Learning from a Security Incident: A Post-Mortem Checklist

Our Field Guide to Incident Response series concludes with a post-incident checklist you can use to make sure you’re learning from every incident and improving your defenses against future attacks.

Never let a good incident go to waste! Once you’ve made it through the containment and neutralization phase, there are still post-incident tasks to complete to make sure that you are learning from the incident and implementing measures to prevent similar incidents from happening again. Following a checklist for this post-incident activity will help you take a structured approach to understanding key details such as how the adversary got into your environment and what the attack motivation was. More importantly, these post-mortem activities will help determine the right preventative measures to stop similar incidents from happening in the future. At the highest level, the checklist should include:

  1. Complete an incident report: Documenting and disseminating the incident will help improve the incident response plan and add the security measures needed to avoid similar incidents in the future.
  2. Monitor post-incident: Closely monitor activity after the incident, since threat actors frequently return. We recommend having a dedicated analyst (a security log hawk) watch SIEM data for any of the indicators associated with the prior incident tripping again.
  3. Update Threat Intelligence: Update the organization’s threat intelligence feeds.
  4. Identify preventative measures: Identify new security initiatives to prevent future incidents.
  5. Gain cross-functional buy-in: Coordination across the organization is critical in order to implement new security initiatives.

Developing and tracking scorecards will also help you assess your incident response posture and identify new security initiatives that should be put in place. Develop scorecards to assess areas such as vulnerability assessments/remediation, SIEM event collection, continuous visibility, security configurations, etc. A scorecard that appears to have been dipped in red paint, indicating serious control gaps, will undoubtedly get the attention that it deserves. Here are some sample scorecard metrics I have used in the past:

Security Assessment

  • Percentage of Unpatched Vulnerabilities
  • Percentage of Fixed Vulnerabilities from Prior Month
  • Number of Network Leaks Found
  • Metrics on Security Tools Fully Deployed & Operational
  • Metrics on Security Detections/Blocks by Tool

Threat Intelligence

  • Percentage of High Fidelity IOCs configured for alerting
  • Number of alerts received from IOCs
  • APT campaigns discovered from IOCs configured for alerting

Incident Analysis

  • Percentage of Alerts triaged
  • Number of incident tickets opened and closed
  • Days from incident detection to closure
  • Actual average incident cycle time to target
  • Average Dwell Time (Initial Infection to Detection/Quarantine)

Security Operations

  • Percentage of Systems reporting into SIEM
  • Percentage of SIEM operational uptime

Management

  • Enhanced Security Initiatives Implemented as a result of Incidents (projects identified as gaps in the security posture for detecting or preventing threats)
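As an added illustration (not part of the original post), here is one way to compute the Incident Analysis metrics above from incident tickets: percentage of alerts triaged, tickets opened and closed, days from detection to closure, cycle time against target, and average dwell time. The ticket fields and the sample tickets are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import List, Optional

@dataclass
class Incident:
    ticket: str
    infected: datetime           # estimated initial infection (from forensics)
    detected: datetime           # first alert / detection time
    closed: Optional[datetime]   # None while the ticket is still open

@dataclass
class Scorecard:
    pct_alerts_triaged: float
    tickets_opened: int
    tickets_closed: int
    avg_days_detect_to_close: float    # closed tickets only
    avg_dwell_hours: float             # infection -> detection/quarantine
    cycle_time_vs_target_days: float   # negative = faster than target

def pct(part: int, whole: int) -> float:
    """Percentage that tolerates an empty denominator (a month with no alerts)."""
    return round(100.0 * part / whole, 1) if whole else 0.0

def build_scorecard(incidents: List[Incident], alerts_received: int,
                    alerts_triaged: int, target_cycle_days: float) -> Scorecard:
    closed = [i for i in incidents if i.closed is not None]
    cycle_days = [(i.closed - i.detected).total_seconds() / 86400 for i in closed]
    dwell_hours = [(i.detected - i.infected).total_seconds() / 3600 for i in incidents]
    avg_cycle = mean(cycle_days) if cycle_days else 0.0
    return Scorecard(
        pct_alerts_triaged=pct(alerts_triaged, alerts_received),
        tickets_opened=len(incidents),
        tickets_closed=len(closed),
        avg_days_detect_to_close=round(avg_cycle, 2),
        avg_dwell_hours=round(mean(dwell_hours), 1) if dwell_hours else 0.0,
        cycle_time_vs_target_days=round(avg_cycle - target_cycle_days, 2),
    )

# Constructed sample tickets (not real incidents) covering one reporting month.
SAMPLE_INCIDENTS = [
    Incident("INC-001", datetime(2023, 3, 1, 8), datetime(2023, 3, 3, 8), datetime(2023, 3, 5, 8)),
    Incident("INC-002", datetime(2023, 3, 10, 0), datetime(2023, 3, 10, 12), datetime(2023, 3, 14, 12)),
    Incident("INC-003", datetime(2023, 3, 20, 9), datetime(2023, 3, 21, 9), None),  # still open
]

if __name__ == "__main__":
    print(build_scorecard(SAMPLE_INCIDENTS, alerts_received=200, alerts_triaged=150, target_cycle_days=5))
```

Open tickets count toward dwell time (the infection was still detected) but are excluded from cycle time, so a backlog of open tickets does not quietly improve the closure metric.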

In addition, keep track of all cybersecurity controls the organization has in place and continuously monitor the level of compliance with each of those controls. Example controls would be:

  • Application Software Security
  • Secure Technical Configurations
  • Disaster Recovery
  • Administrator Privileges
  • Monitoring & Analysis of Logs
  • Account Monitoring & Control
  • Incident Response
  • Data Protection
  • Malware Protection
  • Continuous Vulnerability Assessments
  • Inventory of Authorized & Unauthorized Software
  • Inventory of Authorized & Unauthorized Devices
  • Security Awareness
  • Network Defense

This concludes our Field Guide to Incident Response series – I hope you learned something and are more ready for your next security incident as a result. For more incident response guidance, check out our latest eBook: The Incident Responder’s Field Guide – Tips from a Fortune 100 Incident Responder.

Read more in our Field Guide to Incident Response Series

  1. 5 Key Criteria for Creating an Incident Response Plan that is Practical for YOUR Organization
  2. The Do’s and Don’ts of Incident Response
  3. Building Your Incident Response Team: Key Roles and Responsibilities
  4. Creating an Incident Response Classification Framework
  5. The Five Steps of Incident Response
  6. 3 Tips to Make Incident Response More Effective
  7. Using Existing Tools to Facilitate Incident Response
  8. Learning From a Security Incident: A Post-Mortem Checklist
Tim Bandos

Tim Bandos, CISSP, CISA is senior director of cybersecurity at Digital Guardian. He has over 15 years of experience in the cybersecurity realm with a heavy focus on Internal Controls, Incident Response & Threat Intelligence.