Once an incident has been fully resolved, the team needs to focus on the lessons learned. From an incident response perspective, the focus is on answering questions such as the following:
- How did this happen?
- What can we do to prevent it from recurring?
- What preventive measures can be put into place?
- How can monitoring and alerting be improved?
From a network forensics perspective, the additional questions to be answered include the following:
- Which artifacts exist that can help us identify such an incident in the future?
- What are the lessons learned?
- How can we improve the investigation process?
- Which IOCs (indicators of compromise) can be identified and shared with the Incident Response team to help prevent a recurrence of such an incident?