Often overlooked in training, triage is perhaps the most basic and integral skill an incident response team can have.
"There are overwhelming days as an incident responder when everything goes wrong simultaneously. Fortunately, the skills used in triage in other industries are fairly universal and many can easily be applied to security," Carhart said.
"First of all, the few minutes taken during an incident to breathe and figure out next steps are almost always worth it. It's at this point, during triage, that our previously documented processes, methodology, and training become key."
The recommendation is to use a risk matrix, which gives a rough evaluation of an incident's risk and priority on a scale from low to extreme. This triage method also lets the incident response team explain its decisions to management.
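A minimal working version of such a risk matrix, as an added example that is not part of the article: the 1-5 likelihood and impact scales, the band cut-offs and the sample incident queue are my own assumed choices, since the article only says the matrix runs from low to extreme.

```python
"""Triage risk matrix: score each incident as likelihood x impact, bucket the
product into Low / Moderate / High / Extreme, and keep a one-line rationale
that can be shown to management. Added example, not the article's own code;
scales, cut-offs and sample data are assumptions."""

LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Band floors on the 1..25 product (assumed; tune to local risk appetite).
BANDS = [(15, "Extreme"), (8, "High"), (4, "Moderate"), (0, "Low")]


def score(likelihood, impact):
    """Product of the two ordinal ratings; raises KeyError on an unknown rating."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def band(s):
    """Map a 1..25 score onto a priority band."""
    for floor, name in BANDS:
        if s >= floor:
            return name
    return "Low"


def triage(incidents):
    """Return a copy of the queue ordered by descending score; each entry
    carries its score, band and a rationale string for the decision."""
    ranked = []
    for inc in incidents:
        s = score(inc["likelihood"], inc["impact"])
        rationale = (f"{band(s)} ({s}/25): likelihood '{inc['likelihood']}' "
                     f"({LIKELIHOOD[inc['likelihood']]}) x impact '{inc['impact']}' "
                     f"({IMPACT[inc['impact']]})")
        ranked.append({**inc, "score": s, "priority": band(s), "rationale": rationale})
    # Highest score first; stable sort keeps arrival order for equal scores.
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


# Constructed sample queue: the kind of mixed day the article describes.
SAMPLE_QUEUE = [
    {"name": "Phishing email reported by one user, no click", "likelihood": "possible", "impact": "minor"},
    {"name": "Ransom note found on a file server", "likelihood": "almost certain", "impact": "severe"},
    {"name": "News article about a new browser zero-day", "likelihood": "likely", "impact": "moderate"},
    {"name": "Scanner finding on an isolated lab host", "likelihood": "rare", "impact": "moderate"},
]

if __name__ == "__main__":
    for r in triage(SAMPLE_QUEUE):
        print(f"{r['priority']:<8} {r['name']}: {r['rationale']}")
```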
To see why triage matters, consider the two types of people who panic during a security incident.
The first are the extremely technical people who have found minutiae. They may be experts in their fields, but they are likely missing the big picture, or have failed to stop and think about the situation.
The second group are the non-technical people who have seen something that's alarmed them. This could have come from an email, a news article, or a conversation in passing.
"We as security people can fall into both groups depending on the situation - no person is an expert at every field. Panicked security (as with anything else) is not good security. Once again, we fall back to our scientific method, and 'peer review' any information we are receiving that doesn't seem factual or reliable," Carhart says.
"This is a good time to bring up the distinction between 'Incident Responders' and 'Incident Handlers', again. In an ideal situation, both job functions should exist, and the Handler should be talking to panicking team members, management, and end users while the Responder works on the investigation relatively uninterrupted."
Remember the basics: practice, good documentation and training, and triage skills. When feeling overwhelmed, incident response teams should fall back on these lifelines.
Specialization is for Insects
"The trend in information security is to start out as a log analyst, and then move to a specialized role such as penetration testing, malware analysis, exploit development, or digital forensics. Most people are drawn more to some of these fields than others. As an incident responder, we must return to being a generalist. This isn't to say that specialized expertise isn't useful. However, the risk is that our specialization will color the way we perceive an incident," Carhart explained.
"My expertise is in digital forensics. If I look at the same compromised system as a forensic analyst as my colleague who is a malware analyst, I may see a very different case. While he will see the details of malware binaries and their communication on the compromised system, I will note files modified, deleted, and moved, and remote systems accessed."