One of the things we do in the Incident Recovery phase is to determine the root cause of the incident and to identify appropriate remediation steps. This typically follows the Root Cause Analysis workflow which many of you are aware of. Once the remediation is done, it is important to document the “lessons learnt”.
Why is it important?
Lessons learnt are an important aspect of a CSIRT organization. “A stationary object gathers more moss”. This is the philosophy of a CSIRT organization – Continuous evolution and improvement. This is typically a 15 to 30 minute exercise every CSIRT member who handled the incident should go through. In this exercise, the following key items should be discussed:
- What process, technology or people worked?
- What did not work? Why?
- Response and Resolution effectiveness? Why?
- Any recurring issues or themes?
Once answers for all these questions have been penned down and discussed, a detailed action plan needs to be devised on how to improve the CSIRT function. The Action plan can be categorized under two major groups:
- Control Improvements – This section should describe any changes or improvements that should be put in place to better detect future incidents of this type and/or prevent similar incidents. Some of the examples are
- Policy Changes, typically related to organization wide policies related to user, IT systems etc.
- Monitoring System changes, typically these are configuration changes that will be made in SIEM, perimeter or endpoint defences to improve better detection and efficient reporting
- Architectural Changes, typically are long term major changes in the way the systems are built.
- Process Improvements – This section should describe any improvements that could be made to the actual response process itself. Some of the examples are:
- Improving the Incident handling cheat sheet with additional details
- Improving the communications plan to get speedier response
- Escalation matrix improvements
- Process automation
- Staff training and awareness
Rinse and Repeat!!!
As you can see from above, the goal is not to do this exercise as a one time activity. Instead this is a repetitive process. However, this may not be possible for every single incident that is detected and worked by the CSIRT. Hence, this is where practicality dictates that this process should be done in a way that is scalable. Keeping that in mind, below is a recommended approach for doing this:
- Perform “Lessons Learnt” exercise for all Major and High Severity incidents
- Perform “Lessons Learnt” exercise for all repeat incident category (refer to Incident Classification for more details)
- Perform “Lessons Learnt” exercise on a monthly or quarterly basis for CSIRT processes.
Lessons learnt are an important part of continued learning and quest for functional perfection. CSIRT is no different and it should also be improved on a regular basis. These improvements should be aimed at efficiently detecting and responding to cyber incidents in a timely fashion.
With this post, the CSIRT Series comes to a conclusion. Please feel free to post your comments on the section below.