Incident Planning - CompTIA Security+ SY0-701 - 4.8

00:01

Before an actual security event occurs,

00:04

it's always a good idea to perform some testing.

00:07

This gives you a chance to evaluate how well documented

00:10

your response plans might be.

00:12

And it also gives you a chance to test your security skill

00:15

set.

00:15

If you are planning to perform some type of security incident

00:19

testing, you want to be sure to do that with test systems.

00:23

You don't want to affect any of your production systems

00:26

while you're performing these tests.

00:28

Another important consideration is

00:30

you will have a limited amount of time.

00:32

There are usually others who are involved

00:34

during these exercises, and they, of course,

00:36

have other duties to attend to as well.

00:38

The exercises themselves are designed

00:41

to test your processes, your procedures, and any

00:43

of your technical skills.

00:45

But, of course, it's always good to sit down

00:47

after the event is over and evaluate how well you did

00:51

during that particular test.

00:53

There might be some processes or procedures

00:55

that you went through during this exercise that

00:58

might lead you to make some changes for any future events.

01:01

And this is why many organizations will get together

01:04

after the exercise is over to evaluate these processes

01:08

and see where some changes might need to be made.

01:11

At some point, an organization will

01:13

want to test everything associated with their disaster

01:16

recovery plan.

01:17

But running a full-scale disaster event takes time,

01:20

it takes money, and it takes people away

01:22

from their primary jobs.

01:24

There may be times where you might start with a smaller

01:27

version of this type of drill into something

01:30

we call a tabletop exercise.

01:32

Tabletop exercises involve everyone sitting around a table

01:36

and logistically stepping through the policies

01:38

and procedures for these security events.

01:41

One of the advantages, of course,

01:43

is that you are all just sitting around a table

01:45

and discussing what you would do in this scenario.

01:48

This means you don't have to go through the process of putting

01:50

together a full-scale incident drill.

01:53

But it does allow you to step through your processes

01:56

and your procedures to see where there might be places

01:58

you can improve in the future.

02:00

This might be something that you can

02:02

accomplish in just a few hours.

02:03

You get everyone around the table,

02:05

and you step through one specific scenario

02:08

that you can use to evaluate your processes if that

02:11

was to occur.

02:12

This means that everyone in the room

02:14

can talk over what they would do first, what they

02:16

would do second, and so on.

02:18

And since everyone in the room is involved with the incident

02:21

response process, you can, in real time,

02:23

describe what you would do and then see

02:26

what the other parts of the organization

02:28

would do at the same time.

02:30

One type of test that occurs quite a bit

02:32

in actual real-world use is a simulation.

02:36

A test allows us to perform a simulated attack

02:39

and to see what the results of that attack might be.

02:42

For example, you might send phishing emails

02:44

to the organization and see who might click on them.

02:47

You might call the help desk and see

02:48

if someone can change the password for an account

02:51

or take data and send that data outside of your organization

02:55

to see if your monitoring systems would catch it.

02:58

If you're part of a larger organization,

03:00

you might have already been involved

03:02

in a phishing simulation.

03:03

This is when the security team will send a phishing email

03:06

to everyone in the company.

03:08

It might be requesting somebody to click on a link

03:11

to update information in your systems

03:13

or it may be requesting a password change.

03:15

Obviously, this would be something

03:17

that you would not want a user to click on inside

03:20

of their email, and if anyone does

03:22

click those particular links, you'll

03:24

be able to get a report showing exactly

03:26

who clicked and followed up with the information in that email.

03:30

If this phishing simulation is sent by a third party,

03:33

this also gives you a chance to test your internal systems

03:36

to see how well it recognizes the phishing attempt

03:39

and see if your automated filters are able to remove it

03:42

from your mail system before it ever gets to the users.

03:46

And if somebody does click on one of those links,

03:49

you'll also want to evaluate how your anti-phishing systems

03:52

occur when somebody tries to visit a phishing site.

03:56

All of this can now be evaluated after the fact

03:59

to see where you might want to increase

04:01

the security of your systems, and you

04:03

might need to bring in users for additional training

04:06

for email phishing events.

04:08

When a security incident occurs, there

04:10

are usually a number of different smaller

04:13

events within that much larger security event.

04:16

For example, you may have someone

04:18

that breaches one particular vulnerability in a server.

04:21

And from there, they begin transferring data, planting

04:24

other types of malware, and performing other events

04:27

on your network.

04:28

Eventually, you'll want to know how they originally

04:31

got into your network or find the root cause.

04:35

This root cause analysis can give us

04:37

some insight into processes and procedures

04:39

that either did not work as expected

04:42

or we completely neglected a particular part of our security

04:46

infrastructure.

04:46

We can usually evaluate log files,

04:49

look at information that may have been stored

04:51

on servers by the attacker, and recreate

04:54

what really happened when that attacker visited the network.

04:58

This evidence allows us to reconstruct and understand

05:01

how this person got into the network in the first place.

05:05

And in some situations, there are multiple steps or multiple

05:08

processes the attacker went through

05:10

to gain access to your systems.

05:12

So you shouldn't necessarily look at a single root cause

05:16

because there may be multiple root

05:18

causes that allow that user access to your systems.

05:22

As we've already seen with attacks

05:23

that focus on social engineering,

05:25

there are times when a user makes a mistake,

05:29

and that could lead to an attacker gaining access

05:31

to our systems or our data.

05:33

The important part is how we address those mistakes

05:36

and find corrections for them to prevent any future attacks.

05:41

One way to prevent an attacker from taking

05:43

advantage of a vulnerability is to find that vulnerability

05:47

first.

05:47

We do this through the process of threat hunting.

05:50

This might involve us making changes to a firewall rule.

05:54

Maybe we're tracking the types of vulnerabilities that were

05:57

announced in the last few days.

05:58

And we're also checking the systems

06:00

that we have already installed to make sure

06:02

that they are up to date with the latest patches.

06:05

The challenge, of course, is that it's

06:07

difficult to identify an attack until the attack is actually

06:11

occurring.

06:12

And of course, we would like to prevent this attack

06:14

from occurring in the first place.

06:16

So it's useful to monitor our existing systems

06:18

and make sure that everything is up to date.

06:21

There are also a remarkable number

06:23

of monitoring tools and automated systems

06:25

that can identify certain types of attacks

06:28

and stop them before they gain access to your systems.

06:31

Having that type of automation can

06:33

help you prevent an attack from occurring even

06:36

when you're not actively watching for it to occur.