"Not only is an incident responder presented information from end users, but from numerous other teams, from technical to non-technical. Even the smartest malware analysts, engineers, forensic analysts, and C-level executives can and will make mistakes. During a stressful, hectic security incident, it can be incredibly tempting to take facts or conclusions we're presented with at face value instead of verifying or considering them," Carhart says.
The scientific method should be applied to incident response. Start from the beginning, gather and verify all of the facts, and then confirm or correct anything that doesn't seem right.
"One incorrect assumption can cause our entire investigation to go in the wrong direction, and totally derail remediation. As security professionals, we're constantly bombarded with horror stories and paranoia. This also can easily influence the conclusions we draw early on in an investigation."
In short, don't find facts to fit a conclusion; draw a conclusion from the facts.
Other assumptions to avoid include the belief that everyone has the skills and experience needed to do technical tasks that incident response teams consider simple, and the belief that everyone has the tools and resources necessary to perform those tasks. Both are far removed from the truth.
Educate and Document
Incident response teams need to keep rigorous notes on training, day-to-day work, and incidents. This includes any task the team does more than once, tasks only one person knows how to do, and lessons learned after every incident.
The point, Carhart said, is that being able to quickly reference processes and notes will save us added stress and confusion while working under pressure. Moreover, management should allow time and funding to train their security team. But there's more to it than simply attending a class or taking a certification test.
"Incident response skills should be drilled until they are easily recalled under pressure," she said.
"Police and military train with firearms until shooting properly is second nature. Disaster response personnel have regular response and mass casualty training exercises. Firefighters practice in condemned buildings. The objective is to do critical tasks and processes so many times that in a high-stress environment, they can be done without much effort. There is no reason we should not be doing the same."
However, education for end users and other business units is just as important. The more support and comprehension that an incident response team receives from the rest of the organization, the easier their jobs will be.
Further, incident responders need to take personal responsibility for their own training and security knowledge. To put it bluntly, there is no excuse for an incident responder who lacks a general understanding of what's making headlines that day in security news. Access to such information is just too readily available.