Overview of Incident Response and Handling in CCNA Cyber Ops
Introduction
- Final session of the CCNA Cyber Ops instructor training.
- Focus on incident response and handling, particularly the Cyber Kill Chain and the Diamond Model of Intrusion.
Cyber Kill Chain
- Developed by Lockheed Martin to identify and prevent cyber intrusions.
- Seven Steps of the Cyber Kill Chain:
- Reconnaissance: Threat actors gather intelligence and select targets.
- Weaponization: Development of a weapon using discovered vulnerabilities.
- Delivery: Transmitting the weapon to the target via various vectors.
- Exploitation: Triggering the weapon to compromise the target.
- Installation: Establishing a backdoor for continued access.
- Command and Control: Establishing communication with the compromised system.
- Action on Objectives: Achieving the original goal, such as data theft.
Diamond Model of Intrusion
- Comprises four parts: Adversary, Capability, Infrastructure, and Victim.
- Useful for mapping intrusion events and understanding how adversaries pivot between targets.
VERIS Schema
- Vocabulary for Event Recording and Incident Sharing.
- Aims to create structured metrics for describing security incidents.
- Top-Level Elements:
- Impact Assessment
- Discovery and Response
- Incident Description
- Victim Demographics
- Incident Tracking
Computer Security Incident Response Teams (CSIRTs)
- Internal teams that provide incident handling and proactive services.
- Types of CSIRTs include internal, national, and vendor teams.
NIST Incident Response Lifecycle
- Four Steps:
- Preparation
- Detection and Analysis
- Containment, Eradication, and Recovery
- Post-Incident Activities
Conclusion
- Emphasis on the importance of incident response training and preparation.
- Encouragement for students to continue their studies and prepare for assessments.
Hello and welcome to the free CCNA Cyber Ops instructor training, brought to you by the Open University Cisco Academy Support Centre and the Institute of Coding. My name is Kevin Large and I'll be your instructor for this session, and this is the last session, chapter 13, Incident Response and Handling, the final session of the free CCNA Cyber Ops instructor training. No more Monday online videos after this one; it will be down to you with your revision and your skills-based assessments. Hello Enders, how the devil are you, sir? I hope you're well.
Okay, we've got a... I was going to say an interesting chapter. It's a little bit dry, this chapter, because it's all to do with incident response and handling, the various models and various things like that, so I'm afraid this is not going to be the most exciting of chapters, but it's an important chapter, so we'd better make a start.
Okay, the first thing we're going to look at is what's known as the Cyber Kill Chain. The Cyber Kill Chain was developed by Lockheed Martin in order to identify and prevent cyber intrusions. As you can see in the figure, this is a seven-step process, and this helps analysts to understand the techniques, tools and procedures of the threat actors, or, as it's known in the Cyber Kill Chain, the adversaries. So when responding to an incident, the objective is to detect and stop the attack as early as possible in the kill chain progression. The earlier the attack is stopped, the less damage is done and the less the attacker will learn about the target network. Now the Cyber Kill Chain specifies what an attacker must complete in order to accomplish their goal, and the seven steps are reconnaissance, weaponization, delivery, exploitation, installation, command and control, and action on objectives. If the attacker, threat actor, adversary, whatever you want to call them, is stopped at any stage, then the chain of the attack is broken. Breaking the chain will mean that the defender successfully thwarted the threat actor's intrusion.
Okay, let's have a little look at the first step of the Cyber Kill Chain, so reconnaissance. This is where your threat actor performs research, gathers intelligence and selects targets, and this will inform the threat actor if the attack is actually worth progressing with. Any public information may help determine what, where and how the attack could be performed. Now there's an awful lot of publicly available information, especially for larger organizations; these include news articles, websites, conference proceedings and public-facing network devices. There's an increasing amount of information surrounding employees also available via social media outlets. So the threat actor will choose targets that have been either neglected or are unprotected, because they will have a lot higher likelihood of being able to penetrate and compromise those targets. Any information obtained by the threat actor will be reviewed to determine its importance and if it reveals any possible additional avenues for the attack. So we can see adversary tactics: harvesting emails, identifying employees on social media networks, collecting all public-relations information, discovering internet-facing servers. We can also see our Security Operations Center defenses: looking at web alerts, historical searching data, data mining browsing analytics, building a playbook for determining browser behavior that could potentially indicate reconnaissance activity, and prioritizing defense around technologies and people that reconnaissance activity is targeting.
Moving on to the next step, weaponization. So the goal of this step is to use the information from the earlier reconnaissance phase in order to develop a weapon against a specific targeted system in the organization. To develop this weapon the designer will use the vulnerabilities of the assets that were discovered and then build them into a tool that can be deployed. After the tool has been used, it is expected that the threat actor has achieved their goal of gaining access into the target system or network, possibly degrading the health of the target or the entire network. The threat actor will then further examine the network and asset security in order to expose additional weaknesses, gain control over other assets, or to deploy additional attacks. Now it's not difficult to choose a weapon for the attack: the threat actor needs to look at what attacks are available for the vulnerabilities they've discovered. There are many attacks that have already been created and tested at large. One of the big problems here is, because the attacks are so well known, they are also most likely to be known by the defenders, so it's often more effective to use zero-day attacks to avoid any detection methods; indeed, the threat actor may wish to develop their own weapon that is specifically designed to avoid detection, using information about the networks and systems which they've learned. So we can see adversary tactics here, and we can see the Security Operations Center defenses.
Next we move on to the delivery phase. Fairly obvious what happens here: during this step the weapon is transmitted to the target using some form of delivery vector. Now this may be via the use of a website, maybe removable USB media, or an email attachment. If the weapon isn't delivered, then the attack will be unsuccessful. Now the threat actor will use many different methods to increase the odds of delivering the payload, such as, for example, encrypting communications, making the code look legitimate, or obfuscating the code. Now security sensors these days are so advanced that they will detect the code as malicious unless it has been altered in order to avoid detection. Now the code may be altered to seem innocent and yet still be able to perform the necessary actions, even though it may take longer to execute. So we can see for the delivery phase: launching malware at the target, we can have a direct attack against a web server, we could have indirect delivery via malicious emails, malware left on a USB stick, social media interactions, compromised websites. Security Operations Center defenses: we could analyze the infrastructure path used for delivery, understand the targeted servers and people and the data available to attack, we can infer the intent of the adversary based on the targeting, and we can collect email and web logs for forensic reconstruction.
Next comes a fun step, I shouldn't say that, I know, but exploitation. So this is where the threat actor triggers the weapon and executes it in order to compromise the vulnerability and gain control of the target. So after the weapon has been delivered, the threat actor will use it to break the vulnerability and gain control of the target system or target network. Most common exploit targets are either applications or operating system vulnerabilities, or the users. The attacker must use an exploit that gains the effect that they desire. This is extremely important because if the wrong exploit is conducted then obviously the attack will not work, and also unintended side effects such as a denial of service or, for instance, multiple system reboots could cause undue attention that could easily inform our cybersecurity analysts of the attack and the threat actor's intentions.
Installation. So this is the step where the threat actor establishes a backdoor into the system to allow for continued access to the target. In order to preserve this backdoor, it is important that the remote access does not alert cybersecurity analysts or users. The method must survive through anti-malware scans and also rebooting of the computer in order to be effective. This persistent access can also allow for automated communications; this is especially effective when multiple channels of communication are necessary, for example when commanding a botnet. One of the defenses here, of course, is to make use of host-based intrusion prevention systems to alert or block on common installation paths.
Okay, moving forward now to command and control, step number six. In this step the goal is to establish a command and control, or C and C, with the target system. The compromised hosts will usually beacon out of the network to a controller based on the internet; this is because most malware requires manual interaction in order to exfiltrate data from the network. Command and control channels are used by threat actors to issue commands to the software that they're installing on the target. A cybersecurity analyst must be able to detect the command and control communications in order to discover the compromised host. Now this may be in the form of unauthorized Internet Relay Chat traffic or excessive traffic to suspect domains.
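The command and control signs described here, a host beaconing out at regular intervals and posting to a suspect endpoint, as an added example that is not from the session: a small Python detector run over constructed proxy log lines. The log format (timestamp, source host, HTTP method, destination) and all addresses are assumptions.

```python
"""Beacon detection over constructed proxy log lines.

Added example, not from the session: flags (source, destination) pairs that
repeat at near-constant intervals (beaconing) and strengthens the finding
when the requests are HTTP POSTs to a bare IP address rather than a name.
The log format and the hosts below are assumptions, not real data.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress
import statistics

# Constructed sample log: "timestamp src method dest" per line.
# 10.0.0.5 browses normally; 10.0.0.9 posts to one IP every ~5 minutes.
SAMPLE_LOG = """\
2024-01-01T09:00:00 10.0.0.5 GET news.example.org
2024-01-01T09:00:07 10.0.0.5 GET cdn.example.org
2024-01-01T09:03:41 10.0.0.5 GET mail.example.org
2024-01-01T09:10:02 10.0.0.5 GET docs.example.org
2024-01-01T09:00:00 10.0.0.9 POST 203.0.113.10
2024-01-01T09:05:01 10.0.0.9 POST 203.0.113.10
2024-01-01T09:10:00 10.0.0.9 POST 203.0.113.10
2024-01-01T09:15:02 10.0.0.9 POST 203.0.113.10
2024-01-01T09:20:01 10.0.0.9 POST 203.0.113.10
2024-01-01T09:07:30 10.0.0.9 GET intranet.example.org
"""


def parse_log(text):
    """Yield (timestamp, src, method, dest) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, dest = line.split()
        yield datetime.fromisoformat(ts), src, method, dest


def is_bare_ip(dest):
    """True when the destination is a literal IP address, not a hostname."""
    try:
        ipaddress.ip_address(dest)
        return True
    except ValueError:
        return False


def find_beacons(text, min_events=4, max_jitter=0.1):
    """Return {(src, dest): [reasons]} for pairs that look like C2 traffic.

    A pair is flagged as periodic when the coefficient of variation of the
    gaps between its requests is below max_jitter; a second reason is added
    when the pair carries HTTP POSTs to a bare IP address.
    """
    times = defaultdict(list)
    methods = defaultdict(set)
    for ts, src, method, dest in parse_log(text):
        times[(src, dest)].append(ts)
        methods[(src, dest)].add(method)

    findings = {}
    for pair, stamps in times.items():
        if len(stamps) < min_events:
            continue  # too few requests to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        reasons = []
        if cv < max_jitter:
            reasons.append(f"periodic beacon every ~{mean:.0f}s")
        if "POST" in methods[pair] and is_bare_ip(pair[1]):
            reasons.append("HTTP POST to bare IP address")
        if reasons:
            findings[pair] = reasons
    return findings


if __name__ == "__main__":
    for pair, reasons in find_beacons(SAMPLE_LOG).items():
        print(pair, "->", "; ".join(reasons))
```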
And finally the last step of the Cyber Kill Chain, this is the action on objectives step, and this describes the threat actor achieving their original objective. Now this could be data theft, performing a distributed denial of service attack, or using the compromised network to create and send spam, unsolicited email in other words. At this point a threat actor is deeply rooted into the systems of the organization; they're hiding their moves and covering their tracks. It is extremely difficult to remove the threat actor from the network.
Another very important model that you need to know is the Diamond Model of Intrusion. Now the Diamond Model of Intrusion is made up of four parts, and this represents a security incident or event. Now the Diamond Model event is a time-bound activity restricted to specific steps where an adversary will use a capability over some infrastructure against the victim to achieve a specific end result. The four core features of an intrusion event are the adversary, the capability, the infrastructure and the victim. Now the adversary is straightforward enough: these are the parties that are responsible for the intrusion. A capability, this is the tool or technique that the adversary uses in order to attack the victim. The infrastructure, this is the network path or paths that the adversary uses in order to establish and maintain command and control over their capabilities. And the victim, this is the target of the attack. Now the victim might be the target initially and then they may be used as part of the infrastructure to launch other attacks.
Now the adversary uses capabilities over the infrastructure in order to attack the victim, and each line in the model shows how each part reaches another part. For example, a capability such as malware might be used over email by an adversary in order to attack the victim; email would obviously be the infrastructure in this case.
Now we, as cybersecurity analysts, can be called upon to use the Diamond Model to diagram a series of intrusion events. The Diamond Model is ideal for this illustration of how an adversary pivots from one event to the next. So as an example, in this particular figure, the employee reports that his computer is behaving abnormally, so a host scan by the security technician indicates that the computer is infected with malware. An analysis of the malware reveals that the malware contains a list of command and control domain names, and these domain names are resolved to a list of IP addresses. Furthermore, these IP addresses are then used to identify the adversary as well as to investigate logs and determine if other victims in the organisation are using the same command and control channels.
A key thing to bear in mind now is that adversaries do not operate in just a single event; instead the events tend to be threaded together into a chain in which each event must successfully be completed before the next event. This thread of events can be mapped onto our Cyber Kill Chain. So in the following example, shown in the figure on this particular slide, we can illustrate the end-to-end process of an adversary as they vertically traverse the Cyber Kill Chain and use a compromised host to horizontally pivot to another victim and then begin another activity. So if we start with number one, up near the reconnaissance: the adversary conducts a web search for a victim, the victim's company, in this case Gadgets Incorporated, and receives as part of the results the domain gadgets.com. The adversary then uses the newly discovered domain gadgets.com to search for the network administrator of gadgets.com, and then discovers, via forum postings from users claiming to be the network administrator of gadgets.com, the user profiles that reveal their email addresses. And dropping down to step three, into the delivery phase: the adversary sends phishing emails with a Trojan horse attached to the network administrator of gadgets.com. Into exploitation, and step four: one of our network administrators of gadgets.com opens this malicious attachment; this executes the enclosed exploit, allowing for further code execution. Five: the network administrator's compromised host sends an HTTP POST message out to an IP address, registering it with a command-and-control server; the network administrator's compromised host then receives in return an HTTP response. 6: it is revealed from reverse engineering that the malware has additional IP addresses configured; these act as backdoors if the first controller does not respond, so you've got a bit of redundancy built into this malware. 7: through the command-and-control HTTP response messages sent to the network administrator's host, the malware begins to act as a proxy for new TCP connections. Jumping up to 8, starting a new thread: through the proxy established on the network administrator's host, the adversary does a web search for "most important research ever" and finds victim number 2, Interesting Research Inc. 9: the adversary checks network administrator one's email contacts list for any contacts from Interesting Research Inc, and discovers a contact for Interesting Research Inc's chief research officer. So that was sort of pivotal in jumping between the two threads. 10: the chief research officer of Interesting Research Inc receives a spear phishing email, that is, a targeted phishing attack, from Gadgets Inc's network administrator email address, sent from the network administrator's host, so it's actually come from a legitimate email address from the legitimate host, but with the same payload as was observed in event number 3, the Trojan. Now the adversary has two compromised victims from which additional attacks could be launched. Okay.
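The threaded activity just described, as an added example that is not part of the session or its figure: Python that records each of the ten events as a Diamond Model event (adversary, capability, infrastructure, victim) tagged with its kill chain phase and activity thread, checks that each thread only moves forward through the chain, finds the pivot where the compromised admin host (a victim in thread one) is reused as infrastructure in thread two, and reports the first step at which a given set of detectable phases would have broken the chain. The event labels and field names are assumptions.

```python
"""Diamond Model events threaded along the Cyber Kill Chain.

Added example, not from the session: the gadgets.com scenario recorded as
Diamond events tagged with a kill chain phase and an activity thread.
Field names and event labels are assumptions mirroring the session's wording.
"""
from dataclasses import dataclass

KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command_and_control", "actions_on_objectives"]


@dataclass(frozen=True)
class DiamondEvent:
    step: int            # event number in the session's figure
    thread: int          # activity thread the event belongs to
    phase: str           # kill chain phase the event sits in
    adversary: str
    capability: str
    infrastructure: str
    victim: str


# Constructed from the session's ten-step figure; labels are assumptions.
EVENTS = [
    DiamondEvent(1, 1, "reconnaissance", "adversary", "web search",
                 "search engine", "gadgets.com"),
    DiamondEvent(2, 1, "reconnaissance", "adversary", "forum search",
                 "forum", "gadgets.com network admin"),
    DiamondEvent(3, 1, "delivery", "adversary", "trojan",
                 "email", "gadgets.com network admin"),
    DiamondEvent(4, 1, "exploitation", "adversary", "trojan",
                 "email attachment", "admin host"),
    DiamondEvent(5, 1, "command_and_control", "adversary", "malware",
                 "c2 server", "admin host"),
    DiamondEvent(6, 1, "command_and_control", "adversary", "malware",
                 "backup c2 servers", "admin host"),
    DiamondEvent(7, 1, "actions_on_objectives", "adversary", "malware proxy",
                 "c2 server", "admin host"),
    DiamondEvent(8, 2, "reconnaissance", "adversary", "web search",
                 "admin host", "interesting research inc"),
    DiamondEvent(9, 2, "reconnaissance", "adversary", "contact list",
                 "admin host", "chief research officer"),
    DiamondEvent(10, 2, "delivery", "adversary", "trojan",
                 "admin host", "chief research officer"),
]


def threads_out_of_order(events):
    """Return the activity threads whose events move backwards in the
    kill chain; each thread should only progress forward (or stay put)."""
    last = {}
    bad = set()
    for e in sorted(events, key=lambda ev: ev.step):
        idx = KILL_CHAIN.index(e.phase)
        if idx < last.get(e.thread, 0):
            bad.add(e.thread)
        last[e.thread] = idx
    return bad


def find_pivots(events):
    """Map each victim to the later steps in another thread that use it as
    infrastructure: the victim-to-infrastructure pivot the session describes."""
    ordered = sorted(events, key=lambda ev: ev.step)
    pivots = {}
    for i, earlier in enumerate(ordered):
        for later in ordered[i + 1:]:
            if (later.thread != earlier.thread
                    and later.infrastructure == earlier.victim):
                pivots.setdefault(earlier.victim, set()).add(later.step)
    return {victim: sorted(steps) for victim, steps in pivots.items()}


def earliest_break_point(events, detectable_phases):
    """Return (step, phase) of the first event in a phase the SOC can
    detect; stopping the adversary there breaks the chain before the rest."""
    for e in sorted(events, key=lambda ev: ev.step):
        if e.phase in detectable_phases:
            return e.step, e.phase
    return None


if __name__ == "__main__":
    print("out-of-order threads:", threads_out_of_order(EVENTS))
    print("pivots:", find_pivots(EVENTS))
    print("first detectable step:",
          earliest_break_point(EVENTS, {"delivery", "command_and_control"}))
```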
VERIS. So what is the VERIS schema? VERIS is the Vocabulary for Event Recording and Incident Sharing. This is a set of metrics designed to create a way to describe security incidents in a structured and repeatable fashion. VERIS was created to share quality information about security incidents to the community anonymously. The VERIS Community Database, or VCDB, is an open and free collection of publicly reported security incidents in various formats. You can use the unformatted raw data or the dashboard to find VCDB entries. The VCDB is a central location for the security community to learn from experience and help with the decision-making before, during and after a security incident. So with the VERIS schema, risk is defined as the intersection of four landscapes: these are the threat landscape, the asset landscape, the impact landscape and the control landscape. Information from each landscape helps to understand the level of risk to an organization, and VERIS helps to determine these landscapes using real security incidents to help risk management assessment.
Okay, so when we create records to add to the database, we have to start with the basic facts about the incident, and we use the VERIS elements outlined by the community. The only required fields in the records are those where the attribute is present; as more is known about the attribute, then additional data can be added. Additional information can be recorded by adding VERIS labels to an existing record. So with the VERIS schema we have top-level and second-level elements. There are five top-level elements in the VERIS schema, each of which provides a different aspect of the incident. Each top-level element contains several second-level elements, and these elements are useful in classifying data that has been collected about an incident. So starting at the beginning with the first top-level element, we have the impact assessment. So for any incident there is going to be an impact; whether this is minor or widespread, it is often very difficult to determine the scope of the impact until well after the incident has occurred, and in fact sometimes even after it has been remediated. The second-level elements used for impact assessment are: loss categorization, this identifies the type of losses that occurred during the incident; loss estimation, this is an estimate of the total losses that occurred because of the incident; estimation currency, this uses the same currency where multiple different types are involved; the impact rating, this is the rating that indicates the overall impact of the incident, it could be a number between 1 and 100 or another scale such as a grading scale; and then we have the notes, so these are additional details which may be recorded. Next top-level element, discovery and response. So this section is for recording the timeline of events and the method of incident discovery, and also what the response was to the incident, indicating how it was remediated. The second-level elements for the discovery and response are: the incident timeline, this is the timeline of all events from the discovery of the incident to the time that the incident has been contained or restored back to a fully functional state.
So this section is extremely important for gathering metrics such as the readiness, the actions of the threat actors, the response of the affected organization, and many others as well. The discovery method, this identifies the way in which the incident was discovered; now this could be accidental or by design. The root cause, this identifies any weaknesses or failure in security allowing the incident to take place. Corrective actions, now this variable is for recording what will be done to detect or prevent this type of incident in future. And targeted versus opportunistic, this identifies if the incident was a deliberate targeted attack or if it was a random incident based on an opportunity found by the attacker. Next top level, we have the incident description. So to describe the incident, VERIS uses what's known as the A4 threat model; this was developed by the RISK team at Verizon. The second-level elements used for incident description are also known as the four A's: actors, actions, assets and attributes. So the actors, whose actions affected the incident; the actions, what actions affected the asset; the assets, which assets were affected; and the attributes, how the assets were affected. We then move on to victim demographics. So this section is used for describing the organization that has experienced the incident, and there we have the characteristics of the organization, and these can be compared to other organizations to determine if there are any aspects of an incident that are common. The second-level elements in this case for victim demographics are: the victim ID, identifies the incidents with the organization that experienced them; the primary industry, this identifies the industry where the affected organization conducts business and basically uses the six-digit North American Industry Classification System codes; the country of operation, used to record the country in which the primary location of the organization operates; the state, this is only used when the organization operates in the USA; the number of employees, this is used for recording the size of the entire organization, not just a branch or a department; the annual revenue, so this variable would be rounded for privacy; locations affected, this identifies any additional regions or branches that were affected by the incident; and notes, so any additional details that could be recorded here. And then finally we have the last of the top-level elements, which is incident tracking, and this is for recording general information about the incident so organizations can identify, store and retrieve incidents over time. Second-level elements here would be: the incident ID, so this is a unique identifier for storage and tracking; the source ID identifies the incident in the context of who reported it; the incident confirmation, so this differentiates the incident from those that are known or suspected as being non-incidents; the incident summary provides a short description of the incident; related incidents, this allows the incident to be associated with any similar incidents; the confidence rating provides a rating as to how accurate the reported incident information is; and again incident notes allows the recording of any information that is not captured in any of the other VERIS fields.
The VERIS Community Database, or the VCDB. So the VERIS Community Database is a very useful shared database for organizations that are willing to participate. The organizations can submit security incident details to the VCDB for the community to use, and the larger and more robust the VCDB becomes, the more useful it will be in the prevention, detection and remediation of security incidents. It will also become a very useful tool for risk management, saving organizations data, time, effort and money.
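The five top-level elements and the second-level rules walked through above (impact rating on a 1 to 100 scale, six-digit NAICS industry code, state only for US organizations, revenue rounded for privacy, the four A's), as an added example that is not from the session or the VERIS project: a Python validator for a simplified record. The key names are assumptions chosen to mirror the session's wording, not the real VERIS JSON schema.

```python
"""Build and validate a simplified VERIS-style incident record.

Added example, not from the session or the VERIS project. Key names are
assumptions that mirror the session's five top-level elements; the checks
encode the second-level rules the session describes.
"""


def round_revenue_for_privacy(revenue, bucket=1_000_000):
    """Annual revenue is recorded rounded (here to the nearest million)."""
    return int(round(revenue / bucket)) * bucket


def validate_record(rec):
    """Return a list of problems; an empty list means the record is acceptable."""
    problems = []
    required = ["impact", "discovery_response", "incident_description",
                "victim", "tracking"]
    for key in required:
        if key not in rec:
            problems.append(f"missing top-level element: {key}")
    if problems:
        return problems

    impact = rec["impact"]
    rating = impact.get("rating")
    if not isinstance(rating, int) or not 1 <= rating <= 100:
        problems.append("impact.rating must be an integer from 1 to 100")
    if "loss_estimate" in impact and "currency" not in impact:
        problems.append("impact.currency required when loss_estimate is set")

    dr = rec["discovery_response"]
    if dr.get("targeted") not in ("targeted", "opportunistic"):
        problems.append("discovery_response.targeted must be targeted or opportunistic")
    timeline = dr.get("timeline", [])
    if any(b["time"] < a["time"] for a, b in zip(timeline, timeline[1:])):
        problems.append("discovery_response.timeline must be in time order")

    desc = rec["incident_description"]
    for a in ("actor", "action", "asset", "attribute"):  # the four A's
        if not desc.get(a):
            problems.append(f"incident_description.{a} is empty")

    victim = rec["victim"]
    naics = str(victim.get("industry", ""))
    if not (naics.isdigit() and len(naics) == 6):
        problems.append("victim.industry must be a six-digit NAICS code")
    if "state" in victim and victim.get("country") != "US":
        problems.append("victim.state is only used when the country is US")
    if "revenue" in victim and victim["revenue"] != round_revenue_for_privacy(victim["revenue"]):
        problems.append("victim.revenue must be rounded for privacy")

    tr = rec["tracking"]
    if not tr.get("incident_id"):
        problems.append("tracking.incident_id is required")
    if tr.get("confirmed") not in (True, False):
        problems.append("tracking.confirmed must be true or false")
    return problems


# Constructed sample record, not a real incident.
SAMPLE = {
    "impact": {"loss_categories": ["response", "asset"], "loss_estimate": 25000,
               "currency": "USD", "rating": 40},
    "discovery_response": {
        "timeline": [{"event": "compromise", "time": "2024-01-01"},
                     {"event": "discovery", "time": "2024-01-03"},
                     {"event": "containment", "time": "2024-01-04"}],
        "method": "internal monitoring", "root_cause": "unpatched web server",
        "corrective_actions": ["patch management"], "targeted": "opportunistic"},
    "incident_description": {"actor": "external", "action": "malware",
                             "asset": "web server", "attribute": "integrity"},
    "victim": {"victim_id": "V-0001", "industry": "541511", "country": "US",
               "state": "CA", "employees": 250,
               "revenue": round_revenue_for_privacy(12_345_678)},
    "tracking": {"incident_id": "INC-2024-0001", "source_id": "internal",
                 "confirmed": True, "summary": "web server malware"},
}

if __name__ == "__main__":
    print(validate_record(SAMPLE) or "record accepted")
```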
CSIRTs. A CSIRT is a computer security incident response team, and this is a group commonly found within an organization that provides services and functions in order to secure the assets of that organization. Generally, a computer security incident is any malicious or suspicious act which violates a security policy, or any event that threatens the security, confidentiality, integrity or availability of an organization's assets, information systems or data networks. Typical security incidents could be related to malicious code, denial of service, unauthorized entry, data theft, malicious scans or probes, security breaches or violations of security policy items. So when a security incident takes place, the organization needs a way to respond, and the computer security incident response team, CSIRT, is an internal group commonly found within the organization that provides the services and functions to secure the assets of that organization. A CSIRT does not necessarily only respond to incidents that have already happened; the CSIRT may also provide proactive services and functions such as penetration testing, incident detection, or even security awareness training. Okay, now you can be pretty certain that you'll get some questions related to this in the end of chapter test.
Types of CSIRT. So in larger organizations the CSIRTs will focus on investigating computer security incidents. Information security teams, so InfoSec teams, will focus on implementing security policies and monitoring of security incidents; however, many times in smaller organizations the CSIRTs will handle the tasks of the InfoSec teams. Every organization is different, of course, and the goals of the CSIRT must be in alignment with the goals of the organization. So there are many different types of CSIRTs and related organizations. If we start with the internal CSIRT, this provides incident handling for the organizations in which they reside, so any organization such as a hospital, a bank, a university or a construction company can have an internal CSIRT. A national CSIRT, this provides incident handling for an entire country. Coordination centres, these would coordinate incident handling across multiple CSIRTs; a typical example of this in the U.S. would be US-CERT. US-CERT responds to major incidents, analyzes threats and exchanges information with other cybersecurity experts and partners around the world. Analysis centers, the analysis centers use data from many sources to determine incident activity trends; these trends help to predict future incidents and provide early warning about how to prevent and mitigate damage as quickly as possible, so the VERIS community is an example of an analysis center. We also have vendor teams: vendor teams provide remediation for vulnerabilities in an organization's software or hardware, and these teams often handle customer reports concerning security vulnerabilities, so this team may also act as an internal CSIRT for an organization, a typical example being Cisco's Product Security Incident Response Team, PSIRT. Managed security service providers, an MSSP: they provide incident handling to other organizations on a fee-based service, so Cisco, Symantec, Verizon and IBM are all examples of managed security service providers.
Now CERT, C-E-R-T in this case, is the Computer Emergency Response Team, and these are similar to CSIRTs but they're not exactly the same. CERT is actually a trademarked acronym owned by Carnegie Mellon University. Now a CSIRT is an organization responsible for receiving, reviewing and responding to security incidents, whilst a CERT provides security awareness, best practice and security vulnerability information to populations, so CERTs do not directly respond to security incidents.
The National Institute of Standards and Technology, NIST. So when we're establishing an incident response capability, the NIST recommendations for incident response are detailed in their Special Publication 800-61 Revision 2; this is entitled Computer Security Incident Handling Guide. NIST 800-61 r2 provides guidelines for incident handling, particularly for analyzing incident-related data and determining the appropriate response to each incident. The guidelines can be followed independently of a particular hardware platform, operating system, protocols or applications. So the first step is for an organization to establish a computer security incident response capability, and NIST recommends creating policies, plans and procedures for establishing and maintaining the aforementioned computer security incident response capability.
Policy. An incident response policy details how incidents should be handled based on the organization's mission, size and function. The policy should be reviewed regularly to adjust it to meet the goals of the roadmap that has been laid out. As well as your policies we also have incident response plans, so a good incident response plan would help to minimize the damage caused by an incident. It also helps to make the overall incident response program better by adjusting it according to the lessons that have been learned. It will ensure that each party involved in the incident response has a clear understanding of not only what they will be doing but what others will be doing as well. Finally we have the incident response procedures. So the procedures that are followed during an incident response should follow the incident response plan. The procedures, such as following technical processes, using techniques, filling out forms, following checklists, are standard operating procedures. These standard operating procedures should be detailed so that the mission and the goals of the organization are kept in mind when these procedures are followed. Standard operating procedures minimize errors that may be caused by personnel who are under stress while participating in incident handling. It is important to share and practice these procedures, making sure that they are useful, accurate and also appropriate.
Looking at incident response stakeholders. So other groups and individuals within the organization may also be involved with incident handling, and it's important to ensure that they will cooperate before the incident is underway. Their expertise and abilities can help the CSIRT to handle the incident quickly and correctly. So some of the stakeholders that may be involved in handling a security incident would be, not surprisingly, the management. So the managers create the policies that everyone must follow; they also design the budget and are in charge of the staffing for all departments, so management must coordinate incident response with other stakeholders and minimize the damage of the incident. Information assurance, so this group may need to be called in to change things such as firewall rules during some stages of incident management, such as the containment or recovery. IT support, this is the group that works with the technologies in the organization and understands it the most; because IT support has a deeper understanding, it is most likely that they will perform any corrective actions to minimize the effectiveness of the attack and to preserve any evidence properly. The legal department, it's always best practice to have the legal department review the incident policies, plans and procedures to make sure that they do not violate any local or federal guidelines; also, if any incident has legal implications, a legal expert will need to be involved. This might include prosecution, evidence collection or lawsuits. Public affairs and media relations, there are many times when the media and the public might need to be informed of an incident, such as when their personal information has been compromised during the incident. HR, human resources, the human resources department might need to perform disciplinary measures if an incident was caused by an employee. We've got the business continuity planning, so security incidents may alter an organization's business continuity; it's important that those in charge of business continuity planning are aware of the security incidents and the impact that they have had on an organization as a whole, and this will allow them to make any changes to any risk and plan assessments. And finally, physical security and facilities management, so when a security incident happens because of a physical attack such as tailgating or shoulder surfing, these teams might need to be informed and involved. It is also their responsibility to secure the facilities that contain evidence for an investigation.
Okay, if we look at our NIST incident response lifecycle: NIST defines four steps in the incident response process. These are preparation; detection and analysis; containment, eradication and recovery; and post-incident activities.

Preparation: the members of the CSIRT are trained in how to respond to an incident. Detection and analysis: through continuous monitoring, the CSIRT quickly identifies, analyzes and validates an incident. Containment, eradication and recovery: the CSIRT implements procedures to contain the threat, to eradicate the impact on organizational assets, and also to use backups to restore data and software. This phase may also call back to detection and analysis in order to gain more information or expand the scope of the investigation. And we've got post-incident activities: the CSIRT will then document how the incident was handled, recommend any changes for future response, and also specify how to avoid any recurrence of the incident.

If we look a little bit deeper at the preparation phase: the preparation phase is when the CSIRT is created and trained. This phase is also when the tools and assets that will be needed by the team to investigate the incident are acquired and deployed. The following examples of actions also need to take place during the preparation phase. Organizational procedures are created to address communication between people on the response team; this includes things such as contact information for stakeholders, other CSIRTs and law enforcement, as well as issue tracking systems, smartphones and encryption software. Facilities to host the response team and the Security Operations Center need to be created. Necessary hardware and software for incident analysis and mitigation need to be acquired; this may include forensic software, spare computers, servers, network devices, backup devices, packet sniffers and protocol analyzers.
Risk assessment is used to implement controls that will limit the number of incidents. Validation of security hardware and software deployment is performed on end-user devices, servers and network devices. And user security awareness training materials need to be developed and deployed.

Detection and analysis. Okay, now, because there are so many different ways in which a security incident can occur, it is impossible to create instructions that completely cover each step to follow in handling them. Different types of incidents will require different responses.

Attack vectors: an organization should be prepared to handle any incident, but it should focus on the most common types of incidents so they can be dealt with swiftly. Some of the most common types of attack vectors are: web, any attack that is initiated from a website or an application hosted by a website; email, any attack that's initiated from an email or email attachment; loss and theft, any equipment that is used by the organization, such as laptops, desktops or smartphones, that can provide the required information for someone to initiate an attack; impersonation, when someone or something is replaced for the purpose of malicious intent; attrition, any attack that uses brute force to attack a device, network or service; and media, any attack which is initiated from external storage or removable devices.

Incident analysis is difficult because not all of the indicators are accurate. In a perfect world, each indicator would be analyzed to find out if it was accurate; however, this is nearly impossible due to the number and variety of logged and reported incidents. The use of complex algorithms and machine learning often helps determine the validity of security incidents; however, this is more prevalent in large organizations that have thousands or even millions of incidents daily. So one method that can be used is network and system profiling. Profiling is the measure of the characteristics of expected activity in a network device or system, so that any changes can be more easily identified.
Containment, eradication and recovery. After a security incident has been detected and sufficient analysis has been performed to determine that the incident is actually valid, it must be contained in order to determine what to do about it. So strategies and procedures for incident containment need to be in place before the incident occurs, and implemented before there is any widespread damage.

We need a containment strategy, so for every type of incident a containment strategy should be created and enforced. Some of the conditions to determine the type of strategy to create for each incident would be: how long will it take to implement or complete a solution? How much time and how many resources will be needed to implement the strategy? What is the process to preserve evidence? Can the attacker be redirected to a sandbox, so that the computer security incident response team can safely document the attacker's methodology? What will the impact be on the availability of services? What is the extent of damage to resources or assets? And how effective is the strategy?

Okay, during an incident, evidence must be gathered to resolve it. Evidence is also important for subsequent investigation by the authorities, so clear and concise documentation surrounding the preservation of evidence is critical. For evidence to be admissible in court, the evidence collection must conform to specific regulations. After evidence collection, it must also be accounted for properly; this is known as the chain of custody. We also have what's known as the post
incident activity. It is important to perform a post-mortem and to periodically meet with all of the parties involved to discuss the events that took place and the actions of all individuals whilst handling the incident. So once a major incident has been handled, the organization should hold a lessons-learned meeting in order to review the effectiveness of the incident handling process and identify any necessary hardening needed for existing security controls and practices. Typical questions to ask would be: exactly what happened, and at what times? How well did the staff and management perform while dealing with the incident? Were the documented procedures followed, and were they adequate? What information was needed sooner? Were any steps or actions taken that might have inhibited the recovery? What would the staff and management do differently next time if a similar incident occurred? How could information sharing with other organizations be improved? What corrective actions can prevent a similar incident in the future? What precursors or indicators should be watched for in the future to detect similar incidents? And what additional tools or resources are needed to detect, analyze and mitigate future incidents?

Now, incident data collection and
retention. In our lessons-learned meeting, the collected data can be used to determine the cost of an incident for budgeting reasons, to determine the effectiveness of the CSIRT, to identify any possible security weaknesses in the system, and, as in NIST Special Publication 800-53, to form an objective assessment of an incident. And there should be an evidence retention policy that outlines how long evidence from an incident should be retained. Evidence is often retained for many months or years after an incident has taken place. The reasons affecting evidence retention include prosecution, type of data and also cost of storage.

So, for instance, prosecution: when an attacker will be prosecuted because of a security incident, then the evidence should be retained until after all legal action has been completed; this may be several months or years. In legal action, no evidence should be overlooked or considered insignificant; an organization's policy may state that any evidence surrounding an incident that has been involved in legal action must never be destroyed or deleted.

Data type: an organization may specify that specific types of data should be kept for a specific period of time, so items such as email or text may only need to be kept for 90 days, whereas more important data, such as that used in incident response that has not had any legal action, may be kept for three years or more.

And cost: there is a lot of hardware and storage media that needs to be stored for a long time, and this can become costly. Also remember that technology changes, so functional devices can become outdated; the hardware and storage media needed to read the evidence must be stored as well.

Reporting requirements and information sharing: government regulations should be consulted by the legal team to determine precisely the organization's responsibilities for reporting the incident. In addition, management will need to determine what additional communication is necessary with any other stakeholders, such as customers, vendors, partners, etc. Beyond the legal requirements and stakeholder considerations, NIST actually recommends that an organization coordinates with other organizations to share the details of the incident; for example, the organization could log the incident in the VERIS community database. The critical recommendations from NIST for sharing information are as follows: plan incident coordination with external parties before the incident occurs; consult with the legal department before initiating any coordination efforts; perform incident information sharing throughout the incident response lifecycle; attempt to automate as much of the information sharing process as possible; balance the benefits of information sharing with the drawbacks of sharing sensitive information; and share as much of the appropriate incident information as possible with other organizations.

And wow, we're here, we've reached the end of
the last chapter of the CCNA Cyber Ops. Not the most exciting chapter, a little bit dry with all of the different models for incident response; however, it is now the point where I'm gonna hand everything over to you guys and girls, and it's now the point where you've got your revision and the skills-based assessment. So please keep a close eye on the Open University Cisco Academy Support Center Facebook page. You've got the study calendars; the study calendar is also on the webpage, so let me see if I can quickly find that link to the study calendar. There we go, alright, let's bring that one across. Okay, this is the big study calendar with all of the courses on it, but nevertheless we can see that chapter 13 is incident response and handling. We've got a two-week break over Christmas and then we've got one, two, three weeks for the SBA, finals and accreditation. So what I'm hoping is that very soon we'll have a situation where we have a considerable number of CCNA Cyber Ops accredited instructors. So thank you very, very much for joining me for all of these sessions, and I wish you all the very best with your revision and your further studies and the final exam, and I hope very soon that I will be accrediting everybody as fully qualified Cisco CCNA Cyber Ops instructors. Best wishes to everybody for Christmas, and who knows, I'll probably see you again on one of the OU Cisco Academy courses in the future. Thank you very much.
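The detection-and-analysis part of the lecture describes network and system profiling (measure what normal activity looks like so that changes stand out) but gives no worked illustration. The following is an added example, not code from the Cisco course or the lecture: it builds a per-host baseline from a few days of constructed flow records, then scores a new observation window and reports hosts that talk to ports never seen before, hosts whose daily byte volume is far above their norm, and sources with no baseline at all. The flow line format, the addresses, the five-day history and the three-sigma threshold are all assumptions made for this illustration.

```python
"""Network and system profiling for incident analysis.

Added example, not from the CCNA Cyber Ops course: builds a per-host baseline
of expected outbound activity from historical flow records, then scores a new
window against it so that deviations stand out. The record format, addresses
and thresholds are assumptions made for this illustration.
"""
import re
import statistics
from collections import defaultdict

# Assumed record format: "<ISO timestamp> <src> -> <dst>:<port> bytes=<n>"
FLOW_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) bytes=(?P<bytes>\d+)$"
)

# Constructed sample data (not real traffic): five normal days for two hosts.
BASELINE_FLOWS = [
    "2023-12-01T09:00:00 10.0.0.5 -> 203.0.113.7:443 bytes=1200",
    "2023-12-01T09:00:01 10.0.0.5 -> 10.0.0.1:53 bytes=80",
    "2023-12-01T09:05:00 10.0.0.9 -> 203.0.113.7:443 bytes=5000",
    "2023-12-02T09:00:00 10.0.0.5 -> 203.0.113.7:443 bytes=1100",
    "2023-12-02T09:00:01 10.0.0.5 -> 10.0.0.1:53 bytes=90",
    "2023-12-02T09:05:00 10.0.0.9 -> 203.0.113.7:443 bytes=5200",
    "2023-12-03T09:00:00 10.0.0.5 -> 203.0.113.7:443 bytes=1300",
    "2023-12-03T09:00:01 10.0.0.5 -> 10.0.0.1:53 bytes=85",
    "2023-12-03T09:05:00 10.0.0.9 -> 203.0.113.7:443 bytes=4800",
    "2023-12-04T09:00:00 10.0.0.5 -> 203.0.113.7:443 bytes=1250",
    "2023-12-04T09:00:01 10.0.0.5 -> 10.0.0.1:53 bytes=70",
    "2023-12-04T09:05:00 10.0.0.9 -> 203.0.113.7:443 bytes=5100",
    "2023-12-05T09:00:00 10.0.0.5 -> 203.0.113.7:443 bytes=1150",
    "2023-12-05T09:00:01 10.0.0.5 -> 10.0.0.1:53 bytes=95",
    "2023-12-05T09:05:00 10.0.0.9 -> 203.0.113.7:443 bytes=4900",
]

# Constructed observation window with three deviations planted in it.
NEW_WINDOW_FLOWS = [
    "2023-12-06T09:00:00 10.0.0.5 -> 203.0.113.7:443 bytes=1200",
    "2023-12-06T09:00:01 10.0.0.5 -> 10.0.0.1:53 bytes=80",
    "2023-12-06T03:12:44 10.0.0.5 -> 198.51.100.23:4444 bytes=300",    # new port
    "2023-12-06T02:30:00 10.0.0.9 -> 203.0.113.7:443 bytes=52000000",  # volume
    "2023-12-06T10:00:00 10.0.0.77 -> 203.0.113.7:443 bytes=500",      # unknown
    "this line is malformed and must be ignored",
]


def parse_flows(lines):
    """Parse raw records; malformed lines are dropped rather than trusted."""
    flows = []
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if m:
            flows.append({"day": m["ts"][:10], "src": m["src"],
                          "port": int(m["port"]), "bytes": int(m["bytes"])})
    return flows


def build_baseline(flows, min_days=3):
    """Per source host: the set of ports seen and mean/stdev of daily bytes."""
    ports, daily = defaultdict(set), defaultdict(lambda: defaultdict(int))
    for f in flows:
        ports[f["src"]].add(f["port"])
        daily[f["src"]][f["day"]] += f["bytes"]
    baseline = {}
    for host, per_day in daily.items():
        totals = list(per_day.values())
        if len(totals) >= min_days:  # too few days gives a meaningless stdev
            baseline[host] = {"ports": set(ports[host]),
                              "mean": statistics.mean(totals),
                              "stdev": statistics.stdev(totals)}
    return baseline


def score_window(baseline, flows, sigma=3.0):
    """Compare one window against the baseline and return a list of findings."""
    findings, seen_ports, totals = [], defaultdict(set), defaultdict(int)
    for f in flows:
        seen_ports[f["src"]].add(f["port"])
        totals[f["src"]] += f["bytes"]
    for host in sorted(totals):
        prof = baseline.get(host)
        if prof is None:
            findings.append({"kind": "unknown_host", "host": host})
            continue
        for port in sorted(seen_ports[host] - prof["ports"]):
            findings.append({"kind": "new_port", "host": host, "port": port})
        # A very steady host has stdev near zero; floor the spread at 10% of
        # the mean so a single ordinary fluctuation does not trigger an alert.
        spread = max(prof["stdev"], 0.1 * prof["mean"])
        threshold = prof["mean"] + sigma * spread
        if totals[host] > threshold:
            findings.append({"kind": "volume", "host": host,
                             "bytes": totals[host], "threshold": round(threshold, 1)})
    return findings


if __name__ == "__main__":
    profile = build_baseline(parse_flows(BASELINE_FLOWS))
    for finding in score_window(profile, parse_flows(NEW_WINDOW_FLOWS)):
        print(finding)
```

With the constructed data the window produces three findings: 10.0.0.5 talking to port 4444 for the first time, 10.0.0.9 moving far more than its 6500-byte daily threshold, and 10.0.0.77 appearing with no baseline. A real deployment would profile per time-of-day and per service as well, and would treat these as indicators to validate, not as confirmed incidents, which is exactly the point the lecture makes about indicator accuracy.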
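The containment section says evidence must be accounted for properly after collection, which is the chain of custody, but does not show what such a record looks like. The following is an added example, not code from the Cisco course or the lecture: the evidence is hashed at acquisition, every custody event (acquisition, each hand-over) is linked to the previous one by hash, and a verify step re-checks both the evidence bytes and every entry so that later alteration of either is detected. The case number, item label, people, timestamps and the evidence bytes are constructed for this illustration.

```python
"""Tamper-evident chain-of-custody record for collected evidence.

Added example, not from the CCNA Cyber Ops course. Case identifiers, names,
timestamps and the evidence bytes below are constructed for illustration.
"""
import hashlib
import json

# Constructed stand-in for an acquired disk image (not real evidence).
EVIDENCE_IMAGE = b"\x00FAKE-DISK-IMAGE\x00" * 64


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    GENESIS = "0" * 64  # prev_hash of the first entry

    def __init__(self, case_id, item_id, evidence, collected_by, at):
        self.entries = []
        self._append({"case": case_id, "item": item_id, "action": "acquired",
                      "by": collected_by, "at": at, "sha256": sha256_hex(evidence)})

    @staticmethod
    def _digest(entry):
        # Hash every field except the stored digest itself, in a canonical order.
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

    def _append(self, fields):
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = dict(fields, prev_hash=prev)
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)

    def transfer(self, from_person, to_person, at, purpose):
        self._append({"action": "transfer", "from": from_person,
                      "to": to_person, "at": at, "purpose": purpose})

    def custodian(self):
        last = self.entries[-1]
        return last["to"] if last["action"] == "transfer" else last["by"]

    def verify(self, evidence):
        """Return (ok, reason): checks hash links, entry digests and evidence."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev_hash"] != prev:
                return False, f"entry {i}: broken link to previous entry"
            if entry["entry_hash"] != self._digest(entry):
                return False, f"entry {i}: contents altered after recording"
            prev = entry["entry_hash"]
        if sha256_hex(evidence) != self.entries[0]["sha256"]:
            return False, "evidence hash does not match acquisition record"
        return True, "chain of custody intact"


def build_sample_log():
    """Constructed custody history: acquisition followed by two hand-overs."""
    log = CustodyLog("IR-2023-0042", "LAPTOP-07/disk0", EVIDENCE_IMAGE,
                     collected_by="A. Jones (IT support)", at="2023-12-06T11:20:00Z")
    log.transfer("A. Jones (IT support)", "Evidence locker B",
                 "2023-12-06T12:05:00Z", "secure storage")
    log.transfer("Evidence locker B", "D. Patel (forensic examiner)",
                 "2023-12-07T08:30:00Z", "disk analysis")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("current custodian:", log.custodian())
    print(log.verify(EVIDENCE_IMAGE))
    print(log.verify(EVIDENCE_IMAGE + b"x"))
```

This makes the record tamper-evident, not tamper-proof: whoever holds the log can rewrite every entry and recompute the chain. In practice each entry is also signed or witnessed, and the acquisition hash is recorded on a separate medium (a printed acquisition form, a write-once store) so that an altered log can be compared against an independent copy.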
This summary and transcript were automatically generated using AI with the Free YouTube Transcript Summary Tool by LunaNotes.