According to theCyberOps Technologies (CBRFIR) 300-215 study guide, during thepost-incident activity phase, it is critical to analyze lessons learned and update processes to ensure quicker and more efficient response in the future. Specifically:
* Introducing a priority rating for incident response workloads(A) helps address the issue of team members being occupied with other tasks and unable to prioritize abnormal system activity. This ensures incidents are handled based on severity, not just workload.
* Creating an executive team delegation plan(D) addresses the issue of delays due to unavailability of management for approvals. It ensures alternative decision-makers are available for swift action.
These strategies are based on the NIST SP 800-61 Rev. 2 recommendations and are highlighted in the Cisco guide's post-incident activity phase (page 418), which emphasizeslessons learnedand how to reduce detection and response times for future incidents.
Reference:CyberOps Technologies (CBRFIR) 300-215 study guide, Chapter: Dealing with Incident Response, Post-Incident Activity, page 418.