Here's how you can effectively conduct a post-mortem analysis following an Information Security failure.

Here's what else to consider when conducting a post-mortem analysis following an information security failure: 1. **Immediate Response**: Contain the breach to prevent further damage. This involves isolating affected systems and halting malicious activities. 2. **Documentation**: Create a detailed timeline of events, noting when the breach was discovered, how it was identified, and key actions taken during the response. Document which systems, data, and user accounts were impacted. 3. **Team Assembly**: Assemble a diverse team of stakeholders to conduct the analysis. This team should include members from various departments such as IT security operations and legal, each bringing a unique perspective. 4

1) Immediate Response Incident Containment: First things first, make sure the breach is contained to stop any further damage. This means isolating the affected systems and halting any ongoing malicious activities. Preserve Evidence: Secure all relevant logs, system snapshots, and other crucial data for a detailed forensic analysis later. 2) Incident Documentation Timeline of Events: Create a detailed timeline of the incident. Note when the breach was discovered, how it was identified, and key actions taken during the response. Affected Systems and Data: Document which systems, data, and user accounts were impacted.

Some of the data being asked above to be gathered should have happened at the incident management stage itself. There should be no reason to Re gather all again. Remeber the focus is POST mortem.. Yes if any delta is left by all means go for it.

Here's how to effectively conduct a post-mortem analysis: Preparation and Planning: Assemble the Right Team: Form a cross-functional team with representatives from IT security, incident response, forensics (if needed), and potentially impacted business units. This ensures a comprehensive review from various perspectives. Define the Scope and Objectives: Clearly define the scope of the analysis, focusing on the specific security failure.

Incident Documentation Timeline of Events: Create a detailed timeline of the incident. Note when the breach was discovered, how it was identified, and key actions taken during the response. Affected Systems and Data: Document which systems, data, and user accounts were impacted.

"Post-mortem analysis after an InfoSec failure involves thorough examination of events, identifying root causes, and implementing corrective actions. Key steps: gather incident data, assess impact, conduct a root cause analysis, document findings, and implement remediation measures. In my experience, involving all stakeholders, including IT, management, and affected parties, fosters transparency and ensures comprehensive insights for preventing future incidents."

Forensic Analysis Root Cause Analysis: Identify how the breach happened, including vulnerabilities exploited and the methods used by the attackers. Entry Points: Determine the initial entry points and pathways used by the attackers to navigate the network. Data Exfiltration: Assess the extent of data exfiltration, including what data was accessed or stolen.

Lessons Learned Post-Mortem Meeting: Hold a post-mortem meeting with all relevant stakeholders to discuss the incident, what went well, what didn’t, and how to improve. Feedback Loop: Create a feedback loop to incorporate lessons learned into the organization’s overall security strategy.

Training and Awareness Employee Training: Conduct training sessions to educate employees on recognizing and responding to security threats. Incident Response Drills: Implement regular incident response drills to ensure the team is prepared for future incidents.

As analyst and as people closely "married" to controls and security posture we may be getting our individual bias in. Be watchful for making attributions and / or judgement that may have cognitive biases etc