Single Source of Truth: Documenting Incident Response

Presented at CactusCon 11 (2023), Jan. 27, 2023, 10 p.m. (60 minutes).

When we think Incident Response, the focus is all too often on the technical investigation of solving the mystery and getting the business back to normal. However, when you've got a team of brilliant minds turning over rocks and chasing shiny leads, who's keeping track of all the technical details? In a worst-case situation where IR is a multi-day or multi-week engagement, with or without a third-party engaged, can you confidently say you've captured all the details if it's no one's job to do so? This talk dives into the interrelated roles in incident response of the IR Lead and Scribe and how they support and guide the incident response process by ensuring that details are captured accurately, investigations are consistent, information is translated into non-technical language for management, and a report is generated that is going to be a lifesaver when suddenly someone needs specific details six months down the line. We'll cover the importance of pre-planning ranging from big picture policy and process to playbooks, IR standup documentation, and hashing out those pesky details like where this documentation is even kept or how you communicate with the team in one secure place. Then, it's go-time: the overview document, host and artifact tracking spreadsheets, timelines, and generation of an after action briefing to make recommendations to the business and capture process successes and improvements needed.

Presenters:

  • Casey Beaumont - Incident Response Manager at Marsh McLennan
    Casey Beaumont is an Incident Response Manager at Marsh McLennan, a global financial and professional services firm in risk, strategy, and people. Prior to that, she was forged in the fires of the defense industry. With over a decade of direct Incident Response experience, she has evolved from pure investigation to incident lead and specializes in major incident documentation and tracking. She is heavily involved in IR policy, process, and playbook creation, and operates an enterprise phishing training program and associated training. An Arizona native, she holds various industry certifications, and originally got started with a B.S.E. in Computer Systems Engineering from Arizona State University.
