Step 6: Lessons Learned
No later than two weeks from the end of the incident, the CSIRT should compile all relevant information about the incident and extract lessons that can help with future incident response activity.
The SANS lessons learned process includes:
- **Completing documentation**—it is never possible to document every aspect of an incident while it is going on, and comprehensive documentation is essential for identifying lessons for next time.
- **Publishing an incident report**—the report should provide a play-by-play review of the entire incident and answer the Who, What, Where, Why, and How questions.
- **Identifying ways to improve CSIRT performance**—extract from the incident report the items that were not handled correctly and can be improved for next time.
- **Establishing a benchmark for comparison**—derive metrics from the incident report that can guide you in future incidents.
- **Holding a lessons learned meeting**—meet with the CSIRT and other stakeholders to discuss the incident and cement the lessons learned that can be implemented immediately.
SANS suggests this general format for the incident report:
- When was the problem first detected and by whom
- The scope of the incident
- How it was contained and eradicated
- Work performed during recovery
- Areas where the CSIRT was effective
- Areas that need improvement
A central part of the NIST incident response methodology is learning from previous incidents to improve the process.
You should ask, investigate and document the answers to the following questions:
- What happened, and at what times?
- How well did the incident response team deal with the incident? Were processes followed, and were they sufficient?
- What information was needed sooner?
- Were any wrong actions taken that caused damage or inhibited recovery?
- What could staff do differently next time if the same incident occurred?
- Could staff have shared information better with other organizations or other departments?
- Have we learned ways to prevent similar incidents in the future?
- Have we discovered new precursors or indicators of similar incidents to watch for in the future?
- What additional tools or resources are needed to help prevent or mitigate similar incidents?
Use your findings to improve the process, adjust your incident response policy, plan, and procedures, and feed the new data into the preparation stage of your incident response process.