Module 12: Post-Mortem Reporting

The Post-mortem Report

Post-Mortem Reporting Basics

Essential elements:

Overview
Timeline of Events
Impact and Damage Assessment
Root Cause Analysis
Lessons Learned and Recommendations

Metrics and KPIs in Post-Mortem Reporting

KPIs are Key Performance Indicators. There are four main areas where these metrics provide value:

Guided Learning
Performance Improvement
Resource Allocation
Compliance and Reporting

Distinguishing Between Blame and Accountability

Blame. Being blamed is to be found at fault, to be culpable for an incident occurring. It's the act of censuring someone, holding them responsible for a negative act.
Accountability. To be accountable means to have authority to make decisions, to be able to justify those decisions, and to be answerable for the performance of something.

Accountability is often documented in a RASCI chart:

Process

SOC Mgr

SOC Level 1

SOC Level 2

CSIRT

Alert Monitoring

Investigations

Impact Assessment

Incident Response

Post-Mortem Report Template

Overview (Table)/Executive Summary

Field

Description

Incident ID

Unique identifier for the incident

Date of Incident

Specify when the incident occurred

Report Prepared By

Name of the individual/team preparing the report

Criticality Level

Define the severity of the incident (e.g., High, Medium, Low)

Summary Narrative

A brief narrative summarizing the key points about the incident, including what happened, the response, and any follow-up action plans

Timeline Table

Field

Description

Date

The date when a particular event occurred

Time

The time at which the event occurred

Critical Moments

Brief descriptions of the event

Actions/Responses

Detailed account of the actions or responses initiated at the event

Impact Assessment Table

Field

Description

Affected Systems/Services

Enumerate the systems, platforms, or services compromised by the incident.

Duration of Outage

Detail the time that the system/service was unavailable or compromised.

Business Impact

Articulate the implications on business operations, user experience, and potential Service Level Agreement (SLA) breaches.

Potential Data Impact

Assess the likelihood of unauthorized data access, leaks, or breaches. Include the type of data potentially compromised (personal data, financial information, etc.).

Financial Impact

Quantify the immediate costs related to incident response, recovery, and potential longer-term expenses (such as lawsuits, fines, or lost business).

Reputational Impact

Gauge the potential damage to the company's public image and trustworthiness in the market. Highlight efforts needed for public relations campaigns and rebuilding user trust.

Root Cause Table

Field

Description

Initial Point of Compromise

Detail the first breach or event that indicated a security compromise.

Root Cause of the Initial Compromise

Results of the root cause analysis.

Identified Subsequent Compromises

Explore how the initial breach led to further security incidents or vulnerabilities.

Methods Used

Detail the tactics, techniques, and procedures used by the adversaries.

Lessons Learned Table

Field

Description

Positive Takeaways

Highlight what went well during the incident

Areas for Improvement

Discuss what could have been done better

Action Table Plan

Field

Description

Short-Term Actions

Actions to be taken immediately to address the issues

Long-Term Actions

Actions that are to be included in future plans and budgets to reduce vulnerability, enhance capability, and improve resilience

Root Cause Analysis

Cause Mapping for Root Cause Analysis

Five Whys Table

Why

Question

Finding

What was the immediate cause?

An employee clicked on a suspicious link within a phishing email.

Why did the employee click the link?

The employee hadn't undergone cyber security training, lacking the knowledge to recognize the threat.

Why hadn't the employee been trained?

Cyber security training was available but optional, creating knowledge gaps.

Why did the employee not opt for the training?

Some employees view the optional training as burdensome and chose to bypass it.

Why did we not make training mandatory?

We don't think investing in cyber training is justified.

Initial and Subsequent Points of Compromise

Document initial foothold gained as well as any further compromises.

Impact and Damage Assessment

Connecting Technology to Business

Updating our Initial Impact Assessment

Updating the lab's initial impact assessment.

Lessons Learned

Incident Response Lessons Learned

Identify any lessons that can enhance our security posture against potential future threats.

Identifying Capability Improvements

Ask the hard questions to figure out how to do better next time.

Bringing It Together

Lab Scenario Post-Mortem Report

Walkthrough of the lab's post-mortem report.

