Post-Incident Activity
Premium roomUnderstand Post-Incident Activity, the last phase of the Incident Response Lifecycle.
medium
To access material, start machines and answer questions login.
The attacker has been contained, eradicated, and the environment is clean. But the work is not finished. The final phase of the incident response framework is Post-Incident Activity, the phase where the organization steps back, reflects on what happened, documents the findings, and uses everything learned to become harder to attack next time.
Learning Objectives
- Understand the purpose and importance of the Post-Incident Activity phase
- Learn what a lessons learned process involves and why it is commonly skipped
- Understand the differences between executive technical summary documents
- Learn how IOCs collected during an investigation become detection rules
- Use to reconstruct the full attack timeline and calculate dwell time
- Build detection rules from the IOCs discovered across the Nexus Financial investigation
Prerequisites
Although this room can be completed as a standalone, it is highly recommended to complete the following rooms before starting this one:
Familiarity with queries is required for the practical tasks. It is also recommended to complete the Microsoft 365 for the module before starting this room.
Module Chain
This module follows a single security incident at Nexus Financial from start to finish across four rooms:
| Room | What You Do |
|---|---|
| 1 - Preparation | Review Nexus Financial's security posture before the attack |
| 2 - Detection and Analysis | Detect the incident and analyze it in |
| 3 - Response and Recovery | Make containment decisions, confirm the attacker is gone, and identify root causes |
| 4 - Post-Incident Activity | Reconstruct the timeline of the attack and revisit what went wrong |
Note: This is Room 4 of 4 in the Incident Response module. This room brings everything together and closes the cycle.
I am ready to start!
Ready to learn Cyber Security?
The Post-Incident Activity room is only available for premium users. Signup now to access more than 500 free rooms and learn cyber security through a fun, interactive learning environment.
Already have an account? Log in