Module 12: Post-Mortem Reporting
The Post-mortem Report
Post-Mortem Reporting Basics
Essential elements:
Overview
Timeline of Events
Impact and Damage Assessment
Root Cause Analysis
Lessons Learned and Recommendations
Metrics and KPIs in Post-Mortem Reporting
KPIs are Key Performance Indicators. There are four main areas where these metrics provide value:
Guided Learning
Performance Improvement
Resource Allocation
Compliance and Reporting
Distinguishing Between Blame and Accountability
Blame. Being blamed is to be found at fault, to be culpable for an incident occurring. It's the act of censuring someone, holding them responsible for a negative act.
Accountability. To be accountable means to have authority to make decisions, to be able to justify those decisions, and to be answerable for the performance of something.
Accountability is often documented in a RASCI chart:
Alert Monitoring
A
R
I
Investigations
A
R
C
Impact Assessment
A
R
Incident Response
A
R
R
Post-Mortem Report Template
Overview (Table)/Executive Summary
Incident ID
Unique identifier for the incident
Date of Incident
Specify when the incident occurred
Report Prepared By
Name of the individual/team preparing the report
Criticality Level
Define the severity of the incident (e.g., High, Medium, Low)
Summary Narrative
A brief narrative summarizing the key points about the incident, including what happened, the response, and any follow-up action plans
Timeline Table
Date
The date when a particular event occurred
Time
The time at which the event occurred
Critical Moments
Brief descriptions of the event
Actions/Responses
Detailed account of the actions or responses initiated at the event
Impact Assessment Table
Affected Systems/Services
Enumerate the systems, platforms, or services compromised by the incident.
Duration of Outage
Detail the time that the system/service was unavailable or compromised.
Business Impact
Articulate the implications on business operations, user experience, and potential Service Level Agreement (SLA) breaches.
Potential Data Impact
Assess the likelihood of unauthorized data access, leaks, or breaches. Include the type of data potentially compromised (personal data, financial information, etc.).
Financial Impact
Quantify the immediate costs related to incident response, recovery, and potential longer-term expenses (such as lawsuits, fines, or lost business).
Reputational Impact
Gauge the potential damage to the company's public image and trustworthiness in the market. Highlight efforts needed for public relations campaigns and rebuilding user trust.
Root Cause Table
Initial Point of Compromise
Detail the first breach or event that indicated a security compromise.
Root Cause of the Initial Compromise
Results of the root cause analysis.
Identified Subsequent Compromises
Explore how the initial breach led to further security incidents or vulnerabilities.
Methods Used
Detail the tactics, techniques, and procedures used by the adversaries.
Lessons Learned Table
Positive Takeaways
Highlight what went well during the incident
Areas for Improvement
Discuss what could have been done better
Action Table Plan
Short-Term Actions
Actions to be taken immediately to address the issues
Long-Term Actions
Actions that are to be included in future plans and budgets to reduce vulnerability, enhance capability, and improve resilience
Root Cause Analysis
Cause Mapping for Root Cause Analysis
Five Whys Table
1
What was the immediate cause?
An employee clicked on a suspicious link within a phishing email.
2
Why did the employee click the link?
The employee hadn't undergone cyber security training, lacking the knowledge to recognize the threat.
3
Why hadn't the employee been trained?
Cyber security training was available but optional, creating knowledge gaps.
4
Why did the employee not opt for the training?
Some employees view the optional training as burdensome and chose to bypass it.
5
Why did we not make training mandatory?
We don't think investing in cyber training is justified.
Initial and Subsequent Points of Compromise
Document initial foothold gained as well as any further compromises.
Impact and Damage Assessment
Connecting Technology to Business
Updating our Initial Impact Assessment
Updating the lab's initial impact assessment.
Lessons Learned
Incident Response Lessons Learned
Identify any lessons that can enhance our security posture against potential future threats.
Identifying Capability Improvements
Ask the hard questions to figure out how to do better next time.
Bringing It Together
Lab Scenario Post-Mortem Report
Walkthrough of the lab's post-mortem report.
Last updated