Incident response and the importance of lessons learned

Responding to a computer security incident can be stressful and hectic for the personnel involved and, depending on the nature and scope of the incident, some responses are more stressful than others.

Restoring services and returning to normal operations is obviously important, but the incident response process doesn’t end there. It’s fair to assume that most organizations will view the mitigation and eradication stages as priorities, but containing and stopping the incident doesn’t fully bring the response to a conclusion.

It’s important to follow through with documenting the incident and the response as well as identifying any gaps and areas for improvement to further solidify your security posture.

The stages of incident response

There’s more than one methodology concerning the stages of an incident response. One lists seven stages ending with what’s labelled as ‘Follow-Up’. Another’s broken into four stages and ends with a stage termed as ‘Post-Incident Activity’. A third also contains seven stages and ends with what is referred to as ‘Lessons Learned’. Others may contain five stages, but they will all end with a stage for identifying gaps and for documenting the overall incident and response. No matter the name, this stage should include important questions for all personnel involved as well as proper reporting. We find that some organizations may be omitting this final stage and reasons for this may include the false belief that the response is over or the need to return to other tasks.

Lessons Learned is a critical part of incident response

The Lessons Learned stage

So what questions are asked at this concluding stage? Examples can include:

• Was our organization sufficiently prepared?
• Was the incident reported or detected in a timely manner?
• Did the incident response team communicate effectively, both internally and with external partners?
• How can our organization improve our response to become more efficient to future incidents?
• Were there any gaps identified in the incident response plan or runbooks?
• Were there any technical gaps identified for the incident response team?
• What was the financial impact on our organization?
• How can we reduce the risk of experiencing further incidents?

The Lessons Learned stage is a time to question how, and why, the incident occurred and what can be done to reduce the risk of future incidents. It’s during this stage that questions should be posed on whether security tools are properly implemented and if policies and procedures are meeting the needs of the organization.

It’s at this stage that the organization’s incident response plan should be reviewed for any updates or modifications that have been identified. It’s essential this plan is updated to remain current. It’s also essential that all declared incidents are properly documented in a report. This will aid both in terms of complying with any reporting requirements as well as having a written record that may be referred to when responding to future incidents.

This report should conclude with a ‘Recommendations’ section that details areas of improvement for review by management. These recommendations can include updating existing polices, generating new policies and implementing additional security controls.

Analysing incident response is critical to continual improvement

Maintaining security as a priority

In conclusion, the Lessons Learned stage allows an organization to review information that can increase the efficiency and effectiveness of the incident response team’s overall response as well as improve the organization’s overall security. A security conscious organization is one that maintains security as a priority and is constantly exploring ways to improve. The Lessons Learned stage is a vital area that allows this to occur. Identifying gaps allows an organization to correct issues and/or strengthen its security. Being prepared may reduce the risk of an organization suffering future incidents. Again, eradicating the incident and returning to normal operations is not the end of a thorough and complete incident response.