Use of double-loop learning to combat advanced persistent threat: Multiple case studies

Posted on: 2014-10-04
Degree: Ph.D
Type: Dissertation
University: Capella University
Candidate: Lamb, Christopher J
Full Text: PDF
GTID: 1458390005486768
Subject: Information Technology
Abstract/Summary:
The Advanced Persistent Threat (APT) presents an ever-present and growing threat to organizations across the globe. Traditional Information Technology (IT) incident response falls short in effectively addressing this threat. This researcher investigated the use of single-loop and double-loop learning in two organizations with internal incident response processes designed to combat the APT. Two cases were examined within organizations employing an internal incident response team. The third case was examined from an organization providing incident response as a service in addressing APT compromises. The study developed four themes: the inefficacy of single-loop learning in addressing APT, the need for better visibility within corporate infrastructure, the need for continuous improvement and bi-directional knowledge flow, and the need for effective knowledge management. Based on these themes, a conceptual model was developed modifying the traditional incident response process. Three implications were derived from the research. First, perimeter defense falls short when addressing the APT. Second, the preparation phase of incident response requires modification along with the addition of a new baseline loop phase running contiguously with the entire process. Finally, opportunistic learning needs to be encouraged in addressing the APT.
Keywords/Search Tags: APT, Threat, Incident response, Addressing