All right, so we're wrapping up the lecture and presentation part of this skill path here and going to launch us right into the technical, hands-on part, which should be a lot of fun for us. But we want to follow up here and end with the follow-up and lessons learned section. And essentially, this is where you've eradicated everything, you've done your recovery, you've done your cleanup, and now we're really looking to look at ways that we can improve, and also look at ways to do things a little differently.

So some things that we want to ask about are: how soon did the detection and identification happen? Did it happen on time, did it happen in a decent time? How did the initial response to the incident being identified go? Like, did it go as planned? What work was performed by whom during each phase? And by whom we don't necessarily mean an individual person, but just a team or a group. How effective was the containment and eradication? What areas should be improved on? And suggestions for improvement.

Now, how soon did the detection happen? How long after initial compromise? Was it days, was it months, was it years? Did you establish root cause and all these things? Whatever you had prepared, was it sufficient? That is what you're really trying to get to here. And how much of this detection responsibility is on incident response? That's kind of a gray area, because if you think about it, your job as an IR team is to respond to incidents. The detection part is generally going to be like your security team, your IDS team, or whoever the case may be, your SOC team, right? They're the ones that are primarily responsible for identifying or detecting that these things are happening. So that responsibility may not all be on you, but you might share in some of it, and you can probably suggest some ways to improve it, even if you're not primarily responsible for it.

How effective was the initial response? Well, was your team able to follow the playbook effectively? Was their time wasted waiting for access to information or systems? And then there's the initial notification: did it make it to the right people at the right time? Was the information in that original notification accurate and usable? You want to make sure that when you do notifications, the information is pertinent and usable, okay? So you really want to know, did all these things actually happen?

Now, next, what work was performed during each phase? Who performed that work? Was it sufficient for the incident? Was the information from previous phases properly formatted, passed on, and ingested in the next phase? Because that has a lot to do with how successful and how smooth your response process is: how well you're taking that information that's collected in the previous phases and moving it on to the next to help you make the right decisions. So you want to look at that and kind of assess how well that happened.

How effective was containment and eradication? How long did it take? How many times did you have to go back and redo containment or redo eradication before you finally got it? Nobody's perfect, so if you have to do it more than one time, I don't want you to feel like you failed the organization if you have to go back and do one of these things more than once in an incident, but it shouldn't be like ten times, right? There's definitely some area there where you will clearly know that you need improvement, okay? How many times did you have to repeat it? Were eradication tools effective? Did you have to bring in additional or new tools? And if so, how many? What percentage? You're kind of gauging your preparedness, as far as what tools you had available to you.

What areas should be improved? Do you need better tools? Was the staff appropriately skilled? Sometimes you have all the right tools, but without the right skills, those tools become kind of useless. Do you need more training? Was communication appropriate and sufficient across the board when you were notifying of the breach or the incident? Was that proper when you were notifying of containment and eradication? How did that go? Was that proper? You need to measure all these things, and count up with a good metric eye, to make sure that you're constantly in a state of improvement.

Now, lastly, you want to put together suggestions for improvement. Keep improvement suggestions as positive as possible, minimize pointing out specific individuals, and try to speak more to a function or role than to an individual. Allow suggestions from the entire team, and consider like a blind suggestion box or portal, where people can go in and make recommendations and suggestions without necessarily identifying themselves. You tend to get a little bit more honest input when you do it that way, all right? So thank you for watching this skill session, and I look forward to seeing you in the very next one that's coming up.
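The lecture asks the review team to measure how soon detection happened, how quickly notification went out, how long containment took, how many times containment and eradication had to be repeated, and which function did the work in each phase. The script below is an added example, not part of the lecture or its course material: it takes a constructed incident timeline (the timestamps, phases and team names are all made up for illustration), computes those lessons-learned metrics, and maps each metric that misses a review threshold to the function to improve rather than to an individual, as the speaker recommends. The thresholds are assumptions for illustration and should be replaced by the values in your own playbook.

```python
"""Lessons-learned metrics from an incident timeline (added example, not from the lecture)."""
from collections import Counter
from datetime import datetime

# Constructed sample timeline for a hypothetical incident (not real data).
# Each row is (phase, ISO-8601 timestamp, responsible function). The initial
# compromise time is what root-cause analysis established, so it has no team.
SAMPLE_TIMELINE = [
    ("compromise",   "2024-03-01T02:15:00", None),
    ("detection",    "2024-03-09T14:30:00", "soc"),
    ("notification", "2024-03-09T15:05:00", "soc"),
    ("containment",  "2024-03-09T18:40:00", "ir"),
    ("containment",  "2024-03-10T09:10:00", "ir"),   # redone after a missed host
    ("eradication",  "2024-03-10T16:00:00", "ir"),
    ("eradication",  "2024-03-11T11:30:00", "ir"),   # redone after a tooling gap
    ("recovery",     "2024-03-12T08:00:00", "ops"),
]

# Review thresholds are assumptions for illustration; tune them to your playbook.
THRESHOLDS = {
    "dwell_time_hours": 72.0,
    "notification_delay_minutes": 60.0,
    "time_to_first_containment_hours": 8.0,
    "max_attempts_per_phase": 1,
}


def parse_timeline(rows):
    """Convert (phase, timestamp, team) rows into (phase, datetime, team), sorted by time."""
    events = [(phase, datetime.fromisoformat(ts), team) for phase, ts, team in rows]
    return sorted(events, key=lambda e: e[1])


def _first(events, phase):
    """Earliest timestamp of the given phase, or None if the phase never happened."""
    times = [t for p, t, _ in events if p == phase]
    return min(times) if times else None


def _hours(start, end):
    return (end - start).total_seconds() / 3600.0


def _minutes(start, end):
    return (end - start).total_seconds() / 60.0


def compute_metrics(rows):
    """Answer the lecture's timing and who-did-what questions from the timeline."""
    events = parse_timeline(rows)
    compromise = _first(events, "compromise")
    detection = _first(events, "detection")
    notification = _first(events, "notification")
    containment = _first(events, "containment")
    recovery = _first(events, "recovery")
    if detection is None:
        raise ValueError("timeline has no detection event; nothing to review")
    attempts = Counter(p for p, _, _ in events)
    # Count work per function, not per person, as the speaker recommends.
    work_by_team = Counter(team for _, _, team in events if team is not None)
    return {
        # None means root cause (initial compromise time) was never established.
        "dwell_time_hours": _hours(compromise, detection) if compromise else None,
        "notification_delay_minutes": _minutes(detection, notification) if notification else None,
        "time_to_first_containment_hours": _hours(detection, containment) if containment else None,
        "time_to_recovery_hours": _hours(detection, recovery) if recovery else None,
        "containment_attempts": attempts["containment"],
        "eradication_attempts": attempts["eradication"],
        "work_by_team": dict(work_by_team),
    }


def improvement_areas(metrics, thresholds=THRESHOLDS):
    """Return the functions whose metrics missed a threshold (never individual names)."""
    areas = []
    dwell = metrics["dwell_time_hours"]
    if dwell is None or dwell > thresholds["dwell_time_hours"]:
        areas.append("detection")  # slow detection, or root cause never established
    delay = metrics["notification_delay_minutes"]
    if delay is None or delay > thresholds["notification_delay_minutes"]:
        areas.append("notification")
    ttc = metrics["time_to_first_containment_hours"]
    if ttc is None or ttc > thresholds["time_to_first_containment_hours"]:
        areas.append("containment_speed")
    if metrics["containment_attempts"] > thresholds["max_attempts_per_phase"]:
        areas.append("containment")
    if metrics["eradication_attempts"] > thresholds["max_attempts_per_phase"]:
        areas.append("eradication")
    return areas


if __name__ == "__main__":
    m = compute_metrics(SAMPLE_TIMELINE)
    for key, value in m.items():
        print(f"{key}: {value}")
    print("areas to improve:", improvement_areas(m))
```

With the constructed timeline the report shows a dwell time of just over eight days before the SOC detected the compromise, a 35-minute notification delay, and two attempts each at containment and eradication, so the review flags the detection, containment and eradication functions while the notification and containment-speed metrics stay within their thresholds. Replacing `SAMPLE_TIMELINE` with the timestamps from your own incident log is all that is needed to reuse it.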