Learning from a Security Incident: A Post-Mortem Checklist

by Tim Bandos on Wednesday December 28, 2022

Our Field Guide to Incident Response series concludes with a post-incident checklist you can use to make sure you’re learning from every incident and improving your defenses against future attacks.

Never let a good incident go to waste! Once you’ve made it through the containment and neutralization phase, there are still post-incident tasks to complete to make sure that you are learning from the incident and implementing measures to prevent similar incidents from happening again. Following a checklist for this post-incident activity will help you take a structured approach to understanding key details such as how the adversary got into your environment and what the attack motivation was. More importantly, these post-mortem activities will help determine the right preventative measures to stop similar incidents from happening in the future. At the highest level, the checklist should include:

Complete an incident report: Documenting and disseminating the incident will help to improve the incident response plan and augment additional security measures to avoid such security incidents in the future.
Monitor post-incident: Closely monitor for activities post-incident since threat actors will re-appear again. We recommend a security log hawk analyzing SIEM data for any sign of indicators tripping that may have been associated with the prior incident.
Update Threat Intelligence: Update the organization’s threat intelligence feeds.
Identify preventative measures: Identify new security initiatives to prevent future incidents.
Gain cross-functional buy-in: Coordination across the organization is critical in order to implement new security initiatives.

Developing and tracking scorecards will also help you assess your incident response posture and identify new security initiatives that should be put in place. Develop scorecards to assess areas such as vulnerability assessments/remediation, SIEM event collection, continuous visibility, security configurations, etc. A scorecard that appears to have been dipped in red paint, indicating serious control gaps, will undoubtedly get the attention that it deserves. Here are some sample scorecard metrics I have used in the past:

Security Assessment

Percentage of Unpatched Vulnerabilities
Percentage of Fixed Vulnerabilities from Prior Month
Number of Network Leaks Found
Metrics on Security Tools Fully Deployed & Operational
Metrics on Security Detections/Blocks by Tool

Threat Intelligence

Percentage of High Fidelity IOCs configured for alerting
Number of alerts received from IOCs
APT campaigns discovered from IOCs configured for alerting

Incident Analysis

Percentage of Alerts triaged
Number of incident tickets opened and closed
Days from incident detection to closure
Actual average incident cycle time to target
Average Dwell Time (Initial Infection to Detection/Quarantine)

Security Operations

Percentage of Systems reporting into SIEM
Percentage of SIEM operational uptime

Management

Enhanced Security Initiatives Implemented as a result of Incidents
These include projects identified as gaps in security posture for detecting / preventing threats

In addition, keep track of all cybersecurity controls the organization has in place and continuously monitor level of compliance to each of those controls. Example controls would be:

Application Software Security
Secure Technical Configurations
Disaster Recovery
Administrator Privileges
Monitoring & Analysis of Logs
Account Monitoring & Control
Incident Response
Data Protection
Malware Protection
Continuous Vulnerability Assessments
Inventory of Authorized & Unauthorized Software
Inventory of Authorized & Unauthorized Devices
Security Awareness
Network Defense

This concludes our Field Guide to Incident Response series – I hope you learned something and are more ready for your next security incident as a result. For more incident response guidance: