Security team meeting

Addressing the Aftermath of a Cyberattack with an Incident Postmortem

Cyberattacks are prevalent in the modern age. In 2021, there were more than 22 billion recorded cyberattacks.

Cyber risk insurance and policies are a must for business owners to protect themselves from losses from cyber attacks. As these attacks continue, you must take critical steps to protect your company from the aftermath.

2021 Infographic

An incident postmortem is an essential step to take after a cyber attack. This can help you determine what went wrong, how much damage occurred as a result of the breach, and where you can improve.

But many continue to avoid these postmortems and bear the consequences.

Keep reading for a step-by-step guide to ensure you don't fall into this trap and minimize losses.

What's a Blameless Postmortem Process?

As the name implies, an incident postmortem process is a procedure used following a cyberattack. It takes place within your business.

The team you've designated as your security team will schedule a time to sit down and discuss various aspects of the cyberattack.

There are a few things your team should discuss and determine in the meeting to include:

  • What happened leading up to the cyberattack
  • Identifying the causes involved in the incident
  • What were the lessons learned from the breach
  • What should happen moving forward after the breach occurred
  • Timely incident resolution and response

The point of blameless postmortem processes and one of the most crucial factors of the meeting is to ensure the team makes it through the process without placing blame on anyone.

No blame should rest on the shoulders of any one employee. This is because the only person to blame is the cybercriminal that performed the attack on your business.

Your employees should never be the root cause of a breach. This is because cybercriminals are becoming more refined in how they carry out their attacks.

Performing a blameless postmortem process will ensure that no team member feels alienated. Alienating any team members could lead to further issues within the organization that can take away from the focus.

This will determine how to keep future incidents from occurring and better protect your business.

Another reason not to blame one employee is that it can lead to them withholding information in the future. Using the appropriate postmortem incident review will ensure that there is proper communication and team cohesion moving forward when it comes to company security.

Now that you understand the postmortem process, the next step is to identify the "whys" to identify the root cause of a breach.

Address the Five Whys

Before you can begin writing postmortems, there is the process of answering and identifying the five whys.

The clearer the five whys are, the easier and smoother the rest of the process will flow as your security team moves forward with its continuous improvement of the root cause analysis.

Here's more in-depth detail of the postmortem five whys process.

The Five Whys (1)

Detecting the Breach

The first step in the five whys process is to detect the breach. Your security team should monitor your business network around the clock to ensure that if a breach occurs, it's caught promptly to reduce the amount of damage inflicted on your business due to the cyberattack.

From there, the weaknesses that allowed the breach to take place in the company are then identified.

More tools will then are then implemented to strengthen your security system. And they are used to create alerts that get sent to members of your team in the future to ensure everyone's notified when issues arise and require resolution.

Security Team Response

Once your security team has detected the breach, it's time for them to move forward with responding to the breach. There should be a specific team designated to respond to incidents that take place.

If the engineer who is currently working cannot resolve the issue, the question is why. Are they not provided the tools or information needed to resolve the issue?

And if not, who is the next person in the escalation chain that does have the tools and knowledge needed to bring a resolution to the incident? In the future, understanding why the first line of defense wasn't able to resolve the problem will ensure that they are better trained in the future to handle potential problems that come up.

What Measures Do You Use for Resolution?

The next step in the process is to determine the steps needed to ensure the issue gets resolved in a timely manner and that the inflicted damage is taken care of. During this time, the security wall used for your company will become repaired.

Once done, your company will return to its daily business practices, and your security team will go back to monitoring the system and keep an eye out for future attempted breaches that could take place.

The Analysis

During this step in the five whys process, the team will perform an analysis known as the postmortem process. It can also be referred to as the root cause analysis and is crucial because your business continues to grow and evolve.

As this takes place within your business, you must continue developing and expanding your security system to support the scaling of your business.

The security model should support business complexity. This is to ensure there are no weaknesses within your security system.

Security Readiness for Future Attacks

The five whys process has concluded, and the only question left for your security team is, "are we ready and prepared to handle future cyber breaches?" The team will then reassess the plans to address any future breaches or threats to security.

By assessing readiness, they can determine any flaws in the plan and make changes as needed. This shows that the security team has learned its lesson from the previous breach and will address situations in the future.

Major Incident Postmortem Template

Download a Free Incident Postmortem Template

There is a template your team can use as a guide to complete the postmortem process. Using the template, we will provide below will ensure that you address every part of the process and don't leave out any crucial information that is pertinent in the future as a reference if something similar occurs.

