How you can learn from a cyberattack: Post-incident checklist

Tempting as it might be to forget all about the cyberattack nightmare you’ve just survived — don’t.

Not only are there several post-incident tasks you’ll need to be conscientious about, there is a great deal you and your employees can learn from the experience so that you don’t have to endure anything like it again.

Once you’ve eradicated the threat, remediated your IT environment, and recovered and restored data, systems, and operations — then taken a long, deep breath — you’re ready to deal with a post-incident checklist that should include:

Completing an incident report

This will help you improve your incident response plan and playbooks because you can use it to spot areas where you need to make changes and/or add cybersecurity capabilities.

Conducting a post-mortem analysis of the incident

If you don’t have the expertise in-house, seek a cybersecurity expert to help analyze where your vulnerabilities exposed your enterprise to attack — and then conduct a review of your incident response plan with an eye to updating it.

Monitoring your environment closely after the incident

Boost your monitoring and log as much information as possible across your environment to improve visibility. Also adopt automation technologies and processes that can analyze and filter logs so you can more quickly identify high-priority events requiring manual review.
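As an added illustration of the kind of automated log filtering described above (this is example code written for this page, not something from the original post or from Quest), the script below reads a handful of constructed syslog-style lines and sorts them into priority tiers so an analyst reviews the handful of high-priority events first. The log format, the detection rules and the failed-login threshold are all assumptions chosen for the example; a real deployment would adapt them to its own log sources.

```python
"""Triage log lines into priority tiers for manual review.

Added example for this page, not code from the original post.
Log format, rules and thresholds are assumptions for illustration.
"""
import re
from collections import Counter

# Constructed sample lines (not real data). Format is an assumption.
SAMPLE_LOGS = """\
2024-05-01T08:00:01Z host1 sshd: Failed password for invalid user admin from 203.0.113.10 port 5100
2024-05-01T08:00:02Z host1 sshd: Failed password for invalid user admin from 203.0.113.10 port 5101
2024-05-01T08:00:03Z host1 sshd: Failed password for invalid user admin from 203.0.113.10 port 5102
2024-05-01T08:00:04Z host1 sshd: Failed password for invalid user admin from 203.0.113.10 port 5103
2024-05-01T08:00:05Z host1 sshd: Failed password for invalid user admin from 203.0.113.10 port 5104
2024-05-01T08:00:06Z host1 sshd: Failed password for invalid user admin from 203.0.113.10 port 5105
2024-05-01T08:01:00Z host1 sshd: Accepted password for admin from 203.0.113.10 port 5106
2024-05-01T08:05:00Z host2 useradd: new user: name=svc_backup2, UID=1007
2024-05-01T08:06:00Z host2 sudo: svc_backup2 : TTY=pts/0 ; COMMAND=/usr/sbin/usermod -aG sudo svc_backup2
2024-05-01T09:00:00Z host3 cron: (root) CMD (run-parts /etc/cron.hourly)
2024-05-01T09:10:00Z host1 sshd: Accepted publickey for alice from 198.51.100.7 port 4400
"""

# Patterns for the events this example cares about (assumed message shapes).
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (\S+) from (\S+)")
NEWUSER_RE = re.compile(r"useradd: new user: name=(\S+),")
SUDOGRP_RE = re.compile(r"COMMAND=.*usermod .*-aG sudo (\S+)")

PRIORITY_RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


def triage(log_text, fail_threshold=5):
    """Return (priority, reason, evidence) tuples, highest priority first.

    HIGH:   a successful login from an address that just produced many
            failures, or an account being added to the sudo group.
    MEDIUM: a new local account, or an address with many failures alone.
    Everything else is dropped from the review queue.
    """
    lines = [ln for ln in log_text.splitlines() if ln.strip()]

    # First pass: count failed logins per source address.
    failures_by_ip = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failures_by_ip[m.group(2)] += 1

    # Second pass: evaluate the per-line rules with that context available.
    findings = []
    for line in lines:
        m = ACCEPTED_RE.search(line)
        if m:
            user, ip = m.groups()
            if failures_by_ip[ip] >= fail_threshold:
                findings.append(("HIGH",
                                 f"login for {user} from {ip} after "
                                 f"{failures_by_ip[ip]} failures", line))
            continue
        m = SUDOGRP_RE.search(line)
        if m:
            findings.append(("HIGH", f"account {m.group(1)} added to sudo group", line))
            continue
        m = NEWUSER_RE.search(line)
        if m:
            findings.append(("MEDIUM", f"new local account {m.group(1)} created", line))

    # Aggregate rule: brute-force volume from one address, even without success.
    for ip, n in failures_by_ip.items():
        if n >= fail_threshold:
            findings.append(("MEDIUM", f"{n} failed logins from {ip}",
                             f"(aggregate over {n} lines)"))

    findings.sort(key=lambda f: PRIORITY_RANK[f[0]])  # stable: keeps log order within a tier
    return findings


if __name__ == "__main__":
    for priority, reason, evidence in triage(SAMPLE_LOGS):
        print(f"[{priority}] {reason}\n    {evidence}")
```

Running it on the eleven constructed lines yields four findings: two HIGH (the successful login that follows six failures from the same address, and the new account being granted sudo), then two MEDIUM. The routine cron line never reaches the queue, which is the point: the analyst's time goes to the few events that matter.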

Identifying appropriate preventive measures

Every cyberattack can teach you something. Expect to:

Change users’ passwords, because it’s impossible to be 100% certain that you’re free of compromised credentials.

Continue paying special attention to applications, systems, and networks impacted by the incident as well as all user activity to make sure you’ve rooted out anything malicious.

Cyberattackers often leverage legitimate access methods (e.g., VPNs) to stick around and figure out ways to exfiltrate your data, so check the active sessions of all users — not merely those affected by the incident — and review remote access permissions to ensure that your only active network connections are the ones you want to be active.
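The session review described above can be scripted against an export of active remote-access sessions. The following is an added example written for this page (not code from the original post or from Quest): it reads a constructed CSV of VPN sessions, compares every user, not just the ones tied to the incident, against the list of accounts entitled to remote access, and flags sessions that are stale, unusually old, or running concurrently from more than one address. The CSV layout, the entitlement list and the idle and age limits are assumptions for illustration.

```python
"""Review all active remote-access sessions after an incident.

Added example for this page, not code from the original post.
CSV layout, entitlement list and limits are assumptions for illustration.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed export of active sessions (not real data).
SESSIONS_CSV = """\
user,source_ip,started,last_seen
alice,198.51.100.7,2024-05-01T07:55:00Z,2024-05-01T09:12:00Z
bob,203.0.113.44,2024-04-28T22:10:00Z,2024-04-29T01:00:00Z
bob,192.0.2.9,2024-05-01T08:30:00Z,2024-05-01T09:10:00Z
svc_backup2,203.0.113.10,2024-05-01T08:07:00Z,2024-05-01T09:11:00Z
carol,198.51.100.22,2024-05-01T06:00:00Z,2024-05-01T09:05:00Z
"""

# Accounts that are supposed to have remote access (assumed list).
REMOTE_ACCESS_ENTITLED = {"alice", "bob", "carol"}


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review_sessions(csv_text, entitled, now,
                    max_idle=timedelta(hours=1), max_age=timedelta(hours=24)):
    """Return the sessions that need a human decision, with reason codes.

    not-entitled: the account is not on the remote-access list
    stale:        no activity for longer than max_idle
    expired:      the session is older than max_age
    concurrent:   the same user has sessions from more than one address
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))

    # Gather per-user address sets so concurrency can be judged per row.
    ips_by_user = defaultdict(set)
    for row in rows:
        ips_by_user[row["user"]].add(row["source_ip"])

    flagged = []
    for row in rows:
        user, ip = row["user"], row["source_ip"]
        started, last_seen = parse_ts(row["started"]), parse_ts(row["last_seen"])
        reasons = []
        if user not in entitled:
            reasons.append("not-entitled")
        if now - last_seen > max_idle:
            reasons.append("stale")
        if now - started > max_age:
            reasons.append("expired")
        if len(ips_by_user[user]) > 1:
            reasons.append("concurrent")
        if reasons:
            flagged.append({"user": user, "source_ip": ip, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    review_time = datetime(2024, 5, 1, 9, 15, tzinfo=timezone.utc)
    for entry in review_sessions(SESSIONS_CSV, REMOTE_ACCESS_ENTITLED, review_time):
        print(f"{entry['user']:<12} {entry['source_ip']:<16} {', '.join(entry['reasons'])}")
```

With the review time set to 09:15 UTC, alice and carol pass, bob's two sessions are both flagged as concurrent (and the older one also as stale and expired), and svc_backup2 is flagged because it is not on the entitlement list at all. Each flagged session is then a decision for the responder: terminate it, or document why it should stay.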

Updating your threat intelligence

The more threat data you have about the attackers and techniques targeting your enterprise, the better you can anticipate and prevent the next attack.

Developing scorecards

Using scorecards to track key cybersecurity metrics — such as security assessments, threat intelligence, incident analysis, security operations, and management — will help you see where you’re vulnerable.

Using the incident to gain organizational buy-in and improve employee cybersecurity training

A cybersecurity incident can inspire new cybersecurity initiatives, but these require cross-functional coordination.

Incidents also provide opportunities to improve employee training and cybersecurity awareness, hygiene, and best practices — often offering examples of what not to do.

And remember: you can contact a trustworthy, experienced cybersecurity expert for immediate help if your enterprise comes under cyberattack.

Until next time, 

Tim

Tim Burke
Meet the Author

Tim Burke is the President and CEO of Quest. He has been at the helm for over 30 years.