The Storm Has Passed: Post-Incident Activities for Resilient Cybersecurity
Published On: September 24, 2024
In part one, part two, and part three of this blog series, we have discussed how to prepare, detect, analyze, contain, eradicate and recover from an incident as outlined in NIST Special Publication 800-61, Guide for Computer Security Incident Handling. Now that you are confident the threat has been removed and business is back to normal, there is still some work to do. In the final part of this blog series, we will discuss the post-incident activities that should be considered to continue to strengthen your organization’s cyber resiliency.
Post-Incident Activity Phase:
The Post-Incident Activity phase is the final piece of the puzzle when looking at the incident response lifecycle. It consists of key considerations and action items your organization should incorporate to gain a full understanding of the scope and impact of the incident, and of the measures that should be implemented to prevent future occurrences.
Key Considerations
Thorough Incident Documentation: This exercise will include documentation of all information and events that occurred during the incident response process, including the timeline of events, affected data and systems, and the tactics, techniques and procedures (TTPs) used by the threat actors. All evidence that was collected during the incident should be securely stored for further review and potential legal or law enforcement requirements.
Root Cause Analysis: Now that the dust has settled, there is an opportunity to conduct a comprehensive analysis to determine the root cause of the incident and uncover any potential unknown impact. Having knowledge of the TTPs utilized, how initial access was gained, or which systems or data were targeted can help prioritize safeguard improvements.
Impact Assessment: Understanding the full picture of the impact on the organization is critical. This can include impact to operations, data or reputation. The impact assessment is what allows your organization to understand which further actions it is required to take. As part of the impact assessment, it is also critical to consider a communication strategy to ensure all stakeholders (internal and external) remain informed.
Regulatory Compliance: Depending on your organization and the impact of the incident, there may be regulatory reporting requirements that need to be considered. Ensure that all reporting timelines are met for any regulatory requirements that apply.
Continuous Monitoring: While there may be a high level of confidence that the threat has been removed from the environment, continuous monitoring of the environment, including affected systems and accounts, should take place to ensure any residual effects are detected and properly handled.
Takeaways and Action Items
Develop or Enhance Incident Response Documentation: Use the incident as a learning experience to solidify Incident Response Plans (IRP) and any supporting documentation. Additional playbooks, communication requirements or resources may have been identified as needs during the incident. Making sure that all lessons learned are incorporated into future plans will aid in building a more efficient incident response capability. Additionally, you may have uncovered that recovery and restoration plans for critical systems need to be adjusted or created.
Collaboration and Sharing of Information: Sharing the lessons learned from your organization's experience is a great way to strengthen the cybersecurity community as a whole. In sharing your experiences, you may also be introduced to what other organizations have encountered, which can help further improve your own defenses.
Training and Awareness: The lessons learned throughout the incident create an opportunity for improved training and awareness. This could mean informing the organization about threats that were encountered and how to be on the lookout for them, or even more specialized training for incident response team members to build confidence if another incident were to occur.
Conclusion
The Post-Incident Activity phase of NIST 800-61 is often overlooked but is important for organizations looking to build a resilient cybersecurity posture and improve incident response capabilities. Utilizing the lessons learned through the first three phases detailed in NIST 800-61, you can be confident that your organization is on a path to solidifying defenses against future threats.
For more information on how K logix can enhance your Incident Response program, please contact info@klogixsecurity.com.