After Action Reviews for Cyber-Attacks
September 22, 2020
After countless hours of work and additional funding put in place to protect your business from cyber-attacks, there will always be a residual risk of a breach. If a breach still happens after all the hard work you and your team have put in, it would be easy to resign yourself to the idea that it was all for nothing. What you must focus on instead is that all that hard work made the breach much harder to achieve. A hacker may spend days, weeks or months attempting to breach a network, and they only have to be lucky once to call their operation a success. If they manage it, the best thing you and your team can do is make sure you learn from it.
After every operation in the military, both training and real-world, comes an After Action Review (AAR), and you should conduct one of your own to learn as much as you can from any cyber incident. An AAR has several parts that are key to ensuring you learn as much as possible about the incident:
- What was supposed to happen? Determine what measures were in place to prevent breaches and exactly how your team was trained to respond to them. Make a list of everything that should have happened from the moment a breach was detected, up until the moment it was contained.
- What actually happened? Using the list you made of what should have happened, compare it to what actually happened.
- Sustains. List everything about the reaction to the breach that provided positive results. This might include the technical controls that were in place that limited a breach, and the action taken by your team that contained any losses.
- Improves. Carefully analyze anything that didn’t work out as planned and include any additional actions that could be taken to help in the future.
You can tailor an AAR to your needs, but the most important thing that should come out of it is positive change for the future. I know from experience that even the best AARs have a habit of getting filed away and never acted upon. When that happens, similar outcomes keep recurring and no forward progress is made. Give each "improve" an owner and a due date so it is tracked to completion.
As well as an AAR, you should carefully analyze all the technical security controls you have in place to test their functionality. You will need to know how they performed during the breach to determine if any of them failed and will need to be updated or replaced. Because there are so many different types of attack, some basic steps to take are as follows:
- Determine exactly what devices or networks were compromised and determine if any data was lost.
- If possible, find the perpetrator(s) of the attack. This may involve bringing in a specialist, which can be expensive, but there are also many useful forensic tools that can help uncover the evidence an attacker left behind and exactly what they gained access to. Even if attribution is never settled, that evidence is what tells you how they got in and how long they were there.
- Update or replace any hardware or software that was breached. Attackers are constantly finding new vulnerabilities and new avenues of attack. Keeping your hardware current and your software patched closes off attacks that rely on known, already-fixed flaws. Bear in mind that patching a compromised machine in place does not remove anything the attacker installed on it; a system known to have been controlled by an attacker should be rebuilt from known-good media.
- Ensure your backup process is robust. If data was compromised you may need to restore your systems from a backup, and now would be a terrible time to discover that your process was flawed. To ensure smooth transitions and minimal downtime in the future, actually perform a restoration from backup and verify that the restored data is complete and intact, not just that the restore job reported success. Also check how far back your backups go: a backup taken after the intrusion began may already contain the attacker's foothold, so you need a copy from before the compromise.
- Change all login credentials. This may seem trivial, but any breach of a computer system or network may give a hacker unauthorized access in many different ways, and stolen credentials are among the most common. The cheapest and easiest way to shut that door is to force all credentials to be changed, and that means service accounts, API keys and access tokens as well as user passwords. Do the rotation after the attacker has been evicted from the network, otherwise they simply capture the new credentials too.
- Update your risk register. To ensure you have a complete record of the breach and your response to it, update your risk register with everything you learn in the AAR and the other reviews of the incident. Keeping this record is instrumental in preventing similar breaches in the future.
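As an added illustration of the restore test described in the list above (this is example code written for this page, not a tool from the original post), the following Python script backs up a small constructed sample tree, restores the archive into a scratch directory, and checks every restored file against a SHA-256 manifest recorded at backup time. A restore is only declared good when nothing is missing, nothing is altered and nothing unexpected appeared, which is the check a plain "restore completed" message never gives you. The file names and contents are made up for the demonstration.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path

# Constructed sample data standing in for a real backup source tree.
SAMPLE_FILES = {
    "etc/app.conf": b"listen=0.0.0.0:8443\n",
    "data/customers.db": b"\x00" * 1024,
    "logs/app.log": b"2020-09-22 INFO service started\n",
}


def write_tree(root: Path, files: dict) -> None:
    """Materialise the sample files under root."""
    for rel, content in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative path) to its SHA-256."""
    return {
        str(path.relative_to(root)): sha256_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def create_backup(source: Path, archive: Path) -> dict:
    """Archive the source tree and return the manifest taken at backup time."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest


def restore_backup(archive: Path, dest: Path) -> None:
    """Extract the archive into dest, refusing unsafe members where supported."""
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(dest, filter="data")
        except TypeError:  # Python versions without the filter argument
            tar.extractall(dest)


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare the restored tree to the manifest; return {path: problem}."""
    actual = build_manifest(restored)
    problems = {}
    for rel, expected in manifest.items():
        if rel not in actual:
            problems[rel] = "missing"
        elif actual[rel] != expected:
            problems[rel] = "hash mismatch"
    for rel in actual:
        if rel not in manifest:
            problems[rel] = "unexpected file"
    return problems


def run_restore_test(files=SAMPLE_FILES, corrupt=None, remove=None) -> dict:
    """Full cycle: back up, restore, optionally simulate damage, then verify.

    corrupt/remove name a relative path to tamper with after the restore so
    the check can be seen catching silent corruption or a lost file.
    """
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source, archive, restored = base / "source", base / "backup.tar.gz", base / "restored"
        write_tree(source, files)
        manifest = create_backup(source, archive)
        restore_backup(archive, restored)
        if corrupt:
            (restored / corrupt).write_bytes(b"TAMPERED")
        if remove:
            (restored / remove).unlink()
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print("clean restore problems:", run_restore_test())
    print("corrupted restore problems:", run_restore_test(corrupt="data/customers.db"))
```

In a real environment the manifest would be written alongside the backup at creation time and kept somewhere the attacker cannot reach, so that a later restore can be checked against what was actually captured rather than against the possibly compromised live system.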
Whatever you do after a breach, debrief your team appropriately and adjust your training plan accordingly. A knowledgeable and motivated staff is your first and best line of defense against data breaches.