WEBVTT

1
00:00:00.020 --> 00:00:01.800
In this section of the course,

2
00:00:01.800 --> 00:00:04.650
we are going to discuss incident response.

3
00:00:04.650 --> 00:00:06.810
The incident response section of the course

4
00:00:06.810 --> 00:00:10.410
focuses on Domain 1, governance, risk and compliance,

5
00:00:10.410 --> 00:00:13.050
and Domain 4, security operations,

6
00:00:13.050 --> 00:00:17.490
specifically objectives 1.2 and 4.4.

7
00:00:17.490 --> 00:00:20.010
Objective 1.2 states that given a set

8
00:00:20.010 --> 00:00:22.260
of organizational security requirements,

9
00:00:22.260 --> 00:00:25.770
you must be able to perform risk management activities.

10
00:00:25.770 --> 00:00:29.250
Objective 4.4 states that given a scenario,

11
00:00:29.250 --> 00:00:32.100
you must be able to analyze data and artifacts

12
00:00:32.100 --> 00:00:34.740
in support of incident response activities.

13
00:00:34.740 --> 00:00:37.890
Effective incident response minimizes the impact

14
00:00:37.890 --> 00:00:41.130
of security breaches and ensures swift recovery.

15
00:00:41.130 --> 00:00:42.720
In order to be effective,

16
00:00:42.720 --> 00:00:46.830
organizations must regularly conduct preparedness exercises

17
00:00:46.830 --> 00:00:49.050
to simulate potential incidents.

18
00:00:49.050 --> 00:00:51.210
Preparedness exercises help teams

19
00:00:51.210 --> 00:00:54.330
practice and refine their response strategies.

20
00:00:54.330 --> 00:00:57.120
Then, when an actual event occurs,

21
00:00:57.120 --> 00:01:00.120
immediate and coordinated action to contain the threat

22
00:01:00.120 --> 00:01:02.430
and mitigate damage can occur.

23
00:01:02.430 --> 00:01:05.340
Following that, post-incident analysis,

24
00:01:05.340 --> 00:01:08.790
including attribution and root cause identification

25
00:01:08.790 --> 00:01:12.240
helps the organization understand who was responsible

26
00:01:12.240 --> 00:01:13.650
and how the breach occurred.

27
00:01:13.650 --> 00:01:15.210
As we go through this section,

28
00:01:15.210 --> 00:01:18.660
we will cover many topics related to incident response,

29
00:01:18.660 --> 00:01:22.710
including preparedness exercises, immediate response,

30
00:01:22.710 --> 00:01:27.060
event response, attribution and root cause analysis.

31
00:01:27.060 --> 00:01:30.120
First, let's look at preparedness exercises.

32
00:01:30.120 --> 00:01:34.110
Preparedness exercises are activities designed to evaluate

33
00:01:34.110 --> 00:01:37.080
and improve an organization's readiness

34
00:01:37.080 --> 00:01:38.940
to handle security incidents.

35
00:01:38.940 --> 00:01:41.490
Preparedness exercise types include

36
00:01:41.490 --> 00:01:46.230
tabletop, walkthrough, parallel and simulation exercises.

37
00:01:46.230 --> 00:01:49.740
Tabletop exercises are a discussion-based activity.

38
00:01:49.740 --> 00:01:51.540
During a tabletop exercise,

39
00:01:51.540 --> 00:01:53.280
team members are led through a scenario

40
00:01:53.280 --> 00:01:54.930
and talk through their responses

41
00:01:54.930 --> 00:01:57.450
without performing any actual actions

42
00:01:57.450 --> 00:01:59.910
and without the pressure of time.

43
00:01:59.910 --> 00:02:03.330
Next, in a walkthrough exercise, the team members review

44
00:02:03.330 --> 00:02:06.690
and practice specific procedures for incident response,

45
00:02:06.690 --> 00:02:08.310
while still low pressure,

46
00:02:08.310 --> 00:02:11.520
a walkthrough is more hands-on than a tabletop exercise.

