One question I get asked a lot is, “How do I build an effective workflow or model for incident response situations?” My first piece of advice is: be prepared. I’ve been involved in hundreds of incident response situations, and I can tell you that the first thing that happens when you’ve just learned your assets may have been pwned is a large shot of adrenaline, better described euphemistically as, “Oh, crap!” That adrenaline is either going to be your friend or it’s going to create anxiety that suffocates your ability to think.
First, just breathe. Second, use a two- to three-person quick reaction force to determine the size and type of force to apply to the compromise. Third, journal as you go; this helps when you have to create an after-action report. Fourth, create an evidence locker with a manifest that identifies the artifacts you’ve collected and the times you collected them. That leads to a related point: record the times when events are observed or communicated to you. Finally, use the PICERL model or a variation of it: preparation, identification, containment, eradication, recovery, and lessons learned (or opportunities for improvement). Hopefully, these tips will help you build a better incident response workflow.
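As an added example (not part of the post or GuardSight’s own tooling), here is one way to keep the evidence-locker manifest from the fourth point: every collected artifact gets an append-only JSON line recording its UTC collection time, the collector, and its SHA-256, and `verify_manifest` re-hashes the locker later so any post-collection change shows up. The collector handle and the sample artifacts are constructed placeholders.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so large artifacts (disk or memory images) are never loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def add_artifact(manifest_path, artifact_path, note, collector="ir-analyst-01"):  # collector: placeholder handle
    """Append one manifest line: what was collected, when (UTC), by whom, and its hash."""
    artifact = Path(artifact_path)
    entry = {
        "collected_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "collector": collector,
        "artifact": str(artifact.resolve()),
        "sha256": sha256_file(artifact),
        "note": note,
    }
    with open(manifest_path, "a", encoding="utf-8") as f:  # append-only: earlier entries are never rewritten
        f.write(json.dumps(entry) + "\n")
    return entry

def verify_manifest(manifest_path):
    """Re-hash every artifact and return the entries whose contents no longer match the manifest."""
    mismatches = []
    with open(manifest_path, encoding="utf-8") as f:
        for entry in map(json.loads, f):
            path = Path(entry["artifact"])
            current = sha256_file(path) if path.exists() else None  # None: artifact missing from locker
            if current != entry["sha256"]:
                mismatches.append({"artifact": str(path), "expected": entry["sha256"], "actual": current})
    return mismatches

def demo():
    """Constructed walk-through: collect two sample artifacts, then show that a later edit is caught."""
    locker = Path(tempfile.mkdtemp(prefix="evidence_locker_"))
    manifest = locker / "manifest.jsonl"
    (locker / "auth.log").write_text("Jan 01 00:00:01 host-a sshd[1]: Accepted publickey for svc\n")  # constructed
    (locker / "proc_list.txt").write_text("PID CMD\n1 init\n")  # constructed
    entries = [add_artifact(manifest, locker / "auth.log", "copied from host-a before containment"),
               add_artifact(manifest, locker / "proc_list.txt", "process listing, host-a")]
    clean = verify_manifest(manifest)  # nothing has changed yet
    (locker / "auth.log").write_text("edited after collection\n")  # simulate a post-collection change
    return entries, clean, verify_manifest(manifest)
```

Running `demo()` returns the two manifest entries, an empty mismatch list for the untouched locker, and a single mismatch for `auth.log` after the simulated edit.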
If you want to learn more, visit our website at guardsight.com or give us a call to schedule a free consultation.