Six Questions to Ask in a Post-Mortem Review After a Cyber Incident

The CrowdStrike outage has left many companies grappling with immediate and long-term impacts on their operations. The outage underscored the importance of having robust contingency plans, oversight of critical third parties, and mechanisms to evaluate not only the business operational effects but also the financial damages of such an event. As companies emerge from the outage and turn their attention to post-mortem reviews, they must address a wide range of questions to reduce the risk of recurrence. 

1.    How did this happen?

• According to CrowdStrike, a security content configuration update contained an undetected error and was released to companies as part of the dynamic protection mechanism within the Falcon platform.
• Content updates do not follow a predefined schedule but are released frequently to provide companies with protections against new and emerging cyber threats

2.    How do we perform a comprehensive post-mortem review?

• Assemble a cross-functional team involved with recovery and restoration efforts.
• Use different techniques to drill down on the root cause of the outage and identify contributing factors that may have exacerbated the situation.
• Gain consensus on key lessons learned, gaps, and improvement opportunities.
• Develop an action plan to close identified gaps and implement mitigations to reduce the likelihood of recurrence.
• Bolster contingency plans and recovery strategies to account for key lessons learned and new threats.

3.    How do we prevent this from happening again?

• Enhance the oversight of software provider updates and test them in a controlled environment before deploying across production.
• Review the inventory of critical software providers with auto update configurations and assess whether changes are required.

4.    How should this affect oversight of third-party software providers?

• Increase the rigor of third-party reviews for service providers connected to the availability of computer systems and digital assets.
• Broaden the scope of third-party reviews to ensure critical software providers adhere to industry-accepted software development practices for new products, upgrades, and dynamic releases like content updates.
• Enhance visibility into service level agreements and measure third-party performance with regularity.

5.    How do we protect ourselves from bad actors attempting to exploit the situation?

• Increase internal awareness levels to phishing campaigns using malicious domain names.
• Participate in threat intelligence sharing networks to stay up to date on newly identified malicious domains and other emerging threats.
• Increase threat hunting to include new queries and known indicators of compromises related to the outage.

6.    How do we measure the business operational impact and/or financial damages of the outage?

• Using damages analysis, BDO’s Insurance Claims Recovery team can help establish ways to track the financial impacts of the interruption and assist with insurance claim valuation.