The final phase of incident management is incident closure. The goal is to confirm that all necessary actions have been taken, that the incident will not happen again, and that any rushed measures that were introduced will not have a negative impact on the organization.
For all of these reasons, it’s crucial to take a moment to review everything that happened once the incident was resolved.
Check That All Planned Actions Are Completed
The first thing to do is to go back over the list of everything that was done in the previous phases.
During the investigation, you had to record all the actions you performed.
During containment and resolution, all the measures you took had to be recorded in the SIRP.
All of these actions had to be dated with the exact time.
In the SIRP, review the list of actions planned for containment and incident resolution.
Review the conclusions of the investigation and the list of actions carried out. Then, ask yourself the following:
Have all the planned actions been carried out?
In light of the investigation’s findings, did you do everything that was required? Are there any gaps in your understanding of the incident? For example, is there anything that the attacker could have done that you haven’t checked or corrected?
Confirm That It Is Safe to Return to Normal Operations
Once all of these points have been verified, can we close the incident?
Not yet! For serious incidents, we take the time to observe the affected systems before closing the incident. This allows us to:
confirm that the attacker has been removed from the system.
check that the system has returned to normal.
When the incident’s resolution involves altering the affected systems, these changes must be carefully monitored. In a complex IS, all systems are interconnected. So, even the smallest change to one system can block another! These complications are not always immediately obvious.
Review Your Legal Obligations
This phase is also an opportunity to check that all required legal obligations have been met.
If the organization is seeking compensation, it is necessary to initiate a complaint procedure. You can do this through the local police or national law enforcement agency, both of which have specialized teams.
If your organization is a digital service provider or an organization that provides essential resources such as emergency or military services, you must report the incident to the relevant state or national authority as soon as possible after it is detected.
If a data leak involves the personal details of employees or customers, or any data that enables them to be identified, the leaked information is classified as personal data. In this case, you are required to report the incident to the relevant regulatory body at the state or national level.
Communicate With Stakeholders
Can we close the incident now?
No, still not yet! The SOC is not the only team in the organization. You’ve covered all the impacts and areas for improvement that concern you. But other teams were also impacted by the incident or by the associated changes.
To avoid another incident and to maintain the support of the organization’s various teams, communicate with those who have been impacted.
This means you need to communicate the following information in a straightforward and comprehensible manner:
The cause of the incident, if it has been resolved
The impacts they will or have already experienced
What has been done to manage and correct the incident
How to avoid this kind of incident—or at least detect it
In particular, if the incident was caused or facilitated by poor security practices, you’ll want to make use of this information more widely in the organization. This incident provides you with a tangible example of the risks that poor practices create for the organization.
Close the Incident
Once this step has been completed, you can effectively close the incident. In practice, this means:
closing related tickets in the SIRP.
changing the incident status in the SOAR.
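The closure checks above (every planned action completed and dated in the SIRP, an observation period after the last change, legal notifications recorded, impacted teams briefed) can be turned into a gate that is run before tickets are closed. The script below is an added example, not code from the course or from any SIRP product; the record layout, field names, the 72-hour observation window and the sample actions are all assumptions or constructed data.

```python
from datetime import datetime, timedelta

# Constructed SIRP export for one incident; all field names are assumptions.
INCIDENT = {
    "id": "INC-PLACEHOLDER",
    "personal_data_leaked": True,     # leak included customer details
    "essential_service": False,
    "regulator_notified": False,
    "impacted_teams": ["backup-team", "infra"],
    "stakeholders_informed": ["backup-team"],
    "actions": [
        {"id": "A1", "phase": "containment", "desc": "Isolate backup server",
         "status": "done", "done_at": "2024-05-01T10:15:00"},
        {"id": "A2", "phase": "resolution", "desc": "Rebuild obsolete server",
         "status": "done", "done_at": "2024-05-02T16:40:00"},
        {"id": "A3", "phase": "resolution", "desc": "Reset leaked VPN password",
         "status": "planned", "done_at": None},
        {"id": "A4", "phase": "containment", "desc": "Block attacker IP",
         "status": "done", "done_at": None},   # done but never dated
    ],
}

OBSERVATION_WINDOW = timedelta(hours=72)  # assumed post-change monitoring period


def closure_blockers(incident, now_iso):
    """Return every reason the incident cannot be closed at time now_iso."""
    now = datetime.fromisoformat(now_iso)
    blockers, last_change = [], None
    for a in incident["actions"]:
        if a["status"] != "done":
            blockers.append(f"{a['id']} ({a['phase']}) still {a['status']}: {a['desc']}")
        elif not a["done_at"]:
            blockers.append(f"{a['id']} marked done but has no timestamp")
        else:
            done = datetime.fromisoformat(a["done_at"])
            last_change = max(done, last_change) if last_change else done
    # Serious incidents: observe the altered systems before closing.
    if last_change and now - last_change < OBSERVATION_WINDOW:
        blockers.append(f"observe systems for {OBSERVATION_WINDOW - (now - last_change)} more")
    # Legal obligations must be recorded as met in the SIRP.
    if incident["personal_data_leaked"] and not incident["regulator_notified"]:
        blockers.append("personal data leaked but regulator not notified")
    if incident["essential_service"] and not incident.get("authority_notified"):
        blockers.append("essential service but national authority not notified")
    # Every impacted team must have been briefed on cause, impact and changes.
    for team in sorted(set(incident["impacted_teams"]) - set(incident["stakeholders_informed"])):
        blockers.append(f"impacted team not yet informed: {team}")
    return blockers


if __name__ == "__main__":
    for reason in closure_blockers(INCIDENT, "2024-05-03T09:00:00"):
        print("BLOCKER:", reason)
```

An empty list means the SIRP record supports closure; anything returned is a gap to fix or document before the tickets are closed.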
That’s all there is to it? The incident is closed?
Well, not quite...
Learn From the Incident
Before closing the incident, take a moment to review the way it was handled, but this time for your own benefit (the SOC). This will allow you to monitor the progress of the SOC’s capabilities and find ways to keep improving.
Ask yourself the following questions:
What worked well in the management of this incident?
What didn’t work?
What delayed the response?
What resources should have been made available sooner?
Did you have access to the data you needed?
Are there any tools that would have been useful to have? What about tools that weren’t useful?
Are there any people who weren’t involved in handling the incident (or didn’t respond quickly enough), and who should have been involved?
Were there any misunderstandings between the different teams or team members?
Have your tools allowed you to share the right information?
Try to answer these questions in the form of actions:
“Put XXX in place.”
“Give YYY access to tool ZZZ.”
etc.
In the following section, we’ll look at how to formulate, monitor, and implement these actions to continuously improve the operating procedures that you’ve followed throughout this section.
In the video below, Guillaume goes into more detail about closing cyber incidents.
Over to You!
You have recently joined the SOC of Méditronique, a medical device manufacturing company.
You have responded to a major incident on the backup system. The investigation revealed that the attacker entered the network using a password from a database of stolen passwords. They proceeded to compromise an obsolete server before compromising the backup server.
Identify three measures to consider or implement when closing the incident.
“Over to You!” Quiz Answer Key
Harden security at the VPN level. For Méditronique, this involves implementing multifactor authentication. This practice requires the use of a secret (e.g., a temporary code to validate on your phone in order to log in) for authentication, in addition to your password.
Implement a patch management process to prevent vulnerabilities on the IS. Make sure the backup team understands the cause of the incident, how it could have been avoided, and what you did to manage it.
Isolate backup servers from the rest of the IS to prevent an attacker from accessing them.
Make employees aware of the risks of reusing the same password for their work accounts.
Let’s Recap!
The final phase of incident management is incident closure. The goal is to check that all necessary actions have been implemented, that the incident will not happen again, and that none of these rushed measures will have a negative impact on the organization.
To verify these points, it is essential to keep a record in the SIRP of every action that was taken during incident management. The SIRP can then monitor all incidents and their proper management.
You also need to check whether the incident is subject to any legal requirements. For example, in most countries, there is an obligation to inform the relevant regulatory body if there has been a leak of personal data, as well as an additional obligation to inform the applicable state or national authority if the incident involves organizations providing essential services. If legal action is appropriate, it’s at this stage that you will file a complaint.
We also need to ensure good internal communication with the people who were affected by the incident and with those who will be affected by the resulting changes.
If the incident was caused or enabled by poor security practices, it is necessary to communicate internally to raise awareness on the causes of the attack.
Now that the incident is over and your post-incident review is complete, you know that there are things that can be improved:
in the detection step.
in the response step.
in the prevention step.
These three points will be the main focus of the next section!