Know your capabilities
One of the most important first steps is to know your capabilities and align expectations with management. Some tasks — forensics, malware reverse engineering — need special, expensive skills that many organisations choose to hire in.
Even without those capabilities, you can almost always perform a triage: an introductory investigation over a set window (e.g. 2–4 hours) before handing off to a third party. You can still answer a lot of questions in that time.
Prepare for the worst
- What is the worst that can happen to your business?
- Which systems hold log data? (cloud, network gear, computers, websites…)
- How do you collect that data? (Police will ask for data that can recreate the scenario.)
- Can you recover data — are backups in place and do they actually work?
- What tools do you want ready, and where are they kept?
Create an overview
- Define who does what when something goes wrong — war room, board with task owners.
- Who owns the incident, and who communicates what is happening?
- Distribute responsibility for data collection; in large companies appoint a data manager so data is stored and described correctly with timestamps.
- What data is compromised?
- Should the authorities (police) be contacted? If so, bring them on board early: in Denmark you can request an IT contact from NC3, which is present in every police district.
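The data-collection points above (who collected what, from where, when, and whether it has been altered since) can be enforced with a simple evidence register. The following is an added example, not from the original page or any named tool; the file name, host name and collector name are constructed placeholders.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large log exports do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def register_artifact(manifest, path, source_system, collector, note=""):
    """Append one collected artifact to the manifest with a UTC timestamp, its hash and its origin."""
    p = Path(path)
    entry = {
        "file": p.name,
        "sha256": sha256_file(p),
        "size": p.stat().st_size,
        "collected_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "source_system": source_system,  # which system the data came from
        "collector": collector,          # who is responsible for this piece of data
        "note": note,
    }
    manifest.append(entry)
    return entry


def verify_manifest(manifest, directory):
    """Re-hash every registered file; return the names whose content no longer matches."""
    changed = []
    for entry in manifest:
        p = Path(directory) / entry["file"]
        if not p.exists() or sha256_file(p) != entry["sha256"]:
            changed.append(entry["file"])
    return changed


def demo():
    """Constructed sample: register one log file, then detect a later modification."""
    with tempfile.TemporaryDirectory() as tmp:
        log = Path(tmp) / "auth.log"  # constructed sample, not a real log
        log.write_text("Jan 14 09:12:03 host sshd[411]: Accepted password for alice\n")
        manifest = []
        register_artifact(manifest, log, "fileserver-01", "j.hansen", "sshd log export")
        untouched = verify_manifest(manifest, tmp)  # [] while the copy is intact
        log.write_text("")                          # simulate an accidental overwrite
        tampered = verify_manifest(manifest, tmp)   # ["auth.log"]
        return untouched, tampered
```

Store the manifest alongside the collected data; a third party or the police can then confirm that what they receive is exactly what was collected, and when.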