:11:28.880000 --> 0:11:33.860000
 So, in this case, you're, you know, you're
 laying out the internal communication

0:11:33.860000 --> 0:11:38.380000
 procedures. So, pretty much
 who needs to know and when.

0:11:38.380000 --> 0:11:42.080000
 So, this is within technical
 teams and leadership.

0:11:42.080000 --> 0:11:45.020000
 And then you have external
 communication procedures.

0:11:45.020000 --> 0:11:48.420000
 So, this is where you lay out, you know,
 various regulatory authorities,

0:11:48.420000 --> 0:11:51.340000
 law enforcement, clients, partners, etc.

0:11:51.340000 --> 0:11:54.140000
 And then public relations
 or disclosure procedures.

0:11:54.140000 --> 0:11:58.220000
 So, you know, press releases, breach
 notification obligations, media

0:11:58.220000 --> 0:12:02.840000
 handling, etc. Depending on, you know,
 different types of incidents, but,

0:12:02.840000 --> 0:12:04.920000
 you know, you need to have these defined.


0:12:04.920000 --> 0:12:10.440000
 So, in the event of a breach, not an
 incident, but a breach where you need

0:12:10.440000 --> 0:12:13.540000
 to do public disclosure.

0:12:13.540000 --> 0:12:18.120000
 You need to have, you know, a plan
 defined for press releases, breach

0:12:18.120000 --> 0:12:21.440000
 notifications, so on and so forth.

0:12:21.440000 --> 0:12:24.900000
 And then you have documentation
 and evidence handling.

0:12:24.900000 --> 0:12:27.780000
 So, you typically have evidence
 handling protocols.

0:12:27.780000 --> 0:12:31.380000
 So, chain of custody procedures, you
 know, things like forensic imaging,

0:12:31.380000 --> 0:12:35.460000
 etc. And then incident
 tracking and ticketing.

0:12:35.460000 --> 0:12:37.000000
 So, this is very important.

0:12:37.000000 --> 0:12:41.860000
 So, systems or methods that are used
 to log, track, and close incidents.

0:12:41.860000 --> 0:12:44.840000
 And then retention requirements, something
 that, you know, a lot of organizations

0:12:44.840000 --> 0:12:48.940000
 overlook in the beginning, which is
 how long incident records are kept.

0:12:48.940000 --> 0:12:54.020000
 This is often driven by legal
 or regulatory mandates.

0:12:54.020000 --> 0:12:58.540000
 And then you also have, you know, sections
 that have to do with testing

0:12:58.540000 --> 0:13:03.020000
 the plan or putting the plan to test,
 as it were, and obviously reviewing

0:13:03.020000 --> 0:13:07.120000
 the plan. So, this is where you'll
 typically have tabletop exercises,

0:13:07.120000 --> 0:13:12.400000
 TTXs, as they're called, or abbreviated
 as, as well as simulations.

0:13:12.400000 --> 0:13:16.580000
 So, think of red team operations,
 purple team operations.

0:13:16.580000 --> 0:13:21.920000
 So, this is where you have the schedule
 and structure, you know, for

0:13:21.920000 --> 0:13:24.060000
 regular incident response testing.

0:13:24.060000 --> 0:13:28.460000
 So, think of a red team operation or
 a purple team exercise, where you

0:13:28.460000 --> 0:13:32.320000
 pit, you know, an offensive team against
 the defensive team in order to

0:13:32.320000 --> 0:13:38.620000
 test the incident response plan, as it,
 you know, as it were, in operation.

0:13:38.620000 --> 0:13:40.760000
 Or tactically, I should say.

0:13:40.760000 --> 0:13:43.160000
 And then a plan review cycle.

0:13:43.160000 --> 0:13:45.700000
 So, frequency of reviews.

0:13:45.700000 --> 0:13:50.620000
 In the case of incident response plans,
 generally speaking, the review

0:13:50.620000 --> 0:13:53.340000
 and update cycle is annually.

0:13:53.340000 --> 0:13:58.320000
 So, every year, as well as, you know,
 post major incidents, obviously.

0:13:58.320000 --> 0:14:03.400000
 And then it's always recommended to have,
 you know, an appendix or appendices

0:14:03.400000 --> 0:14:05.280000
 that have contact lists.

