Course:
ICE CONSULTING PRODUCTS & SERVICES
Question:
Incident Response Workflow
Author: James Williams
Answer:
1. Identify Friend or Foe (IFF)
2. Use WHOIS, and DNS to identify the source
3. Create a network object to auto-identify the CIDR (registered public IP) block for the source in the future
4. Add the system to an elevated risk watch list (Risk Booster for future events)
5. Move from Production VLAN to Patch Only/Guest VLAN (Switch Port)
6. Update anti-virus
7. Update OS
8. Run a full AV scan
   - If clean, run a vulnerability scan to check patches were successful
   - If success, return to production VLAN
   - If failed AV or Patch check
     - Notify IT team to reimage system, or
     - Perform a full reimage of system and repeat a-d
9. Add the system to an elevated risk watch list (Risk Booster for future events)