WEBVTT

0:00:00.540000 --> 0:00:05.140000
 Hello everyone and welcome to the Incident
 Response Preparation course

0:00:05.140000 --> 0:00:09.820000
 summary. So you've made it to the end
 of this course and now it's time

0:00:09.820000 --> 0:00:15.320000
 to look back and get an idea of everything
 that we have learned in this

0:00:15.320000 --> 0:00:18.960000
 course and hopefully give you an idea
 of how much you have progressed.

0:00:18.960000 --> 0:00:22.660000
 So you know what you've learned in this
 course and you know what you should

0:00:22.660000 --> 0:00:28.560000
 be able to do. So to get started just
 as we did in the course overview

0:00:28.560000 --> 0:00:33.680000
 video we're going to revisit or you
 know get a recap of the key concepts

0:00:33.680000 --> 0:00:37.920000
 that we wanted to cover in this course
 and of course the first of which

0:00:37.920000 --> 0:00:41.900000
 was Incident Response Fundamentals to
 sort of you know get an understanding

0:00:41.900000 --> 0:00:48.540000
 of what incident response is, the incident
 response process, so on and so

0:00:48.540000 --> 0:00:51.220000
 forth, which I think
 we covered quite well.

0:00:51.220000 --> 0:00:56.240000
 The second key concept was to do with
 incident response teams and structures,

0:00:56.240000 --> 0:01:00.740000
 which we covered quite well
 or quite extensively.

0:01:00.740000 --> 0:01:04.580000
 We took a look at the different structures
 or models of teams as well

0:01:04.580000 --> 0:01:13.220000
 as the types of teams, so CSIRT, CERT
 as in CERT and CSIRT as in

0:01:13.220000 --> 0:01:18.660000
 C-S-I-R-T, the differences between them, you
 know why they sort of have different

0:01:18.660000 --> 0:01:24.440000
 names, and that also led into roles and
 responsibilities, and you know we

0:01:24.440000 --> 0:01:28.580000
 focused primarily first on the roles
 that you typically find within an

0:01:28.580000 --> 0:01:34.180000
 incident response team, and then you know we
 took a deep dive into the responsibilities

0:01:34.180000 --> 0:01:40.260000
 and we also explored that in the context
 of or specifically in the context

0:01:40.260000 --> 0:01:48.460000
 of you know using a RACI matrix for assigning
 responsibilities within an

0:01:48.460000 --> 0:01:52.360000
 incident response team, and then the final
 key concept had to do with the

0:01:52.360000 --> 0:01:56.580000
 preparation phase in incident response,
 which as you know took up a majority

0:01:56.580000 --> 0:02:01.800000
 of the course in terms of length where we
 got an introduction to the preparation

0:02:01.800000 --> 0:02:07.060000
 phase and we got an understanding of
 what it entails and we sort of broke

0:02:07.060000 --> 0:02:16.960000
 it into people, processes and technology
 and addressed all three to varying

0:02:16.960000 --> 0:02:23.300000
 degrees primarily given that you know
 we are sort of approaching this

0:02:23.300000 --> 0:02:25.940000
 from the perspective of
 an incident responder.

0:02:25.940000 --> 0:02:31.220000
 So let's now revisit the learning outcomes
 so this is a recap of the learning

0:02:31.220000 --> 0:02:36.360000
 outcomes these are unchanged from the
 learning outcomes that we laid out

0:02:36.360000 --> 0:02:41.520000
 or that I laid out in the course overview
 video so let's tackle them one

0:02:41.520000 --> 0:02:44.720000
 by one starting with the first one so
 by the end of this course you should

0:02:44.720000 --> 0:02:48.720000
 be able to explain the difference, sorry,
 the importance of incident response

0:02:48.720000 --> 0:02:53.960000
 and the risks of unstructured response
 efforts of course I think we addressed

0:02:53.960000 --> 0:02:59.280000
 that quite well by firstly explaining
 the difference between a log, an

0:02:59.280000 --> 0:03:04.860000
 alert and an incident, and then you
 know we also explored what incident

0:03:04.860000 --> 0:03:11.540000
 response is, the incident response process,
 what it looks like, and the importance

0:03:11.540000 --> 0:03:17.740000
 of incident response and consequently,
 as the learning outcome suggests,

0:03:17.740000 --> 0:03:23.820000
 the risks of an unstructured incident response
 team or, widely speaking, an

0:03:23.820000 --> 0:03:28.180000
 incident response process, which would
 consequently mean an unstructured

0:03:28.180000 --> 0:03:33.680000
 response effort, so I think we covered
 that quite well. The second learning

