Post incident activity
We will cover post incident activity in the following sections.
Lessons-learned sessions
Once you have usefully closed out an incident, it is important that you conduct a lessons-learned session to determine the following:
- Where improvements need to be made in the process:
- Do new procedures need to be created?
- Do new alerts, signatures, and/or search parameters need to be added to automation tools?
- Were the plans followed? Did we run around, scream, and shout?
- Is training required?
Conducting a thorough lessons-learned session, with tasks to perform updates, will help to instill confidence that your incident response program is competent and that you are willing to address shortcomings and improve your own processes.
Once you have discovered actions, you must ensure that you complete those activities. Ensure that you develop tasks or projects as necessary to mitigate any of your discovered shortcomings in your incident response process.
Incident response plan testing
Like business...
