Post-Incident Activities
Forensic Process

  • incident investigation requires analysis techniques designed to reveal the details of what happened
  • forensic techniques look closely at the inner workings of devices, operating systems, and applications to reveal a detailed sequence of events

Lessons Learned

Lessons learned activities review security incidents to determine their cause, whether they were avoidable, and how to avoid them in the future.

  • starts with a meeting where staff review the incident and the responses to it
  • must include the staff directly involved along with the incident handlers
  • staff must contribute freely and openly to the discussion
    • avoid pointing blame
    • focus on improving procedures
  • leadership should manage disciplinary concerns related to staff failing to follow established procedures
    • handle these separately from the lessons learned discussion
  • should invoke root cause analysis
  • answers crucial questions:
    • Who was the adversary? Was the incident insider driven, external, or a combination of both?
    • Why was the incident perpetrated? Discuss the motives of the adversary and the data assets they might have targeted.
    • When did the incident occur, when was it detected, and how long did it take to contain and eradicate?
    • Where did the incident occur (host systems and network segments affected)?
    • How did the incident occur? What tactics, techniques, and procedures (TTPs) were employed by the adversary? Were the TTPs known and documented in a knowledge base such as ATT&CK, or were they unique?
    • What security controls would have provided better mitigation or improved the response?
  • may need to step through the incident timeline to understand:
    • what was known at each point
    • the reasoning for each decision
    • what options or controls might have been more beneficial to the response
  • compile a lessons learned report (LLR)
    • aka after action report (AAR)
    • an analysis of events that can provide insight into how to improve response and support processes in the future
    • should form the basis for incident summary reporting and recommendations
    • when writing an LLR, answer the following questions:
      • What were the actions taken?
      • Is this the best solution? In other words, is the solution a stopgap measure or something that could be reproduced consistently?
      • Are there more capable solutions available?
      • How did the teams react to the issue? Could it have been solved more quickly or efficiently?
      • If the same incident occurred again, how would the response differ?
      • Do the answers to these questions require changes in the security policy or an update to the incident response plan? Is a change control process in place that will enable the organization to implement these corrective actions?

Incident Response Plan Update

  • update the IRP to include the changes identified in the LLR
  • updates to the IRP require updated training and testing programs