After the Dust Settles: Post-Incident Actions


A major cybersecurity incident is an extremely high-pressure situation where rapid action is needed to control and mitigate the immediate effects. But once the dust has settled and the pressure has alleviated a little, what should organizations do to learn from the incident and improve their security posture for the future?

To this point I saw a great blog post on the UK National Cyber Security Centre (NCSC) website entitled "If you have knowledge, let others light their candles in it". It talks about why sharing lessons learned from cyber security incidents and 'near misses' will help everyone to improve. It goes on to outline the importance of sharing intelligence such as how the attackers first gained entry and moved around the network, what they were trying to achieve, and how the attack finally ended. It also advises gathering details of all the cyber security actions taken to counter the attacks, including those that worked (and those that didn't).

So, here, based on my own experience, I’ve summarized what organizations need to be thinking about in the wake of an attack.

Post incident, post-mortem

It is important to review all the data available on the attack. Analyze the attack vectors used and gain insight into why this particular incident was successful. This post-mortem activity should get under the skin of the attack to understand not only what happened, but how the incident unfolded: when it happened, what the timelines were, what actions were taken and by whom. In other words, it should build incident, adversary and campaign timelines. This is critically important if the organization is to learn from the incident, so that it is better prepared as well as more efficient from a process standpoint. This should be a thorough investigation: analyzing tickets, looking at what was documented and when, and building a laser-focused understanding of the series of events and how good the response was. For example, did it take the organization minutes, hours, or days to identify the attack? And while it is valuable to analyze the entire incident, it is also important to break down the individual activities within the attack.

When looking at all these processes, if you see an activity that took a long time to do, delve deeper into it and consider whether actions could have been automated and data enriched and optimized more quickly.
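As an added illustration of the timeline analysis described above (example code, not part of the original post), the snippet below orders a constructed set of incident-ticket events, measures how long each individual activity took, derives the single-incident time to detect and time to respond that feed the MTTD and MTTR metrics the post mentions later, and flags the steps that exceeded a review threshold. The event names, actors and timestamps are invented for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    """One entry in the incident timeline: when it happened, which step, and who acted."""
    at: datetime
    step: str
    actor: str

# Constructed sample timeline (not from a real incident); timestamps are UTC.
SAMPLE_EVENTS = [
    Event(datetime(2024, 3, 4, 2, 10), "initial_access", "attacker"),
    Event(datetime(2024, 3, 4, 9, 40), "alert_fired", "edr"),
    Event(datetime(2024, 3, 4, 11, 5), "triage_started", "soc-analyst"),
    Event(datetime(2024, 3, 5, 16, 30), "contained", "ir-team"),
    Event(datetime(2024, 3, 6, 10, 0), "eradicated", "ir-team"),
    Event(datetime(2024, 3, 7, 8, 15), "recovered", "it-ops"),
]

def build_timeline(events):
    """Sort by time so tickets that were logged out of order still read as a timeline."""
    return sorted(events, key=lambda e: e.at)

def step_durations(events):
    """Time spent on each individual activity: from one step to the next one."""
    tl = build_timeline(events)
    return {f"{a.step}->{b.step}": b.at - a.at for a, b in zip(tl, tl[1:])}

def _when(events, step):
    return next(e.at for e in build_timeline(events) if e.step == step)

def time_to_detect(events):
    """Time to detect for this incident: first attacker activity until the first alert."""
    return _when(events, "alert_fired") - _when(events, "initial_access")

def time_to_respond(events):
    """Time to respond for this incident: first alert until containment."""
    return _when(events, "contained") - _when(events, "alert_fired")

def slow_steps(events, threshold_hours):
    """Activities longer than the threshold: candidates for automation or data enrichment."""
    limit = timedelta(hours=threshold_hours)
    return sorted(k for k, d in step_durations(events).items() if d > limit)

if __name__ == "__main__":
    print("time to detect:", time_to_detect(SAMPLE_EVENTS))
    print("time to respond:", time_to_respond(SAMPLE_EVENTS))
    for name in slow_steps(SAMPLE_EVENTS, 12):
        print("review:", name, step_durations(SAMPLE_EVENTS)[name])
```

Averaging `time_to_detect` and `time_to_respond` across many incidents gives the MTTD and MTTR figures against which a post-incident review SLA can be measured.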

The importance of feedback loops

As well as analyzing the process, examine the incident from a data perspective; any information that is gleaned should be utilized in feedback loops to help preventative tools perform better.


Also, from a data standpoint, it is important to share what the team has learned with others, as this helps the industry as a whole better fight cybercrime. This data sharing also means that you will get information from other parties about other potential incidents that could help your team more adequately prepare and harden your infrastructure, so you can be as preventative as possible. Having others review your incident data also offers an outside perspective – someone who is not as close to the incident might spot something you’ve missed.

This helps to bring order to the chaotic aftermath of an incident and enables you to see how the work of others impacts and expands on your own. This will enable you to ensure that incident handlers, malware researchers, SOC analysts and investigation leads gain more control, and are able to take the right steps at the right time.

Learnings to be gained

This post-event analysis will also enable you to establish what your training needs are and any areas for improvement. For example, do you need to undertake more security or phishing awareness training across the organization? Likewise, what are the other facets of the incident that the employee base needs to know? This is also about educating them on why they are being asked to learn these things and to adopt a more security-aware culture.

How could the response be improved in future? Is intelligence pivoting required, whereby you take the information on this incident associated with this adversary, explore what other tactics they typically use, and check whether any of those have been employed against your organization?

There's a breadth and depth discussion here: thinking about how deep you go into this single incident and how broad the campaigns against you are – what you think is just a single incident could be a lot bigger, and this would come out during the post-incident evaluation process.

You could also consider threat hunting exercises and penetration testing to identify similar areas of risk and vulnerability across the organization.

Create a virtuous sharing circle

It is important to share. Most organizations are more enthusiastic about gathering data from others than sharing their own, but if you share, you give your peers information and create a virtuous sharing circle that adds to the preventative posture for the industry.

So, the golden question: is there an ideal timeframe after the event within which to do this evaluation? Unfortunately, there is no single answer; it really depends on the resources you have at your disposal and the amount of activity going on. Ultimately you are looking to accelerate understanding, improve collaboration, harden your defenses and coordinate action, so ideally you should have incident review as part of your standard approach and your process routine. This means you should have your own internal SLAs for post-incident review, depending on your business. This could be a day later or a couple of weeks later, but the important point is that whatever your response times, they have been agreed as part of the process and you adhere to them. Ultimately it needs to be timely, and different companies will define what timely means in terms of driving down mean time to detect (MTTD) and mean time to respond (MTTR).

My final word is that post-incident review also needs to be a constructive learning process and not a blame game; otherwise employees won't come forward when they believe something doesn't look quite right, and you won't foster that learning security culture. Today's threats are constantly evolving, and if we are to remain one step ahead of the adversaries we need to share, involve, collaborate, respond and learn.
