The worst has happened. You've experienced a cyberattack and have come out the other side. The incident has been contained and addressed, but it's taken a toll on your resources and revenue. And as much as you want to move on, there's plenty of work still to do.
One of the most important aspects of the incident response (IR) lifecycle is post-incident activity. From root cause analysis and in-depth retrospection to charting a roadmap for remediation, post-incident activity, done right, helps to ensure not only organizational resilience but also that the experience of the incident will lead to improvements in the state of your cyber security program.
The root of the problem
First up is root cause analysis, which is meant to develop a full understanding of how and why an incident took place. For example, how did a phishing email reach an employee's inbox? Why wasn't it caught by the email filter? Why did the employee click on it? Was there not enough training or awareness?
This analysis should include a review of what cyber security technologies worked, what failed, and what was nonexistent, ideally tracing the attacker's footprints through the organization back to what we call "patient zero." It's important to determine whether and how the attackers gained enhanced privileges, such as administrative access; how they moved through your network; and whether they were able to install software and then find and exfiltrate data.
Often, when we conduct these analyses, we map the movement using the MITRE ATT&CK framework, "a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations." Comparing the mapped techniques against existing cyber controls and technologies helps to identify gaps and inform the eventual remediation roadmap.
Next, it's critical that you conduct an in-depth retrospection of the incident and ask specific questions:
- Were the stakeholders not engaged in time?
- Was there a breakdown in communication or a misalignment on next steps as discussed versus how they were actually taken?
- Were any of the steps not followed? If so, why not?
- Were there any instances of the IR plan or procedure not working?
There's also one very important question that's often overlooked: What went well? It's critical that you highlight this both for the sake of comprehensive reporting and to preserve organizational morale.
An incident log is very valuable for an effective retrospective and is also often overlooked. Ideally, a dedicated scribe would have been tracking and logging activity during the incident. Having that information readily available for analysis helps provide a clear path forward, including revising your incident response plan where appropriate and rehearsing for potential future incidents.
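To show how a scribe's log feeds the retrospective questions above (were stakeholders engaged in time, how long did detection and containment take), here is an added example that is not part of the original post. The log format (ISO timestamp, actor, event text separated by `|`), the milestone markers, the one-hour notification SLA and the sample entries are all constructed for illustration; a real log would use whatever the team's ticketing or chat-export format provides.

```python
"""Retrospective metrics computed from a scribe's incident log.

Added example, not from the original post. The pipe-separated log format,
the milestone markers and the sample entries are constructed assumptions.
"""
from datetime import datetime, timedelta

# Constructed sample log: the kind of entries a dedicated scribe would capture.
SAMPLE_LOG = """\
2024-03-04T08:12:00Z | edr         | alert: suspicious PowerShell on WS-114
2024-03-04T09:40:00Z | soc-analyst | triage started: alert confirmed malicious
2024-03-04T09:55:00Z | soc-analyst | declared incident INC-001
2024-03-04T11:30:00Z | ir-lead     | stakeholders notified: CISO, legal
2024-03-04T12:05:00Z | ir-lead     | containment: WS-114 isolated, account disabled
2024-03-05T16:00:00Z | ir-lead     | eradication complete: host reimaged
"""

# First log entry whose event text contains the marker becomes that milestone.
MILESTONES = {
    "detected": "alert:",
    "declared": "declared incident",
    "stakeholders_notified": "stakeholders notified",
    "contained": "containment:",
    "eradicated": "eradication complete",
}


def parse_log(text):
    """Parse 'timestamp | actor | event' lines into sorted (ts, actor, event) tuples."""
    entries = []
    for line in text.strip().splitlines():
        ts, actor, event = (part.strip() for part in line.split("|", 2))
        entries.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), actor, event))
    return sorted(entries)


def milestones(entries):
    """Map each milestone name to the timestamp of its first matching entry."""
    found = {}
    for ts, _actor, event in entries:
        for name, marker in MILESTONES.items():
            if name not in found and marker in event:
                found[name] = ts
    return found


def retrospective(entries, notify_sla=timedelta(hours=1)):
    """Derive the durations the retrospective asks about from the milestones.

    notify_sla is the assumed maximum acceptable delay between declaring the
    incident and engaging stakeholders; missing milestones are reported so the
    team can see which steps were never logged (or never happened).
    """
    ms = milestones(entries)

    def gap(start, end):
        if start in ms and end in ms:
            return ms[end] - ms[start]
        return None  # cannot measure what was not recorded

    notify_lag = gap("declared", "stakeholders_notified")
    return {
        "time_to_declare": gap("detected", "declared"),
        "time_to_contain": gap("detected", "contained"),
        "notify_lag": notify_lag,
        "stakeholders_late": notify_lag is not None and notify_lag > notify_sla,
        "missing_milestones": [m for m in MILESTONES if m not in ms],
    }


if __name__ == "__main__":
    for key, value in retrospective(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the constructed log, stakeholders were engaged 1 hour 35 minutes after declaration, which exceeds the assumed one-hour SLA, so the "were the stakeholders engaged in time?" question has a concrete answer rather than an opinion. The same structure extends to any other question the team wants evidence for, by adding a marker and a gap.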
On the road again
A remediation roadmap is a comprehensive representation of the steps needed to strengthen your cyber security posture. It will vary depending on the type of attack and the controls already in place. You'll want to categorize the items into buckets for people, process and technology, and each item should have a more detailed project description, including an assigned priority level and budget. Items should also be loosely grouped into short-term preventive measures; medium-term monitoring and low-level response; and large-scale projects that remediate typically longstanding issues, such as network segmentation, Active Directory and identity issues, incomplete asset inventories, inadequate endpoint monitoring and protection, and data management.
Specific areas that are probably the most important to review and remediate both before and after a breach include:
- Patch management and continuous vulnerability assessment. This requires an organization to have a complete asset management program and prioritize what assets and information are important to protect, which I know can be a challenge for some.
- Privileged-user Access Management (PAM). Should a hacker or adversary breach your environment, gaining advanced privileges such as admin access is usually key to carrying out their attack. Having a robust PAM solution and program prevents hackers from escalating those privileges and can in some cases assist with compliance.
- Network segmentation. Many companies have flat networks that have grown up over time and allow an attacker to move easily from one repository or application to another. Segmenting this kind of network into security zones, each containing a group of assets or data, can slow the speed of an attack, increase overall data security and make it easier to monitor and alert on nefarious behavior. Segmentation can also often reduce the damage from a successful attack, or prevent it from getting through at all.
- Data loss program. Data is one of your key assets, and its theft, unavailability or loss of integrity can be catastrophic. A full program includes not only cataloging and classifying your data for security and retention but also securing all endpoints, such as laptop and desktop computers, mobile phones and data repositories. If possible, also be sure to turn on full auditing and logging, and use user behavior analytics that look for anomalies, such as huge data dumps or wholesale unauthorized encryption.
Ultimately, if there's one thing no organization today can afford following a cyber incident, it's failure to complete post-incident activities. Leave no stone unturned, and no facet uncut. After all, you've already paid for the incident. Why not get the greatest possible value out of it?