WEBVTT

0:00:03.620000 --> 0:00:08.380000
 Building a technological backbone
 for incident response.

0:00:08.380000 --> 0:00:12.640000
 So in this section, we're going to be
 exploring the technological aspect

0:00:12.640000 --> 0:00:18.940000
 of the preparation phase in the incident
 response lifecycle or process.

0:00:18.940000 --> 0:00:24.060000
 And this video specifically is sort
 of going to introduce the various

0:00:24.060000 --> 0:00:29.220000
 elements of, you know, technological
 preparation or as I've titled this

0:00:29.220000 --> 0:00:34.760000
 video, how to build a technological
 backbone or foundation for incident

0:00:34.760000 --> 0:00:41.760000
 response. So before an incident ever occurs,
 incident responders must ensure

0:00:41.760000 --> 0:00:47.400000
 that the right technologies are in place,
 properly configured and of course

0:00:47.400000 --> 0:00:51.800000
 ready to support detection, investigation,
 containment and recovery.

0:00:51.800000 --> 0:00:53.820000
 So this is very important.

0:00:53.820000 --> 0:00:57.760000
 You never want to be in a position
 where, and I think I mentioned this

0:00:57.760000 --> 0:01:03.380000
 in a previous video, where, you know,
 keeping aside the people and processes

0:01:03.380000 --> 0:01:07.300000
 aspect of preparation, you never want
 to be in a position where, you know,

0:01:07.300000 --> 0:01:10.960000
 you have to respond to an incident and
 you don't have the tools required

0:01:10.960000 --> 0:01:11.740000
 to do something.

0:01:11.740000 --> 0:01:18.520000
 Let's say, you know, memory dumps or, you
 know, acquiring, you know, performing

0:01:18.520000 --> 0:01:25.560000
 disk forensics, so actually, you know,
 creating an image of a disk as

0:01:25.560000 --> 0:01:30.160000
 an example, you know, you need
 to be proactive in this sense.

0:01:30.160000 --> 0:01:33.980000
 So in this video, what we're going to do
 is we'll break down the key technological

0:01:33.980000 --> 0:01:39.200000
 preparations every incident responder
 needs to understand and why these

0:01:39.200000 --> 0:01:43.540000
 preparations are critical to successful
 incident handling or incident

0:01:43.540000 --> 0:01:45.980000
 response more specifically.

0:01:45.980000 --> 0:01:52.520000
 So let's revisit the, you know, technology
 in regard to the preparation

0:01:52.520000 --> 0:01:54.740000
 phase of incident response.

0:01:54.740000 --> 0:01:59.520000
 So technology provides the visibility, access,
 and tools that incident responders

0:01:59.520000 --> 0:02:04.440000
 rely on. That's the key word there
 during a security incident.

0:02:04.440000 --> 0:02:08.840000
 Without the right technology, even
 the best trained response teams can

0:02:08.840000 --> 0:02:13.260000
 find themselves blind in a sense, in
 that they don't know what to do next

0:02:13.260000 --> 0:02:16.380000
 or they don't know what
 to use as it were.

0:02:16.380000 --> 0:02:20.340000
 They'll also be slow because of this blindness,
 or they're sort of interrelated,

0:02:20.340000 --> 0:02:21.920000
 and, of course, ineffective.

0:02:21.920000 --> 0:02:26.540000
 If you don't know, you know, what tools
 to use to achieve a particular

0:02:26.540000 --> 0:02:30.200000
 objective or to complete something,
 then you're going to be ineffective.

0:02:30.200000 --> 0:02:35.960000
 So in the preparation phase, technology
 needs to be ready before the breach

0:02:35.960000 --> 0:02:41.620000
 happens. So the technology supporting
 incident response consists of the

0:02:41.620000 --> 0:02:47.920000
 system tools and the platforms used
 by security analysts or, you know,

0:02:47.920000 --> 0:02:52.880000
 incident responders to conduct investigations,
 execute response actions,

0:02:52.880000 --> 0:02:56.600000
 and, of course, manage incidents, and
 we'll touch a little bit on the

0:02:56.600000 --> 0:02:58.680000
 management side within this course.

0:02:58.680000 --> 0:03:03.940000
 So effective incident response relies on
 having the necessary infrastructure,

0:03:03.940000 --> 0:03:08.460000
 hardware, so not just software, hardware
 and software in place to support

0:03:08.460000 --> 0:03:12.820000
 all activities required during a security
 breach or when dealing

0:03:12.820000 --> 0:03:15.120000
 with, when responding to, an incident.

0:03:15.120000 --> 0:03:21.080000
 So what is this technology that I'm
 referring to with regard to incident

0:03:21.080000 --> 0:03:24.560000
 response, but more specifically,
 you know, the preparation phase?

0:03:24.560000 --> 0:03:30.020000
 So an effective incident response capability
 should be supported by a

0:03:30.020000 --> 0:03:34.400000
 range of essential tools and resources,
 including, and these are very

0:03:34.400000 --> 0:03:39.220000
 specific to incident response or to
 your role as an incident responder.

0:03:39.220000 --> 0:03:45.720000
 Of course, I'm not really referring
 to the various detection-based tools

0:03:45.720000 --> 0:03:48.480000
 or tools like a SIEM.

0:03:48.480000 --> 0:03:52.160000
 At least we'll not be covering that
 within this particular course, but

0:03:52.160000 --> 0:03:56.340000
 when we get to detection, we'll then start
 exploring detection engineering

0:03:56.340000 --> 0:03:58.260000
 and all of that good stuff.

