Lessons Learned
The lessons learned phase (also known as post-incident activity, reporting, or post mortem) is, unfortunately, the one most likely to be neglected in immature incident management programs. That neglect is costly, because when it is done right this phase has the greatest potential to produce a lasting improvement in security posture. Its goal is a final report on the incident, delivered to management.
Important considerations for this phase are ways in which identification could have occurred sooner, ways in which the response could have been quicker or more effective, organizational shortcomings that may have contributed to the incident, and potential areas for improvement. After a significant security incident, security personnel may have management’s full attention, but now is not the time to exploit that focus unduly. If a basic operational change would have significantly increased the organization’s ability to detect, contain, eradicate, or recover from the incident, the final report should say so, whether the change is a technical or an administrative measure.
Output from this phase feeds directly back into preparation, where the lessons learned are applied to improve the handling of future incidents.
Root-Cause Analysis
To manage security incidents effectively, root-cause analysis must be performed. Root-cause analysis attempts to determine the underlying weakness or vulnerability that allowed the incident to occur. Without it, the victim organization may rebuild systems that still contain the very weakness the adversary exploited, inviting a repeat of the incident. A related risk is reconstituting systems from backups or snapshots taken after the adversary was already present, which restores the compromise along with the data; the timeline and indicators produced by root-cause analysis are what tell the responder which restore points are safe to use.
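The second trap above, restoring from a snapshot the adversary had already touched, is avoidable only if recovery checks each candidate restore point against what root-cause analysis found. The following is an added example written for this page, not code from the original text or from any backup product. It assumes root-cause analysis has produced an earliest-compromise time plus a set of indicators (file hashes and contacted hosts) found on the breached system, and that each snapshot has a manifest of file hashes and of hosts its configuration references; all snapshot names, hashes and hostnames are constructed.

```python
"""Check candidate restore points against root-cause findings.

Added example (constructed data). Assumes root-cause analysis yielded an
earliest-compromise time and a set of indicators, and that each snapshot
carries a manifest of file hashes and of hosts referenced by its
cron jobs, services or configuration files.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Snapshot:
    name: str
    taken_at: datetime
    file_hashes: frozenset      # digests of files in the image
    contacts: frozenset         # hosts referenced by cron, services, configs


@dataclass(frozen=True)
class RootCause:
    first_compromise: datetime  # earliest adversary activity found so far
    ioc_hashes: frozenset
    ioc_hosts: frozenset


def snapshot_findings(snap, rc):
    """Reasons a snapshot must not be used for recovery (empty list = clean)."""
    reasons = []
    if snap.taken_at >= rc.first_compromise:
        reasons.append("taken after first compromise")
    bad_hashes = sorted(snap.file_hashes & rc.ioc_hashes)
    if bad_hashes:
        reasons.append("contains IOC file hashes: " + ", ".join(bad_hashes))
    bad_hosts = sorted(snap.contacts & rc.ioc_hosts)
    if bad_hosts:
        reasons.append("references adversary hosts: " + ", ".join(bad_hosts))
    return reasons


def choose_restore_point(snapshots, rc):
    """Pick the newest snapshot with no findings.

    Returns (chosen_or_None, report, revised_first_compromise). The IOC scan
    is not redundant with the timestamp check: a snapshot that predates the
    investigated first_compromise but already carries an indicator proves the
    timeline is wrong, so revised_first_compromise is pulled back to that
    snapshot's time for the lessons-learned report to correct.
    """
    ordered = sorted(snapshots, key=lambda s: s.taken_at, reverse=True)
    report = {s.name: snapshot_findings(s, rc) for s in ordered}
    revised = rc.first_compromise
    for s in ordered:
        ioc_present = (s.file_hashes & rc.ioc_hashes) or (s.contacts & rc.ioc_hosts)
        if ioc_present and s.taken_at < revised:
            revised = s.taken_at
    chosen = next((s for s in ordered if not report[s.name]), None)
    return chosen, report, revised


def _utc(month, day, hour):
    return datetime(2024, month, day, hour, tzinfo=timezone.utc)


# Constructed root-cause output: investigation found first activity at
# 02:00 on 10 March, one malicious file hash and one C2 hostname.
ROOT_CAUSE = RootCause(
    first_compromise=_utc(3, 10, 2),
    ioc_hashes=frozenset({"4e2a9c1f"}),
    ioc_hosts=frozenset({"cdn-update.example"}),
)

# Constructed nightly snapshots. The 10 March image predates the
# investigated compromise time but already carries a cron entry that
# contacts the C2 host, so the timeline must move back.
SNAPSHOTS = [
    Snapshot("nightly-2024-03-11", _utc(3, 11, 1),
             frozenset({"a1", "b2", "4e2a9c1f"}), frozenset({"cdn-update.example"})),
    Snapshot("nightly-2024-03-10", _utc(3, 10, 1),
             frozenset({"a1", "b2"}), frozenset({"cdn-update.example"})),
    Snapshot("nightly-2024-03-09", _utc(3, 9, 1),
             frozenset({"a1", "b2"}), frozenset({"repo.internal"})),
    Snapshot("nightly-2024-03-08", _utc(3, 8, 1),
             frozenset({"a1", "b2"}), frozenset({"repo.internal"})),
]


if __name__ == "__main__":
    chosen, report, revised = choose_restore_point(SNAPSHOTS, ROOT_CAUSE)
    for name, reasons in report.items():
        print(name, "->", "clean" if not reasons else "; ".join(reasons))
    print("restore from:", chosen.name if chosen else "NONE (rebuild from scratch)")
    print("revised first compromise:", revised.isoformat())
```

Run as a script it reports each snapshot's findings, picks nightly-2024-03-09, and moves the first-compromise time back to 01:00 on 10 March. When no snapshot is clean the function returns None for the restore point, which is the signal to rebuild from known-good media rather than restore; that outcome, and any revision of the compromise timeline, belong in the lessons-learned report.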