1
00:00:09,610 --> 00:00:17,890
Incident response is necessary for rapidly detecting incidents and restoring computing services after

2
00:00:17,890 --> 00:00:26,290
a security event. To assist organizations in establishing computer security incident response capabilities

3
00:00:26,290 --> 00:00:32,680
and handling, the National Institute of Standards and Technology created

4
00:00:33,130 --> 00:00:42,400
the NIST SP 800-61 r2 publication, which is a guide for computer security incident

5
00:00:42,490 --> 00:00:44,690
handling.

6
00:00:44,860 --> 00:00:51,660
If you follow the link in the resources for this lecture, it will take you to a PDF version of this guide.

7
00:00:53,350 --> 00:01:00,880
Now let's take a look at the incident response process. Handling an incident should include four major

8
00:01:00,880 --> 00:01:17,960
phases: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.

9
00:01:18,160 --> 00:01:24,010
The preparation phase is used to make sure that you have your ducks in a row in case there is an incident.

10
00:01:24,990 --> 00:01:33,300
Some key examples would be equipment for analyzing compromised devices and the proper communication

11
00:01:33,330 --> 00:01:41,730
channels. Jump kits can be built with all the necessary tools so that you and your team are ready to quickly

12
00:01:41,730 --> 00:01:46,850
respond to an incident.

13
00:01:47,010 --> 00:01:53,760
The detection and analysis phase can be difficult due to there being so many event types and source

14
00:01:53,760 --> 00:01:56,680
technologies.

15
00:01:56,680 --> 00:02:04,660
Here are some NIST recommendations for making incident analysis easier and more effective:

16
00:02:04,840 --> 00:02:15,380
things like network profiling, understanding normal behaviors with anomaly detection, log retention policies,

17
00:02:16,290 --> 00:02:17,460
event correlation,

18
00:02:21,030 --> 00:02:31,950
and, among other things, keeping accurate time to make sure that you can properly correlate events.

19
00:02:31,950 --> 00:02:37,690
Next we have the containment, eradication, and recovery phase.

20
00:02:37,800 --> 00:02:42,300
This phase is primarily used to prevent additional damage,

21
00:02:42,330 --> 00:02:49,230
preserve evidence, and to maintain network availability. As you'd expect,

22
00:02:49,320 --> 00:02:55,560
the faster you can discover the attacking host and contain it, the better off you are.

23
00:02:55,560 --> 00:03:02,190
The longer a compromised host is on the network, the more time the attacker has to spread and create back

24
00:03:02,190 --> 00:03:09,600
doors on the network. You'll want to look for logins throughout the network and logs during the time

25
00:03:09,600 --> 00:03:18,160
of the attack to make sure that the attacker didn't compromise other hosts on the network.

26
00:03:18,180 --> 00:03:24,750
Once an incident has been contained, evidence should be collected and documented with information such

27
00:03:24,750 --> 00:03:29,440
as computer identifications and collection details,

28
00:03:31,200 --> 00:03:34,080
especially since you may need it for a legal proceeding.

29
00:03:38,210 --> 00:03:45,950
After the storm clears, eradication may be necessary to eliminate components of the incident, such as

30
00:03:46,070 --> 00:03:54,770
deleting malware and disabling breached user accounts, as well as identifying and mitigating all vulnerabilities

31
00:03:54,830 --> 00:03:59,180
that were exploited. For some incidents,

32
00:03:59,220 --> 00:04:04,500
eradication is either not necessary or is performed during recovery.

33
00:04:05,100 --> 00:04:12,060
In recovery, administrators restore systems to normal operation, confirm that the systems are functioning

34
00:04:12,120 --> 00:04:18,610
normally, and remediate vulnerabilities to prevent similar incidents.

35
00:04:22,420 --> 00:04:31,010
The last step of the incident response process is the post-incident analysis phase, which is used to take a

36
00:04:31,010 --> 00:04:37,340
step back and assess why the incident happened and what your organization could have done differently

37
00:04:37,760 --> 00:04:40,900
to improve their incident response process.

38
00:04:42,020 --> 00:04:49,160
This can be accomplished by holding internal meetings to discuss lessons learned and update processes

39
00:04:49,230 --> 00:04:50,060
accordingly.
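The lecture makes two points that fit together in practice: accurate, synchronized time is what makes event correlation possible, and during containment you want to search logins across the network during the attack window to find other hosts the attacker reached. The script below is an added example (not part of the lecture transcript and not code from NIST SP 800-61) that shows both on constructed input: it parses login lines from three hosts, converts each host's local timestamp to UTC using an assumed per-host clock offset, lists the logins inside an assumed incident window, and names the hosts that were logged into from the suspected attacking address. Running the same query with the offsets ignored shows how one misconfigured clock hides two of the three relevant logins. Host names, log format, offsets, users, addresses and the incident window are all assumptions made up for the example.

```python
"""Correlate login events from several hosts over an incident window.

Added example, not code from the lecture or from NIST: every host name,
log line, clock offset, user and address below is a constructed assumption.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample logs: "<host> <local date> <local time> <user> <source ip>"
SAMPLE_LOGS = [
    "web01 2024-03-04 10:02:11 svc_backup 10.0.0.5",
    "web01 2024-03-04 12:45:00 alice 10.0.0.20",
    "db01 2024-03-04 05:07:30 svc_backup 10.0.0.5",
    "db01 2024-03-04 02:00:00 bob 10.0.0.21",
    "fs01 2024-03-04 11:09:45 svc_backup 10.0.0.5",
    "fs01 2024-03-04 07:30:00 carol 10.0.0.22",
]

# Assumed UTC offset (hours) of each host's clock. db01 is deliberately set to
# a different zone to show why unsynchronized time breaks correlation.
HOST_UTC_OFFSET_HOURS = {"web01": 0, "db01": -5, "fs01": 1}

# Assumed incident window (UTC) and suspected attacking host.
INCIDENT_START = datetime(2024, 3, 4, 10, 0, 0, tzinfo=timezone.utc)
INCIDENT_END = datetime(2024, 3, 4, 10, 30, 0, tzinfo=timezone.utc)
SUSPECT_SRC = "10.0.0.5"


def parse_line(line, normalize=True):
    """Parse one log line into a dict whose 'ts' is a UTC datetime.

    With normalize=False the local time is taken at face value (treated as
    UTC), which is what happens when clocks are not synchronized or the
    analyst ignores per-host offsets.
    """
    host, date, clock, user, src = line.split()
    naive = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
    hours = HOST_UTC_OFFSET_HOURS[host] if normalize else 0
    local = naive.replace(tzinfo=timezone(timedelta(hours=hours)))
    return {"host": host, "ts": local.astimezone(timezone.utc), "user": user, "src": src}


def logins_in_window(lines=SAMPLE_LOGS, start=INCIDENT_START, end=INCIDENT_END, normalize=True):
    """Return (host, utc_iso, user, src) tuples for logins inside [start, end], ordered by time."""
    events = [parse_line(line, normalize) for line in lines]
    hits = [e for e in events if start <= e["ts"] <= end]
    hits.sort(key=lambda e: e["ts"])
    return [(e["host"], e["ts"].strftime("%Y-%m-%dT%H:%M:%SZ"), e["user"], e["src"]) for e in hits]


def hosts_reached_from(src=SUSPECT_SRC, lines=SAMPLE_LOGS, start=INCIDENT_START, end=INCIDENT_END):
    """Hosts that received a login from `src` during the window: candidates for further containment."""
    return sorted({host for host, _, _, s in logins_in_window(lines, start, end) if s == src})


if __name__ == "__main__":
    print("Logins in window (clocks normalized to UTC):")
    for hit in logins_in_window():
        print("  ", *hit)
    print("Logins in window (per-host offsets ignored):")
    for hit in logins_in_window(normalize=False):
        print("  ", *hit)
    print("Hosts reached from", SUSPECT_SRC, "->", hosts_reached_from())
```

With the offsets applied, all three `svc_backup` logins from 10.0.0.5 land inside the ten-o'clock window and `db01`, `fs01` and `web01` are reported as hosts to examine next; with the offsets ignored, only `web01` shows up, because `db01`'s local timestamp reads five hours early and `fs01`'s one hour late. That gap is the practical reason the lecture lists accurate time alongside event correlation.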