Cyber Doomsday Prepping

Brandon (Incident Response Consultant) · 24:02 · 2024

career · incident-response

Brandon, an incident response consultant, delivers a fast-paced walkthrough of IR planning modeled after doomsday prepping. He covers IR plan structure, legal terminology pitfalls, cyber insurance strategy, and response capabilities documentation, grounded in real consulting war stories.

Cyber Doomsday Prepping: Building Your Incident Response Plan

Brandon, an incident response consultant, takes the Doomsday Preppers TV show concept and maps it onto cybersecurity incident preparedness. Originally an hour-long talk compressed to 24 minutes, the pace is relentless but the content is dense with actionable advice from someone who has walked into active incident scenes.

The Language Matters

The talk opens with a critical lesson many overlook: terminology has legal consequences. Using the word "incident" can trigger regulatory obligations and auditor involvement. Using "breach" in any written communication can create legal liability during discovery. Brandon's advice is blunt: an incident is whatever your lawyer tells you it is, and the old CIA-triad definition gets renamed to "adverse security event" in practice. This alone is worth the watch for anyone who has not dealt with legal counsel during a security event.

Your IR Plan Is Not One Document

Brandon's core structural insight is that an incident response plan should be a library of small documents, not one 80-page monolith. Nobody reads the monolith. His breakdown includes a severity classification guide, communication plans, resources and points of contact, roles and responsibilities (RACI), response capabilities documentation, evidence handling procedures, and disaster recovery components. Each should be a digestible 3-page document that someone can review during a bathroom break.

Response Capabilities: The Hidden Gem

The most original contribution is the response capabilities document. Brandon tells a story about arriving at an incident, asking a client to block a malicious IP at their firewall, only to discover they had no firewall at all. A contractor had unplugged it because an application had issues. The response capabilities document maps each indicator type (IP addresses, domains, MAC addresses) to every available blocking method: edge firewall, switch ACLs, host-based firewalls, EDR tools. This way, when one method fails, you have fallbacks documented.

Cyber Insurance Real Talk

Brandon is blunt about cyber insurance: IR retainers are dead, and you are getting ripped off if you pay for one. Instead, get a zero-cost retainer through your cyber insurance provider's preferred-vendor list. All IR work should flow through a breach lawyer (paid by the insurer) so that the work stays under legal privilege. The Verizon data breach case showed that work done under a direct retainer is discoverable in litigation.

Handling Doomsday Events

The final section covers major incidents: do not panic, do not blame people (he saw an entire IT team quit during an incident after being blamed), set realistic 8-hour shift schedules because incidents are marathons, and always keep your IR plan as a physical copy since ransomware might encrypt your network share.

Who Should Watch

Anyone responsible for incident response planning, especially at small to mid-size organizations without dedicated IR teams. The legal terminology section is essential for anyone who communicates about security events in writing.