• Initial Detection: Suspicious Event, System Alert
  MSSP Reported (They only report, YOU Have to respond!)
  
• Initial Assessment (Damage Assessment):
  System Analyst check reports: ID intruder? ID vulnerability?
  ID level? - Upper and Lower Control Limits/Trends
  
• Can you isolate, image, clean, patch and return to operation?
  
• Do you need to disconnect - possible pervasiveness of attack?
  
• Communicate to leadership for possible intel/surveillance value
  
• Respond: Determine level of effort and type of response
  
  • 1st Tier: Threat against safety/security
    Disconnect/Isolate!
    
  • 2nd Tier: Network Attack, Loss of Funds, Loss of Service
    Disconnect, Image, Clean, Rebuild, Reintroduce
    to network, Investigate images using Forensic Methods
    
  • 3rd Tier: Policy Violations, Insider Suspicions
    Covertly do Forensic Preview, Image, Consider
    Reintroduction to users to not “tip-off” insider
  
  
• Isolation and Imaging: Company “1st Responder” immediately isolates forensic evidence
  
  • Avoid evidence contamination at all costs!
    
  • Act quickly as evidence has expiration “characteristics” and be lost as time progresses
    
  • Reference Tier 1-3 response for help in prioritization and actions
  
  
• Determine Source and Size: Is it Legitimate activity, Virus activity, Network attack, Insider Fraud, Account compromise, Trojanized or Covert Channels
  
  • Look at other systems and cross correlate
    
  • Ensure incident is isolated to known systems
  
  
• Quantify: Initial assessment of loss and Specialist assistance
  
• Start IR Cycle Over: Deter/Protect: Cleaned, patched, and security upgrades considered

Always look for other forms of cyberevidence: Electronic Organizers; Cellular phones, Pagers; Facsimile Machines; Caller ID Devices; Smart Cards; Storage medium: Floppies; Tapes; Compact Disks; Hard Disks; Removable media.