Assessing the team and processes' effectiveness

7MB

Incident Response: Lessons Learned.pdf

PDF

Open

Lessons learned

• How soon did detection and identification happen?

• How did the initial response to the incident being identified go?

• What work was performed and by whom during each phase?

• How effective was containment and eradication?

• What areas should be improved?

• Suggestions for improvement

How soon did detection happen?

• How long after initial compromise? Days, months, years?

• Was this sufficient?

• How much of the detection responsibility is on IR?

How effective was the initial response?

• Was your team able to follow the playbook effectively?

• Was there time wasted waiting for access to information or systems?

• Did the initial notification make it to the right people at the right time?

• Was the initial notifiaction accurate with information?

What work was performed during each phase?

• Who performed what work?

• Was it sufficient for the incident?

• Was information from previous phases properly passed on and ingested?

How effective was containment and eradication?

• How long did it take?

• How many times did your team have to "redo" containment?

• After eradication monitoring, did signs of malware or compromise continue to show up?

  • How many times did you have to repeat this cycle?

• Were eradication tools effective?

  • Did you have to bring in additional or new tools?

What areas should be improved?

• Do you need better tools?

• Was staff appropriately skilled?

  • Do we need more training?

• Was communication appropriate and sufficient?

Suggestions for improvement

• Keep improvement suggestions positive

• Minimize pointing out specific individuals

  • Speak more to the overall function or role

• Allow suggestions from the entire team

  • Consider blind suggestions box or portal