Analecta Cyber Company Blog: Holding a Lessons Learned After Recovery

2018-06-19

Holding a Lessons Learned After Recovery

There is a high likelihood that your first incident response and recovery experience will only be the beginning of a string of events throughout the course of your career. Each incident recovery will provide you and your incident response team with valuable information that you can incorporate into your ever-developing recovery plan. The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) calls on organizations to incorporate lessons learned from past events into future activities, improving recovery planning and processes.

Sustain versus improve


A good lessons learned summary provides more than just what went wrong. It identifies the things that the organization should continue to keep as part of its response and recovery actions. Items that contributed positively to the incident response or to the re-securing of systems should be highlighted and included in your revised incident response plan. Perhaps the network baseline helped your analysts discover the incident in the first place, or certain firewall rules prevented the attack from escalating. Use this information to make sure the rest of your information systems are secured against similar types of attacks.

On the other hand, humans often learn best from a painful lesson. A breach through an unpatched vulnerability on one server should signal the need to check all other servers for the same vulnerability. You may not have even been aware of the existence of the vulnerability before the attack, such as in the case of zero-day exploits. Now that you are aware, you have the opportunity to patch devices, adjust firewall access control lists or update signatures on the intrusion detection system (IDS) / intrusion prevention system (IPS).
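The fleet-wide check described above, as an added example (not Analecta's code): once the incident has shown which software and version range was exploited on the breached server, sweep the rest of the inventory for hosts still in that range so they go on the patch queue before they become the next incident. The inventory, the package name "framework" and the affected version bounds are constructed sample data, not a real advisory.

```python
"""Sweep an asset inventory for the vulnerability learned from one incident."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Affected:
    """One affected version range: min_version inclusive, fixed_in exclusive."""
    package: str
    min_version: str
    fixed_in: str


def parse_version(v: str) -> tuple:
    """Turn '1.4.7' into (1, 4, 7) so versions compare numerically, not as strings.

    A component with a suffix such as '7-rc1' keeps its leading digits; a
    component with no digits at all counts as 0.
    """
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def _pad(t: tuple, n: int) -> tuple:
    # '1.4' and '1.4.0' must compare equal, so pad the shorter tuple with zeros.
    return t + (0,) * (n - len(t))


def is_vulnerable(version: str, a: Affected) -> bool:
    """True when min_version <= version < fixed_in."""
    v, lo, hi = parse_version(version), parse_version(a.min_version), parse_version(a.fixed_in)
    n = max(len(v), len(lo), len(hi))
    v, lo, hi = _pad(v, n), _pad(lo, n), _pad(hi, n)
    return lo <= v < hi


def sweep(inventory: list, affected: list) -> list:
    """Return (host, package, version) for every host still on an affected version."""
    findings = []
    for host in inventory:
        for pkg, ver in host["packages"].items():
            for a in affected:
                if pkg == a.package and is_vulnerable(ver, a):
                    findings.append((host["host"], pkg, ver))
    return findings


# Constructed sample inventory: web-01 is the server that was breached.
INVENTORY = [
    {"host": "web-01", "packages": {"framework": "1.4.7"}},
    {"host": "web-02", "packages": {"framework": "1.4.2"}},
    {"host": "web-03", "packages": {"framework": "1.4.9"}},   # already on the fixed version
    {"host": "api-01", "packages": {"framework": "1.6.1"}},   # a second branch is affected too
    {"host": "db-01",  "packages": {"dbms": "9.6"}},
]

# Constructed placeholder ranges; take the real bounds from the vendor advisory.
AFFECTED = [
    Affected("framework", "1.4.0", "1.4.9"),
    Affected("framework", "1.6.0", "1.6.2"),
]

if __name__ == "__main__":
    for host, pkg, ver in sweep(INVENTORY, AFFECTED):
        print(f"PATCH NEEDED  {host:8} {pkg} {ver}")
```

The output is the patch list for the lessons learned action items: web-01 (the breached host), web-02 and api-01. web-03 is skipped because 1.4.9 is the first fixed version, and db-01 does not run the affected package at all.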

Important questions to answer


When the dust settles after a cybersecurity event, incident recovery teams need to ensure they have recorded all of the important details. NIST guidance suggests that the following questions be discussed as part of a lessons learned review.
  • Exactly what happened, when?
  • How well did staff and management perform in dealing with the incident?
  • Were the documented procedures followed? Were they adequate?
  • What information was needed sooner?
  • Were any steps or actions taken that might have inhibited the recovery?
  • What would the staff and management do differently the next time a similar incident occurs?
  • How could information sharing with other organizations have been improved?
  • What corrective actions can prevent similar incidents in the future?
  • What precursors or indicators should be watched for in the future to detect similar incidents?
  • What additional tools or resources are needed to detect, analyze and mitigate future incidents?
From the NIST Computer Security Incident Handling Guide


Cyber siege → information impact → financial fiasco


In 2017, a data breach at the credit bureau Equifax exposed sensitive personal and financial information of 143 million Americans. An unpatched critical Apache Struts vulnerability in the Equifax website was to blame for the massive data breach. Deciding which vulnerabilities need to be patched right away and which can wait for a later update cycle is the kind of finding Equifax could have identified during its lessons learned process.

Just a year before, a Panamanian law firm was the victim of an attack in which cyber thieves stole 2.6 TB of financial data regarding offshore financial companies. Researchers found that multiple applications and plugins were not kept up to date. Also, the firm’s network was not designed with the principle of least privilege in mind, meaning that once one set of credentials was compromised, attackers had an easier time gaining access to other systems on the company’s network. The subsequent leak of information, which became known globally as the Panama Papers, led to the eventual demise of the firm in March 2018.

Technical data may not be the most significant part of a lessons learned summary. One of the most damaging aspects of a data breach can be the organization’s communication strategy and how it informs its customers of an attack. It can be damaging to a business’s reputation to be in the limelight due to a breach of its information systems, but it is far worse if the business attempts to cover up the whole incident. Uber fell victim to this sort of thinking when it was compromised in October 2016 but did not reveal the breach to the public until November 2017. During the attack, the personal information of 57 million Uber riders and 600,000 Uber drivers had been stolen by malicious actors.

Sharing lessons learned  


Sharing the intimate details of a data breach with similar organizations within your industry may seem counterproductive, if not painful, but it is a strategy for protecting your industry as a whole. As we have advocated previously, the first priority should be securing your network. Once you have returned your networks to a pre-attack state, sharing the indicators of compromise with a threat intelligence sharing organization can help stop others from falling victim to the same sort of attack. Industry-specific information sharing and analysis organizations (ISAOs) are on the rise. Their role is to share cyber incident, threat and vulnerability information with their members to create a more complete picture of the threat environment. Belonging to one or more of these organizations allows you to learn from their members' lessons.
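Packaging indicators of compromise for a sharing organization, as an added example that is not part of the original post: many ISAOs and ISACs accept STIX 2.1, so the block below turns a plain list of IoCs into a STIX bundle using only the standard library. It also refuses to export addresses from the organization's own internal ranges, a check worth having before anything leaves the building. The IoC values (RFC 5737 test addresses, an example domain and a made-up hash) and the incident name are constructed sample data, and the internal ranges are assumed to be the RFC 1918 blocks.

```python
"""Build a STIX 2.1 bundle of indicators for a threat intelligence sharing organization."""
import ipaddress
import json
import uuid
from datetime import datetime, timezone

# Assumed internal address space; substitute your own allocations.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _stix_timestamp(dt: datetime) -> str:
    """STIX timestamps are UTC with millisecond precision and a trailing Z."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S") + f".{dt.microsecond // 1000:03d}Z"


def stix_pattern(ioc_type: str, value: str) -> str:
    """Map a plain IoC to a STIX pattern; reject unknown types rather than guess."""
    if ioc_type == "ipv4":
        addr = ipaddress.ip_address(value)
        if any(addr in net for net in INTERNAL_NETS):
            raise ValueError(f"refusing to share internal address {value}")
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    patterns = {
        "ipv4": f"[ipv4-addr:value = '{escaped}']",
        "domain": f"[domain-name:value = '{escaped}']",
        "url": f"[url:value = '{escaped}']",
        "sha256": f"[file:hashes.'SHA-256' = '{escaped}']",
    }
    if ioc_type not in patterns:
        raise ValueError(f"unsupported IoC type: {ioc_type}")
    return patterns[ioc_type]


def build_bundle(iocs: list, incident_name: str, now: datetime = None) -> dict:
    """Return a STIX 2.1 bundle with one indicator object per (type, value) pair."""
    ts = _stix_timestamp(now or datetime.now(timezone.utc))
    objects = []
    for ioc_type, value in iocs:
        objects.append({
            "type": "indicator",
            "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid4()}",
            "created": ts,
            "modified": ts,
            "name": f"{incident_name}: {ioc_type} {value}",
            "indicator_types": ["malicious-activity"],
            "pattern": stix_pattern(ioc_type, value),
            "pattern_type": "stix",
            "valid_from": ts,
        })
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


# Constructed sample IoCs from a hypothetical incident.
SAMPLE_IOCS = [
    ("ipv4", "203.0.113.5"),
    ("domain", "updates.example.net"),
    ("sha256", "a" * 64),
]

if __name__ == "__main__":
    print(json.dumps(build_bundle(SAMPLE_IOCS, "incident-2018-06-example"), indent=2))
```

Each call produces fresh UUIDs, so keep the generated bundle (or the IDs) if you later need to revoke or update an indicator with the sharing organization.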

Incorporating lessons learned into your response plan


Not only is it important to include those involved with the incident response when discussing lessons learned about an incident, but it helps to have knowledgeable personnel available who can facilitate cooperation and ask the tough questions. If you feel like you are missing that internal expertise and you need an effective security program – we’d love to talk with you.

We can partner with you to round out your current IT security infrastructure and to grow your understanding of security along the way. We win when our customers better understand their own security needs and are making internally-driven improvements to be more secure. With all of our services, we provide consultation and short-term expertise to eliminate risks in the present, as well as help build your knowledge and expertise for secure systems down the road. Email us at info@analecta-llc.com or visit our Cyber Security webpage.

Further Resources