After Action Reviews for Cyber-Attacks

  1. After Action Reviews for Cyber-Attacks

  2. After countless man-hours and additional funding put in place to protect your business from cyber-attacks, there will always be residual risk of a breach. If a breach still happens after all the hard work you and your team put in, it would be easy to resign yourself to the fact that it was all for nothing. What you must focus on, though, is that all that hard work made it much more difficult for that breach to occur. A hacker may spend days, weeks or months attempting to breach a network, and they only have to be lucky once to call their operation a success. If they manage to do so, the best thing you and your team can do is ensure you learn from it. After every operation in the military, both training and real-world, comes an After Action Review (AAR), and you should conduct one of your own to learn as much as you can about any cyber incident. An AAR has several parts which are key to ensuring you learn as much as possible about the incident:

  3. • Sustains. List everything about the reaction to the breach that provided positive results. This might include the technical controls that were in place that limited the breach, and the actions taken by your team that contained any losses.
  • Improves. Carefully analyze anything that didn't work out as planned and include any additional actions that could be taken to help in the future.
  • What was supposed to happen? Determine what measures were in place to prevent breaches and exactly how your team was trained to respond to them. Make a list of everything that should have happened from the moment a breach was detected, up until the moment it was contained.
  • What actually happened? Using the list you made of what should have happened, compare it to what actually happened.

  4. You can tailor an AAR to your needs, but the most important thing that should come out of it is positive change for the future. I know from experience that even the best AARs have a habit of getting filed away and never acted upon. When that happens, similar outcomes will continue to occur and no forward progress is made.

  5. • Determine exactly what devices or networks were compromised and determine if any data was lost. If possible, find the perpetrator(s) of the attack. This may involve bringing in a specialist, which can be expensive, but there are also many useful forensic tools that can help find any evidence left behind by an attacker and exactly what they gained access to.
  • Update or replace any hardware or software that was breached. Attackers are constantly working on new avenues of attack by finding new vulnerabilities. Keeping your hardware current and your software patched can prevent you from succumbing to attacks that could have been prevented.
  • Ensure your backup process is robust. If data was compromised you may need to restore your systems from a backup, and now would be a terrible time to discover that your process was flawed. To ensure smooth transitions and minimal downtime in the future, test the restoration from backup and make sure everything works as expected.

  6. • Update your risk register. To ensure you have a complete record of the breach and your response to it, update your risk register with all the information you obtain in the AAR and all other reviews of the incident. Keeping this log is instrumental in preventing future breaches.
  • Change all login credentials. This may seem trivial, but any breach of a computer system or network may provide a hacker unauthorized access in many different ways. The cheapest and easiest way to prevent easy access is to force all network credentials to be changed.

  7. Whatever you do after a breach, debrief your team appropriately and adjust your training plan accordingly. A knowledgeable and motivated staff is your first and best line of defense against data breaches.

  8. Contact SILO Compliance Systems: info@silocompliance.com. Complete set available at www.silocompliance.com
