CHAPTER 13

Continuous Improvement

Most international management standards stress the importance of continuous improvement. This involves constantly examining your operation for opportunities to enhance your efficiency and effectiveness. As we mentioned in Chapter 2, “Incident Readiness,” incident response is not a stand‐alone process but an integral part of a cycle of prevention, detection, and response. The desired output from incident handling should not simply be mitigating a specific incident, but also providing valuable information to network defenders to improve preventive and detective controls. This chapter will explore ways to ensure that your incident response process feeds back into your overall network defense.

Document, Document, Document

One of your most important jobs as an incident handler is to accurately document your actions. Throughout your career, you may work hundreds of incidents or more. Recalling specific technical details from each of these, particularly when asked to do so months after the incident has concluded, is impossible without detailed notes made at the time of the incident. As an incident is unfolding, you do not know in advance if it will resolve quickly or evolve into a massive, public data breach, placing you in the center of legal proceedings. You must therefore take accurate notes for every incident, including dates and times for your actions, to ensure that you are ready to respond correctly to any questions that may arise.
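The paragraph above asks for contemporaneous notes with dates and times that will still hold up if an incident ends in legal proceedings. As an added example (not code from the book), the Python below keeps such a journal: every entry carries a UTC timestamp, the handler and the action, and entries are hash-chained so that a later edit or deletion of any earlier note is detectable. The incident identifier, handler names, hostnames and timestamps are constructed for the illustration.

```python
"""Added example: a minimal contemporaneous, tamper-evident incident journal.

Not code from Applied Incident Response. Each note records who did what and
when (UTC), and each note's hash covers the previous note's hash, so the
verify() check fails if an entry is altered, removed or reordered afterwards.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional, Tuple

# Hypothetical incident identifier used only for this example.
INCIDENT_ID = "IR-EXAMPLE-0001"
GENESIS_HASH = "0" * 64  # prev_hash of the first entry


def entry_hash(entry: dict) -> str:
    """SHA-256 over the canonical JSON form of an entry (sorted keys, no spaces)."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def add_entry(journal: list, handler: str, action: str,
              timestamp: Optional[datetime] = None) -> dict:
    """Append a note. Timestamps are stored as UTC ISO-8601; prev_hash links the chain."""
    ts = (timestamp or datetime.now(timezone.utc)).astimezone(timezone.utc)
    entry = {
        "incident": INCIDENT_ID,
        "seq": len(journal),
        "timestamp": ts.isoformat(timespec="seconds"),
        "handler": handler,
        "action": action,
        "prev_hash": journal[-1]["hash"] if journal else GENESIS_HASH,
    }
    # The hash is computed before the "hash" key exists, so it covers every other field.
    entry["hash"] = entry_hash(entry)
    journal.append(entry)
    return entry


def verify(journal: list) -> Tuple[bool, int]:
    """Recompute every hash and link.

    Returns (True, -1) if the chain is intact, else (False, index of the first
    entry that fails: wrong sequence number, broken link or altered content).
    """
    prev = GENESIS_HASH
    for i, entry in enumerate(journal):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if (entry["seq"] != i
                or entry["prev_hash"] != prev
                or entry_hash(body) != entry["hash"]):
            return False, i
        prev = entry["hash"]
    return True, -1


def demo_journal() -> list:
    """Build a small journal from constructed (fictional) actions and timestamps."""
    journal: list = []
    t0 = datetime(2024, 3, 5, 14, 2, 11, tzinfo=timezone.utc)
    add_entry(journal, "handler-a",
              "Received SOC alert for host WS-17 (constructed example)", t0)
    add_entry(journal, "handler-a",
              "Collected volatile memory from WS-17 (constructed example)",
              t0.replace(minute=20))
    add_entry(journal, "handler-b",
              "Isolated WS-17 from the network (constructed example)",
              t0.replace(minute=35))
    return journal


if __name__ == "__main__":
    j = demo_journal()
    print(json.dumps(j, indent=2))
    print("chain intact:", verify(j))
    j[1]["action"] = "edited after the fact"  # simulate a later, undocumented change
    print("after tampering:", verify(j))
```

In practice the journal would be appended to a file or ticketing system rather than kept in memory, and the hash of the latest entry can be recorded somewhere the handler cannot silently change (for example, sent to a second system or co-signed by a colleague) so the chain anchors to an independent record.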

Each incident ...