0:03:58.260000 --> 0:04:02.700000
 But generally speaking, when we talk
 about the technology that supports

0:04:02.700000 --> 0:04:06.500000
 incident response as a process, you'll
 typically see an incident response

0:04:06.500000 --> 0:04:11.940000
 management software, which as I said,
 we'll cover in another video soon

0:04:11.940000 --> 0:04:15.420000
 after this one, a threat
 intelligence platform.

0:04:15.420000 --> 0:04:19.040000
 We'll touch on threat intelligence platforms
 within the threat intelligence

0:04:19.040000 --> 0:04:21.120000
 and threat hunting course.

0:04:21.120000 --> 0:04:26.100000
 A well-equipped incident response toolkit,
 we'll cover that in this course.

0:04:26.100000 --> 0:04:28.800000
 And then of course, you have computers
 with specialized investigation

0:04:28.800000 --> 0:04:31.660000
 software. We'll touch on that as well.

0:04:31.660000 --> 0:04:37.740000
 Isolated network segments for secure
 responder operations, basic network

0:04:37.740000 --> 0:04:42.060000
 equipment and cabling, you know, that
 is required in certain instances.

0:04:42.060000 --> 0:04:46.360000
 And, you know, quite important, sanitized
 storage drives for evidence

0:04:46.360000 --> 0:04:50.580000
 collection. So you need to have a mix
 of hardware and software ready.

0:04:50.580000 --> 0:04:54.420000
 And in this case, you know, in the case
 of hardware using this as an example,

0:04:54.420000 --> 0:04:58.000000
 you know, you're going to be copying
 or you're going to be, you know,

0:04:58.000000 --> 0:05:00.400000
 imaging quite a few disks.

0:05:00.400000 --> 0:05:05.340000
 You know, dumping, performing memory
 dumps and all of that good stuff.

0:05:05.340000 --> 0:05:07.400000
 You need a place to store it.

0:05:07.400000 --> 0:05:11.860000
 And, you know, in this particular case,
 you need to have sort of sanitized

0:05:11.860000 --> 0:05:16.700000
 storage drives. You also require
 secure communication tools.

0:05:16.700000 --> 0:05:20.680000
 So this would include voice messaging
 and of course email.

0:05:20.680000 --> 0:05:23.860000
 And very important, it's
 usually overlooked.

0:05:23.860000 --> 0:05:27.620000
 You need to have encryption software
 to protect sensitive information

0:05:27.620000 --> 0:05:32.480000
 during investigations because you don't
 want to be, you don't want to

0:05:32.480000 --> 0:05:37.720000
 sort of make the breach worse by, you
 know, yourself sort of revealing,

0:05:37.720000 --> 0:05:40.680000
 you know, company data.

0:05:40.680000 --> 0:05:44.620000
 So you need to make sure that, you know,
 wherever, whatever data you're

0:05:44.620000 --> 0:05:50.480000
 sort of saving or storing for analysis
 is actually stored securely to

0:05:50.480000 --> 0:05:52.720000
 pro, you know, to, to prevent.

0:05:52.720000 --> 0:05:57.920000
 unauthorized access to it. You know,
 inadvertently, that can happen.

0:05:57.920000 --> 0:06:01.120000
 It has happened many, many times, you
 know, you leave a particular file

0:06:01.120000 --> 0:06:05.980000
 on one of your systems and years go
 by and, you know, you get the idea.

0:06:05.980000 --> 0:06:07.340000
 It can be quite messy.

0:06:07.340000 --> 0:06:14.540000
 So the bottom line here is, or to sort
 of summarize what's in this particular

0:06:14.540000 --> 0:06:17.720000
 slide, you need to have an IR kit.

0:06:17.720000 --> 0:06:22.160000
 As I said, we'll talk a little bit about
 an IR kit, probably in the final

0:06:22.160000 --> 0:06:24.380000
 video within this section.

0:06:24.380000 --> 0:06:29.420000
 And you need to have at least to the
 extent that, you know, what we'll

0:06:29.420000 --> 0:06:34.620000
 be covering here, an incident response
 or incident management platform.

0:06:34.620000 --> 0:06:38.940000
 And you need to be obviously
 trained in using it.

0:06:38.940000 --> 0:06:43.820000
 The rest of the stuff sort of deals
 with hardware and software.

0:06:43.820000 --> 0:06:49.260000
 But generally speaking, within a CSIRT
 or even a SOC, you'll typically

0:06:49.260000 --> 0:06:54.720000
 see the use of tools or platforms like
 MISP for, you know, intelligence,

0:06:54.720000 --> 0:06:59.720000
 for threat intelligence, and TheHive,
 which I'll actually be covering

0:06:59.720000 --> 0:07:04.600000
 in the next video for incident management,
 case management, so on and

0:07:04.600000 --> 0:07:08.020000
 so forth. It'll become apparent why
 that's important if you haven't used

0:07:08.020000 --> 0:07:10.280000
 these tools before.

0:07:10.280000 --> 0:07:15.860000
 But yeah, so that's going to be it
 for this video now that we sort of

0:07:15.860000 --> 0:07:21.720000
 understand, you know, what the role, you
 know, technology plays with regard

0:07:21.720000 --> 0:07:24.480000
 to the preparation phase
 and incident response.

0:07:24.480000 --> 0:07:30.500000
 We can start exploring some of these
 technological components or aspects.

0:07:30.500000 --> 0:07:33.560000
 So with that being said, that's
 going to be it for this video.

0:07:33.560000 --> 0:07:35.500000
 And I'll be seeing you in the next video.
