Developing and Learning From Your Attack: Reporting and Postmortem

After an attack, the reporting and postmortem phase is very important.
Now, reporting is going to be very important, also. So we need to figure out who we need to report to, whether it’s our immediate supervisor, our CTO, our upper management, whatnot. Now who needs to present the report? Well, there’s always going to be a chain of command, so you want to make sure that the proper person is presenting the particular report to whoever needs to hear it. Now, also, you want to determine what information do they need? Now, this can be pretty important because if you’re on the tech side, you may be used to talking to other techs and people within your field on a more technical basis. However, you do need to keep in mind who you’re reporting to.
So if you’re reporting to someone that is, say, very good at management but knows little or no technology, they can basically log in and check their email. They probably aren’t going to be too interested when you start talking about the higher details about information that, well, this attacker came over this IP. They used a VPN. They routed through this and this server. It also looks like they were using the Tor network through the onion router because we went back and we were able to use ExoneraTor in order to find out that, well, this IP has a Tor address, et cetera, et cetera. That’s probably going to go way over their head. And also, you want to be respectful of their time.
Things are already stressful with things being down. So you want to make sure that your reports are tailored to whatever the level that person is in terms of what they’re going to understand and what they need to know. In general, it’s best to keep things on a lower basis where you’re not insulting them, for example, for what they know. However, you are keeping it short and concise. You don’t want to have a bloated report, for the most part, unless, for some reason, that person likes that type of reporting. But in general, I feel like a short, concise report is generally the best type of report.
Also, we need to figure out, do we need to present our findings to law enforcement? And if so, we need to make sure that all the proper information is there.
Now, in the post-mortem phase, there are some important things to go over. Did we identify how the attack or accident took place? Was this preventable? What steps do we need to take to make sure this doesn’t happen again? How was our response time and effectiveness? Now, all this is important because it’s always good to go back and look at what went right and what didn’t go right in order to be better at it next time or even, hopefully, prevent it. Moving on, how can we do better next time? If an attack took place, were we able to identify the attacker, and how it took place? And were we able to mitigate any attack? And if so, what was mitigated?
Again, what went right? Did our firewall stop them? Did our network intrusion detection system detect it? How did we find out that the attack took place? And based off of that, we kind of figure out what’s actually working in our system and what needs improvement. It’s not good to kind of point fingers. If there was a failure somewhere, again, I feel like it’s more of a learning experience that, well, we had this in place. It didn’t work the way we thought it would or it didn’t do what it was supposed to do. But at least we know now that we can’t really rely on that. We could switch it out. We could change the configurations, whatnot. Again, it’s a learning experience.
And speaking of learning experience, data breaches and network attacks are obviously a bad thing. And people are going to feel a wide range of emotions. Now, it’s important to remember that we need to be calm, empathetic, and try to be patient with people. Because, again, emotions are going to be running pretty high because people can’t work, potentially data is lost, and there’s financial costs behind this. There’s a lot of things going on and people are generally going to be stressed. So we need to try to be patient with people. Ultimately, this is an opportunity to learn and grow from this. Now, wrapping up, damage assessment, essentially what was the impact to us?
In the recovery phase, how can we recover, how long is it going to take, and do we need outside help? Reporting, who do we need - who do we need to offer a report to, rather? And what does a report need to contain? Again, trying to be clear and concise and essentially keeping it short. And in the post-mortem, could we have prevented this? If so, how? Was the attacker identified? Was the attack method identified? What went right and what went wrong? And what can we do, ultimately, better next time?
So, again, don’t feel bad if you got breached, because 3,800 is the number of publicly disclosed breaches. That’s disclosed, not counting people that didn’t even report this. 4.1 billion is the number of exposed records. And 54% was the increase in the number of reported breaches versus the first six months of 2018. Now, this is all from Norton’s Internet Security and Emerging Threats 2019 data breach report. Now, these numbers are huge. So again, if you got breached, it’s a horrible thing. But as you can tell by these numbers, there’s a lot going on and you’re not the only one that got breached. It’s probably going to happen to you at some point.
But the important thing is that we try to stop it. We try to recover from it. And we try to learn from it, moving forward. Now, with that, that concludes this course. And I want to take a moment to say thank you very much for taking this course. I’m really happy that you decided to give it a try. I hope it benefited you. I hope that you have some good things to take away and use moving forward. And ultimately, again, thank you very much and best of luck to you.

If your network is attacked, the focus is often on the recovery plan. It is also important to improve your security based on the attack. In this video, you will learn about the reporting and postmortem processes your organization should conduct after an attack. This postmortem will include an assessment of how network users responded to the attack and recommendations on what the organization should do to prevent a repeat attack.

Reflect and share: Does your company have a policy for assessing network attacks (postmortem)? Do you think these results should be shared with the broader company?

Prepare for the Test of the Week

You have covered all the new content for this week! In the following step, you will complete a test to assess your understanding of what you have learned within this past week of the course.

Remember, you do not have to take the test until you’re ready. To help you prepare, you might wish to spend some time refreshing your understanding of the contents of the past week.

You may wish to reflect on the Learning Outcomes introduced at the beginning of the week and make sure you are comfortable that you have met the requirements of each. Take some time to review your learning to help you prepare.

This article is from the free online course Advanced Cyber Security Training: Network Security, created by FutureLearn - Learning For Life.