Introduction

The purpose of this report is to introduce the concept of incident response to those who may not be familiar with it. For those who have some familiarity with incident response but think of it as performing an investigation, the report will hopefully broaden your view of its full breadth, since the investigation is just a small part of a complete incident response program.

In Chapter 1, we will cover foundational concepts so everyone is working from the same dictionary. For those who are already familiar with some aspects of incident response, it may be useful to skim through this chapter just to make sure we are all in agreement about the ideas and boundaries.

Chapter 2 is about identifying and categorizing incidents. This is important to help establish the workflow going forward. Different categories will have associated workflows based on the needs of that category. A malware installation, for example, will kick off a very different process from an account compromise. Prioritization is also important, based on resources that are being impacted, so you can have a sense of how quickly you need to respond and also whether there are regulations that have to be followed.

Ideally, incident response doesn’t happen in a vacuum. This means that having some information that can guide the investigation and overall response is helpful. Threat intelligence can help appropriately scope the investigation, which can save time. Threat intelligence can also help an organization get prepared for imminent attacks, based on the industry it is in.

Of course, this is a brief report and covering a full incident response plan is a large project, so we aren’t going to get through everything. Chapter 4 looks at next steps that should be considered when thinking about an incident response program within an organization.
