From the course: CompTIA Security+ (SY0-701) Cert Prep

Post-incident activities

From the course: CompTIA Security+ (SY0-701) Cert Prep

Start my 1-month free trial

Post-incident activities

- [Instructor] Once the incident response team returns the organization to a normal operating state, all too often, the response effort ends without completing an important final stage, the post-incident activities. Let's talk about four important post-incident activities: the lessons learned process, evidence retention, the generation of indicators of compromise, and root cause analysis. The lessons learned process is designed to provide everyone involved in the incident response effort an opportunity to reflect on their individual role in the incident and the team's response overall. It's an opportunity to improve the processes and technologies used in incident response to better respond to future security crises. The most common way to conduct lessons learned is to gather everyone in the same room or connect them by video conference or telephone and ask a trained facilitator to lead a lessons learned session. Ideally, this facilitator should have played no role in the actual incident response, leaving them with no preconceived notions about the effort. The facilitator should be a neutral party who simply helps to guide the conversation. Time is of the essence with the lessons learned session because as time passes, details quickly become fuzzy and memories are lost. The more quickly you conduct a lessons learned session, the more likely it is that you'll receive valuable feedback that can help guide future responses. NIST offers a series of questions to use in the lessons learned process. They include exactly what happened and at what times? How well did staff and management perform in dealing with the incident? Were documented procedures followed? Were those procedures adequate? What information was needed sooner? Were any steps or actions taken that might have inhibited the recovery? What would the staff and management do differently the next time a similar incident occurs? How could information sharing with other organizations have been improved? What corrective actions can prevent similar incidents in the future? What precursors or indicators should be watched for in the future to detect similar incidents? And what additional tools or resources are needed to detect, analyze, and mitigate future incidents? The responses to these questions, if given honestly, will provide valuable insight into the state of the organization's incident response program that can help provide a roadmap for future improvements designed to bolster security. The facilitator should work with the team leader to document the lessons learned in a report that includes suggested process improvement actions. As you make the improvements identified during your lessons learned process, remember to follow your organization's change management process and update your incident response plan as needed. You'll want to make sure that all of your changes are appropriately tested, approved, and documented. In addition to your lessons learned report, you should also prepare an incident summary report. This is a more technical document that details the circumstances surrounding the breach and all of the steps taken by responders during the incident response process. This summary report creates valuable institutional knowledge that may be used during future incidents and for training purposes. The summary report should include the results of a root cause analysis that gets to the underlying technical and procedural issues that contributed to the incident. Understanding the root cause of an incident helps the organization avoid making similar mistakes in the future. If you collected digital evidence during the incident, you should make a decision about evidence retention. You should consult your organization's data retention policy and also determine whether there is any legal action pending before deciding to discard evidence. If you will retain evidence after the incident, be sure to do so in a secure manner with a well-documented chain of custody. Look back at the technical details of every incident and try to identify any new indicators of compromise that might have helped you detect the incident more quickly. If you do find new indicators, be sure to add them to your organization's security monitoring program to better detect future incidents.

Contents