47
00:02:11.520 --> 00:02:14.790
Next, parallel exercises simulate incidents

48
00:02:14.790 --> 00:02:16.950
alongside normal operations

49
00:02:16.950 --> 00:02:19.290
to assess how the response integrates

50
00:02:19.290 --> 00:02:21.120
with day-to-day activities.

51
00:02:21.120 --> 00:02:22.590
In parallel exercises,

52
00:02:22.590 --> 00:02:25.710
response actions are not taken on the production network,

53
00:02:25.710 --> 00:02:27.750
but may be taken in a staging environment

54
00:02:27.750 --> 00:02:30.060
which parallels the production network.

55
00:02:30.060 --> 00:02:33.810
Next, simulations replicate real-world attack scenarios,

56
00:02:33.810 --> 00:02:37.380
requiring teams to respond as if the threat were real.

57
00:02:37.380 --> 00:02:40.380
Simulations and subsequent responses may occur

58
00:02:40.380 --> 00:02:41.850
on the production network.

59
00:02:41.850 --> 00:02:44.940
For example, an organization might run a simulation

60
00:02:44.940 --> 00:02:47.850
of a phishing attack where employees receive realistic

61
00:02:47.850 --> 00:02:49.650
but simulated phishing email.

62
00:02:49.650 --> 00:02:51.690
The incident response team is tasked

63
00:02:51.690 --> 00:02:55.200
with identifying the threat, containing any potential damage,

64
00:02:55.200 --> 00:02:58.110
and preventing further access in real time.

65
00:02:58.110 --> 00:03:00.510
By simulating a real-world scenario,

66
00:03:00.510 --> 00:03:02.490
the organization can better prepare

67
00:03:02.490 --> 00:03:04.350
for actual phishing attacks.

68
00:03:04.350 --> 00:03:07.170
Next, we will explore immediate response.

69
00:03:07.170 --> 00:03:10.140
Immediate response includes the rapid actions

70
00:03:10.140 --> 00:03:13.230
taken to contain and mitigate a security incident

71
00:03:13.230 --> 00:03:14.910
as soon as it is detected.

72
00:03:14.910 --> 00:03:17.070
Immediate response concepts include

73
00:03:17.070 --> 00:03:19.530
crisis management and threat response.

74
00:03:19.530 --> 00:03:21.570
Crisis management involves collaborating

75
00:03:21.570 --> 00:03:23.700
with key stakeholders to maintain trust

76
00:03:23.700 --> 00:03:25.710
and transparency throughout the incident,

77
00:03:25.710 --> 00:03:27.630
ensuring that all parties understand

78
00:03:27.630 --> 00:03:29.730
the organization's response efforts.

79
00:03:29.730 --> 00:03:31.950
Crisis management requires careful planning

80
00:03:31.950 --> 00:03:34.080
and execution of recovery strategies

81
00:03:34.080 --> 00:03:36.510
to protect the organization's reputation

82
00:03:36.510 --> 00:03:39.630
and avoid long-term disruptions to operations.

83
00:03:39.630 --> 00:03:42.750
Threat response, on the other hand, involves rapid detection

84
00:03:42.750 --> 00:03:45.180
and investigation of the issue,

85
00:03:45.180 --> 00:03:47.160
often using specialized tools

86
00:03:47.160 --> 00:03:49.560
and teams to assess the situation.

87
00:03:49.560 --> 00:03:51.000
After containing the threat,

88
00:03:51.000 --> 00:03:53.550
response efforts focus on remediation,

89
00:03:53.550 --> 00:03:55.770
including fixing vulnerabilities,

90
00:03:55.770 --> 00:03:57.450
restoring affected systems,

91
00:03:57.450 --> 00:04:00.840
and reinforcing defenses to prevent future incidents.

92
00:04:00.840 --> 00:04:03.390
For example, during a ransomware attack,

93
00:04:03.390 --> 00:04:06.570
the security team may immediately isolate affected systems

94
00:04:06.570 --> 00:04:09.720
to prevent the malware from spreading across the network.

