The last few articles in this blog series have focused on making sure that organizations have strategies to get ahead of an incident and that their responses are effective, all of which belong to the “preparation” phase of the information security lifecycle.
For this article, however, let’s jump forward to the day after a successful breach has been resolved and start our preparation as part of the “lessons learned” phase, hopefully saving you from having to go through this process yourself.
Day One – Staff Fatigue: After some very extended days, the incident/breach has now been resolved and, where a DFIR team has been on-site assisting, they have now departed. Your IT team and the wider security organization are going to be exhausted and dejected (after all, the attacker got into the company’s networks in the first place). Now is the time to ensure the team gets some rest and comes back to work energized and determined that this does not happen again.
Therefore, it is recommended that you stand down a percentage of staff (where possible) with ‘time off in lieu’ (TOIL) appropriate to the extra work they have provided in the emergency response. Not only will this re-energize them, but it will also improve their morale.
Days One-Five – Incident Interviews: Improvements to an organization’s response capability can only come from evidence showing where things went wrong and which mitigations/strategies worked. Therefore, it’s critical that someone from the business sits down with each member of the team who responded to the threat (including service desk, IT Ops, legal, media and any other team involved) and maps out what happened during the incident (the incident timeline).
The wider picture has to be assessed, which is why the wider team should be interviewed: were legal effective with client communication and press releases, was senior management receiving the correct information to act on, and so on. This information allows the business to build a consistent view of the security incident from multiple sources (thus validating the responses).
The information gained will allow the business to identify gaps in capabilities (people, processes and technologies) but also to work out where the team worked well (and to recognize and reward that). This is the first step of a traditional ‘lessons learned’ meeting, but it is rarely carried out!
Days One-Five – Build a Timeline: An incident timeline should already be in place from the overall investigation, containment and remediation activities. However, a lot more information will come to the surface from the interviews.
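The timeline-building step above turns into a concrete task: logs are usually recorded in UTC, while interview recollections are given in local time and are often approximate, so the two have to be normalised before they can be compared. The following is an added example (not code from the original post) that merges entries from a log source and two interview sources into a single UTC-ordered timeline and then cross-checks any event reported by more than one source, flagging agreement or a time conflict worth re-examining. The sample entries, the `timestamp|tag|description` line format and the UTC+1 offset for the interviewees are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed sample inputs: one line per event, "timestamp|tag|description".
# The log-derived source is in UTC; interview notes are in the interviewee's
# local time (assumed UTC+1 here), so they must be normalised before merging.
SIEM_LOG = """2024-03-04 02:17|phish_click|User opened attachment
2024-03-04 02:31|c2_beacon|Outbound connection to unknown host
2024-03-04 09:05|isolation|Workstation isolated by EDR"""

SERVICE_DESK_INTERVIEW = """2024-03-04 10:30|isolation|I pulled the network cable on the workstation
2024-03-04 11:00|escalation|Raised ticket to the security team"""

SECURITY_TEAM_INTERVIEW = """2024-03-04 12:10|escalation|Ticket received from service desk
2024-03-04 14:00|containment|Blocked the C2 domain at the proxy"""


@dataclass(frozen=True)
class TimelineEntry:
    when: datetime      # always normalised to UTC
    source: str         # who reported it (log system or interviewee)
    tag: str            # short event label used to match reports across sources
    description: str


def parse_source(text: str, source: str, utc_offset_hours: int = 0) -> List[TimelineEntry]:
    """Parse one source's notes, converting its local timestamps to UTC."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    entries = []
    for line in text.strip().splitlines():
        ts, tag, desc = (part.strip() for part in line.split("|", 2))
        local = datetime.strptime(ts, "%Y-%m-%d %H:%M").replace(tzinfo=tz)
        entries.append(TimelineEntry(local.astimezone(timezone.utc), source, tag, desc))
    return entries


def build_timeline(sources: Dict[str, Tuple[str, int]]) -> List[TimelineEntry]:
    """sources maps a source name to (raw text, UTC offset); returns a UTC-sorted timeline."""
    merged: List[TimelineEntry] = []
    for name, (text, offset) in sources.items():
        merged.extend(parse_source(text, name, offset))
    return sorted(merged, key=lambda e: (e.when, e.source))


def cross_check(timeline: List[TimelineEntry], tolerance: timedelta = timedelta(minutes=30)) -> Dict[str, str]:
    """For each event tag, say whether independent sources agree on when it happened.

    A tag seen by only one source cannot be validated; a tag seen by several
    sources is 'corroborated' when all reported times fall within the tolerance,
    otherwise it is a 'conflict' that should be checked against hard evidence
    (ticketing system, EDR console, proxy logs) before going into the report.
    """
    by_tag: Dict[str, List[TimelineEntry]] = {}
    for entry in timeline:
        by_tag.setdefault(entry.tag, []).append(entry)
    report = {}
    for tag, entries in by_tag.items():
        if len({e.source for e in entries}) < 2:
            report[tag] = "single-source"
            continue
        spread = max(e.when for e in entries) - min(e.when for e in entries)
        if spread <= tolerance:
            report[tag] = "corroborated"
        else:
            report[tag] = f"conflict ({int(spread.total_seconds() // 60)} min apart)"
    return report


if __name__ == "__main__":
    sources = {
        "siem": (SIEM_LOG, 0),
        "service_desk": (SERVICE_DESK_INTERVIEW, 1),
        "security_team": (SECURITY_TEAM_INTERVIEW, 1),
    }
    timeline = build_timeline(sources)
    for e in timeline:
        print(f"{e.when:%Y-%m-%d %H:%M}Z  {e.source:<14} {e.tag:<12} {e.description}")
    for tag, verdict in cross_check(timeline).items():
        print(f"{tag:<12} {verdict}")
```

In the sample data the EDR log and the service desk interviewee agree on the isolation time once the time zone is accounted for, while the two interviewees disagree by over an hour on when the escalation happened; that conflict is exactly the kind of detail the interviews are meant to surface, and it should be settled from the ticketing system rather than from memory.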
Week Two – Lessons Learned: The most important thing to keep in mind for these meetings is THIS IS NOT TO ASSIGN BLAME! The meetings are to identify how to make the organization secure and more resilient to future attacks. Now that all of the interviews and information have been collected, a cross-functional team should sit down together to run through the incident and work out what happened and how.
Areas to focus on should be: incident cause, defense in depth (where were there gaps in capability?), initial response activities, response from external teams, containment success/failure, remediation steps and senior management engagement/support.
Weeks Two-Three – Gaps Identification: The output from the lessons learned sessions will identify where the organization has gaps in its incident response planning and response capabilities. This information is key to getting senior management’s buy-in to improve the situation for the future.
Without formulating an improvement plan based on these gaps nothing will improve, and the organization is doomed to suffer a future cybersecurity incident/breach. An action plan should be formulated to close the gaps identified, whilst making the recommendations from the incident response team a priority.
Weeks One-Six – Cost to the Business: This is not necessarily something which the security team is going to be a part of, but the organization/business as a whole has to look into all of the costs (including regulatory fines, which may take much longer to be forthcoming). Some of this is very hard to quantify, such as reputational damage from media coverage and intellectual property theft; however, conducting an assessment of the costs associated with the incident/breach will also aid any discussion over future security programs.
A review of the existing training provided to ensure that appropriately skilled staff are able to protect the organization should also be carried out, as a lack of funding for staff training may have contributed to the incident or delayed the response.
Day One onwards: Go back to the start of the security incident lifecycle (preparation, identification, containment, eradication, recovery, and lessons learned). Start preparations for the next incident. Make sure every lesson learnt from the incident improves the security of the organization and the staff responding to the threats in the future.
This is a guide to assist with your planning for after an incident; however, organizations should be proactive in their security, build out an incident response plan and test their security controls, with the ultimate aim of never having to utilize any of the information above!