Hello. My name is David Visor and welcome to post Incident Response. We're moving here through Episode four into lessons learned, which is one of my hot point comics. So I can hopefully keep the shoot for you and not ramble.
Um, too much because I said this is
important topic for me. Very important topic. It's to skid. Skipped too much. Um,
we all know that we need to learn from our mistakes. It's everybody acknowledges that, but rarely do we even do that in our real lives. I can't tell you how many times of what somebody make this him. And I'll say it's a stupid mistake again, Again and again.
and the same through here in the incident response world Cyber security. Why do you think we keep seeing companies get hit with Ransomware? Because we are learning from our mistakes. Now you can see I'm already going on.
Karan here. Um, I don't want you to be that person.
Uh, and you need to be the change. You use kind of the colloquialism out there Be to change, be the one that asked When are we going to do the after action? When are we going to do our lessons. One, um,
you may be told to shut up. You may be able to sit in a corner.
Don't let it cost you your job. But Bt evangelist for this, um,
be the one that says we have to do this. We can't just keep making the same stupid mistakes over and over again. It's not only will frustrate you, but it will harm the company that you're working for. Set. Step up here. Be the beach. Uh, looking at it,
these include all the participants in the incident itself and also in the recovery process,
everyone. Yeah, I know that could be a huge list. And most of the time, uh, he's that I've been involved in our remote or, uh, could involve even several different
lessons learned meetings, because in one case that I can think of for myself that involved well over 75 people. So we actually had three ever meetings with around roughly 25 people coming in for your tea. Now, there were some repeat end these, but
we made sure that anybody who was involved in the incident had a boys and table during the the after action slash lessons learned just to make a short note here. I'll use those terms interchangeably after action and lesson learned. We can even include multiple incidents of the same after action
If they're shorter incidents, not major breaches, then yeah, you could actually do a couple of them all at the same time, especially if they don't include two people. But way that carefully. You don't want to lose the ball. Fact of worrying
from your incidents by trying to create a M
Too many incidents in the one beat Once the incident has been closed, the next step should be the after action,
um, again include everybody that was included in the incident process, even if they have to do it remotely and calling it The whole purpose of this step is to improve your posture, your security posture, and also to enhance or increase your response and protective capabilities.
no incident is truly closed until you have completed your after action on I know Far too many companies ignore this step, but that is true nonetheless, events why, you see cos getting reached again now format of your lessons were meeting can vary widely from
company. The company?
Ah, long of it may depend upon the personality. So your executive leaders, they may have a format that they revert and you don't want to go against that yourself. Uh,
who What your boss wants you to do. It's great that they even want todo. But the four match of the chosen that best help share knowledge. It allows everyone always to be hurt. Anyone involved in the incident should be able to speak really in these meetings.
I've seen meetings where
Lowly sock analyst tear line that we're leaving only job for heat months had one of the greatest insights ever doing incident and how to prepare against future incidents. And they were allowed to speak.
They're in the meeting to the system. Was the sea level executive or a global company. And that was fan,
whether it be positive
even negative, they should be allowed to speak without receiving any kind off back.
I think of the whole whistle blower scenario. There are pros and cons to that. But these after action reports, let him talk because you need to hear about the negatives and the positives a action in order to correct problems that have been discovered.
Now, if you delay these too long,
you're gonna lose a lot of the knowledge that was doomed and gathered in gained from the incident process itself. So don't push these back six months. Seven months, eight months.
Because people are gonna forget what they get it. They're gonna forget what they learned. The passion is gonna just dissipate. And they're going to become just in an exercise in futility for people and thus go against your purpose.
So what do you want to cover in these after actions?
Well, basically, these are easy, Right? Right. What happened? Uh, good grief over media. City manager should be doing that. Should be able to provide that whether they be a power point or whether it be the every report.
Whatever I've seen, timelines developed, never been put into a power point presented. That was fantastic review where documented procedure Small. It grabbed the incident response plan and throw it up on the table and say, let's walk through it and see if we've all expect these things to run a couple hours.
They're not gonna be short been. If you're
I see you, I will executive listening to this
by your people lunch. Provide him with coffee and doughnuts or something. I mean, help him out here.
Uh, where the procedure is adequate. And if not, have they been updated? And what? Lady up, uh, through what information should produce quicker. Um, where any steps or actions taken that hindered the response will recover. That could be technical or personal.
If you've got personality conflicts, these after actions were the place to
reveal them and address them and extent. Remember the example that I gave of the security analyst and the exchange agnan screaming at each other across a table?
Thankfully, that wasn't real world incident. But if that's allowed to fester
and rot, it will harm the entire DS. That response process. Don't let that kind of thing happen. What could you have done differently is another question could be addressed and asked after action reports document these things. The incident recorder is there s a recorder should be writing up an after action report
and the assignments for me.
You make corrections and admits and changes then that should be included in the after action report as well.
How could information sherry be improved but internally and extort.
Uh, for example, when 70 was breached, they lost all ability to communicate. Their email servers were down. Their cell phones were now they had to actually get into a closet and dig out old blackberries in order to be able to communicate with each other.
That should be identified in an after action report and then corrective measures to take
about extent. How did you operate working with your auditors or with HEPA or,
uh, somebody, the FBI? Yeah, I'm being kind of U S centric your, but that's where I live, wherever you might live. Ask yourself that external, Who are we dealing with? And how could we improve the communication process?
What new corrective for protective actions can be established a little in identifying document. How could you put a monetary? There's a whole host of things that you can cover here. One big one that I like is one additional tools for resource is could be purchased and implemented to protect against future attacks.
Then again, I already hit this, but oh, dropped it here again anyway.
Should be an open speak. Paul's honesty and clarity should be sought after in uh,
promoted from everyone involved. That's the M E way. You're ever really, truly going to be able to deal with the problems that you're facing anyway. Well, are they formal or informal again? That depends on your internal
corporate environment and thought processes. Some after actions have included their party providers, and they may be more formal because of that. But if their internal that could be informal, Onda allow for more freedom of speech and thought. Now you have third party providers involved. Remember your privacy issues, so
you may have to be careful what you talk about once you don't.
Uh, what time for incident? Some people like they include this in there after action, so I'll leave that up to you. But I didn't want you to know that it's available so that you can help create timeline and then manage future incidents. Some other items to include review existing policies and procedures for gaps.
Did you actually identify the cause? Uh,
and any remediation steps taken should be covered. I wasn't leftovers of a previous incident. If so, why wasn't dealt with?
Thank you very much. That was a quick overview. After action lessons work if you have any questions, comments, ideas, they're the maddening animal, Davey. 135 separate. Talk to you soon.