95
00:04:09.720 --> 00:04:12.630
Furthermore, they may disconnect compromised machines

96
00:04:12.630 --> 00:04:14.940
from the network, disable remote access

97
00:04:14.940 --> 00:04:17.070
and shut down affected servers.

98
00:04:17.070 --> 00:04:20.160
Simultaneously, crisis management could be activated

99
00:04:20.160 --> 00:04:22.350
to coordinate internal communications,

100
00:04:22.350 --> 00:04:25.410
informing executives and employees of the situation

101
00:04:25.410 --> 00:04:28.020
and outlining steps being taken to address it.

102
00:04:28.020 --> 00:04:31.290
Externally, the team could engage with customers, partners,

103
00:04:31.290 --> 00:04:34.230
and media to manage the flow of information,

104
00:04:34.230 --> 00:04:37.230
ensuring transparency while avoiding panic.

105
00:04:37.230 --> 00:04:40.020
After that, we will look at event response.

106
00:04:40.020 --> 00:04:43.110
Event response includes the actions taken to handle,

107
00:04:43.110 --> 00:04:46.050
investigate, and mitigate a security incident

108
00:04:46.050 --> 00:04:48.210
after it has been detected and contained.

109
00:04:48.210 --> 00:04:51.480
Event response concepts include timeline reconstruction,

110
00:04:51.480 --> 00:04:55.470
data recovery and extraction, and data breach response.

111
00:04:55.470 --> 00:04:57.810
Timeline reconstruction involves piecing together

112
00:04:57.810 --> 00:04:59.310
the sequence of events

113
00:04:59.310 --> 00:05:01.890
leading up to and during the incident.

114
00:05:01.890 --> 00:05:04.410
Timeline reconstruction helps the team identify

115
00:05:04.410 --> 00:05:07.950
exploited vulnerabilities and the path of the attack.

116
00:05:07.950 --> 00:05:11.130
Data recovery and extraction focuses on restoring

117
00:05:11.130 --> 00:05:12.960
lost or compromised data

118
00:05:12.960 --> 00:05:16.080
and extracting critical information for analysis.

119
00:05:16.080 --> 00:05:18.720
Breach response encompasses the broader steps

120
00:05:18.720 --> 00:05:21.450
of mitigating damage, securing systems,

121
00:05:21.450 --> 00:05:23.460
and ensuring compliance with legal

122
00:05:23.460 --> 00:05:25.320
and regulatory requirements.

123
00:05:25.320 --> 00:05:28.860
Effective breach response minimizes operational impact

124
00:05:28.860 --> 00:05:31.080
and protects the organization from legal

125
00:05:31.080 --> 00:05:32.970
and financial repercussions.

126
00:05:32.970 --> 00:05:34.890
For example, after a data breach,

127
00:05:34.890 --> 00:05:38.250
the security team might reconstruct the timeline of events

128
00:05:38.250 --> 00:05:40.320
to determine how the breach occurred

129
00:05:40.320 --> 00:05:42.150
and which systems were affected.

130
00:05:42.150 --> 00:05:44.550
The reconstruction process helps pinpoint

131
00:05:44.550 --> 00:05:46.890
the exact entry point of the attack

132
00:05:46.890 --> 00:05:50.460
and uncovers exploited weaknesses in security controls.

133
00:05:50.460 --> 00:05:53.400
Simultaneously, they may work on data recovery

134
00:05:53.400 --> 00:05:55.500
to restore compromised files,

135
00:05:55.500 --> 00:05:57.930
ensuring critical data is recovered quickly

136
00:05:57.930 --> 00:06:00.210
to minimize operational disruption.

137
00:06:00.210 --> 00:06:02.700
Concurrently, the security team might execute

138
00:06:02.700 --> 00:06:04.320
breach response protocols

139
00:06:04.320 --> 00:06:07.170
to notify stakeholders and regulators.

140
00:06:07.170 --> 00:06:09.480
Next, we will explore attribution.