0:03:33.680000 --> 0:03:37.520000
 outcome has to do with you know identifying
 different types of security

0:03:37.520000 --> 0:03:40.700000
 incidents and common attack vectors
 which you know I sort of explained

0:03:40.700000 --> 0:03:46.680000
 we covered in relation to the first
 outcome so moving on you know you

0:03:46.680000 --> 0:03:49.840000
 should be able to describe various types
 of incident response teams, their

0:03:49.840000 --> 0:03:53.120000
 structures and their roles and indeed
 as I mentioned in the previous slide

0:03:53.120000 --> 0:03:58.100000
 we covered that quite extensively you
 know tackling the themes aspects

0:03:58.100000 --> 0:04:02.500000
 or the types names etc the structures
 and then we took a look at roles

0:04:02.500000 --> 0:04:05.720000
 and then we took a look at responsibilities
 and then we took a look at

0:04:05.720000 --> 0:04:10.520000
 you know the process and tools that
 can be used for assigning or defining,

0:04:10.520000 --> 0:04:16.320000
 tracking managing the responsibilities
 and you know more specifically

0:04:16.320000 --> 0:04:22.980000
 we utilized a RACI matrix there as sort
 of a framework for managing defining

0:04:22.980000 --> 0:04:32.080000
 and managing, differentiating between
 major incident response frameworks

0:04:32.080000 --> 0:04:38.660000
 or processes as it were, and the key ones
 we touched on were the NIST incident

0:04:38.660000 --> 0:04:43.620000
 response process or framework and the SANS
 incident response process lifecycle,

0:04:43.620000 --> 0:04:47.860000
 and you know we explored both of them
 and saw the similarities between

0:04:47.860000 --> 0:04:52.100000
 them in terms of the phases or how
 the process is broken down as well

0:04:52.100000 --> 0:04:56.020000
 as the differences and as you're able to
 tell they both have their advantages

0:04:56.020000 --> 0:05:01.760000
 or their preferred use cases and the
 differences between the two are very

0:05:01.760000 --> 0:05:05.980000
 very minimal it just comes down to
 a grouping of certain phases within

0:05:05.980000 --> 0:05:13.940000
 the process in the case of NIST and sort
 of a breakdown or further categorization

0:05:13.940000 --> 0:05:19.720000
 of certain phases into independent
 phases or steps in the case of SANS

0:05:19.720000 --> 0:05:25.540000
 so again we covered that quite well
 and we then moving on to the next

0:05:25.540000 --> 0:05:28.940000
 learning outcome, that has to do with you
 know the fact that you should

0:05:28.940000 --> 0:05:32.860000
 be able to develop foundational IR artifacts
 and documents like policies

0:05:32.860000 --> 0:05:37.280000
 plans, playbooks and you know responsibility
 matrices. Indeed we touched

0:05:37.280000 --> 0:05:43.300000
 on all of those components so we talked
 about IR policies how they should

0:05:43.300000 --> 0:05:46.600000
 be structured we then took a look at
 examples and I provided you with

0:05:46.600000 --> 0:05:51.800000
 templates, the same thing we did for
 incident response plans or IRPs, and in

0:05:51.800000 --> 0:05:55.080000
 the case of playbooks we actually went
 a step further by taking a look

0:05:55.080000 --> 0:06:01.940000
 at some really great examples of well
-defined or well-designed playbooks

0:06:01.940000 --> 0:06:06.700000
 and you know we've got an idea as to
 what you know playbooks look like

0:06:06.700000 --> 0:06:13.380000
 in the real world moving on by the end
 of this course you should be able

0:06:13.380000 --> 0:06:16.740000
 to apply the hierarchy of needs model
 to build incident response readiness.

0:06:16.740000 --> 0:06:23.240000
 we did cover the hierarchy of needs
 model and we sort of explored how

0:06:23.240000 --> 0:06:27.820000
 it can be used you know as a framework
 or a model to build and develop

0:06:27.820000 --> 0:06:33.400000
 the organization's incident response capability,
 as it were in this context,

0:06:33.400000 --> 0:06:38.700000
 readiness so moving on by the end of the
 course you should have an understanding

0:06:38.700000 --> 0:06:42.200000
 of the role of technology infrastructure
 in supporting incident response

0:06:42.200000 --> 0:06:47.780000
 activities this is related to the technology
 aspect of the preparation

0:06:47.780000 --> 0:06:52.500000
 phase where we covered you know what
 it entails or what it's referring

