“Immediately after an incident, especially a major one, there seems to be about 36 hours of chaos. A period of time in which there is a lot of running around, trying to figure out what to do and where to start to answer those questions above. But, if you’ve previously threat modeled the compromised system, it should short circuit a lot of the running around. It eliminates the “where do I start?” because the questions have already been answered.
Without threat modeling, you are forced into a more generalized response. But having done threat modeling, you can zero in on important things faster. Since you’ve already modeled how your applications work, you know things like attack surfaces, exploitability and impact.”
Those of you who’ve been unlucky enough to have to respond to an incident, does this match your experience?