141
00:06:09.480 --> 00:06:12.600
Attribution is the process of identifying the source

142
00:06:12.600 --> 00:06:15.810
or threat actor responsible for a security incident.

143
00:06:15.810 --> 00:06:19.260
A type of actor that an incident may be attributed to

144
00:06:19.260 --> 00:06:20.880
is an insider threat.

145
00:06:20.880 --> 00:06:23.100
Insider threats occur when an individual

146
00:06:23.100 --> 00:06:25.380
within the organization, such as an employee

147
00:06:25.380 --> 00:06:28.650
or contractor, intentionally or unintentionally

148
00:06:28.650 --> 00:06:30.510
compromises systems or data.

149
00:06:30.510 --> 00:06:31.740
In this situation,

150
00:06:31.740 --> 00:06:34.050
attribution focuses on gathering evidence

151
00:06:34.050 --> 00:06:36.720
such as access logs and behavior analytics

152
00:06:36.720 --> 00:06:39.450
to confirm the threat originated internally

153
00:06:39.450 --> 00:06:41.190
and determine if the incident was caused

154
00:06:41.190 --> 00:06:44.340
by negligence, error or malicious intent.

155
00:06:44.340 --> 00:06:47.790
For example, if sensitive files were accessed by an employee

156
00:06:47.790 --> 00:06:49.800
outside of their usual role,

157
00:06:49.800 --> 00:06:53.070
attribution efforts would focus on analyzing access logs

158
00:06:53.070 --> 00:06:56.010
and communications to determine if this activity

159
00:06:56.010 --> 00:06:58.170
was conducted by an insider threat.

160
00:06:58.170 --> 00:07:00.090
Identifying the individual responsible

161
00:07:00.090 --> 00:07:02.880
allows the organization to respond appropriately

162
00:07:02.880 --> 00:07:04.680
and prevent future incidents.

163
00:07:04.680 --> 00:07:07.500
Finally, we will look at root cause analysis.

164
00:07:07.500 --> 00:07:09.450
Root cause analysis is the process

165
00:07:09.450 --> 00:07:12.900
of identifying the underlying reason for a security incident

166
00:07:12.900 --> 00:07:14.910
to prevent future occurrences.

167
00:07:14.910 --> 00:07:17.730
This involves tracing the issue back to its origin

168
00:07:17.730 --> 00:07:20.850
by analyzing technical failures, vulnerabilities,

169
00:07:20.850 --> 00:07:23.430
or human errors that enabled the incident.

170
00:07:23.430 --> 00:07:26.610
The goal is to understand how the incident occurred,

171
00:07:26.610 --> 00:07:28.980
whether it was due to misconfigurations,

172
00:07:28.980 --> 00:07:32.100
unpatched software, or procedural failures,

173
00:07:32.100 --> 00:07:34.740
and then to implement long-term solutions

174
00:07:34.740 --> 00:07:37.080
that address these root causes.

175
00:07:37.080 --> 00:07:40.290
For example, after a successful phishing attack,

176
00:07:40.290 --> 00:07:42.090
root cause analysis might reveal

177
00:07:42.090 --> 00:07:45.180
that the organization lacks sufficient email filtering

178
00:07:45.180 --> 00:07:46.680
and employee training.

179
00:07:46.680 --> 00:07:48.120
By addressing these gaps,

180
00:07:48.120 --> 00:07:50.340
the organization can reduce the likelihood

181
00:07:50.340 --> 00:07:52.230
of similar incidents in the future.

182
00:07:52.230 --> 00:07:54.690
To finish things off, we'll take a short quiz

183
00:07:54.690 --> 00:07:57.330
to see what you learned during this section of the course,

184
00:07:57.330 --> 00:08:00.690
and we will review each of those quiz questions fully

185
00:08:00.690 --> 00:08:03.570
to ensure you can explain why the right answers were right

186
00:08:03.570 --> 00:08:05.280
and the wrong answers were wrong.

187
00:08:05.280 --> 00:08:08.580
So, let's get ready to dive into incident response

188
00:08:08.580 --> 00:08:10.563
in this section of the course.

