28 Mar IR Process Questions to ask
How can we reduce analyst fatigue?
Review our Analyst Fatigue post, and develop the steps in the investigative process. Map out the steps and tasks for each process, which will expose where For example, the investigator who searches the email system for a message is probably the same investigator who implements the email blocking signature, while the investigator who analyzes the email headers can perform a threat intelligence lookup for the IP addresses that sent the email.
How can we keep team members cross-trained?
This is the second factor in the analyst fatigue post. Make sure that analysts performing investigations can follow all the steps. This will help cross-train team members and prevent a partial team loss from destroying “tribal process knowledge”.
How can we make analysts smarter?
Give analysts the tools and training to perform investigations. Cross-train analysts on all available technologies and data sources, and constantly revamp processes to assure investigative efficiency.
How are we sure investigations are complete?
Investigators should maintain appropriate investigative data and scratch notes, and assure that critical data points, including remediation dates and times, are recorded appropriately.
What investigator tasks can you automate?
Look at the most common tasks and data obtained in each investigation, then figure out the best place to automate those tasks, whether in a SIEM or in an Incident Response Platform like IR Flow.
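As an added illustration (not code from the original post or from IR Flow), the script below automates two of the recurring tasks named earlier, pulling the relay IP addresses out of an email's Received headers and checking them against a threat-intelligence list, while timestamping every step so the case record stays complete through remediation. The sample message, the threat-intel list and the case id are constructed for the demo; in practice these would come from the mail store and a TI platform.

```python
"""Added example: automated email-header triage with a timestamped case record.
Everything in SAMPLE_EMAIL, TI_BAD_IPS and the case id is constructed for the demo."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from email import message_from_string
from ipaddress import ip_address

# Constructed sample message: three Received hops; the last header is the
# earliest hop, i.e. the host that handed the mail to the first relay.
SAMPLE_EMAIL = """\
Received: from mx.example-corp.test (mx.example-corp.test [192.0.2.10])
\tby mail.example-corp.test; Tue, 28 Mar 2017 09:12:44 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.example-corp.test; Tue, 28 Mar 2017 09:12:40 +0000
Received: from unknown (HELO bulkmail) ([203.0.113.42])
\tby relay.example.net; Tue, 28 Mar 2017 09:12:31 +0000
From: "Accounts" <billing@example.net>
Subject: Invoice attached

Please see attached.
"""

# Constructed threat-intel list standing in for a TI platform lookup.
TI_BAD_IPS = {"203.0.113.42": "spam-source"}

# First dotted-quad in a Received header, with or without surrounding brackets.
IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")


@dataclass
class CaseRecord:
    """Scratch notes and critical data points for one investigation."""
    case_id: str
    notes: list[tuple[str, str]] = field(default_factory=list)  # (UTC timestamp, text)
    flagged: dict[str, str] = field(default_factory=dict)        # ip -> TI verdict
    remediated_at: str | None = None

    def log(self, text: str) -> None:
        """Append a note with the time it was recorded."""
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.notes.append((stamp, text))

    def close(self, remediation: str) -> None:
        """Record the remediation time, one of the data points that must not be lost."""
        self.remediated_at = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.log(f"remediation: {remediation}")


def extract_sender_ips(raw_message: str) -> list[str]:
    """Return the first IPv4 address from each Received header, in header order."""
    msg = message_from_string(raw_message)
    ips: list[str] = []
    for received in msg.get_all("Received", []):
        match = IP_RE.search(received)
        if not match:
            continue
        candidate = match.group(1)
        try:
            ip_address(candidate)  # reject strings like 999.1.1.1 that the regex accepts
        except ValueError:
            continue
        if candidate not in ips:
            ips.append(candidate)
    return ips


def lookup_threat_intel(ips: list[str], ti: dict[str, str] = TI_BAD_IPS) -> dict[str, str]:
    """Return only the IPs with a threat-intel hit, mapped to the TI verdict."""
    return {ip: ti[ip] for ip in ips if ip in ti}


def investigate(raw_message: str, case_id: str) -> CaseRecord:
    """Run the automated steps and keep the case record complete as we go."""
    case = CaseRecord(case_id)
    case.log("started automated header triage")
    ips = extract_sender_ips(raw_message)
    case.log(f"extracted {len(ips)} relay IP(s): {', '.join(ips)}")
    case.flagged = lookup_threat_intel(ips)
    for ip, verdict in case.flagged.items():
        case.log(f"threat intel hit: {ip} -> {verdict}")
    if not case.flagged:
        case.log("no threat intel hits; escalate to manual review")
    return case


if __name__ == "__main__":
    record = investigate(SAMPLE_EMAIL, "CASE-0001")  # constructed case id
    record.close("email blocking signature deployed for 203.0.113.42")
    for stamp, note in record.notes:
        print(stamp, note)
```

The analyst who would otherwise copy IPs out of headers by hand gets the lookup and the note-taking done in one step, and the remediation timestamp is written by the same function that records the blocking action, so it cannot be forgotten.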
How can you make the process collaborative?
Having multiple team members provide input, experience, or different views will dramatically increase the quality and effectiveness of the incident response process. In order to do this, a team environment needs to be created and a tool or data repository needs to exist.