As a former US infantryman, there are acronyms that we have learned to make things easier in times of high stress and conflict. S.A.L.T. is one such acronym which is used in battle and can be just as useful during a cybersecurity incident response (IR) scenario. During an incident response event, things can be very stressful, especially for teams that have not completed a frequent tabletop exercise to test their plan. This is where focusing on S.A.L.T. (which stands for Size, Activity, Location, and Time) can provide tremendous value to cut through the stress and uncertainty that is present during an IR event.
Let’s look at how S.A.L.T. corresponds to IR, and how lessons learned as an infantryman apply to cybersecurity.
Size
When in combat it is always good to know the size of your opposition. This can help to identify how many resources you need to dedicate.
In the case of an IR event, questions that should be asked include: Looking at the environment, how bad is it? How many devices are affected? What seems to be the most affected devices, end points, servers, phone systems, Wi-Fi, Cloud? How many people do I need to put on this IR event?
Activity
Next, it should be established what the threat is doing.
What is being observed? Can the type of attack be determined, ransomware, malware, phishing? Are there log files that are associated with this type of attack that can be gathered? Should we be reaching out to our Cybersecurity Insurance? Do we need to engage a third-party Incident Response firm?
Location
In a combat situation, grid coordinates are given to the location.
Can the internal point of compromise be found? Is the IR event only on one network? Is it localized to only email? Do we have any specific legal requirements due to the location of the event?
Time
Finally, time, in combat just like an IR event building a timeline is critical.
With an IR event, knowing when abnormal behavior was first seen can help the team pull vital information. What time zone is our information recorded in? When was the abnormal behavior seen? When was it reported? When were the first actions taken?
Digital Silence is a World Class Boutique Cybersecurity Firm, with specializations in Incident Response. If you have questions about your current plan, or need help due to an incident please contact us.