PreviousModule 11: Incident Eradication and Recovery NextModule 13: Incident Response Challenge Labs

Last updated 6 months ago

Module 12: Post-Mortem Reporting

The Post-mortem Report

Post-Mortem Reporting Basics

Essential elements:

Overview
Timeline of Events
Impact and Damage Assessment
Root Cause Analysis
Lessons Learned and Recommendations

Metrics and KPIs in Post-Mortem Reporting

KPIs are Key Performance Indicators. There are four main areas where these metrics provide value:

Guided Learning
Performance Improvement
Resource Allocation
Compliance and Reporting

Distinguishing Between Blame and Accountability

Blame. Being blamed is to be found at fault, to be culpable for an incident occurring. It's the act of censuring someone, holding them responsible for a negative act.
Accountability. To be accountable means to have authority to make decisions, to be able to justify those decisions, and to be answerable for the performance of something.

Accountability is often documented in a RASCI chart:

Process

SOC Mgr

SOC Level 1

SOC Level 2

CSIRT

Alert Monitoring

Investigations

Impact Assessment

Incident Response

Post-Mortem Report Template

Overview (Table)/Executive Summary

Field

Description

Incident ID

Unique identifier for the incident

Date of Incident

Specify when the incident occurred

Report Prepared By

Name of the individual/team preparing the report

Criticality Level

Define the severity of the incident (e.g., High, Medium, Low)

Summary Narrative

A brief narrative summarizing the key points about the incident, including what happened, the response, and any follow-up action plans

Timeline Table

Field

Description

Date

The date when a particular event occurred

Time

The time at which the event occurred

Critical Moments

Brief descriptions of the event

Actions/Responses

Detailed account of the actions or responses initiated at the event

Impact Assessment Table

Field

Description

Affected Systems/Services

Enumerate the systems, platforms, or services compromised by the incident.

Duration of Outage

Detail the time that the system/service was unavailable or compromised.

Business Impact

Articulate the implications on business operations, user experience, and potential Service Level Agreement (SLA) breaches.

Potential Data Impact

Assess the likelihood of unauthorized data access, leaks, or breaches. Include the type of data potentially compromised (personal data, financial information, etc.).

Financial Impact

Quantify the immediate costs related to incident response, recovery, and potential longer-term expenses (such as lawsuits, fines, or lost business).

Reputational Impact

Gauge the potential damage to the company's public image and trustworthiness in the market. Highlight efforts needed for public relations campaigns and rebuilding user trust.

Root Cause Table

Field

Description

Initial Point of Compromise

Detail the first breach or event that indicated a security compromise.

Root Cause of the Initial Compromise

Results of the root cause analysis.

Identified Subsequent Compromises

Explore how the initial breach led to further security incidents or vulnerabilities.

Methods Used

Detail the tactics, techniques, and procedures used by the adversaries.

Lessons Learned Table

Field

Description

Positive Takeaways

Highlight what went well during the incident

Areas for Improvement

Discuss what could have been done better

Action Table Plan

Field

Description

Short-Term Actions

Actions to be taken immediately to address the issues

Long-Term Actions

Actions that are to be included in future plans and budgets to reduce vulnerability, enhance capability, and improve resilience

Root Cause Analysis

Cause Mapping for Root Cause Analysis

Five Whys Table

Why

Question

Finding

What was the immediate cause?

An employee clicked on a suspicious link within a phishing email.

Why did the employee click the link?

The employee hadn't undergone cyber security training, lacking the knowledge to recognize the threat.

Why hadn't the employee been trained?

Cyber security training was available but optional, creating knowledge gaps.

Why did the employee not opt for the training?

Some employees view the optional training as burdensome and chose to bypass it.

Why did we not make training mandatory?

We don't think investing in cyber training is justified.

Initial and Subsequent Points of Compromise

Document initial foothold gained as well as any further compromises.

Impact and Damage Assessment

Connecting Technology to Business

Updating our Initial Impact Assessment

Updating the lab's initial impact assessment.

Lessons Learned

Incident Response Lessons Learned

Identify any lessons that can enhance our security posture against potential future threats.

Identifying Capability Improvements

Ask the hard questions to figure out how to do better next time.

Bringing It Together

Lab Scenario Post-Mortem Report

Walkthrough of the lab's post-mortem report.

PreviousModule 11: Incident Eradication and Recovery NextModule 13: Incident Response Challenge Labs

Last updated 6 months ago