Preparing for and Executing Incident Recovery

Whenever an incident happens, you have to figure out the “Who, What, Where, When”. This course will help you understand how to conduct an investigation, eradicate the incident and how to build out your own CSI (Cyber-Security Investigator) Jump-Bag.
Course info
Level
Beginner
Updated
Mar 19, 2018
Duration
3h 24m
Table of contents
Course Overview
Your Objectives Here
What Should Be in Your “Jump-bag”?
What About the Digital “Jump-bag”
Understanding the Incident Recovery Process
The Techniques of Recovery: Containment
The Techniques of Recovery: Eradication
The Techniques of Recovery: Validation and Corrective Actions
That’s a Wrap
Description
Course info
Level
Beginner
Updated
Mar 19, 2018
Duration
3h 24m
Description

Cybersecurity investigations are used to determine what events, changes, and other actions have happened on a device, who or what performed them, and what data is stored there. In this course, Preparing for and Executing Incident Recovery, you'll leanr how to conduct an investigation, eradicate the incident and how to build out your own CSI (Cyber-Security Investigator) Jump-Bag. First you'll learn how to be ready to conduct your own forensic investigations. Next, you'll learn what computer forensic techniques are used in a variety of scenarios, including police investigations, system misuse, compromise and malware analysis, and investigations related to internal policy violations. Then, you'll learn about how to create your own forensics kit, their contents, and the use of these devices and tools. Finally, you'll be shown some forensic suites and tools that provide you what you'll need to capture and preserve forensics data and to perform forensic investigations. By the end of this course, you will have discovered and developed new skills to tackle many cyber-security scenarios.

About the author
About the author

Dale Meredith received his Certified Ethical Hacker and Certified EC-Counsel Instructor certifications back in 2006, as well as being a Microsoft Certified Trainer since 1998 (yes we had computers back then). Dale takes great pride in helping students comprehend and simplify complex IT concepts.

More from the author
Ethical Hacking: Vulnerability Analysis
Intermediate
3h 14m
27 Sep 2018
More courses by Dale Meredith
Section Introduction Transcripts
Section Introduction Transcripts

Course Overview
Hi everyone, my name is Dale Meredith, and I'd like to welcome you to my course, Preparing for and Executing Incident Recovery. And this is an exciting course because it actually covers the domains from the CSA+, the GCIH, and ECIH certification path. I know, it's like a buy one, get two free deal. I've been a trainer since 1998, as well as a cybersecurity trainer and consultant. I've worked with several corporate 500 companies, as well as the Department of Homeland Security on several different projects, I'd love to tell you about them, but then I'd have to kill you. Today's world is a complex and different world from five years ago, it's one marked by increased cyber attacks, some of which are forcing us to rewrite new rules. Beyond the increase and frequency of the attack, we're also facing an increase of the type of organizations that have become targets. It goes well beyond the traditional financial or government organizations. It's spreading to places like health care, retailers, as well as really any organization that has access to customer information and data. Look, the hard truth is we can't stop all breaches, but a rapid response and recovery to a security event can go a long way when it comes to minimizing the impact. Whether it's a financial or a reputation based impact. So let's get you trained on how to recover from an incident, okay? Some of the major topics we'll cover in this course will include how to create your own incident response team as well as how to write an appropriate recovery plan. And I've got some fun stuff for you too. We'll look at how to make sure you have all the tools you need by creating a jump bag. Both a physical one and a digital one that'll be full of cool tools, brah. By the end of this course you should have a great understanding of how to prepare yourself and your organization on how to handle the recovery process from containment to eradication to validation and finally to take corrective action. I've got you covered, before beginning this course, you should be familiar with the basic network typologies like TCP/IP and devices like routers and switches. You should also be somewhat familiar with different operating systems, such as Windows and Linux. Listen, I hope you'll join me in this adventure in learning with preparing for and executing incident recovery. Here at Pluralsight.

