WEBVTT

1
00:00:00.000 --> 00:00:01.170
<v Narrator>In this lesson,</v>

2
00:00:01.170 --> 00:00:03.690
we will learn about event response.

3
00:00:03.690 --> 00:00:07.380
Event response includes the actions taken to handle,

4
00:00:07.380 --> 00:00:10.620
investigate and mitigate a security incident

5
00:00:10.620 --> 00:00:13.290
after it has been detected and contained.

6
00:00:13.290 --> 00:00:17.400
Event response concepts include timeline reconstruction,

7
00:00:17.400 --> 00:00:21.390
data recovery and extraction, and breach response.

8
00:00:21.390 --> 00:00:24.480
Timeline reconstruction involves piecing together

9
00:00:24.480 --> 00:00:27.330
the sequence of events leading up to

10
00:00:27.330 --> 00:00:28.980
and during the incident.

11
00:00:28.980 --> 00:00:33.510
Next, data recovery and extraction focus on restoring lost

12
00:00:33.510 --> 00:00:35.160
or compromised data

13
00:00:35.160 --> 00:00:38.700
and extracting critical information for analysis.

14
00:00:38.700 --> 00:00:42.660
Finally, breach response encompasses the broader steps

15
00:00:42.660 --> 00:00:46.020
of mitigating damage, securing systems,

16
00:00:46.020 --> 00:00:48.120
and ensuring compliance with legal

17
00:00:48.120 --> 00:00:50.280
and regulatory requirements.

18
00:00:50.280 --> 00:00:53.520
Let's learn more about timeline reconstruction,

19
00:00:53.520 --> 00:00:57.240
data recovery and extraction, and breach response.

20
00:00:57.240 --> 00:01:00.090
First, we have timeline reconstruction.

21
00:01:00.090 --> 00:01:04.440
Timeline reconstruction involves gathering data from logs,

22
00:01:04.440 --> 00:01:07.620
system alerts, and other monitoring tools

23
00:01:07.620 --> 00:01:10.920
to create a chronological account of events.

24
00:01:10.920 --> 00:01:15.060
This timeline is crucial for identifying the attack path,

25
00:01:15.060 --> 00:01:18.690
exploited vulnerabilities, and affected systems.

26
00:01:18.690 --> 00:01:21.600
The National Institute of Standards and Technology,

27
00:01:21.600 --> 00:01:24.210
or NIST, provides guidelines,

28
00:01:24.210 --> 00:01:28.470
such as its special publication 800-61,

29
00:01:28.470 --> 00:01:31.140
for establishing a comprehensive approach

30
00:01:31.140 --> 00:01:35.280
to incident response, including timeline reconstruction.

31
00:01:35.280 --> 00:01:39.480
Key tools for this process include security information

32
00:01:39.480 --> 00:01:42.150
and event management, or SIEM systems,

33
00:01:42.150 --> 00:01:45.420
which centralize log data from across the network

34
00:01:45.420 --> 00:01:47.280
and forensic analysis tools,

35
00:01:47.280 --> 00:01:49.500
like Autopsy or EnCase,

36
00:01:49.500 --> 00:01:53.730
which assist in diving deeper into device-level data

37
00:01:53.730 --> 00:01:55.950
to track the attacker's movements.

38
00:01:55.950 --> 00:01:58.770
In the timeline reconstruction process,

39
00:01:58.770 --> 00:02:03.240
investigators carefully examine each event in the logs

40
00:02:03.240 --> 00:02:07.980
to track when and how each component of the attack unfolded.

41
00:02:07.980 --> 00:02:12.180
They look for specific patterns or anomalies in system

42
00:02:12.180 --> 00:02:16.590
and firewall logs, such as unusual login times,

43
00:02:16.590 --> 00:02:19.680
high-frequency access to sensitive files,

44
00:02:19.680 --> 00:02:23.460
or atypical use of administrative privileges.

45
00:02:23.460 --> 00:02:26.430
Each data point is examined in sequence

46
00:02:26.430 --> 00:02:30.450
to create a structured view of the attacker's actions.