For example, if other incidents occur, you can pull one of the past postmortem templates and use it as a learning opportunity for your security team. Keep in mind that what we're providing is an example, you can tweak or adjust it to fit your company's needs. 

Title of the Incident and Date

The title you include in the template report should be clear and concise while at the same time remaining short. For example, the title could be a description of the service that failed or the area breached during the cyberattack.

The title should also include the people or sector of your business that was directly affected by the breach that has taken place. You should also include the date of the incident.

Keep in mind that it's the date the actual incident took place and not the date where your team took action, notifying the incident or responding to the incident that has taken place.

Owner of the Process

While your entire security team will understand and review the postmortem process, one person should lead the meeting and is the person to ensure it happens in the correct order. In this section, you need to identify the leader of the process and the role they play in the daily security process of your team.

This should be someone who can ensure the business stays on task and that no one takes the blame during the analysis of the cybersecurity breach.

Review Team for the Analysis

Next, you need to identify each member of the team that you will involve in the review process. A security team comprises several team members, but that doesn't mean they will all need to take part in the postmortem process.

For example, if people are responsible for different regions, you would need to include everyone that is responsible for security in the northern region.

After the report is complete, the leader of the meeting can provide it to the security teams that oversee the other regions as a training tool to help them do their jobs better. Team members involved in the incident should be present during the meeting.

Report Tags

These tags are what you will use to identify the breach.

Think of them as keywords used as descriptors for the event and can be used in the future when other searches need to occur.

Event Summary

At some point in the report, you will need to provide a summary of the event that took place. This should be a brief version of the event because later in the report, you will address what took place in detail using a series of questions.

For someone reviewing the document, it will give them a clear overview of what happened and how it happened.

Supporting Evidence

This is the section where you will provide copies of all the evidence collected pertaining to the breach that has taken place. This can be a data report you've collected or an illustration of the event.

It's also helpful to illustrate the impact of the event on your clients and other internal functions of the business.

Impact on Customers

When a cyberattack occurs, it doesn't just affect your company. In large part, the customers are the ones that are affected negatively, and this is where you should notate that.

Discuss how clients were impacted and the number of clients that had their data stolen during the incident. Customer impact is essential to the report analysis.

Analysis of Incident Response

There are several questions you need to ask during this phase in the incident response report to ensure things are handled in a timely manner. Some questions or factors addressed include:

  • The time it took to detect the event
  • Whether the event was detected in this specific time period
  • How was the event detected, and who detected it?
  • Are there ways that the time it took to detect be improved by security?

These are just a few of the questions that can be asked and answered during this time. All information in this area needs to be transparent because others will use it in the future to help with possible breaches.

The report will help to improve company processes further.

Post Incident Reports

Again, this is another area where a series of questions will need to be asked and answered during the meeting for concise reporting. These include:

  • Identifying the contributing causes of the event
  • Which factors were diagnosed?
  • Were there any changes that triggered the event?
  • If the change was notated as "manual," what was the responding plan?
  • Is there a test that could have lessened or prevented the incident effects?

Much like the section above, these are a few questions your security can use to guide the meeting and determine a better plan to prevent it from happening again. All the questions won't always pertain to the incident, but the more questions you answer, the better off your team will be.

It will also ensure they respond quicker and better in the future.

Incident Timeline

From the time the incident occurs to the resolution of the incident, there should be a detailed report of everything. This not only includes essential points within the timeline, but also a description of each and the time zone of the events that took place.

If there are any pieces of evidence that pertain to the incident, ensure you link them for anyone viewing the report to click on.

Contributing Factors

The factors that have contributed to the breach were listed above, but now it's time to dive deeper into them. What was the problem, and how did the problem occur?

This is where the blame can begin but should be avoided. For example, instead of stopping at someone forgetting to launch the security wall, discuss why there wasn't a safeguard that would launch the security wall in case of human error.

Also, note other actions that contributed to these factors without placing blame on anyone.

Lessons Learned

What has your team learned from the event that has taken place? After notating what has been learned, they should detail the plan they used and anything unexpected that took place leading up to the event.

The lessons your team has learned should also correlate to the action items notated.

Actionable Items

There should be a list of action items that need to take place after you've created this report. For example, an evaluation of the shorter team response time.

Or an evaluation of the security wall and reimplementation of network security. These are things your team should be doing after the meeting has concluded.

Incident Postmortem Process: Step by Step Guide

Now that we've walked you through the five whys, detailed the postmortem process, and more, it's time to get into the steps of the process. Each of the steps is detailed below and will ensure your team understands what is expected of them during this time.

