Why does the template ask for worst-case and best-case scenarios?
Imagine this. You see an administrator account on your file server that shouldn't exist. The best-case scenario is that the hacker somehow got access to the file server without touching any other system in your entire network. Best case, they just looked at a few things, then decided to log off, eat some Twinkies, and change careers to become a priest. Probably not. But maybe. The worst-case scenario is that every system on your entire network has been breached and fully exported, your identity is already for sale on the black market for $0.05, and the criminal is using your web servers to host child abuse material. Probably not. But maybe.

At the beginning of an incident, no one knows how bad it is except the attacker. It can take months or years of specialized investigation and forensics to identify the full extent of the damage and the method used. Or you might never get the full story. In other words, no pressure. Take your best guess, mark the time and date, then update it as you learn more.

Be conservative with the worst-case scenario. If you see evidence that a system is compromised, or that the rogue account had access to it, then yes, put it into the worst-case estimate. But if you don't see any evidence of a breach, hold off for now. I recommend this because your company might be sued or end up in court, and you really don't want to hand opposing counsel ammunition to use against your company when there is no evidence to support it.

The template needs this information so that your managers, investigators, and the courts can see how your understanding progressed over time. They can see that your organization escalated and notified appropriately based on what you knew at the time.
Selfish plug time (sorry!)
Thanks for reading this article! I hope it helps you! If you have tips or feedback, please comment or send me an email so that others can benefit. I am a consultant in the Maryland/DC area in the USA. My specialties are Windows migrations (to 2016 and to Office 365 / Azure), VMware migrations, NetApp and SAN, and high availability / disaster recovery planning. If your business would like help with your complex project, or would like an architectural review to improve your availability, please reach out! More information and contact details can be found on the About page. – Amira Armond Copyright Kieri Solutions LLC 2019
J S
January 6, 2019 @ 8:07 pm
Great article thanks!
About the new DoD CMMC Audit and Certification - CUI
June 11, 2019 @ 6:17 pm
[…] Next article: Free Incident Response template, definitions, and training scenarios […]
sajid
July 2, 2019 @ 12:09 am
Thanks, lady, such nice work…
Rick Radzville
July 5, 2019 @ 7:55 am
I LOVE the section on performing test restores of backups! That’s the 1st Law of backups – if a test restore hasn’t been performed, it’s not a good backup! 🙂