Lesson 6.2 Conducting a debriefing
for this lesson. The objective is to understand how to conduct a debriefing after a cyber incident and who should participate.
Now, this may sound like something silly to put in this course, but a debriefing is extremely important to the entire higher life cycle.
This is where you learn some of the most critical information
after an incident has been remediated and things were getting back to normal.
And I want to walk through how to do this correctly, who should be involved in what you should be doing in these? I have facilitated a number of these in my past, and I can certainly give you some hopefully good advice on how to conduct these meetings.
First, consider who should lead the meeting. Should it be the CERT lead, maybe the cyst. So
perhaps you have another person in the organization that's just a really good facilitator, but has nothing to do with I T or Cyber
or an outside consultant. There's pros and cons to all of these. One thing I would say is I would be a little bit hesitant to have the CERT lead
or even the CIS Oh, run this meeting.
They are generally emotionally invested in the incident response. They may personally have been involved and have their own opinions as to how things have happened. They may dominate the conversation. They might not let certain people talk if they don't agree with their opinions.
So in general, I like to steer away from having anyone in the cybersecurity organization and probably the I T organization involved in actually facilitating this debrief.
Now, if you have somebody in the organization that's just a really skilled facilitator that's removed completely, that might be okay. It might be actually really good, but you also have to look at where they involved as a victim or in any way whatsoever in the cyber incident. Do they have Cem
baggage with cybersecurity? Are they mad at
lost productivity because of the incident? So that may or may not be a good idea,
but it's probably the best. If you don't have anybody else you can bring in from the outside and then finally bringing in somebody who is knowledgeable in this or a skilled consultant that can come in and facilitate this kind of a meeting. It doesn't have to be in person. It can certainly be done virtually.
But this is something that you might consider doing because people may feel a little bit more comfortable. The consultant does not have any type of dog in the fight and may be able to guide the conversation and ask some good questions that others might not ask because they're afraid of any
chain of command or rank or political pressures that might be present.
The topics that we would want to discuss in a debriefing are as follows
How and exactly when was the incident first detected? So we want to build our timeline, and we want to figure out from ground zero
How do you detect it? When was it detected? Who detected it?
And then we want to find out. Was the incident properly triaged and categorized? So if the incident was originally said to be a false positive,
that would be really good information to know and then deep dive why that happened? Or maybe the team immediately recognize this is a problem, since it based on the flow chart that we were working on earlier in this course to the right team, and it was investigated and handled appropriately
in the room. I always like to go around the room and say, I'd like everybody to introduce themselves and tell me what your role was in this incident and that can be helpful just for the facilitator to know, but also as a reminder to everyone in the room about what role they played.
Then let's talk about the incident response plan.
Did it work? Hopefully have one, because you've gone through this course. What should be changed? Undoubtedly, there's going to be things in the playbook in the i R plan in a checklist that was overlooked. It's not applicable anymore or whatever you want to get these things out on the table to.
Also, we're all the right notifications made.
Most leaders don't like surprises, and if somebody wasn't notified, that should have been a guarantee You will know about that. So this is a good time to say, you know, we forgot to notify director so and so or we should have notified the chief of staff before going straight to the CEO.
Whatever the case might be just again, this is a good question to ask.
Now, this could be an interesting and a long discussion. But what would we do differently? And you really want to make sure you're getting input from everyone? And this is where the skilled facilitator part comes in. The facilitator should be looking for individuals that are just quietly head down, not wanting to talk,
and also for the people that are talking constantly
and try and get everyone to be engaged and participate.
What could we do as a team to improve? So this isn't what could John or Sally do to improve? This is as a team, what could we do to be better at this next time?
And then what resource is could we have used? But we didn't have?
This is a great thing to have, especially if you have a consultant that can help you
strategize on the results of this debriefing. And this might fit nicely into a pitch to senior leadership later that says we've done an after action report. We had a consultant come in and help us, and we've determine that it had we had a SIM tool or had we had this tool,
it would have either eliminated or prevented this altogether, or it would have cut down the time to detect the incident significantly
and be able to show some of the evidence is to why you're making that claim
and then also what went well and that's a really good thing. To especially end on
is all right, great everybody. We've talked about how we could improve as a team. Some of the things didn't go so well, some of the gaps that we've identified. But now let's talk about what went well and how people start giving each other kudos. While John did a great job, he was perfect at forensics. He got those IOC's over to
Ruth right away. Ruth was able to scan the rest of our network, and she identified five other additional hosts and just start walking through those and make sure that those were all being documented as well.
All right, quiz question for this lesson. What are some reasons to have an outside consultant facilitate a cyber incident Debrief?
A. They can act as an independent third party and not be concerned about office politics or rank.
Be outside consultants are inexpensive, so it makes sense to hire one for this work,
or C outside consultants rarely understand incident response so they won't interfere with the discussion.
The right answer here is a They can act as an independent third party and not be concerned about office politics or rank
to summarize this lesson. We talked about how to conduct a debriefing after a cyber incident and who should participate in that debrief.