Incident Response Tips
Aug 30, 2024 12:34 pm
As we've dealt with several attacks recently, I thought it would be helpful to share some incident response tips that came to mind.
- Have an incident response plan, but remember that when an attack happens, you aren't going to stop everything to pull out the plan. The key is to hit the big items and follow up after the fire has been put out to make sure you got everything.
- As you work on the incident, always keep artifacts and evidence along the way. We put them in a shared folder that we continuously update throughout the incident. If you wait until the incident is done, you will miss something.
- Try to document the timeline and update it continuously. You will likely need to reference it repeatedly as you share what happened with others.
- Stay calm and breathe. I actually checked my heart rate a few times to see how I was doing. Fortunately or unfortunately, I've been through many incidents, so I usually stay pretty calm, but it's easy to get overwhelmed when everything is on fire. It's normal. Take a minute to do some deep breaths, then jump back in.
- Detach, take a step back, and observe where things stand and what is going on. When you are heads down and in the fray, it's possible you will miss something. When you detach and look at the bigger picture, you'd be surprised what you see.
I have many others, but these are the ones that come to mind right now.
I hope you won't need this advice soon, but you will at some point. That's what we are here for. Incidents are going to happen. Like Agent Smith tells Neo in The Matrix, "You hear that, Mr. Anderson? That is the sound of inevitability."
-John