August 15, 2021 40 mins

https://blog.teamascend.com/6-phases-of-incident-response

https://www.securitymetrics.com/blog/6-phases-incident-response-plan

Recent vulnerabilities got Bryan thinking about incident response. 

Are organizations speedy enough to keep up?

If the spate of vulns continues, what can we do to ensure we are dealing with the most important issues?

How do we communicate those issues to management?

How should we handle the workload?

Testing your IR costs money. Do you have budget for that? (Verodin, red team)

Restoring backups, extra VPC or Azure environment

Incidents occur

You have to minimize issues, right? But is there a good way of doing that?

Simplify your environment? 

Spend time working on the CIS 20? You gotta plan for that and show value vs effort.

Incident response is an ever-changing landscape.

What is the goal of IR?

Minimize damage

Identify affected systems

Recover gracefully and quickly?

Does your environment allow for quick recovery?

What does ‘return to normal’ look like?

The goal of business

Make money

Incidents should just be considered part of doing business (risks)

The more popular, the more likely the attack

Incident timeframe = criteria for getting back to normal.

PICERL is a cycle, and one of continual improvement. Incident response is not ‘one and done’. 
