Hello and welcome to this course, Advanced Cyber Threat Management. I'm Professor Wool, and in this lesson we'll discuss bringing reachability analysis into incident response.

In a previous lesson we talked about the general incident response process: how information flows into the security information and event management system, the SIEM, how the people in the SOC review incidents and take action, and how bringing business context into this process makes decision-making much better.

Today we'll talk about a different aspect of incident response, and this is identifying how severe the incident is. So when the SOC people look at the information available to them, there is clear evidence of certain things going on: malicious actions taken by the software, or by the person connected through the infected system. But that's not all we need to know in order to identify how severe the threat really is. If we want to enrich our understanding of the severity of the threat, one system or tool that we can use is traffic simulation, to try to understand what types of traffic can emanate from the infected server, or reach the infected server from various other systems and from the world, based on the patterns of connectivity that are allowed by the network and the firewalls surrounding the system. From this we can identify whether this threat is a high threat, a critical threat, or perhaps a mid-level threat, etc.

So how would we do this? Well, here are a few examples. If we take the infected server and check whether it has access out towards addresses in the internet: if it does, then this system could be used to access the command and control center of the adversary; it could be used to participate in spam campaigns that send out unfiltered email; it could participate in activities basically trying to disrupt activity on other systems outside of our organization; it could even be used to exfiltrate data from our organization, steal information and send it out towards systems controlled by the attacker. So full outbound access, or unlimited outbound access, is something that elevates the severity of a threat.

What about internal access? Here we can use the same capability of traffic simulation, through which we can check what the internal filtering is allowing, to see what type of access the infected system has to other, more sensitive areas of our internal network. For instance, if we have an area of servers and systems that store credit card data, a PCI zone: if the infected system has access to the PCI zone, then it can steal sensitive information. Likewise, if it can access servers that contain personally identifiable information, then again that is sensitive, and having access to such information could lead to a compliance violation. So we need to report on it: if a server that is infected has access to systems that store account numbers, social security numbers and other pieces of personal data, we would have to report to the authorities that this incident is affecting such systems. So again, this elevates the severity of a particular threat.

The other direction is also as important. If the attacker can take information from these sensitive servers and push it into the server we're looking at right now, then maybe the system can function as a stepping stone for traffic and/or sensitive information being exfiltrated out toward the internet. So a combination of access from a secured, security-sensitive area to or from the system that is being investigated, in combination with broad outbound access, would make an even more severe incident.

So what we can see from all of this is: once we've identified a system that's been infected or owned by the attackers, doing an investigation, through traffic simulation, of the access which the attacker has through that system, both to external IP addresses and to sensitive internal systems, gives us a much better picture of the severity of the incident and helps us make better decisions when we're deciding how to remediate. Thank you for your attention.
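As an added illustration of the severity enrichment described in this lesson (this is example code written for this page, not part of the course or of any product it refers to), the block below constructs a small first-match firewall policy and three zones (internet, PCI, PII), simulates whether an infected host can reach each zone and whether the sensitive zones can push traffic back into it, and folds the findings into a severity level. The addresses, the rule set, the functions `can_reach` and `assess`, and the three-step severity ladder are all assumptions; the reachability check handles the first-match, partial-overlap case (a deny rule covering part of a zone followed by an allow for the rest) rather than testing a single representative address.

```python
"""Reachability-based severity enrichment for an infected host (example code).

Assumptions (all constructed for this example): a first-match policy of
allow/deny rules over IPv4 CIDRs, three zones, and a severity ladder in
which outbound internet access combined with any access to or from a
sensitive zone is treated as a stepping-stone (critical) scenario.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str  # "allow" or "deny"


def rule(src, dst, action):
    return Rule(ipaddress.ip_network(src), ipaddress.ip_network(dst), action)


# Constructed zones. "internet" is everything outside the internal 10/8 range.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
ZONES = {
    "internet": list(ipaddress.ip_network("0.0.0.0/0").address_exclude(INTERNAL)),
    "pci": [ipaddress.ip_network("10.10.0.0/24")],
    "pii": [ipaddress.ip_network("10.20.0.0/24")],
}

# Constructed first-match policy for a user segment at 10.30.0.0/24.
POLICY = [
    rule("10.30.0.0/24", "10.10.0.0/24", "deny"),   # users may not reach PCI
    rule("10.10.0.0/24", "10.30.0.0/24", "allow"),  # but PCI can push into users
    rule("10.30.0.0/24", "10.20.0.0/24", "allow"),  # users may reach PII servers
    rule("10.30.0.0/24", "0.0.0.0/0", "allow"),     # unrestricted outbound
    rule("0.0.0.0/0", "0.0.0.0/0", "deny"),         # default deny
]


def _split(net, by):
    """Split `net` into the part inside `by` and the pieces outside it."""
    if by.supernet_of(net):           # rule covers the whole net (or equals it)
        return [net], []
    if net.supernet_of(by):           # rule covers only part of net
        return [by], list(net.address_exclude(by))
    return [], [net]                  # disjoint


def can_reach(srcs, dsts, policy):
    """True if any (src, dst) address pair is allowed under first-match rules.

    `pending` holds the src x dst rectangles not yet decided by an earlier
    rule; a deny removes the matched sub-rectangle, an allow ends the search.
    """
    pending = [(s, d) for s in srcs for d in dsts]
    for r in policy:
        nxt = []
        for s, d in pending:
            s_in, s_out = _split(s, r.src)
            d_in, d_out = _split(d, r.dst)
            if s_in and d_in:
                if r.action == "allow":
                    return True
                # (s x d) minus the denied (s_in x d_in) rectangle
                nxt += [(a, d) for a in s_out]
                nxt += [(a, b) for a in s_in for b in d_out]
            else:
                nxt.append((s, d))
        pending = nxt
        if not pending:
            return False
    return False


def assess(infected_ip, policy=POLICY, zones=ZONES):
    """Return (severity, findings) for the host at `infected_ip`."""
    host = [ipaddress.ip_network(infected_ip)]  # a single /32
    findings = {
        "outbound_internet": can_reach(host, zones["internet"], policy),
        "to_pci": can_reach(host, zones["pci"], policy),
        "to_pii": can_reach(host, zones["pii"], policy),
        # reverse direction: can the sensitive zones push data into the host?
        "from_pci": can_reach(zones["pci"], host, policy),
        "from_pii": can_reach(zones["pii"], host, policy),
    }
    sensitive = any(findings[k] for k in ("to_pci", "to_pii", "from_pci", "from_pii"))
    if findings["outbound_internet"] and sensitive:
        level = "critical"  # stepping stone: sensitive data plus an exfiltration path
    elif findings["outbound_internet"] or sensitive:
        level = "high"
    else:
        level = "medium"
    return level, findings


if __name__ == "__main__":
    for ip in ("10.30.0.5", "10.40.0.7"):
        print(ip, *assess(ip))
```

Running the block reports the user-segment host 10.30.0.5 as critical: PCI is denied outbound, but PII is reachable, the PCI zone can push into the host, and outbound internet is wide open. A host in a segment with no rules at all (10.40.0.7) falls to the default deny and stays at medium, which is the point of the enrichment: the same alert gets a different severity depending on what the surrounding firewalls let the compromised system do.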