It will also ensure they don't miss anything moving forward that could be detrimental to your company's process and future protection.

1. Initial Response

The first step in the process is to do your homework on the event to ensure the proper response is taken. When you're doing the homework, this is to ensure you've got a better understanding of what took place and that you're able to explain the issue correctly to your security team during the meeting.

For example, if a phishing attack caused the breach, your team will need to be briefed on what phishing attacks look like. As well as signs that people can look out for in the future to avoid future attacks.

However, if there was a more significant issue that occurred within the system, this needs to be clear to your team. The exact issue that took place should be clear.

Otherwise, it can become challenging for your team to address the postmortem analysis that will take place during your meeting.

2. Identifying the Scope of the Attack

When you're identifying the scope of the cybersecurity attack, this is when you focus on how the breach happened. During this phase, you need to focus on the factors that led to it happening.

Again, this is when the process can take a turn if people in the meeting are focusing on a specific employee that may have contributed to the attack. For it to remain entirely blameless, focus on the problem caused by the cybercriminal.

Understanding the scope of the attack and what happened makes it easier for your team to understand it and move forward by learning from the issue.

3. Analysis of the Impact

It's time to analyze the impact it's had on everyone involved. In most cases, the people impacted would be your company and your clients. For example, how do you plan to remedy the situation if client information was stolen?

Is there a plan in place to ensure this doesn't happen again and that there is no further negative impact from the theft damage?

If possible, you should collect evidence of every client that was impacted. You should also detail any clients that reached out to you because they've noted the breach and the time in which the client noticed there was something that was wrong.

4. Lessons Learned

Security breaches are going to continue to happen no matter what business you're in. This means it's essential that your company learns a lesson to reduce the risk of it happening in the future and the amount of damage that occurs.

As technology becomes more advanced, so does the refinement of cyberattacks and how cybercriminals go about conducting them. Each incident your company has should be noted, and the lesson learned should also be documented.

Once the lessons are learned, a company-wide email or memo should be sent with the training needed for other departments. This is to ensure that all sectors of your business are covered.

These lessons can be used to improve plans for the future. It can also be used to help you determine other software or more robust methods that should be used to protect your company.

5. Planning for the Future

After the above information, you need to work with your team to plan for the future. In any stage of business, you have to plan, which means assessing risks and potential threats that could present themselves in the future.

Planning for the future could mean brainstorming and other distinct planning methods. These ways can further educate employees about potential cyberattacks and how to identify them.

It also means having a timely plan that your team will use when a cyberattack occurs on a larger scale.

For example, if the impact of the breach could be mitigated due to a timelier response creating a plan and response that allows members of the team to take action quicker would be the better plan of action. Future planning will strengthen your organization and the security measures it uses.

Incident Postmortem: Addressing Cyberattacks During the Aftermath

After a cyberattack hits your business, how your team responds is most important. During the aftermath, you'll complete an incident postmortem, and we've detailed what that means and the information to include in the analysis.

If you're searching for a solution for these issues, contact BitLyft Cybersecurity. Let us help you shine a light on cybercrime and eliminate it.

Download a Free Incident Postmortem Template


Jason Miller

Jason Miller, Founder and CEO of BitLyft Cybersecurity, has dedicated his 20-year IT career, including co-founding SaaS pioneer Reviora, to removing cybersecurity barriers for mid-sized enterprises. Establishing BitLyft in 2016, Jason set out to unburden security teams with innovative, approachable, and affordable solutions, a vision which has made BitLyft a respected managed detection and response provider. Outside his cybersecurity pursuits, Jason is an avid tree farmer and outdoor enthusiast, planting nearly 300 trees on his ten-acre plot and finding joy in hiking, hunting, and driving his white Tesla Model 3. His diverse passions mirror the balanced blend of expertise, dedication, and joy he brings to BitLyft.

More Reading

blue world map with hexagons
What Is A Security Incident Response Plan?
Do you know how you would respond to a cyber security incident? If not, it may be time to consider a Security Incident Response Plan.
unlock padlock in code with words danger and attack
What is an Example of a Security Incident
We live in a digital world, and more and more aspects of our lives are becoming dependent on cyber technology. Shopping and commerce. Personal connection and correspondence. But as we place more and...
IT team creating an incident response plan
How to Develop, Refine, and Execute an Incident Response Plan
Did you know that there is a cybersecurity attack every 39 seconds worldwide? And if you're not prepared, an attack on your business could cost you in terms of time, money, and customers. Simply put,...