You’ve had an incident. You’ve managed the fall-out, contained the outbreak and restored normal service. Now is the time to sit down with your incident response teams, your operational teams and other stakeholders and work out how to prevent a recurrence.
During an incident wash-up meeting, you should go over all evidence gathered during the incident, details of actions taken and the reasons why decisions were made given the information available at the time.
Never underestimate the importance of a full incident debrief. Always pay attention to the feedback you get from your incident response team, and your operational staff. The incident debrief is a golden opportunity to identify root causes of incidents, iron out problems in your response processes and ensure that next time, the response will be more efficient.
An incident debrief should not be rushed; it may be appropriate to have multiple debriefs, incorporating feedback from different operational units and teams at different times. It is often helpful to ask a number of questions during a debrief to guide discussions:
- How sure are we that we know all relevant information about the incident?
- Did we definitively determine the source of the incident?
- Do we know why we were under attack?
- Do we know for certain that no other systems were affected?
- Do we know that the incident has been completely eradicated, or do we have doubts?
The answers to the questions above may help you decide whether you need to implement extended monitoring or other compensating controls in your environment to detect recurrence of the incident.
- What was the root cause of the incident?
- Was the cause a flaw in an operational process?
- Was the cause a weakness in policy?
- Was the cause a deficiency in technology?
- Was the cause a problem with staff education or staff procedures?
- What controls can we put in place to stop this happening again?
The answers to the questions above may help you make improvements in people, process and technology in order to prevent a repeat of the incident.
- How well was the operation of the incident response handled?
- Did the incident response team know what to expect?
- Was documentation for systems, data and the incident response plan adequate for the activities being conducted?
- Were the responders suitably empowered to act?
- Were the right resources available to responders?
- Were the right information sources available to access?
- Was access easy to arrange, or were there problems getting access to systems or assets that were needed?
The answers to these questions should feed back into your internal incident response documentation and your practice runs. Be sure to address anything which impeded your incident responders in their activities as soon as you can.
In addition to the hard questions above, don’t neglect to review how your incident response teams handled the emotional aspect of the incident. In many cases, handling an incident is a long, stressful and emotionally-demanding process. The more supported your responders are during an incident, the better they will perform. Understanding how to support them is invaluable.
In conclusion, incident response is a dynamic process, with situational awareness the key at every stage. Proper planning, good staff training and being sure to learn your lessons will help to ensure that you are making the best use of resources at all times, and that your response is as slick and seamless as it needs to be.
And always remember: if you fail to prepare, you prepare to fail.