Cyber Security -Incident Response Part 4: Post-Incident Activity| EN

Alican Kiraz
6 min readApr 6


Hi everyone, In the last step of our Incident Response series, I will discuss Post-Incident Activities. Throughout our IR series, we rehearsed an incident at every stage and made our preparations. In the last step, we will evaluate all our preparations, analyses, and actions during the event and design the effort to improve this process.

End of Event First Meeting: Main Retrospective

First, everyone’s opinions are taken through a retrospective environment that will be held anonymously by bringing the team responsible for IR together. The Retrospective aims to analyze a past event or process in detail, find the flaws, and brainstorm as a team. The important thing here is to consider each IR step specifically retrospectively. You can find retrospective free tools below.

Preparation Phase Sub-Retrospective

After choosing our Tool, we must first evaluate the Preparation phase. For this, the team should ask themselves such questions as;

  • Have we had a problem communicating with inventories and people?
  • Did we know about the inventory environment where the incident occurred?
  • Was there anything we could not reach from the teams during the incident?
  • Were we able to communicate with the judicial authorities?
  • How long did it take to meet up to start the event analysis?
  • Did we need an inventory/list/permission/access/tools we did not foresee?

With questions like the above, we need to identify the things we need in addition to our entire inventory in preparation. With these determinations, we will be making the necessary preparations for the other stages.

Analysis Phase Sub-Retrospective

We will have to move forward with technical questions in the analysis phase. For this, the team should ask themselves such questions as;

  • Were the features of the tools we used in the analysis sufficient?
  • Did the automation scripts we used in the analysis work correctly?
  • Were the SIEM/EDR search queries we used in the analysis sufficient?
  • Were there any search queries we needed to prepare in advance?
  • How much detection did our SIEM correlations and alarms provide?
  • How quickly did the SOC Team respond to the incident, and what information did they collect?
  • Did the IR Team keep the analysis phase long enough?
  • Are we stuck in the rabbit-hole during the analysis phase?
  • Did our required SOAR Playbooks take the right action? Missing Playbook?
  • Was the SIEM search performance adequate? Did it slow us down?
  • Did our Malware Sandboxes produce the correct results? Did it slow us down?
  • Has our Malware Analyzer prepared reports to describe the event? Have we reviewed and produced a senior management report?

We should thoroughly tinker with the analysis phase with questions like the ones above. The improvements we will make in the analysis phase are the most critical step that will lead us to the conclusion in the next incident. For this reason, everyone on the IR team should freely express their opinions. The team should be calm and impartial and able to ask and criticize each other comfortably.

Containment, Eradication and Recovery Phase Sub-Retrospective

At this stage, we need to reevaluate the decisions we make and can make during the event. For this, the team should ask themselves such questions as;

  • Did we finish the analysis phase early?
  • Was our containment decision risky in terms of business flow?
  • Has our containment decision stopped business processes?
  • Did we get information about the inventory on which we made our containment decision during the preparation phase?
  • Did we need other teams for the containment action?
  • Was the containment period short?
  • Have we done enough analysis during containment?
  • Have we had a hard time with our containment decision? Why were we challenged?
  • Are we fast moving to the eradication phase?
  • Was the eradication phase extensive?
  • Did we need other teams during the eradication?
  • Did we learn about the inventory on which we made our eradication decision during the preparation phase?
  • Was there a risk of infection after eradication? Is the infection still there?
  • Was the recovery phase inventory clean?
  • Did the business process still work again during recovery?
  • Does the recovery inventory contain the content or structure that will cause the current incident? For example, was there a problem with Image Hardening?

With such questions, we must move forward toward our final stage. And when our retrospectives in the sub-title are finished, we finally make our definitive main retrospective by all the teams in the War room, supporting the event.

End of Main Retrospective

This final meeting will meet with the IR Team, C-level relevant management teams, Legal teams, Data Protection team, Information Security Team, and Risk Team to retrospective a general incident.

Results should be evaluated separately for Sub-Retrospectives and Main-Retrospectives. As a result of Sub-Retrospectives, we must re-update the IR team Incident Response Procedures and Plan. As a result of the Main-Retrospective, we should meet with the teams at a common point and update the Policies and Procedures.

And then it’s time to end the process with Lessons Learned. After, we must carry out continuous exercises with new scenarios in line with the results obtained with Tabletop and perfect our technique.

Lessons Learned

We need to create a ToDo list for ourselves, both from the findings we obtained from the retrospective results and from the results we observed at the time of the incident and make it quickly applicable and included in our IR process.

Another important detail will be the follow-up of these ToDos and the completion of the owner assignment.

Tabletop Exercise

Our goal in tabletop exercises is to create a possible incident scenario and simulate the incident with solutions to detect this scenario. In this process, we can simulate on cybersecurity breaches if necessary. You can either proceed from MITRE ATT&CK’s TTPs or analyze the event with Locked Martin’s Cyber Kill Chain and proceed. Or you can analyze APT attacks, separate them into TTPs or Cyber Kill Chains, and simulate them. You can also use the Breach and Attack Simulation tools in this process.

You can find some free Breach and Attack Simulation tools below;

And finally, our Incident Response process article series is over. Thank you so much for reading and for your excellent feedback. See you later…



Alican Kiraz

Blue Team Lead | CSIE | CSAE | CASP+ | eCIR | CPENT | eWPTXv2 | eCDFP | eCTHPv2 | OSWP | CEH Master | Pentest+ | CySA+ | Security+ | CEHv10 | ISO27001 IA