post incident review checklist

3 0 obj Vendors offer a way to efficiently compress and archive data, but no easy way to access and correlate it.Cloud-delivered platforms are a step in the right direction, but the cost of data shifts to the vendors, who have little incentive to store and pay for all that data.When a customer suspects a breach and deploys an incident response team, their first task is to obtain all data available about the incident. <>/XObject<>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 612 792] /Contents 4 0 R/Group<>/Tabs/S/StructParents 0>>

Be practical, clear, and detailed.If there are issues that cannot be addressed immediately, try to find a workaround. Further, they should identify all IOCs and TTPs associated with the attack, as well as internal issues that may have been manipulated by the threat actor to gain entry.A good post-incident review results in a list of practical actions that address each of the issues that allowed the threat actor to succeed. x��ko�8�{����^4�(���(�Iz�a��u��{���(���8�#E���_"%Q�l-�qei8Λ3����bI�GY��"�r����*O^��C�x�*z�9z���Nj�Qrv������7���ɫ7�IDH���������iL�L�q'���?�~��I4�Ot���WW0�����꣜��Y�ffZJE��~�IM�~��iDX��nQ �����>�Ȣ�}�����OO����)�\}:��|��×��\�����s�r��� \�+�h*x�@tCR ._���qVD"M�l �������8{�����MV���M9�&�[�����J�8��I��BxL�`B>��3`��Oз"�ű�i�=L�h������Hh\�H! It is one step in the incident response process that requires a cross-functional effort from all individuals and technologies connected to the incident to truly understand the root cause and full scope of the attack.Use a post-incident review to assess all the processes and people that were impacted by the attack so that it By completing a post-incident review, security teams are able to uncover network vulnerabilities and weaknesses that have been compromised by a threat actor. For example, if a certain server cannot be patched, make sure the detection system covers it and that its connections are limited and secured.Assign each task to the appropriate stakeholder: the one that can accomplish the task in full.

How far back can you find the attacker in your system?Did your team have the visibility it needed to resolve the incident completely?

%PDF-1.5

Think of good wish list items that you want your team to have to succeed.Consider if management was well-prepared for an incident. Fire and Emergency Services Company Officer Assignment Sheet 21-2 Upon arrival fire is visible from the roof. Give them the much-needed details to prevent these incidents and be part of a greater community of defenders.Look back in time to before the incident started.

Do they need training?Retrospectively analyze every piece of the attack.

Further, capturing and storing packet capture is expensive.The main driver for longer data retention is compliance. Identify what happened before detection, during investigation, during response, and after remediation.Talk about if the SOC was well-prepared for the incident.

However, this is a unique ability that takes a long time to hone, and one the majority in the industry does not have.Compounding this, most organizations do not have all data available as part of their regular investigation because of compliance reasons or, alternatively, the inability to store it. 2 0 obj

Further, the initial point of compromise may have happened weeks or months before detection, which could easily go well beyond an organization’s data retention limits.With retrospective hunting, enterprises are able to understand how widespread a campaign is by accessing data as far back as their team needs to go. %����

This must include all relevant data for the scope of the attack, no matter how far back in time the attack started.Once each stakeholder has answered their questions, every member of the team should come together to connect the dots. In the post incident activity phase, often referred to as a postmortem (latin for after death), we Were lines of communication open?

Build a complete timeline using the perspectives of every stakeholder.Assign counteractions, remediations, improvements to the defense, architecture changes, and any other actions that will help prevent this type of attack in the future.

In this case, the attack is only detected in its last stages. Research suggests the response by a unit’s <>

Are there any indications the attacker is already in your environment?Walk through the incident step by step. stream Yet, a corporate response plan is not complete without specific demobilization and post-incident review procedures.

Examining the importance of post-incident review for security teamsPost-incident review is a detailed retrospective that allows an enterprise to carefully understand each part of an incident, from start to finish. Group the questions by the stakeholders identified when assessing roles.Assign each group of questions to a single dominant stakeholder. Set follow-up meetings for accountability and to address any lingering issues.If this type of attack has the potential to impact other enterprises, find a way to inform them of the threat. ��@��A���

2219 Sawdust Road Suite 601 The Woodlands, Texas 77380 U.S

These details fill the holes in the plot and resolve the who, why, and how - the stealthy information viewers try to identify for the first two thirds of the movie. This leaves the network exposed to those same exploits and entry points the attacker used at stage 1.Low and slow attacks easily bypass traditional security defenses by incremental actions that on their own are too small to detect, but put together can devastate an organization.The majority of organizations lack the in-depth visibility to identify the entire lifecycle of a sophisticated attack like this. RISK OF REMAINING BACKDOORS, MALICIOUS USERS, AND MORETOTAL INSIGHT INTO GAPS IN YOUR SECURITY PROGRAM FROM THE STARTUSE TODAYS INTELLIGENCE TO UNCOVER REMAINING ATTACKSTHE FREEDOM TO FIND ATTACKERS THAT ARE DUG IN FOR YEARS It doesn't matter whether you call it a post-incident analysis, an after-action review or simply a debriefing.