Lessons Learned

Premium room

A look into the fifth phase of the Incident Response framework: Lessons Learned.

easy

60 min

We have to reconcile ourselves to the idea that we can never know for certain whether we have fully eradicated an adversary from our environment. With really advanced adversaries, the reality is a game of cat and mouse, and our only comfort is the confidence that our process, from Preparation, through Identification and Scoping, Containment and Threat Intel Creation, to Eradication and Recovery, has been carried out diligently.

The findings we have gathered serve as input to further improve this process. Hopefully, if the adversary ever comes back into our environment and shows the same IOAs and IOCs, we will detect them easily and in near real-time.

Learning Objectives:

In this room, we will wrap up the lessons that we, as incident responders, have learned from all the prior parts of the Incident Response process, which were discussed in the previous rooms of this module.

Specific emphasis is placed on how the organization can consume these lessons through the creation of technical and executive summaries. The room also touches on how all of this immediately and directly impacts the organization’s continuous monitoring capability through the threat intelligence created over the course of the process.

Room Prerequisites:

Answer the questions below
Let's get started with IR Phase 5: Lessons Learned!