IncidentResponsev2

Interview Network Owner Task

Purpose

Identify available tools, sensors, and network monitoring capabilities through structured discussion with the mission owner. Use this information to understand the environment and propose additional capabilities as needed.

Standards

An IR Team deploys to an existing network that may or may not have adequate sensors to complete the mission.
It is important to discuss existing sensors, network monitoring and cyber defense tools (firewalls, SIEM, malware detection, discovery/mapping tools) with the mission owner.
Based on this interview, determine what tools are already in place and discuss additional needs.

Procedural Steps (Checklist)

Prepare for the Interview

• Assign team member to lead the interview.
• Gather existing network documentation if available.
• Prepare interview packet (see references).

Example interview preparation resources:

• Mission Owner Interview Packet (Questionnaire)

Conduct the Interview

• Schedule and conduct meeting with mission owner.
• Use prepared questions to guide the discussion:
  • What tools are currently used for network monitoring and detection?
  • Are there gaps or coverage issues (unmonitored zones)?
  • Are logs centralized or dispersed?
  • Is there endpoint visibility (EDR or AV)?
  • What is the process to request additional tools or capabilities?

Capture Findings and Determine Additional Needs

• Document current tools and coverage.
• Identify any gaps or blind spots.
• Propose additional sensors or tools if needed.
• Coordinate approval with network owner.

Record and Distribute Findings

• Summarize findings and recommendations.
• Share with IR team for integration into response planning.

Tools and Resources

Purpose	Tools
Interview documentation	Incident Response Victim Questionnaire
Communication	MS Teams, Email

References

• Incident Response Owner Interview Packet

Revision History

Date	Version	Description	Author
2025-05-02	1.1	Expanded procedural checklist	Leo