0:14:05.280000 --> 0:14:10.840000
 So, these are inclusive of the IRT,
 various escalation paths, external

0:14:10.840000 --> 0:14:16.220000
 support, that would be ISPs, forensic
 firms, vendors that, you know,

0:14:16.220000 --> 0:14:23.040000
 sort of are inclusive of, you know,
 the technologies you use, your ISP,

0:14:23.040000 --> 0:14:26.720000
 etc. So, in the event something happens,
 you may need to reach out to

0:14:26.720000 --> 0:14:28.020000
 an ISP, for example.

0:14:28.020000 --> 0:14:33.060000
 Or you may need to reach out to a particular
 firm or vendor of, you know,

0:14:33.060000 --> 0:14:35.300000
 a particular tool that you're using.

0:14:35.300000 --> 0:14:37.900000
 It's also very important
 to have a glossary.

0:14:37.900000 --> 0:14:41.660000
 So, this is where you'd have definitions
 of technical or legal terms that

0:14:41.660000 --> 0:14:43.440000
 are used in the plan.

0:14:43.440000 --> 0:14:45.340000
 And then templates and forms.

0:14:45.340000 --> 0:14:49.760000
 So, think of incident reporting forms,
 checklists, notification templates,

0:14:49.760000 --> 0:14:54.400000
 etc. So, to sort of summarize what we've
 covered in this video, as well

0:14:54.400000 --> 0:14:59.000000
 as to distinguish an incident response
 policy from a plan, I have this

0:14:59.000000 --> 0:15:02.740000
 slide that I think will sort
 of make it very, very clear.

0:15:02.740000 --> 0:15:06.940000
 So, let's start off with what we covered
 in the previous video, an incident

0:15:06.940000 --> 0:15:08.200000
 response policy.

0:15:08.200000 --> 0:15:13.140000
 So, an incident response policy is a high-level
 formal document that establishes

0:15:13.140000 --> 0:15:18.660000
 an organization's intent and commitment
 to managing cybersecurity incidents.

0:15:18.660000 --> 0:15:24.440000
 An incident response plan is a detailed
 operational document that describes

0:15:24.440000 --> 0:15:28.820000
 how the organization will detect, respond
 to, contain, and recover from

0:15:28.820000 --> 0:15:33.400000
 incidents. So, the best way to understand
 it is policy is equal to strategic

0:15:33.400000 --> 0:15:37.840000
 directive and a plan is a
 tactical execution guide.

0:15:37.840000 --> 0:15:41.620000
 Now, the plan is obviously going to
 be high level and that's why below

0:15:41.620000 --> 0:15:45.300000
 the plan, you're going to have playbooks
 which sort of address specific

0:15:45.300000 --> 0:15:51.380000
 types of incidents and, you know, the
 process of preparing for a specific

0:15:51.380000 --> 0:15:57.980000
 type of incident, detecting it, analyzing
 it, and so on and so forth.

0:15:57.980000 --> 0:16:03.180000
 So, we'll be taking a look at incident
 response playbooks in the next

0:16:03.180000 --> 0:16:06.800000
 video, but hopefully this
 clarifies it for you now.

0:16:06.800000 --> 0:16:11.120000
 There are some very good examples of
 incident response plans as well as

0:16:11.120000 --> 0:16:13.900000
 templates that I've provided
 in the slides here.

0:16:13.900000 --> 0:16:17.820000
 We're not going to be taking a look
 at any of these specifically.

0:16:17.820000 --> 0:16:20.440000
 You know, this is something that you
 can do yourself, because again, it's

0:16:20.440000 --> 0:16:24.520000
 really very, very similar to the policy
 that we looked at, but I would

0:16:24.520000 --> 0:16:28.400000
 highly recommend that you go through
 the CISA incident response plan

0:16:28.400000 --> 0:16:35.640000
 basics, which will essentially lay
 out pretty much what we covered in

0:16:35.640000 --> 0:16:39.360000
 this video, what should be included,
 so on and so forth.

0:16:39.360000 --> 0:16:43.900000
 You then have a very good example of
 an incident response template in

0:16:43.900000 --> 0:16:48.620000
 the form of the Govram incident response
 plan template, and then a very

0:16:48.620000 --> 0:16:53.040000
 good example, in this case not a
 template, but a very good reference,

0:16:53.040000 --> 0:16:57.360000
 which is the University of Connecticut
 incident response plan, which you

0:16:57.360000 --> 0:16:59.080000
 can access there.

0:16:59.080000 --> 0:17:02.240000
 So, that's going to be it for this
 video and I'll be seeing you in the