47
00:02:30.450 --> 00:02:34.650
However, attackers may attempt to manipulate logs

48
00:02:34.650 --> 00:02:38.880
to obscure their trail, inserting false timestamps

49
00:02:38.880 --> 00:02:41.400
or deleting specific entries.

50
00:02:41.400 --> 00:02:45.510
So recognizing these manipulations is important

51
00:02:45.510 --> 00:02:49.680
and often requires comparing logs across different systems

52
00:02:49.680 --> 00:02:54.240
and devices, to identify gaps or inconsistencies.

53
00:02:54.240 --> 00:02:58.530
For example, one way to detect a log manipulation

54
00:02:58.530 --> 00:03:03.390
is by correlating activity from various independent sources,

55
00:03:03.390 --> 00:03:07.020
such as networking logs, application logs,

56
00:03:07.020 --> 00:03:09.240
and even endpoint logs.

57
00:03:09.240 --> 00:03:14.010
So if a critical action, like accessing a secured server,

58
00:03:14.010 --> 00:03:17.010
appears in one log, but not in another

59
00:03:17.010 --> 00:03:20.100
that typically records all access attempts,

60
00:03:20.100 --> 00:03:22.200
this could indicate tampering.

61
00:03:22.200 --> 00:03:25.980
Tools like Splunk and LogRhythm are invaluable here,

62
00:03:25.980 --> 00:03:30.540
as they can automate comparisons and flag inconsistencies.

63
00:03:30.540 --> 00:03:34.230
Analysts may also look for log gaps,

64
00:03:34.230 --> 00:03:37.260
which are unexplained breaks in log entries

65
00:03:37.260 --> 00:03:39.330
where no activity is recorded,

66
00:03:39.330 --> 00:03:42.180
which could suggest log deletions.

67
00:03:42.180 --> 00:03:45.990
So cross-referencing these logs with system alerts

68
00:03:45.990 --> 00:03:49.230
and user behavior helps to reveal attempts

69
00:03:49.230 --> 00:03:51.090
at log manipulation.

70
00:03:51.090 --> 00:03:55.170
Second, we have data recovery and extraction.

71
00:03:55.170 --> 00:03:59.250
Data recovery and extraction aim to restore compromised,

72
00:03:59.250 --> 00:04:00.690
or lost data,

73
00:04:00.690 --> 00:04:04.950
and to extract useful information for further analysis.

74
00:04:04.950 --> 00:04:08.760
NIST's special publication 800-61,

75
00:04:08.760 --> 00:04:11.850
the Computer Security Incident Handling Guide,

76
00:04:11.850 --> 00:04:15.930
and special publication 800-184,

77
00:04:15.930 --> 00:04:19.140
the Guide for Cybersecurity Event Recovery,

78
00:04:19.140 --> 00:04:21.150
as well as the Cybersecurity

79
00:04:21.150 --> 00:04:24.450
and Infrastructure Security Agency, or CISA,

80
00:04:24.450 --> 00:04:27.450
Incident Response and Recovery Playbook,

81
00:04:27.450 --> 00:04:31.560
and the Data Backup Options for Cyber Incident Recovery,

82
00:04:31.560 --> 00:04:36.210
offer protocols for effective data recovery and extraction,

83
00:04:36.210 --> 00:04:38.130
ensuring that organizations

84
00:04:38.130 --> 00:04:41.280
approach these processes systematically.

85
00:04:41.280 --> 00:04:43.950
Additionally, tools like Disk Drill,

86
00:04:43.950 --> 00:04:46.890
or Stellar Data Recovery allow teams

87
00:04:46.890 --> 00:04:50.970
to recover data from damaged or encrypted drives.

88
00:04:50.970 --> 00:04:53.850
And for more complex data extraction,

89
00:04:53.850 --> 00:04:57.120
especially in cases involving mobile devices,

90
00:04:57.120 --> 00:05:00.690
a tool called Cellebrite is commonly used.

