Online Courses
Cyber Incident Response
  1. Follow Up / Lessons Learned

Assessing the team and processes' effectiveness


Last updated 8 months ago

Lessons learned

  • How soon did detection and identification happen?

  • How effective was the initial response once the incident was identified?

  • What work was performed and by whom during each phase?

  • How effective was containment and eradication?

  • What areas should be improved?

  • Suggestions for improvement

How soon did detection happen?

  • How long after initial compromise? Days, months, years?

  • Was this sufficient?

  • How much of the detection responsibility is on IR?

How effective was the initial response?

  • Was your team able to follow the playbook effectively?

  • Was there time wasted waiting for access to information or systems?

  • Did the initial notification make it to the right people at the right time?

  • Was the information in the initial notification accurate?

What work was performed during each phase?

  • Who performed what work?

  • Was it sufficient for the incident?

  • Was information from previous phases properly passed on and ingested?

How effective was containment and eradication?

  • How long did it take?

  • How many times did your team have to "redo" containment?

  • During post-eradication monitoring, did signs of malware or compromise continue to show up?

    • How many times did you have to repeat this cycle?

  • Were eradication tools effective?

    • Did you have to bring in additional or new tools?
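
The timing and repeat-count questions above are easier to answer from the incident record than from memory. The following is an added example, not part of the course material: it takes an incident timeline (timestamp, phase, actor, note) and computes dwell time, time to contain, time to recover, how many containment and eradication passes were needed, how often compromise re-surfaced after eradication, and who worked each phase, then compares the numbers against playbook targets. The timeline format, the event names, the sample events and the target values are all constructed here for illustration.

```python
"""Lessons-learned metrics from an incident timeline (added example, constructed data)."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample timeline for a hypothetical incident. The "compromise"
# event is the earliest evidence found during investigation; the remaining
# events are what the IR team logged while working the incident.
TIMELINE = [
    ("2024-03-02T09:15:00", "compromise", "unknown", "phishing payload executed on WS-1042 (found in forensics)"),
    ("2024-03-19T14:02:00", "detection", "soc-analyst", "EDR alert: credential dumping on WS-1042"),
    ("2024-03-19T14:40:00", "identification", "ir-lead", "confirmed incident, severity 2, notification sent"),
    ("2024-03-19T16:10:00", "containment", "ir-engineer", "isolated WS-1042 via EDR network quarantine"),
    ("2024-03-20T08:30:00", "investigation", "forensics", "lateral movement to FS-07 over SMB found"),
    ("2024-03-20T09:05:00", "containment", "ir-engineer", "isolated FS-07, reset service account"),
    ("2024-03-21T11:00:00", "eradication", "ir-engineer", "removed persistence, reimaged WS-1042"),
    ("2024-03-23T07:45:00", "recurrence", "soc-analyst", "beacon from FS-07 seen after eradication"),
    ("2024-03-23T10:20:00", "eradication", "ir-engineer", "reimaged FS-07, rotated all service credentials"),
    ("2024-03-26T17:00:00", "recovery", "ops", "services restored, monitoring clean for 72h"),
]

# Hypothetical playbook targets (assumed values) used for the "was this sufficient?" check.
TARGETS = {
    "dwell_time_days": 1.0,
    "time_to_contain_hours": 4.0,
    "containment_redos": 0,
    "post_eradication_recurrences": 0,
}


def parse(timeline):
    """Convert ISO-8601 strings to datetimes and sort the events chronologically."""
    return sorted((datetime.fromisoformat(ts), phase, actor, note) for ts, phase, actor, note in timeline)


def first(events, phase):
    """Timestamp of the first event in the given phase, or None if it never happened."""
    for ts, ph, _, _ in events:
        if ph == phase:
            return ts
    return None


def lessons_learned_metrics(timeline=TIMELINE):
    """Compute the numbers the lessons-learned questions ask for."""
    events = parse(timeline)
    compromise = first(events, "compromise")
    detection = first(events, "detection")
    containment = first(events, "containment")
    recovery = first(events, "recovery")

    phases = Counter(ph for _, ph, _, _ in events)
    work = defaultdict(list)  # phase -> actors who logged work in it
    for _, ph, actor, _ in events:
        if ph != "compromise":  # attacker activity is not IR work
            work[ph].append(actor)

    return {
        "dwell_time_days": (detection - compromise).total_seconds() / 86400,
        "time_to_contain_hours": (containment - detection).total_seconds() / 3600,
        "time_to_recover_days": (recovery - detection).total_seconds() / 86400,
        "containment_actions": phases["containment"],
        "containment_redos": max(phases["containment"] - 1, 0),
        "eradication_cycles": phases["eradication"],
        "post_eradication_recurrences": phases["recurrence"],
        "work_by_phase": dict(work),
    }


def missed_targets(metrics, targets=TARGETS):
    """Return {metric: (actual, target)} for every metric that exceeded its playbook target."""
    return {k: (metrics[k], v) for k, v in targets.items() if metrics[k] > v}


if __name__ == "__main__":
    m = lessons_learned_metrics()
    for key, value in m.items():
        print(f"{key}: {value}")
    print("targets missed:", missed_targets(m))
```

With the constructed timeline the script reports roughly 17 days of dwell time, just over two hours from detection to first containment, two containment passes (one redo), two eradication cycles and one recurrence; the dwell time, the containment redo and the recurrence all exceed the assumed targets, which is exactly the list the "what areas should be improved" discussion should start from.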

What areas should be improved?

  • Do you need better tools?

  • Was staff appropriately skilled?

    • Is more training needed?

  • Was communication appropriate and sufficient?

Suggestions for improvement

  • Keep improvement suggestions positive

  • Minimize pointing out specific individuals

    • Speak more to the overall function or role

  • Allow suggestions from the entire team

    • Consider an anonymous suggestion box or portal

Attachment: Incident Response: Lessons Learned.pdf (7MB)