Prioritization and Grouping COA

Super awesome job! You have your team in a left-of-bang mindset related to cybersecurity, including implementing proactive security measures and monitoring threats as a steady state of cyber readiness. You also conduct Tabletop Exercises (TTX) that include a live-fire cyber range experience for the tactical team members. The practitioners on your team are disciplined and prepared.

Then – BANG – an asset your team did not have on their radar (unaware of its existence) is compromised, providing the threat actor access to other potentially vulnerable systems, and the threat actor is on the move. You’re cool; You breathe; You Observe, Orient, Decide, and Act; You have been here and done that. You know the number one priority is to contain the threat, and you start assigning Courses of Action (COA) to respond, eradicate, and recover. Outstanding!

Want to take how you think about those COA assignments to the next level? Of course, you do! Here’s how: Embrace two mental models: Prioritization and Grouping.

Prioritization is a forced ranking of the COA that will have the most significant impact on effective containment using three approaches for determination:

  1. Containment Without Risk (do these first):
    1. COA that will include no or minor collateral damage accompanied by effective containment
    2. COA that containment teams are familiar with and trained to perform
    3. COA that carry a high probability of execution success and containment effectiveness
  2. Containment With Risk (do these next):
    1. COA that may include collateral damage accompanied by effective containment
    2. COA that containment teams are less familiar with and trained to perform
    3. COA that carry less than a high probability of execution success and containment effectiveness
  3. Risk Without Containment (avoid doing these):
    1. COA that will include collateral damage without effective containment
    2. COA that containment teams are not familiar with and carry low to zero probability of execution success and containment effectiveness

Grouping organizes the COA into execution clusters that identify the desired outcome. Think about this organization using the mnemonic Inventory + 6 Ds:

  1. Inventory
    1. Identify assets that will or could be impacted by the compromise
    2. Enumerate the cyber battlefield for containment assets that will DetectDenyDisruptDegradeDeceive, and Destroy the threat
  2. Detect
    1. Confirm existing assets that are capable of detection and observation
    2. Establish assets that are capable of detection and observation
  3. Deny
    1. Confirm existing assets that are capable of denying the threat
    2. Establish assets that are capable of denying the threat
  4. Disrupt
    1. Confirm existing assets that are capable of disrupting the threat
    2. Establish assets that are capable of disrupting the threat
  5. Degrade
    1. Confirm existing assets that are capable of degrading the threat
    2. Establish assets that are capable of degrading the threat
  6. Deceive
    1. Confirm existing assets that are capable of deceiving the threat
    2. Establish assets that are capable of deceiving the threat
  7. Destroy
    1. Confirm existing assets that are capable of destroying the threat
    2. Establish assets that are capable of destroying the threat

Remember two top-level pursuits when battling a threat actor after a successful compromise: Prioritize the COA based on the relationship between Containment and Risk; and Group the COA into Inventory + 6 Ds.

What does this mean for you as someone already utilizing or considering purchasing one of the GuardSight SECOPS protection packages? Reduced dwell time, improvements to cyber readiness posture, and continuity across teams responsible for response and containment.

Contact us to learn more about how we can help your team succeed in hybrid or surge-ops mode in the cyber fight against the bad guys!

Back to Blog