When a military mission is completed, commanders create what’s commonly known as an “after-action review” to assess what happened versus what was intended to happen. These reviews are designed to determine what went right and what needs improvement before the next mission.
Such reviews are critical in the armed forces, and they also are key tools that IT and business leaders can use to evaluate how organizations performed in response to ransomware attacks and other cybersecurity incidents. These assessments can help organizations determine how attacks occurred, what the response was like, and how to improve cybersecurity efforts and post-incident communications, according to industry experts.
The need for such reports is as critical as ever. According to IBM’s X-Force Threat Intelligence Index 2023, ransomware was the second-most common action malicious actors took in 2022, covering 17 percent of attacks (behind only the use of malware backdoors at 21 percent).
And according to a 2023 Cybersecurity Ventures report, “by 2031, ransomware attacks are expected to occur every 2 seconds” and carry a global cost of about $265 billion. “You want to be able to look at what the root cause was and try to get to lessons learned in terms of continuous improvement,” says Rob Clyde, an ISACA board director.
Creating a Post-Incident Ransomware Review
It’s crucial for business and IT leaders to hold multiple post-incident review meetings to discuss what happened during a ransomware attack, says Jon France, CISO of (ISC)², a nonprofit cybersecurity association. Leaders can use these meetings not only to determine how an attack occurred and what broke down in terms of cybersecurity but also look at what went right so that good behaviors and best practices can be reinforced.
The most important part of these reviews is to get to the truth of what happened. Without that, organizations won’t know how to improve, says Lisa Plaggemier, executive director of the National Cybersecurity Alliance. She says it’s important for post-incident reviews to include individuals within an organization who were on the front lines when an attack occurred, because they will have the most details about what went on.
Having “people who were in the room when it happened, so to speak, I think is really, really important,” she says, because it’s a “very bottom-up process” to generate a report about the incident. Those perspectives can help organizations determine the root causes of breaches and how to prevent such attacks in the future, she says.
Key Elements of a Post-Incident Report
Post-incident reviews should help organizations find out what happened and who was involved or impacted. This includes an organization’s customers or key stakeholders as well as those who were involved internally in a response, Clyde says.
It also is crucial to figure out when the attack occurred, as that is key to tracing its cause. “Many times, on attacks, you find out that the root cause happened well before the ransomware was actually planted,” Clyde says.
Mari DeGrazia, a certified instructor with the SANS Institute and a digital forensics and incident response professional, says that the meetings and any subsequent report should identify all indicators of compromise, as well as the tools, techniques and procedures that were uncovered during the investigation of the incident.
“It also should identify any weaknesses or vulnerabilities that may have been compromised, which could include not only systems but people and processes,” she says.
The post-incident report should also include a review of existing policies and procedures to confirm they are sufficient, DeGrazia says: “For example, would a more aggressive patching cycle prevent an exploit from being executed?”
Post-incident reviews also should identify where there may be any single point of failure that hampered the investigation or remediation of the incident and add redundancy, according to DeGrazia.
“We commonly see that one person has access to X or the ability to do Y, but they are on vacation,” she says. Organizations also should identify, decommission and remove systems that are no longer needed. The report also should detail how the organization “plans to prevent attacks in the future by monitoring various threat feeds and sources,” DeGrazia says, and should “consider future meetings to stay on top of the changing landscape of threats and discuss progress on action items resulting from the after-action report.”
Ultimately, the report should “provide clear guidance on what happened, how it could have been prevented, and how to detect and respond to similar future attacks,” DeGrazia says.
How to Incorporate Lessons Learned from a Post-Incident Report
Following the creation of a post-incident report, there are several steps organizations can take to ensure the findings get put to good use, experts say.
Plaggemier says that following the creation of the report, it’s important to communicate to the organization’s board the key facts of the incident as well as “what you’ve done about it and steps you’ve taken to make sure a similar incident won’t happen again.”
It also is important to communicate the findings widely throughout an organization, France says, because staff are “not just going to get it by osmosis,” and spreading the information “has good utility in raising awareness.”
Business and IT leaders should strive to be as transparent as possible about what happened, these experts advise. “And being open and transparent about what actually happened is important because it lets you then move forward in a way that you can actually start implementing the recommendations,” France says. “If people don’t actually feel like they trust your explanation of what really happened, the recommendations are not going to have any weight.”