Summary: Respond

Incident management

Very few security alerts turn into incidents. Most are handled as events, following the appropriate playbook. For the few that do become incidents, efficient and adequate response requires an incident response plan (IRP) that is rehearsed and reviewed periodically. There will be more than one plan, because scenarios differ: how a team responds to a data exfiltration incident will look nothing like handling an email worm eating its way through employee inboxes.

Ensure that IRP requirements are met on time

Team members' roles, the communications tree, and a list of the required resources are all part of a good IRP. Team members should be prepared to perform their assigned roles, the communications plan should be reviewed and kept current, and the required resources (tooling, accounts, storage, network access) should be ready to use and reachable at the time of the incident. The worst time to discover that something is missing or misconfigured is when incident response begins.

Data management during the incident

Plan execution should be done assuming that legal proceedings will be involved. All data, such as log files, documentation, memory captures, and data on storage devices, should be treated as if they will be evidence in a future legal proceeding. Data handling requirements should be included in the plan, and all team members should be made aware and reminded of them at the time of the incident. The organization’s data retention policy should also inform the procedures to be used for the preservation of artifacts involved in incident response.
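Treating artifacts as evidence means being able to show later that a log file or memory capture is the same bytes that were collected. The script below is an added example, not part of the original page or any particular IRP: it records a collection manifest (path, size, SHA-256, who collected it and when, under a hypothetical case identifier) and re-verifies the artifacts against that manifest, flagging anything missing or altered. The sample "log" and "memory capture" files it creates in a temporary directory are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large memory captures do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, collector, case_id):
    """Record size, hash, collector and UTC timestamp for every artifact collected."""
    entries = []
    for p in paths:
        st = os.stat(p)
        entries.append({
            "path": os.path.abspath(p),
            "size": st.st_size,
            "sha256": sha256_file(p),
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "collected_by": collector,
        })
    return {"case_id": case_id, "artifacts": entries}


def verify_manifest(manifest):
    """Return a list of (path, reason) for artifacts that no longer match the manifest."""
    failures = []
    for entry in manifest["artifacts"]:
        path = entry["path"]
        if not os.path.exists(path):
            failures.append((path, "missing"))
        elif os.path.getsize(path) != entry["size"]:
            failures.append((path, "size changed"))
        elif sha256_file(path) != entry["sha256"]:
            failures.append((path, "hash mismatch"))
    return failures


def demo():
    """Collect two constructed artifacts, verify, tamper with one, verify again."""
    with tempfile.TemporaryDirectory() as workdir:
        log_path = os.path.join(workdir, "auth.log")
        mem_path = os.path.join(workdir, "memory.raw")
        # Constructed sample artifacts, not real data.
        with open(log_path, "wb") as f:
            f.write(b"Jan 01 03:14:15 host sshd[42]: Accepted password for root\n")
        with open(mem_path, "wb") as f:
            f.write(os.urandom(4096))

        # Hypothetical case identifier and collector name.
        manifest = build_manifest([log_path, mem_path], "analyst-1", "IR-EXAMPLE-0001")
        manifest_json = json.dumps(manifest, indent=2)  # store this separately from the artifacts

        before = verify_manifest(manifest)  # expected: no failures

        # Same-length tampering: size is unchanged, so only the hash reveals it.
        with open(log_path, "r+b") as f:
            f.seek(0)
            f.write(b"Feb")
        after = verify_manifest(json.loads(manifest_json))  # expected: auth.log hash mismatch

        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering:", after)
```

The manifest itself must be protected as well, for example by hashing the serialized manifest and recording that hash in a write-once location that the collecting team cannot alter after the fact; otherwise an attacker or a careless responder could rewrite both the artifact and its recorded hash.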

Post-incident insights

An incident is a great learning opportunity. The team should review after-action results to identify what went right and what could be improved. Performing a lessons learned exercise is integral to a successful IRP. This allows the team to improve the plan for next time, and it should always be assumed that there will be a next time. Some IRPs may never be used, but when they are, the team and the organization will be thankful for the work done to prepare for it.
