Incident Response 101 – Intro

I have been wanting to write a set of blog posts about this for a while, possibly I will one day turn this into a book! But for now, it can live here.

Over the last year, I have given a few presentations and lectures about incident response, some of which live on our Github in the presentations folder. But they are not tied together and they aren’t “alive” like a series of blog posts could be…

I would like to share a lot of the knowledge I gain whilst working within this field, and studying alongside it. A lot of the words in the next few blog posts will come from the experience of delivering exactly what they describe.

A problem that I have found whilst trying to understand incident response deeply is that most incident response books, courses and sales folk seem to really focus on the deep technical parts of incident response: the forensics, the detections, the reverse engineering, the indicators of compromise, etc. The “sexy” analysis parts, and the easy sell. What I have been missing is a comprehensive guide to the underlying process behind the whole incident response stack.

Then it struck me: most of the people working within incident response are deeply technical and do get down and dirty with the analysis stage, but they aren’t really strong when it comes to the process, a process which is made up of far more stages than just analysis. This ends up creating a vacuum, where incident response seems highly expensive and complex to the outside observer.

So I have decided to write some blog posts to the “2019 me”, so that I can help others who are in my shoes: those who need to build something much more than just an analysis team, those who need to architect the entire process from alert to end report, a process that delivers great, actionable results.