How do you use external resources to respond to incidents?

1 Identify external resources

Prior to using external resources, it is essential to identify what kind of resources are available and applicable for your incident response needs. Sources could include public sources such as threat intelligence feeds, vulnerability databases, security blogs, forums, and newsletters that provide important information and knowledge on the latest threats, indicators of compromise, mitigation strategies, and best practices. Additionally, private sources such as security vendors, consultants, law enforcement, regulators, and industry peers can offer specialized services, tools, guidance, and support for particular incident response scenarios. Lastly, internal sources such as your own security team, IT staff, legal counsel, public relations and management can supply valuable expertise, resources and authority for your incident response efforts. It is wise to have a list of potential external resources that you can contact or access in case of an incident and to set up clear roles, responsibilities and communication channels with them.

2 Evaluate external resources

Once you have identified external resources, you need to evaluate their quality, reliability, and suitability for your incident response goals. Not all external resources are equal, as some may pose additional risks or challenges. When evaluating external resources, consider their credibility, relevance, compatibility, and cost. Assess the pros and cons of each resource and prioritize the ones that offer the most value and benefit for your incident response objectives. Credibility looks at the source of the external resource and how they verify and validate their information or service. Relevance checks how applicable, timely, and accurate the information or service is. Compatibility examines how easy, secure, and compliant it is to integrate the external resource with your existing incident response tools. Lastly, cost considers how much it costs to use the external resource directly or indirectly.

3 Apply external resources

After you have evaluated external resources, you need to apply them effectively and efficiently to support your incident response activities. Depending on the phase and task of the incident response lifecycle, you can use external resources to prepare, detect, contain, analyze, eradicate, recover, and learn. For example, you can subscribe to threat intelligence feeds to enhance readiness, use external scanning or testing tools to identify vulnerabilities or breaches for detection, request assistance from law enforcement or regulators for containment, collaborate with external researchers or analysts for analysis, use external tools or services to remove malware or backdoors for eradication, use external tools or services to test or verify restoration for recovery, and use external tools or services to conduct post-incident reviews or audits for learning. You should use external resources strategically and selectively based on your incident response needs and priorities and coordinate and document their usage and results.

4 Here’s what else to consider

This is a space to share examples, stories, or insights that don’t fit into any of the previous sections. What else would you like to add?