0:06:52.500000 --> 0:06:56.940000
 to when you break down preparation
 into components like people, process

0:06:56.940000 --> 0:07:02.320000
 and technology. We covered what technology
 means, what it entails with regards

0:07:02.320000 --> 0:07:06.680000
 to incident response, and you know we
 got an understanding of the role it

0:07:06.680000 --> 0:07:12.320000
 plays you know we explored the various
 tools that you need to have in

0:07:12.320000 --> 0:07:19.280000
 place or specifically in reference to
 preparing for an incident or when

0:07:19.280000 --> 0:07:24.180000
 developing your incident response capabilities.
 This then led into the

0:07:24.180000 --> 0:07:29.960000
 the other learning outcome here the
 second from the bottom which is you

0:07:29.960000 --> 0:07:33.660000
 should be able to manage security incidents
 using an incident management

0:07:33.660000 --> 0:07:38.980000
 platform, in this case TheHive, and
 indeed we got an introduction into

0:07:38.980000 --> 0:07:44.320000
 the incident management process, what
 incident management platforms are, the

0:07:44.320000 --> 0:07:48.160000
 features that they typically offer,
 and then we took a look at TheHive

0:07:48.160000 --> 0:07:52.920000
 in quite a bit of detail, of course
 nothing operational in the sense of

0:07:52.920000 --> 0:07:56.020000
 incident response, but we took a look at
 a very good example of a ransomware

0:07:56.020000 --> 0:08:02.740000
 incident and I sort of demonstrated or
 showed you what it would look like

0:08:02.740000 --> 0:08:07.660000
 within TheHive, you know how to create
 templates and how to set those

0:08:07.660000 --> 0:08:12.340000
 templates up and you know create tasks
 that would operate like playbooks

0:08:12.340000 --> 0:08:16.900000
 to sort of address different types
 of incidents but more specifically

0:08:16.900000 --> 0:08:21.640000
 different aspects or different phases
 of the incident response process

0:08:21.640000 --> 0:08:27.140000
 when responding to a particular type
 of incident so that was very very

0:08:27.140000 --> 0:08:30.480000
 interesting so I think we covered that
 in quite a bit of detail as well

0:08:30.480000 --> 0:08:34.900000
 and finally by the end of this course
 you should be able to build a basic

0:08:34.900000 --> 0:08:39.580000
 yet effective incident response toolkit
 tailored for operational use, and

0:08:39.580000 --> 0:08:43.900000
 in this case we actually, you know, again
 got an introduction to what IR

0:08:43.900000 --> 0:08:49.120000
 toolkits are, what they're referred to as in
 terms of their common or colloquial

0:08:49.120000 --> 0:08:55.700000
 names so that you actually know you're
 aware of what they're called in

0:08:55.700000 --> 0:09:01.220000
 the field and you you know you're able
 to actually tell yeah that is referring

0:09:01.220000 --> 0:09:06.320000
 to an IR toolkit. We also took a look at
 various tools you're likely to find

0:09:06.320000 --> 0:09:14.020000
 in an IR toolkit based on specialization or
 requirements, operational requirements,

0:09:14.020000 --> 0:09:22.120000
 and then we took a look at you know
 various procedures or the framework

0:09:22.120000 --> 0:09:28.220000
 for building your own your own incident
 response toolkit and this was

0:09:28.220000 --> 0:09:33.440000
 not just a general framework or set
 of procedures but one that is geared

0:09:33.440000 --> 0:09:43.960000
 or tailored for operational use which
 means if you follow it by the end

0:09:43.960000 --> 0:09:49.080000
 of for your requirements and one that
 is repeatable which means you know

0:09:49.080000 --> 0:09:52.700000
 you can use over and over again so
 those are the learning outcomes and

0:09:52.700000 --> 0:09:57.600000
 I think as a whole we covered everything
 you know 100% in certain cases

0:09:57.600000 --> 0:10:03.300000
 we went a bit over what we were supposed
 to cover in terms of scope but

0:10:03.300000 --> 0:10:10.220000
 all in all I would say good job and
 you know obviously this will feed

0:10:10.220000 --> 0:10:14.600000
 into the next course which is sort of
 the second phase of incident response

0:10:14.600000 --> 0:10:19.560000
 which has to do with detection and
 analysis, so a very good foundation

0:10:19.560000 --> 0:10:26.620000
 now you know and this course sort of
 will make it a very very pleasant

0:10:26.620000 --> 0:10:31.640000
 experience moving into the next one so
 with that being said before I leave

0:10:31.640000 --> 0:10:36.960000
 you and bid you farewell at least for
 now I would like to you know give

