EMS and IR Professionals Have a Lot More in Common Than Just a Bunch of Acronyms

EMS and IR professionals are the “first responders” to incidents that people never want to happen. Whether the incident is a ransomware infection at your local hospital; or a respiratory infection caused by a virus that spreads through the air; the people on the front lines of responding to both of those incidents share many similarities in their work. Moreover, even NIST uses an ambulance to symbolize the Containment and Recovery step in the “Computer Security Incident Handling Guide” (NIST SP 800-61 Section 3), which inspired this talk.

We as cyber incident responders can learn a lot from the IR professionals who must interact with the most unpredictable systems in the world: human beings.

In this presentation, we will examine how these EMS professionals execute this type of high-stress, high-stakes work on a daily basis, including hearing real-world examples from professionals on the ambulance. We will gain insight into triage techniques including the START (simple triage and rapid treatment) triage system, the most common triage system in the United States, as well as learning tips on gathering evidence while under pressure to aid in incident response.

The Blue Teamers who attend this presentation will learn traditional incident management practices, triage strategies, “soft skills” and communication tips that can complement their security program’s incident response procedures.