What are the best ways to follow up after an incident response team has been activated?

It is helpful to have a proven and approved playbook including templates that will guide response team and help ensure consistent methods for documenting the incident.

Documentation of all aspects of a security incident is essential. For example this information may aid resolution of the incident, identify what did and did not work, help prevent future similar incident(s), etc. Remember you will need to keep communication open with other staff members as well as those involved in resolving the incident. As a result, it is recommended you develop a format template that enables you to record all relevant details about the incident. As well as providing a degree of formal structure to your incident response process. So simplifying any incident post-mortem, preventative, etc., steps that are undertaken once the incident has been resolved.

Após a ativa??o de uma equipe de resposta a incidentes (CSIRT), o acompanhamento adequado é crucial para avaliar a eficácia das a??es tomadas e fortalecer a postura de seguran?a. Abaixo cito alguns tópicos para você ficar de olho. - Revis?o Pós-Incidente - Relatório Detalhado - Análise de Causa Raiz (FCA ou qualquer outra ferramenta de qualidade): - Feedback da Equipe - Aprimoramento do Plano de Resposta a Incidentes - Treinamento Adicional - Monitoramento Contínuo - Comunica??o com Stakeholders - Avalia??o de Danos a Longo Prazo - Teste de Resiliência - Exercícios de Simula??o - Avalia??o de Conformidade - Revis?o de Políticas de Seguran?a

Ao seguir essas práticas, sua empresa pode garantir que seu CSIRT seja capaz de aprender com experiências passadas, melhorar processos e estar mais bem preparada para enfrentar futuras amea?as cibernéticas.

It is imperative that the response team work closely with operational team so that they also maintain awareness of the incident as well as keep close watch on impacted CMDB items to ensure all remains stable and no further breaches are attempted.

For any major incident a post-mortem shoudl be undertaken. To help identify: - How the incident was experienced. - What steps (defined, or not) worked/ did not work - What checks are needed to ensure the full scope of the incident was identified/ resolved - What preventative and related steps can/ need to be undertaken, etc. Other major undertakings, e.g. disaster recovery trial, may also benefit from a post-mortem, to help improve the disaster recovery process, etc.

Always a good thing to do. As the security and associated legislation requirements are continually evolving. As a result, so should your approach to responding to at least certain types of incident. Remember you need to undertake trial runs of your incident response process to ensure its effectiveness and completeness of coverage. Particularly because the nature of modern security attacks means the scope of impact of the incident, may be more significant than first impressions may indicate.

Response Team and Operational Team should consider if it is necessary to conduct additional research if responsible parties have not been identified. Something to consider is a Honey Pot that may attract responsible parties to try again. This time you will have methods to identify them. Response Team should also consider if government agencies should be contacted for assistance.

Post-mortem and other incident follow ups need to consider that the impact of the incident mat be more wider scale than the initial identifying component may indicate. For example, hackers will try and damage your backups, before they 'advertise' their presence. Feedback from users. clients, about the disruption caused, how the communication process worked, etc., is also important to collect. So that you can improve all areas of your incident response processes, including its handling and level/ style (mechanism(s)) of communication used, etc.