Observe, orient, decide, and act – OODA

A valuable concept that you can use to help conceptualize your incident response planning as well as your operational incident response capability is the OODA loop. The concept was originally developed by military strategist John Boyd and serves as a foundation when considering how to deal with an adversary, which is what the information security professional is doing as they are developing an incident response capability:

  • Observe: Ensure that, while you are planning your incident response capability, you have as much visibility into your information system as possible. The best defense you can mount against modern, well-funded, and highly motivated adversaries is to implement layered monitoring technologies. Your goal is to have in-depth visibility into your information systems' normal operations so that you can catch abnormal behavior.
  • Orient: Here, you take the immense amount of information that you are gathering as part of your layered monitoring capability and apply additional tools and techniques to make better sense of the information, allowing you to triage and prioritize your actions.
  • Decide: At this point, you have ingested information from your network through your monitoring capability and distilled it into actionable, prioritized work. You now make decisions based on your:
    • Corporate policy
    • Incident response plan and procedures
    • Regulatory requirements
    • Applicable laws
  • Act: You guessed it. It is time to act. This is where you take the following necessary steps:
    • Contain the threat: Make sure that the threat cannot spread any further
    • Eradicate the threat: Remove the threat from the affected information system
    • Recover from the threat: Restore the information system back to a fully operational state

The following image graphically represents the OODA loop as it relates to an effectively implemented incident response capability:

You can see that each phase in the loop feeds the next, and that each phase can go back to the beginning. This represents the fact that, as you go through the process, you may need to return to a state of observation, because you may uncover additional information during your incident response investigation that requires further analysis.
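The following is an added example, not code from the original text, of how the four phases and the loop-back to observation might be wired together in an automated triage pipeline. The event format, the scoring rules in `orient`, and the `POLICY` thresholds are all assumptions standing in for real telemetry and for the corporate policy and incident response procedures the Decide phase consults. Batch 0 is the initial observation; batch 1 is constructed to represent what the investigation turns up after acting on batch 0, which is why the loop returns to Observe.

```python
"""Toy OODA loop for incident triage over constructed log events (added example)."""
from collections import defaultdict

# Constructed telemetry, not from the original text. Batch 0 is the initial
# observation; batch 1 is what the investigation surfaces after containing web01
# (the contained host reaching into the database segment).
SAMPLE_BATCHES = [
    [
        {"host": "web01", "src": "203.0.113.5", "type": "auth_fail", "user": "admin"},
        {"host": "web01", "src": "203.0.113.5", "type": "auth_fail", "user": "admin"},
        {"host": "web01", "src": "203.0.113.5", "type": "auth_fail", "user": "admin"},
        {"host": "web01", "src": "203.0.113.5", "type": "auth_success", "user": "admin"},
        {"host": "web02", "src": "198.51.100.7", "type": "auth_fail", "user": "bob"},
    ],
    [
        {"host": "db01", "src": "web01", "type": "new_outbound_conn", "user": "-"},
        {"host": "db01", "src": "web01", "type": "auth_success", "user": "svc_backup"},
    ],
]

# Hypothetical decision inputs standing in for corporate policy and IR procedures.
POLICY = {"contain_at": 80, "ticket_at": 30}


def observe(raw_events):
    """Observe: gather telemetry. Here it simply returns the current batch."""
    return list(raw_events)


def orient(events, contained):
    """Orient: correlate events per (host, source) and score each finding."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["host"], e["src"])].append(e)
    findings = []
    for (host, src), evs in groups.items():
        fails = sum(1 for e in evs if e["type"] == "auth_fail")
        successes = [e for e in evs if e["type"] == "auth_success"]
        score, reason = min(100, fails * 10), "failed logins"
        if fails >= 3 and successes:
            score, reason = 90, "credential brute force followed by a successful login"
        if src in contained:  # new information: a contained host is now a source
            score, reason = max(score, 85), f"activity from already-contained host {src}"
        users = sorted({e["user"] for e in successes}) or ["-"]
        findings.append({"host": host, "src": src, "score": score,
                         "reason": reason, "users": users})
    # Highest-scoring finding first: this is the prioritization step.
    return sorted(findings, key=lambda f: f["score"], reverse=True)


def decide(findings, policy):
    """Decide: map each score to an outcome using the policy thresholds."""
    out = []
    for f in findings:
        if f["score"] >= policy["contain_at"]:
            decision = "contain"
        elif f["score"] >= policy["ticket_at"]:
            decision = "ticket"
        else:
            decision = "monitor"
        out.append({**f, "decision": decision})
    return out


def act(decisions, contained):
    """Act: contain, eradicate, and recover for every 'contain' decision."""
    actions = []
    for d in decisions:
        if d["decision"] != "contain":
            continue
        actions.append(f"contain: isolate {d['host']}, block {d['src']} at the boundary")
        actions.append(f"eradicate: reset credentials for {','.join(d['users'])} on {d['host']}")
        actions.append(f"recover: rebuild {d['host']} from a known-good image")
        contained.add(d["host"])
    return actions


def run_ooda(batches, policy=POLICY):
    """Run the loop: return to Observe for as long as acting surfaces new findings."""
    state = {"contained": set(), "actions": [], "iterations": 0}
    for batch in batches:
        state["iterations"] += 1
        decisions = decide(orient(observe(batch), state["contained"]), policy)
        new_actions = act(decisions, state["contained"])
        state["actions"].extend(new_actions)
        if not new_actions:  # nothing contained, so nothing new to go back and observe
            break
    return state


if __name__ == "__main__":
    result = run_ooda(SAMPLE_BATCHES)
    for a in result["actions"]:
        print(a)
    print("loop iterations:", result["iterations"], "contained:", sorted(result["contained"]))
```

The state carried between iterations (`contained`) is what makes the second pass through Orient score the database events differently from a cold start: the same `auth_success` event is routine on its own but suspect once its source is a host the team has already isolated. Real deployments would replace the in-memory batches with a SIEM query and the string actions with calls to the isolation and credential-reset tooling the organization actually runs.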
