Incident Response MindMap (2 of 6) | CISSP Domain 7

Destination Certification
Review of the major Incident Response topics to guide your studies, and help you pass the CISSP exam...
Video Transcript:
Hey, I'm Rob Witcher from Destination Certification, and I'm here to help you pass the CISSP exam. We're going to go through a review of the major incident response topics in Domain 7 to understand how they interrelate and to guide your studies. This is the second of six videos for Domain 7. I've included links to the other MindMap videos in the description below. These MindMap videos are one part of our complete CISSP Master Class.

Before we get into the incident response process, let's define two terms. We'll start with an event. What's an event? An event is an observable occurrence. Someone logging in is an event. A file being written to a drive is an event. Someone scanning the external firewall is an event. We do not particularly care about the vast majority of events. Now, what is an incident? An incident is an event that negatively impacts the organization in some way. A server crashing, a password being brute forced, an attacker getting through the firewall: these are all incidents. We definitely care about incidents. Incident response is focused on detecting incidents, providing an effective and efficient response to reduce the impact to the organization, maintaining or restoring business continuity, and defending against future attacks.

This diagram I'm showing you here is a typical incident response process. There's an important point I want to make while I'm showing you this, though. There are lots of different incident response processes out there from different authoritative sources such as NIST and CERT. These different incident response process frameworks define slightly different numbers of steps or names of steps. I wouldn't overly focus on the exact steps and names. All of these incident response processes have the same underlying goals in mind: be prepared for an incident, be able to detect an incident and then respond quickly, minimize the damage, return to normal operations, and learn from the incident so you can improve things and try to prevent future incidents.

So, given that warning about not overly focusing on the exact steps, let's now go through these exact steps. To effectively respond to an incident you must first do a fair bit of preparation: create an incident response policy and procedures, identify and train appropriate people, put in place monitoring capabilities, etc., etc. The incident response process can be categorized into three high-level buckets: triage, action and investigation, and recovery.

We'll start at the beginning of the incident response process: triage. The first and absolutely most important step in the incident response process is detection. If you cannot detect that an incident has occurred, there is no way you can activate your response process and do all the rest of the stuff we're going to talk about here shortly. If you are asked on the exam to put the incident response process steps in order, always look for detection as the first step. There are all sorts of ways that you can identify and detect incidents from the flood of events that are constantly occurring. We can use tools like intrusion detection systems, which feed into our security information and event management systems, or building monitoring systems like fire alarms, or a report from an employee, among many other ways. And remember the difference between an event, an observable occurrence, and an incident, which is an event that has a negative impact on the organization.

Once we've detected an incident, the next step is to respond by activating our incident response team. One of the first things the incident response team is going to do is conduct an impact assessment. They're going to try to determine the severity of the incident and how long it will take to recover. This impact assessment drives the rest of the process, and if the maximum tolerable downtime, the MTD, is going to be exceeded, then this will not be treated as an incident; rather, we will declare a disaster and enact our BCP or DRP plans. More on that in video six of Domain 7, where I talk about business continuity management. I'll link to that video below.

The next category is action and investigation, and the next step is mitigation. This is where we try to minimize the damage and contain the incident. For example, if we have a worm ripping through our network we may decide to disconnect systems from the network, or if we have a fire, activate the fire suppression system. These are ways to try to minimize the damage. Reporting is actually conducted throughout the incident response process. What is important to remember is that there should be one dedicated person on the incident response team who is reporting out to all the relevant stakeholders: management, investors, regulators, customers, the media, etc., while the rest of the incident response team stays focused on responding to the incident.

The recovery category is where we work on getting things back to business as usual and making improvements so the same incident doesn't occur again. The recovery step is where we work on returning things to business as usual. In the example of the worm outbreak, we eradicate the worm and begin reconnecting systems to the network, or in the example of the fire, we clean up the charred, soaking mess of the office, install new carpeting, paint the walls, move in new furniture, etc. These are all examples of recovering to get back to business as usual. Remediation actually begins in parallel with mitigation. Remediation is where we are performing root cause analysis to determine how we can prevent, say for example, the continued spread of the worm while we recover systems, or prevent the reignition of the fire. Remediation continues through the recovery process and the closure of the incident, and leads into lessons learned. Lessons learned is the post-incident step where we do some soul searching: how did this happen, how can we prevent this from happening again, why? The goal of lessons learned is to improve processes and systems and teach people to try and prevent future incidents and, if they do occur, detect them more quickly and respond more effectively.

All right, and that is an overview of incident response within Domain 7, covering the most critical concepts you need to know for the exam. If you're looking for a PDF version of these MindMaps, you can download a completely free version; the link is in the description below.
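The detection-then-impact-assessment flow the video walks through, as an added example that is not from the video or from Destination Certification: a constructed event feed is sifted so that only the brute-forced password case becomes an incident, and an estimated recovery time is compared against an assumed MTD to decide between running the incident process and declaring a disaster. The event records, the failure threshold and the MTD value are all constructed assumptions.

```python
"""Toy triage stage for the incident response process reviewed above.

Added example; the events, threshold and MTD below are constructed."""
from collections import defaultdict

# Constructed event feed: (timestamp_seconds, source_ip, user, outcome).
# Most of these are ordinary observable occurrences, i.e. events, not incidents.
EVENTS = [
    (0, "10.0.0.5", "alice", "login_ok"),
    (10, "10.0.0.9", "bob", "login_fail"),
    (12, "10.0.0.9", "bob", "login_fail"),
    (14, "10.0.0.9", "bob", "login_fail"),
    (16, "10.0.0.9", "bob", "login_fail"),
    (18, "10.0.0.9", "bob", "login_fail"),
    (20, "10.0.0.9", "bob", "login_ok"),    # success right after a burst of failures
    (30, "10.0.0.7", "carol", "file_write"),
]

FAIL_THRESHOLD = 5   # assumed: failures inside WINDOW that make a success suspicious
WINDOW = 60          # assumed: seconds


def detect_incidents(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Detection: promote 'many failures then a success' for one (ip, user)
    into a brute-force incident; every other event is left alone."""
    recent_fails = defaultdict(list)   # (ip, user) -> timestamps of recent failures
    incidents = []
    for ts, ip, user, outcome in events:
        key = (ip, user)
        # keep only failures still inside the sliding window
        recent_fails[key] = [t for t in recent_fails[key] if ts - t <= window]
        if outcome == "login_fail":
            recent_fails[key].append(ts)
        elif outcome == "login_ok" and len(recent_fails[key]) >= threshold:
            incidents.append({"type": "brute_force_success", "ip": ip,
                              "user": user, "at": ts,
                              "failures": len(recent_fails[key])})
            recent_fails[key].clear()
    return incidents


def impact_assessment(estimated_recovery_hours, mtd_hours):
    """Impact assessment: recovery expected to exceed the MTD is not handled
    as an incident but escalated to the BCP/DRP (declare a disaster)."""
    if estimated_recovery_hours > mtd_hours:
        return "declare_disaster"
    return "incident_response"


if __name__ == "__main__":
    for inc in detect_incidents(EVENTS):
        print(inc, "->", impact_assessment(estimated_recovery_hours=2, mtd_hours=8))
```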