Incident Response assets inventory and identification
What are some IR assets?
People
Tools
Hardware
Software
What assets belong to IR?
Which are outright IR assets?
Which are shared with other teams?
SIEM, IDS, etc.
Inventory what you have
Discovery through technical means
Port scans, memory scans, etc.
Discovery through administrative means
Work with accounts payable and procurement to see what is being paid for
Discovery through work observation
Recently found that some of the tools the organization depended on the most were not documented
Work with IT
IT is likely to have already matured in asset identification
Will probably share a lot of resources, so some are already inventoried
May already have systems in place for this process
Untrained end users
Attacks against end users are among the most common causes of breaches
Phishing attacks, other social engineering, etc.
Training programs should include some knowledge of IR
End users are also often the first to notice indicators of an attack
Validate the need for discovered tools
Sometimes, tools are outdated or no longer used but still being paid for
This will help with budgeting
Will also help with gauging tool training requirements
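One way to carry out the three discovery steps above (technical, administrative, work observation) and the validation that follows them in a single pass. This is an added example written for these notes, not code from the original page or from any of the tools named. It parses constructed nmap grepable (-oG) output, a constructed procurement/accounts-payable export and a constructed list of tools analysts were observed using, then reports what is paid for but not found, what is paid for but not used, what is found or used but undocumented, and which tools are IR-owned versus shared. The hostnames, tool names, costs and the TOOL_SIGNATURES mapping are all assumptions for illustration.

```python
"""Reconcile three IR asset-discovery sources into one inventory report:
technical discovery (an nmap grepable scan), administrative discovery
(a procurement / accounts-payable export) and work observation (tools
analysts were seen using). Every input below is constructed for
illustration; none of it is real scan, financial or vendor data."""
import csv
import io
import re

# Constructed nmap -sV -oG output. Grepable port entries use seven
# slash-separated fields: port/state/protocol/owner/service/rpcinfo/version/
NMAP_GREPABLE = """\
# Nmap 7.94 scan initiated Mon Jan  1 09:00:00 2024 as: nmap -sV -oG - 10.20.0.0/28
Host: 10.20.0.5 (siem01.corp.example)\tStatus: Up
Host: 10.20.0.5 (siem01.corp.example)\tPorts: 8000/open/tcp//http//Splunkd httpd/, 8089/open/tcp//ssl|http//Splunkd httpd/\tIgnored State: closed (998)
Host: 10.20.0.12 (oldav.corp.example)\tStatus: Up
Host: 10.20.0.12 (oldav.corp.example)\tPorts: 443/open/tcp//ssl|http//LegacyAV console 4.1/\tIgnored State: closed (999)
Host: 10.20.0.20 (velo01.corp.example)\tStatus: Up
Host: 10.20.0.20 (velo01.corp.example)\tPorts: 22/open/tcp//ssh//OpenSSH 9.2/, 8889/open/tcp//ssl|http///\tIgnored State: closed (998)
# Nmap done at Mon Jan  1 09:00:12 2024 -- 16 IP addresses (3 hosts up) scanned in 12.34 seconds
"""

# Constructed procurement / accounts-payable export (what is being paid for).
PROCUREMENT_CSV = """\
tool,vendor,annual_cost_usd,owner_team
Splunk Enterprise,Splunk Inc.,120000,SOC
LegacyAV,Example Vendor,18000,IR
Old Sandbox,Example Vendor,25000,IR
"""

# Assumed, hand-maintained mapping from a paid tool to how it shows up in
# scan service/version strings. This is the analyst's own lookup table,
# not output of any tool.
TOOL_SIGNATURES = {
    "Splunk Enterprise": re.compile(r"splunk", re.I),
    "LegacyAV": re.compile(r"legacyav", re.I),
    "Old Sandbox": re.compile(r"sandbox", re.I),
}

# Constructed result of work observation: tools analysts actually reached
# for during a shift. Velociraptor is free software, so it never appears in
# procurement records even though the team depends on it.
OBSERVED_IN_USE = {"Splunk Enterprise", "Velociraptor"}


def parse_nmap_grepable(text):
    """Return one record per open port found in nmap -oG output."""
    records = []
    for line in text.splitlines():
        if not line.startswith("Host: ") or "\tPorts: " not in line:
            continue  # comments and Status-only lines carry no port data
        fields = line.split("\t")
        host = re.match(r"Host: (\S+) \((.*?)\)", fields[0])
        ip, hostname = host.group(1), host.group(2)
        ports_field = next(f for f in fields if f.startswith("Ports: "))
        for entry in ports_field[len("Ports: "):].split(", "):
            port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
            if state != "open":
                continue
            records.append({"ip": ip, "hostname": hostname, "port": int(port),
                            "proto": proto, "service": service, "version": version})
    return records


def load_procurement(csv_text):
    """Read the procurement export; one row per paid tool."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile(services, procurement, observed_in_use, signatures):
    """Cross-check the three discovery sources and flag the gaps between them."""
    report = {
        "confirmed": [],            # paid for and found on the network
        "paid_not_seen": [],        # paid for, nothing on the network matched
        "paid_not_in_use": [],      # paid for, no analyst was observed using it
        "unmatched_services": [],   # found on the network, no procurement record
        "used_not_documented": [],  # in daily use, no procurement record
        "ir_owned": [],             # owner_team == IR (outright IR assets)
        "shared": [],               # owned by another team, used by IR
    }
    matched = set()
    for item in procurement:
        tool = item["tool"]
        pattern = signatures.get(tool)
        hits = [i for i, s in enumerate(services)
                if pattern and pattern.search(f"{s['service']} {s['version']}")]
        matched.update(hits)
        cost = int(item["annual_cost_usd"])
        entry = {"tool": tool, "annual_cost_usd": cost,
                 "hosts": sorted({services[i]["hostname"] or services[i]["ip"] for i in hits})}
        (report["confirmed"] if hits else report["paid_not_seen"]).append(entry)
        if tool not in observed_in_use:
            report["paid_not_in_use"].append(
                {"tool": tool, "annual_cost_usd": cost, "found_on_network": bool(hits)})
        (report["ir_owned"] if item["owner_team"] == "IR" else report["shared"]).append(tool)
    for i, s in enumerate(services):
        if i not in matched:
            label = f"{s['hostname'] or s['ip']}:{s['port']}/{s['proto']} {s['service']} {s['version']}"
            report["unmatched_services"].append(label.strip())
    documented = {item["tool"] for item in procurement}
    report["used_not_documented"] = sorted(observed_in_use - documented)
    # Budget figure for the "validate the need" step: spend on tools nobody was seen using.
    report["spend_on_unused_tools_usd"] = sum(e["annual_cost_usd"] for e in report["paid_not_in_use"])
    return report


def build_report():
    """Run the full reconciliation over the constructed inputs."""
    return reconcile(parse_nmap_grepable(NMAP_GREPABLE),
                     load_procurement(PROCUREMENT_CSV), OBSERVED_IN_USE, TOOL_SIGNATURES)


if __name__ == "__main__":
    for section, rows in build_report().items():
        print(f"== {section}")
        for row in (rows if isinstance(rows, list) else [rows]):
            print("  ", row)
```

Each output list maps to a question in the notes: paid_not_seen and paid_not_in_use feed the budgeting and training discussion, unmatched_services and used_not_documented are the undocumented dependencies to chase down, and ir_owned versus shared answers which assets are outright IR assets. Generic services such as ssh land in unmatched_services too; filter them as fits your environment rather than suppressing them blindly, since an unexpected ssh listener is itself worth a look.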
Incident Response Stage 1 – Preparation