When the team comes across something it doesn't know, that is an excellent opportunity to assign a task: one person researches the gap while everyone else follows the plan without getting ahead of themselves.
To get the most out of tabletop exercises, throw some bombs into the simulation so the team finds out what it doesn't know. That awareness of the unknown will inevitably unearth questions that demand answers.
"What are you allowed to do? We have to ask those questions," said Sheedy. "What are we going to do? How do you tell? What kind of system do you use? Can we shut down completely? Isolate? Route away? Disable certain transactions? What latitude do we have to make those calls?"
To start, choose one application and monitor its transactions. Establish what its normal patterns look like so that deviations stand out, then move forward one application at a time. "Know your top applications, create run books, run simulations, then build your IR plan," said Sheedy.
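The baselining step described above, as an added example that is not from the article or from the people it quotes: a small script that learns the normal per-minute transaction mix of one application from a set of log lines, then flags a later window whose counts deviate or that contains a transaction type never seen before. The log format, the field names (`app=`, `txn=`, `status=`), the minute-sized window and the mean-plus-three-standard-deviations threshold are all this example's own assumptions; the log lines are constructed.

```python
"""Baseline one application's transaction mix and flag deviations.

Added example, not code from the article or its sources. It assumes a
line-oriented log of the constructed form below; field names, window
size and the k-sigma threshold are this example's own choices.
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample lines for a single application ("payments"):
# ISO-8601 timestamp, app name, transaction type, HTTP-style outcome.
BASELINE_LOG = """\
2024-05-01T10:00:03Z app=payments txn=checkout status=200
2024-05-01T10:00:21Z app=payments txn=checkout status=200
2024-05-01T10:00:40Z app=payments txn=refund status=200
2024-05-01T10:00:55Z app=payments txn=checkout status=200
2024-05-01T10:01:02Z app=payments txn=checkout status=200
2024-05-01T10:01:15Z app=payments txn=checkout status=200
2024-05-01T10:01:33Z app=payments txn=refund status=200
2024-05-01T10:01:50Z app=payments txn=refund status=200
2024-05-01T10:02:10Z app=payments txn=checkout status=200
2024-05-01T10:02:33Z app=payments txn=checkout status=500
2024-05-01T10:02:48Z app=payments txn=refund status=200
"""

# Constructed lines from a later window: a burst of refunds plus a
# transaction type that never appeared while the baseline was built.
LIVE_LOG = """\
2024-05-01T14:00:01Z app=payments txn=checkout status=200
2024-05-01T14:00:05Z app=payments txn=refund status=200
2024-05-01T14:00:09Z app=payments txn=refund status=200
2024-05-01T14:00:14Z app=payments txn=refund status=200
2024-05-01T14:00:20Z app=payments txn=refund status=200
2024-05-01T14:00:26Z app=payments txn=refund status=200
2024-05-01T14:00:41Z app=payments txn=export_customers status=200
"""


def parse_line(line):
    """Return (window_start, txn_type) for one log line, or None if malformed.

    The window is the one-minute bucket the timestamp falls into."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    ts = ts.replace(tzinfo=timezone.utc)
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if "txn" not in fields:
        return None
    return ts.replace(second=0, microsecond=0), fields["txn"]


def count_per_window(log_text):
    """Map each minute window to a Counter of transaction types seen in it."""
    windows = defaultdict(Counter)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            window, txn = parsed
            windows[window][txn] += 1
    return windows


def build_baseline(log_text):
    """Per transaction type: (mean, population stddev) of its per-minute count.

    Windows where a type did not occur count as zero, so a rarely used type
    gets a low mean instead of being dropped from the baseline."""
    windows = count_per_window(log_text)
    types = {t for c in windows.values() for t in c}
    baseline = {}
    for t in types:
        counts = [c[t] for c in windows.values()]
        baseline[t] = (mean(counts), pstdev(counts))
    return baseline


def detect_anomalies(baseline, log_text, k=3.0, min_delta=1):
    """Return a list of (window, txn_type, count, reason), ordered by window.

    A count is flagged when it exceeds mean + k*stddev by at least min_delta
    (min_delta stops a zero-variance baseline from flagging every +1).  Any
    type absent from the baseline is flagged as unknown: the "thing the team
    has not seen before" that the text says should trigger a research task."""
    findings = []
    for window, counts in sorted(count_per_window(log_text).items()):
        for txn, n in counts.items():
            if txn not in baseline:
                findings.append((window, txn, n, "unknown transaction type"))
                continue
            mu, sigma = baseline[txn]
            threshold = mu + k * sigma
            if n - threshold >= min_delta:
                findings.append((window, txn, n,
                                 f"count {n} above baseline {threshold:.2f}"))
    return findings


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOG)
    for finding in detect_anomalies(base, LIVE_LOG):
        print(*finding)
```

Run against the constructed data, the baseline itself produces no findings, while the live window is flagged twice: the refund burst (5 in one minute against a baseline of about 1.3) and the unknown `export_customers` transaction. In practice the baseline would be rebuilt from days of traffic, not three minutes, and the threshold tuned per transaction type; the structure (learn the normal mix for one application, then compare) is the point.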
As part of the plan, be clear about who owns each task. "It's what I call feeding the cat. You assign one person to feed the cat. Otherwise, if everybody feeds the cat, the cat will die," said Redmon.
Be prepared to communicate: select points of contact, know when to engage legal and/or law enforcement, and share threat intelligence, because proper planning prevents poor performance. Know that the work is never really done; keep practicing, and keep the policies alive, because they will inevitably need to change.