What Should Be in Your “Jump-bag”?
Okay, so let's talk about what should be in your forensic kit, or as I like to call it, your jump-bag. In this module, we're going to go through and actually have a little bit of fun. I'm going to first go through and show you how to choose a jump-bag. We'll then go through and talk about the different items that we need to have inside the jump-bag including storage items, as well as network items. We'll also cover the wireless items that you need to have. Again, we're just trying to create a bag that we can grab on the fly if we need to go do some forensics. We'll also go through and take a look at some additional physical tools that we want to include, as wall as what we refer to as our digital workstations. And then of course I've got some other items that I didn't physically have myself but I want to talk to you guys about them because you might see them in your immediate future. So when you're ready to get going, let's go ahead and get to the next clip.

What About the Digital “Jump-bag”
Okay, so now that we've talked about or showed you what should be in your physical jump-bag, let's talk about what digital devices you need to have. Now, I know I mentioned that this was in our digital jump-bag, but there's actually some differences as far as things we need to have that could be either digital or physical, and I'll talk to you about those. We'll then go through and take a look at the different types of forensic software, including the suites of software that's available to us, as well as hashing, and we'll look at password cracking. There's actually three different types of password cracking that you need to be aware of for your immediate future. In fact, most of these you'll need to be aware of for your immediate future. We'll also take a look at something called imaging. This is kind of a combination of physical and digital. We're going to take physical images of the hard drives or the storage devices. So, now that we kind of understand what we're going to be looking at, let's get into this.

Understanding the Incident Recovery Process
Okay, before we get into the nitty gritty, let's actually first talk about making sure we understand the incident recovery process. Again, everything is always going to be, at least when it comes to incident recovery, it's always going to be laid out very methodically. Because we need to make sure we follow certain steps, and we'll talk about those. In fact, we're going to go through in this particular module, we'll talk a look at a couple of things. We'll go through and make sure you understand what we mean by incident recovery. We'll also go through and look at the steps of IR or that's obviously short of incident recovery. And we'll take a look at the plans that we need to have in place. We'll then go through and look at the individuals that are involved with incident recovery. Who's on our team? Dale, Dale, he's our man, if he can't do it, pretty much anyone could. No, we'll then go through and take a look at the impact analysis. It's actually really important because it's going to determine how or which machines you bring up in which order. And then we'll also talk about some other things that revolve around incident recovery. So, now that we've got a game plan here, what we're going to be talking about, go ahead and click next and we'll get going.

The Techniques of Recovery: Containment
Okay, let's now take a look at the techniques of recovery and in particular containment. There's actually a couple of different levels we'll look at. Containment, eradication as well as recovery but in this module we'll actually go through and take a look at containing the damage that may be occurring or may have occurred. We'll also take a look at something called segmentation as well as isolation, removal and reverse engineering. Each of these steps are important in the containment process, so when you're ready to continue, go ahead and hit Next.

The Techniques of Recovery: Eradication
Our next step after containment is the eradication stage. That just sound so violent, doesn't it? It actually sounds like maybe it's a line for an Austrian actor. "Listen to me now or hear me later. "I will eradicate it, yeah. " In this module, we're actually going through and take a look at those eradication steps or the different options. We also have the ability to reimage or some people even call it reconstruct. And then of course we have disposal process. And so, I know it doesn't look like a lot to talk about. It really isn't because we're going to get right to the point. We will eradicate with extreme prejudiced.

The Techniques of Recovery: Validation and Corrective Actions
Okay, in this module we're going to look at the techniques of recovery for validating and the corrective actions that need to take place, so what we'll do is we'll go through and first take a look at the validation process. In it we're going to break that down into things like patching, permissions, scanning and logging. Then we'll go on and look at the corrective actions that should be part of your plan and that you should be doing and that will include what did we learn from this particular incident and any change control that takes place and of course updating the plan itself. So, now that we've got our road map, let's get going.

That’s a Wrap
Okay, let's talk about how we wrap this all up, as far as incident handling is concerned. So in this module, we'll go through and take a look at couple of things, when it comes to reporting, but before we do that, we need to understand why crimes go unreported, there's actually some reasons behind it and then we'll take a look at who do you tell? Sometimes that's one of the reasons why it goes unreported, I'm going to tell you who you can actually notify and then we'll go through and take a look at how do we get the report out, that's really quite easy. So, when you're ready to continue, go ahead and hit Next.