Course 7: Incident Detection and Response
Welcome to course seven, Incident Detection and Response. Having an intruder inside your systems for months, unnoticed by your systems administrators, security specialists, and end users, is tantamount to giving the intruder the keys to your business or organization. In many cases, organizations discover that they have been subjected to a data breach only when they are told by others that their private data has been offered for sale on the dark web. Many leading voices within the security profession state that we all must do better at detecting the intruders in our midst. Many even say that detecting intruders should be the top priority for security professionals. Ransomware attacks have become a big business, involving not only large-scale extortion attacks but also the sale of ransomware attack tools and services, as well as the exploitation of any data exfiltrated during the breach. Government officials and industry professionals worldwide have been raising their voices about this new and very troubling variant in the business model of advanced persistent threat (APT) attackers.

In this course, we’ll focus on intrusion and incident detection. Many of the tools, techniques, technologies, and ideas you’ll see here have already been examined in previous courses. This course brings them together and begins by discussing the central theme of detecting the intruder. Module one uses the concepts of precursors and indicators, the signals that give us advance warning and a genuine alert about a risk event, and the concept of indicators of compromise, which are those signals that we’re certain can only mean a hostile agent has gained access. Module two extends these ideas and concepts around the question of what to do after you’ve discovered a possible intrusion, expanding your understanding of incident response. Module three continues with a deeper look at supporting forensic investigations.

Forensics is an evidence-based process of logically and dispassionately reasoning about a situation or an event. It’s your inner child looking at something and asking questions, then following each of those questions with more questions, letting the facts that you find frame and shape your growing understanding of what happened, how, why and where, who did it, and what impacts it may have. With these questions answered, you can circle back to reviewing risk mitigation controls to see which, if any, need to be modified, replaced or augmented.
Course 7 Learning Objectives
After completing this course, the participant will be able to:
L7.1 – Review the steps for monitoring, incident detection and data loss prevention using all-source intelligence.
L7.2 – Identify the elements of an incident response policy and members of the incident response team (IRT).
L7.3 – Classify the security professional’s role in supporting forensic investigations.
Module 1: Operate All-source Intelligence for Monitoring and Incident Detection (Domain 3 – Risk Identification, Monitoring, and Analysis)
Module 2: Support Incident Lifecycle (Domain 4 – Incident Response and Recovery)
Module 3: Understand and Support Forensic Investigations (Domain 4 – Incident Response and Recovery)
Who Should Take This Course: Beginners
Experience Required: No prior experience required