91
00:05:00.690 --> 00:05:05.550
In practice, data recovery starts by securing backup copies

92
00:05:05.550 --> 00:05:09.180
of data before restoring from recent backups,

93
00:05:09.180 --> 00:05:11.040
or decryption attempts.

94
00:05:11.040 --> 00:05:14.250
Then the extraction of key incident data

95
00:05:14.250 --> 00:05:17.940
involves isolating specific pieces of information

96
00:05:17.940 --> 00:05:20.580
critical for understanding the breach,

97
00:05:20.580 --> 00:05:25.200
such as compromised credentials or exfiltrated files.

98
00:05:25.200 --> 00:05:30.000
This extraction also aids in refining forensic analysis,

99
00:05:30.000 --> 00:05:32.310
giving investigators clear targets

100
00:05:32.310 --> 00:05:34.830
to explore within the network.

101
00:05:34.830 --> 00:05:39.060
Here the objective is not only to restore functionality,

102
00:05:39.060 --> 00:05:41.130
but also to gather evidence

103
00:05:41.130 --> 00:05:44.370
that can assist in identifying vulnerabilities.

104
00:05:44.370 --> 00:05:48.060
For example, imagine a scenario where a breach leads

105
00:05:48.060 --> 00:05:52.260
to the loss of critical files on a financial server.

106
00:05:52.260 --> 00:05:55.380
By using a combination of backup recovery

107
00:05:55.380 --> 00:05:57.000
and extraction tools,

108
00:05:57.000 --> 00:06:00.930
the security team restores files from recent backups

109
00:06:00.930 --> 00:06:04.980
and pulls key transaction data for further analysis.

110
00:06:04.980 --> 00:06:08.880
They find that attackers accessed financial records

111
00:06:08.880 --> 00:06:12.810
two days before the breach was detected, signaling a need

112
00:06:12.810 --> 00:06:15.510
to upgrade monitoring systems.

113
00:06:15.510 --> 00:06:18.960
Finally, the team documents each recovered file

114
00:06:18.960 --> 00:06:20.580
and extracted item,

115
00:06:20.580 --> 00:06:24.270
building an evidence trail that provides clarity

116
00:06:24.270 --> 00:06:26.490
on what data was compromised

117
00:06:26.490 --> 00:06:29.310
and where security gaps existed.

118
00:06:29.310 --> 00:06:33.000
Third and last, we have breach response.

119
00:06:33.000 --> 00:06:36.150
Breach response covers the critical steps taken

120
00:06:36.150 --> 00:06:40.020
to mitigate damage, secure compromised systems,

121
00:06:40.020 --> 00:06:43.920
and fulfill legal or regulatory obligations.

122
00:06:43.920 --> 00:06:48.030
NIST special publication 800-61

123
00:06:48.030 --> 00:06:51.270
and the ISO 27035,

124
00:06:51.270 --> 00:06:53.940
Information Security Incident Management,

125
00:06:53.940 --> 00:06:57.630
provide robust frameworks for breach response,

126
00:06:57.630 --> 00:07:01.020
advising on measures like incident notification,

127
00:07:01.020 --> 00:07:05.580
stakeholder communication, and system lockdown procedures.

128
00:07:05.580 --> 00:07:08.610
In this effort, a core set of tools,

129
00:07:08.610 --> 00:07:12.060
such as endpoint detection and response solutions,

130
00:07:12.060 --> 00:07:14.550
like CrowdStrike or Carbon Black,

131
00:07:14.550 --> 00:07:18.360
aid in identifying and isolating infected endpoints

132
00:07:18.360 --> 00:07:20.250
to stop further spread.

133
00:07:20.250 --> 00:07:23.940
Additionally, vulnerability scanners like Nessus,

134
00:07:23.940 --> 00:07:28.080
help assess and mitigate weaknesses that allowed the breach.

135
00:07:28.080 --> 00:07:32.850
So during a breach response, the security team acts swiftly

136
00:07:32.850 --> 00:07:36.750
to contain and remove any traces of the attacker

137
00:07:36.750 --> 00:07:39.930
from the network, working to secure systems

138
00:07:39.930 --> 00:07:42.090
against future intrusions.

