Lessons Learned from Incidents – CompTIA Security+ SY0-401: 2.5


After an incident has occurred, it’s important to compare notes and plan for the next attack. In this video, you’ll learn how to answer the tough questions about a security incident.



After a security incident is over, it’s a good time to sit down and examine what occurred during that incident. None of your systems are going to be perfect, so this is an opportunity to learn what happened so that next time you can solve the problem even more efficiently. A post-incident meeting is a great way to do this, and you should invite everybody who was involved during the incident. That way you’ll get the widest perspective and understand how you can effect change across many different parts of the organization. You should also do this very quickly. The ideas and thoughts that occurred during an incident tend to fade over time, so if you can get everybody into a room very soon after the incident is over, it will still be fresh in everyone’s mind.

One of the obvious questions to answer is: what happened? You should be able to take all of your evidence and march backwards through time to the point when the incident first occurred. You may have to gather information from many different systems, across many different logs, to understand exactly what happened during the incident. Once your incident plan was put into effect, how well did it work? Look back at your plans and ask two things: were you able to follow them, and if you did follow them, did they work as well as you hoped? Knowing that, you can determine whether you should have done things a little differently, and then plan to do them differently next time.
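The step above, marching backwards through evidence gathered from many different systems and logs, is mostly a problem of getting every log source onto one clock and into one ordered list. The following is an added example, not code from the video or from CompTIA: it parses three constructed log formats (syslog in a local time zone with no year, an Apache combined log with an inline UTC offset, and a firewall export in ISO-8601 UTC), normalizes every timestamp to UTC, sorts them into a single timeline, and then finds the earliest event that mentions an indicator so you can measure how long the incident was visible before anyone acted on it. All hostnames, IP addresses and log lines are constructed for illustration.

```python
"""Build a single UTC-ordered incident timeline from heterogeneous log sources.

Added example (not from the video or from CompTIA). The hosts, addresses and
log lines below are constructed sample data, not real incident evidence.
"""
import re
from datetime import datetime, timezone, timedelta

# Constructed sample lines from three systems, each with its own timestamp
# format and time zone. These are NOT real logs.
SYSLOG_LINES = [  # Linux syslog, local time UTC-05:00, no year in the stamp
    "Mar 14 09:12:07 web01 sshd[2231]: Accepted password for deploy from 198.51.100.23 port 51544 ssh2",
    "Mar 14 09:13:40 web01 sudo: deploy : TTY=pts/0 ; COMMAND=/usr/bin/curl -o /tmp/x http://203.0.113.9/x",
]
APACHE_LINES = [  # Apache combined log, offset given inline
    '203.0.113.9 - - [14/Mar/2024:14:05:51 +0000] "GET /wp-login.php HTTP/1.1" 200 2811 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [14/Mar/2024:14:06:02 +0000] "POST /wp-login.php HTTP/1.1" 302 412 "-" "Mozilla/5.0"',
]
FIREWALL_LINES = [  # firewall export, ISO-8601 in UTC
    "2024-03-14T14:20:15Z DENY out src=10.0.0.5 dst=203.0.113.9 dport=4444 proto=tcp",
]

SYSLOG_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')
FW_RE = re.compile(r"^(\S+) (\w+) out src=(\S+) dst=(\S+) dport=(\d+)")


def parse_syslog(line, year, tz_offset_hours):
    """Syslog stamps carry no year and are in local time; both are supplied by the caller."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    local = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    local = local.replace(tzinfo=timezone(timedelta(hours=tz_offset_hours)))
    return {"ts": local.astimezone(timezone.utc), "source": f"syslog:{m.group(2)}", "event": m.group(3)}


def parse_apache(line):
    """Apache combined log: the bracketed stamp includes its own UTC offset."""
    m = APACHE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return {"ts": ts, "source": "apache:web01", "event": f"{m.group(1)} {m.group(3)} -> {m.group(4)}"}


def parse_firewall(line):
    """Firewall export already in UTC (trailing Z)."""
    m = FW_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "source": "firewall", "event": f"{m.group(2)} {m.group(3)} -> {m.group(4)}:{m.group(5)}"}


def build_timeline(syslog_lines, apache_lines, firewall_lines, year=2024, syslog_tz=-5):
    """Parse every source, drop unparseable lines, and return events sorted by UTC time."""
    events = []
    events += [e for e in (parse_syslog(l, year, syslog_tz) for l in syslog_lines) if e]
    events += [e for e in (parse_apache(l) for l in apache_lines) if e]
    events += [e for e in (parse_firewall(l) for l in firewall_lines) if e]
    events.sort(key=lambda e: e["ts"])
    return events


def first_indicator(timeline, indicator):
    """Earliest event whose text mentions the indicator (an IP, a path, a user), or None."""
    for e in timeline:
        if indicator in e["event"]:
            return e
    return None


def detection_lag(timeline, indicator, detected_at):
    """Seconds between the first appearance of an indicator and the moment the
    incident was actually recognized. A large lag marks a candidate early warning
    for the next incident."""
    first = first_indicator(timeline, indicator)
    if first is None:
        return None
    return (detected_at - first["ts"]).total_seconds()


if __name__ == "__main__":
    timeline = build_timeline(SYSLOG_LINES, APACHE_LINES, FIREWALL_LINES)
    for e in timeline:
        print(e["ts"].isoformat(), e["source"], e["event"])
    # Treat the firewall deny as the moment the incident was noticed (constructed assumption).
    print("lag (s):", detection_lag(timeline, "203.0.113.9", timeline[-1]["ts"]))
```

In the constructed data the web server saw the external address nearly fifteen minutes before the outbound connection was blocked, which is exactly the kind of "indicator that might have led you to this incident faster" the post-incident meeting should surface. The year and syslog time zone are passed in explicitly because syslog does not record them; in a real review, confirm them from the host rather than assuming.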

Being able to get views from many different people in the room allows you to build an even more detailed plan of attack for next time. And of course, an early warning system is very helpful. Perhaps there were indicators that could have led you to this particular incident much more rapidly, so that you could stop the problem before it ever became an issue in your environment. By analyzing your response to this incident, and getting a complete understanding of everything that occurred from the very beginning to the very end, you can start to plan for the next incident, and hopefully either keep it off your network completely or resolve it much faster.