welcome back to CyberRays is. Of course I'm your instructor. Bread Roads. Let's talk about incident. Response.
So by training and trade, I am an incident responders, a defender, And so this is near and dear to my heart.
So in this video, we're gonna talk about the incident response cycle is defined by the National Institutes for Standards and Technologies. We're gonna talk about communications during an incident and why that is vital. Now we're gonna talk about why it's important to have an IR checklist.
So this is the incident response cycle as defined by NIST. And so you see preparation. You see detection and analysis. You see containment eradication, recovery and post incident activity. Obviously, we want to do a lot of work in preparation. That's putting those controls in place. Is, is that's what we do, right?
We don't want to do that detection analysis. So that's continuous monitoring. We want to be able to
No, what's happening right? If something does happen, we have to have the means to contain, eradicate and recover very quickly. And that's where we talk about things like, you know, business continuity, recovery time objectives, recovery point objectives. We think about the disaster recovery plans, all of that stuff. We have to do that here and then post incident activity.
Obviously, we're going to assess how well we did in the incident response.
Now we're going to look to improve upon what we did, and that's how we captured that there. And this is obviously cyclical, and clearly you can see you can do a lot of work in preparation but still have to detect something and still have to contain something. So it's not perfect. But at least it's a framework to work with.
So communications during an incident is very important for the Incident response team. As you can see them here centered in this graphic. They talked to lots of other people. They could be talking toe SPS. They could be talking to law enforcement. They could be talking to customers. Goodness, I hope you don't have to do an incident response where you talk to customers because that's no fun. Um,
you may be talking to other response teams and say the same industry vertical that you're in to understand if they're seeing the same kinds of things.
And maybe maybe you have to talk to vendors as well. Maybe it was their product. That was the cause of the breach. And so the point here is that incident responders talkto lots of people. In the case of an ISI, if Thean student is related to a control you helped to build, our employer deployed an organization, right?
You're likely going to be interacting with the incident response team
and communicating with them. But here's the thing. And here's the most important point. Here is the secret of communications in an incident. Have a plan. Know who you're supposed to talk to. Know your reporting change? No. The old military term chain of command?
No. That know who's got the authorities to make decisions on expenditure of funds if you don't communicate during an incident or don't know who to or how to.
If you don't have a plan, you're just gonna be sunk out of the gate and you're gonna be grasping at straws.
Uh, incident responders always walk in the door of the checklist, and it's not because they don't remember stuff where they for gotten things. No, this is so that we standardize what we do in an incident response. If we go into every incident and we don't do the same processes, policies, procedures, guidelines, that kind of thing.
We're going to miss something when it comes to trying to detect,
contain, eradicate and recover. It's just a given fact. And oh, by the way, in the midst of an incident response when the quote unquote cyber bullets are flying, if you don't have some process that you follow, i e an incident response checklist. It is very likely, very likely that you will
miss something and having significant problems because
the adversarial just established persistence and hang out because you missed it. So please, please understand having instant response checklists. And if incident responders come to us and ask for your inputs, talk to them. Figure out what they need, get them what they need because you probably know the controls a za good as if not better than they do.
So in this lesson, we talked about the incident response cycle. We talked about communications during an incident and the fact that you need to have a plan. And we talked about the fact that an incident response checklist in many cases is the plan that that keeps you on track and focused and calm in the heat of an incident.
We'll see you next time