139
00:07:42.090 --> 00:07:46.290
This includes identifying potentially compromised accounts,

140
00:07:46.290 --> 00:07:50.310
ensuring secure backups and resetting credentials.

141
00:07:50.310 --> 00:07:52.230
Throughout the breach response,

142
00:07:52.230 --> 00:07:54.660
effective communication with stakeholders

143
00:07:54.660 --> 00:07:56.760
and regulators is essential

144
00:07:56.760 --> 00:08:00.510
and often required by data protection regulations,

145
00:08:00.510 --> 00:08:04.440
such as GDPR or CCPA.

146
00:08:04.440 --> 00:08:07.590
So by notifying affected parties,

147
00:08:07.590 --> 00:08:10.470
organizations build transparency

148
00:08:10.470 --> 00:08:13.260
and ensure compliance with legal standards,

149
00:08:13.260 --> 00:08:16.650
which can reduce penalties and maintain trust.

150
00:08:16.650 --> 00:08:19.650
For instance, after a healthcare breach,

151
00:08:19.650 --> 00:08:24.650
a hospital security team may execute a breach response plan.

152
00:08:24.780 --> 00:08:27.780
Here they isolate affected systems,

153
00:08:27.780 --> 00:08:30.030
disable compromised accounts,

154
00:08:30.030 --> 00:08:32.430
and conduct vulnerability scans

155
00:08:32.430 --> 00:08:35.274
to determine the extent of the breach.

156
00:08:35.274 --> 00:08:37.560
Then they notify patients

157
00:08:37.560 --> 00:08:41.250
whose records may have been accessed and report the incident

158
00:08:41.250 --> 00:08:45.300
to regulatory bodies within the required timeframe.

159
00:08:45.300 --> 00:08:47.100
Following this response,

160
00:08:47.100 --> 00:08:49.950
they implement stricter access controls

161
00:08:49.950 --> 00:08:52.770
and update their incident response plan,

162
00:08:52.770 --> 00:08:55.140
demonstrating a proactive commitment

163
00:08:55.140 --> 00:08:58.200
to improving security and compliance.

164
00:08:58.200 --> 00:09:02.070
So remember, event response involves

165
00:09:02.070 --> 00:09:04.890
the coordinated actions taken to handle,

166
00:09:04.890 --> 00:09:08.490
investigate, and mitigate a security incident

167
00:09:08.490 --> 00:09:11.580
once it has been detected and contained.

168
00:09:11.580 --> 00:09:14.250
Event response includes key concepts,

169
00:09:14.250 --> 00:09:18.390
like timeline reconstruction, data recovery and extraction,

170
00:09:18.390 --> 00:09:21.930
and breach response, each addressing different aspects

171
00:09:21.930 --> 00:09:24.840
of managing the aftermath of a breach.

172
00:09:24.840 --> 00:09:28.260
Timeline reconstruction is the process of gathering

173
00:09:28.260 --> 00:09:30.540
and analyzing log data

174
00:09:30.540 --> 00:09:33.330
to create a detailed sequence of events,

175
00:09:33.330 --> 00:09:36.990
which helps identify exploited vulnerabilities

176
00:09:36.990 --> 00:09:38.910
and the attacker's path.

177
00:09:38.910 --> 00:09:43.470
Next, data recovery and extraction aim to restore lost

178
00:09:43.470 --> 00:09:45.000
or compromised data,

179
00:09:45.000 --> 00:09:48.450
and pull essential information for further analysis,

180
00:09:48.450 --> 00:09:52.620
which is crucial for minimizing operational impact.

181
00:09:52.620 --> 00:09:56.910
And finally, a breach response focuses on mitigating damage,

182
00:09:56.910 --> 00:10:00.990
securing systems, and ensuring regulatory compliance,

183
00:10:00.990 --> 00:10:05.190
minimizing the incident's impact on the organization

184
00:10:05.190 --> 00:10:08.133
and upholding legal responsibilities.

