In the first part of this series, we explored the importance of lessons learned. In this post, we’ll focus on what organizations need to effectively implement this process and continue with the example of a burglary in my childhood home to illustrate the design of a lessons learned document.
The Importance of a Policy
To incorporate this process at the organizational level, we must either create a dedicated policy or add a specific lessons learned section to the existing incident response policy or procedure.
Andrew Baze, in the document Improving Incident Response Through Simplified Lessons Learned Data Capture, provides guidance on how to implement this policy. The key requirement is that the incident response team must capture lessons learned for every high- and critical-severity incident.
Andrew stresses using the word “shall” rather than “should”, so that the requirement is mandatory and not merely a recommendation, and notes that lessons can be collected either by email or in a formal meeting.
The Ingredients for Capturing Lessons Learned

Before convening the lessons learned session, we need to have several elements in place to ensure an effective process:
Incident Report:
The document detailing what happened, including the timeline of events, the affected systems, accounts and processes, and the actions taken in response to the incident. It also helps define who should participate in the session.
Notes and Communications:
All notes taken during and after the incident, including both internal and external communications.
People Who Should Attend the Session:
A list of the individuals who must attend. This may include technical staff (security, help desk, IT personnel) and non-technical staff (legal, business or area leaders, communications, human resources, and vendors if required).
Base Document:
The base document acts as both the agenda and the framework for the lessons learned session. It should be prepared in advance and distributed to participants for review. It should include at least the following elements:
Session Objectives:
Clarify what the lessons learned session is expected to achieve.
Detailed Agenda:
A breakdown of the topics to be discussed, with a time slot assigned to each point so that all important issues are covered.
Reflection Questions or Topics:
Questions or topics that participants should consider before the session, to encourage a more focused and in-depth discussion. Page 38 of NIST SP 800-61 offers suggested questions to use as a guide.
Rebekah Brown and Scott J. Roberts, in the second edition of their book Intelligence-Driven Incident Response, state that in the lessons learned phase, the team’s performance should be assessed during each stage of the incident response process by answering the following key questions:
What happened?
What did we do well?
What could we have done better?
What would we do differently in a future incident?
The book also includes a set of questions for each phase of the incident response cycle. Below, we use that approach to build the base template we will later apply to the childhood burglary. For now, we will not answer the questions; we simply present them in the template.
Base Template for the Lessons Learned Session
Session Objective:
Incident Details
Incident Timeline:
Incident Impact:
Participants:
Name | Role |
Discussion Points
Preparation
How could we have avoided the incident altogether?
What practices or tools could have improved the entire process?
Identification
What tools could have made threat identification easier?
What threat research would have helped?
Containment
What containment measures were effective?
Which ones weren’t?
Would other containment measures have been useful if they were easier to implement?
Eradication
What eradication mechanisms worked well?
What could have been done better?
Recovery
What delayed recovery? (Hint: focus on communication, as it’s one of the hardest parts of recovery.)
Implementation Plan
Activity | Owner | Validation date |
This template is designed to be adaptable for different types of incidents and organizations. You can download the template we use for security incidents at the following link.
In the next post, we’ll use the incident and template to simulate a lessons learned session based on the theft example.
Regards
Source: Career Hacking Village YouTube