Avoid These 3 Things In An Incident

1. Do Not Use The Word “Breach” Incorrectly

The word breach has lots of implications legally. Unless you have definitive confirmation of such an event, then you really don’t want to use this word casually internally and in discussions.

Of course as a responder, you always want to “assume breach”, but when the term is used so casually, especially when there has been no confirmation it can cause confusion, panic, and have legal ramifications.

Terminology is a big thing actually during an incident.

Here are some additional examples:

• Say “at this time” to help make your declarations a point in time statement, vs definitive

• Use “event” when triaging or investigating until you have an actual “incident”

2. Don’t Panic

If you had too much coffee that day, or are not experienced with incidents, then you might not want to be the lead responder in an incident. 😅

Having someone in the room that can be collected, think through a scenario, and calm the room down, is really essential.

Unfortunately, not every ship has a Deanna Troi or Captain Picard to assuage fears and panic. However, if you can find that person, have them there.

Hasty decisions in an incident may cost you later on.

3. Avoid Large Assumptions Without Data

When responding to an event and trying to determine an incident, you will have to go through several scenarios and suss each one out. Assume nothing, but everything, or a combination thereof, is on the table.

Go through as many possible scenarios and don’t have over or under confidence from a likelihood perspective.

To help you with this, I recommend reading incident write-ups to learn more about all the ways an attacker can get into a system.

If you liked this article, share with your peers!