0:10:36.960000 --> 0:10:42.700000
 you some next steps or you know things
 that you can do stuff you can read

0:10:42.700000 --> 0:10:48.840000
 as to augment what you've learned in
 this course but you know to sort

0:10:48.840000 --> 0:10:52.420000
 of to augment and supplement what you've
 learned in this course but also

0:10:52.420000 --> 0:10:58.360000
 in preparation for the next course
 no pun intended with regards to my

0:10:58.360000 --> 0:11:04.180000
 use of the word preparation there the
 first step or my recommendation

0:11:04.180000 --> 0:11:08.220000
 is to deepen your understanding of the
 IR frameworks covered in the course

0:11:08.220000 --> 0:11:13.560000
 namely the NIST Special Publication
 800-61 Revision 2, which is the Computer

0:11:13.560000 --> 0:11:18.420000
 Security Incident Handling Guide, and
 the SANS Incident Handler's Handbook,

0:11:18.420000 --> 0:11:23.440000
 which is you know practical IR process
 guidance I would also recommend

0:11:23.440000 --> 0:11:30.560000
 that you practice deploying and
 using incident management using open

0:11:30.560000 --> 0:11:36.700000
 source tools, so set up a personal lab with
 TheHive, and I would also recommend

0:11:36.700000 --> 0:11:40.900000
 that you simulate handling different types
 of incidents like phishing, malware

0:11:40.900000 --> 0:11:49.080000
 outbreaks etc. as we did within the TheHive
 demo video. I would also, this is

0:11:49.080000 --> 0:11:52.360000
 something that I think is very important
 I would also recommend that you

0:11:52.360000 --> 0:11:57.400000
 create your own IR documents. A very good
 framework for this, or mental

0:11:57.400000 --> 0:12:02.840000
 model is to just picture yourself as
 you know the IR manager or team lead

0:12:02.840000 --> 0:12:08.880000
 of your own company and develop the
 incident response policy, the plan and

0:12:08.880000 --> 0:12:13.040000
 playbooks as you would again if you
 are doing this for your own company

0:12:13.040000 --> 0:12:17.100000
 the company doesn't have to be real,
 we just create a fictional scenario,

0:12:17.100000 --> 0:12:22.960000
 and the key thing is to sort of you
 know ensure that you're addressing

0:12:22.960000 --> 0:12:28.320000
 in each of these documents the you
 know the core or the important

0:12:28.320000 --> 0:12:32.280000
 aspects that need to be included. So in
 the case of the policy it is very important

0:12:32.280000 --> 0:12:37.020000
 that you define the objective of you
 know the policy you define the IR

0:12:37.020000 --> 0:12:43.860000
 capability, the scope, the IR team,
 in your case if it's fictional

0:12:43.860000 --> 0:12:48.320000
 it would be the ideal IR team, but that's a
 very good exercise in sort of

0:12:48.320000 --> 0:12:54.720000
 recalling the various roles that you
 typically find, and then you can also

0:12:54.720000 --> 0:12:58.880000
 include or utilize the resource that
 I shared in this course which was

0:12:58.880000 --> 0:13:04.880000
 the RACI matrix, or you know use that framework
 or model to assign responsibilities,

0:13:04.880000 --> 0:13:09.260000
 which will help you understand a little
 bit better who does what within

0:13:09.260000 --> 0:13:13.520000
 an incident response team, so on and so
 forth, and I would also extend the

0:13:13.520000 --> 0:13:20.620000
 same level of rigor as a recommendation
 when you know exploring already

0:13:20.620000 --> 0:13:25.460000
 existing public IR playbooks but also
 developing your own as I said I

0:13:25.460000 --> 0:13:29.540000
 covered or provided you with a great
 starting point in the form of the

0:13:29.540000 --> 0:13:34.680000
 public playbooks GitHub GitLab repository
 and also showed you that you

0:13:34.680000 --> 0:13:38.940000
 know a lot of the files in there also
 contain templates that allow you

0:13:38.940000 --> 0:13:44.360000
 to make modifications so those are
 my next steps or my recommendations

0:13:44.360000 --> 0:13:56.000000
 for you as you complete this course
 again to augment what you've already

0:13:56.000000 --> 0:14:02.060000
 with that being said that brings us
 to the end of this course and I hope

0:14:02.060000 --> 0:14:06.620000
 you found value in it if you've made
 it this far congratulations and thank

0:14:06.620000 --> 0:14:11.040000
 you as I said hope you found value in
 it and I'll be I'm really looking

