Chapter 10. I’ve Got Incidents Now! How Do I Respond?

“We kill people based on metadata.”

General Michael Hayden, former Director of NSA

Up to this point, we’ve explained how to understand threats, how to build and operate a security monitoring system, and how to creatively discover security incidents through log analysis and playbook development. With your well-oiled detection machine, you will discover incidents and new threats, while the team fields incident notifications from employees and external entities alike. Your analysts are researching and creating plays, investigating incidents, and sorting out false positives from confirmed malicious behavior, based on techniques from your playbook. However, an incident response playbook is more than just detection. It must also include instructions on how to respond.

We have discussed a structured approach to prepare for, detect, and analyze malicious behavior. Yet despite the effort involved in the detection phase, it is only the beginning of the incident response lifecycle process. After detecting an incident, the next most important step is to contain the problem and minimize the damage potential to your organization. After all, a key factor in an overall security strategy is to build a monitoring system and playbook to thwart security incidents as soon as possible to reduce downtime and data loss. After an incident has been triaged and the bleeding stopped, it’s time to clean up the original problem. Remediation demands that ...