Post-mortem

Post-mortem (also “incident post-mortem” or “lessons learned review”) is a retrospective analysis process conducted after a security incident to identify root causes, evaluate response effectiveness, document lessons learned, and develop recommendations to improve security processes and prevent similar incidents in the future. This process is fundamental in incident response and continuous improvement, allowing organizations to learn from incidents, strengthen their defenses, and enhance their security posture through systematic analysis and actionable recommendations.

What is a Post-mortem?

A post-mortem is a structured process that:

  • Retrospectively analyzes security incidents
  • Identifies root causes and contributing factors
  • Evaluates the effectiveness of incident response
  • Documents lessons learned and best practices

Post-mortem Objectives

Root Cause Identification

  • Analysis of factors that contributed to the incident
  • Vulnerability identification exploited
  • Security control failure evaluation
  • Responsibility and process determination

Response Evaluation

  • Response effectiveness analysis
  • Strengths and weaknesses identification
  • Response and containment time evaluation
  • Communication and coordination analysis

Continuous Improvement

  • Specific recommendations development
  • Improvement opportunities identification
  • Process and procedure updates
  • Similar incident prevention

Post-mortem Types

1. Technical Post-mortem

  • Technical aspect analysis of the incident
  • Vulnerability and exploitation evaluation
  • Tools and technologies analysis used
  • Technical improvement recommendations

2. Process Post-mortem

  • Incident response process analysis
  • Procedure and protocol evaluation
  • Communication and coordination analysis
  • Process improvement recommendations

3. Organizational Post-mortem

  • Organizational aspect analysis of the incident
  • Role and responsibility evaluation
  • Security culture analysis
  • Organizational improvement recommendations

Post-mortem Process

1. Preparation

  • Analysis team selection
  • Relevant information gathering
  • Tools and resources preparation
  • Analysis session scheduling

2. Information Gathering

  • System logs and events analysis
  • Interviews with involved personnel
  • Incident documentation review
  • Forensic evidence analysis

3. Root Cause Analysis

  • Contributing factor identification
  • Exploited vulnerability analysis
  • Control failure evaluation
  • Responsibility determination

4. Response Evaluation

  • Detection and response time analysis
  • Containment effectiveness evaluation
  • Communication and coordination analysis
  • Strengths and weaknesses identification

5. Recommendation Development

  • Improvement opportunity identification
  • Specific recommendations development
  • Improvement action prioritization
  • Responsibility and deadline assignment

6. Documentation and Follow-up

  • Detailed report creation
  • Findings communication to stakeholders
  • Recommended improvement implementation
  • Improvement progress tracking

Post-mortem Methodologies

5 Whys Methodology

  • Ask “Why?” five times consecutively
  • Underlying root cause identification
  • Contributing factor systematic analysis
  • Fundamental solution development

Fishbone (Ishikawa) Methodology

  • Cause category analysis (people, processes, technology, environment)
  • Contributing factor identification in each category
  • Cause relationship visualization
  • Comprehensive solution development

FMEA (Failure Mode and Effects Analysis) Methodology

  • Potential failure mode analysis
  • Effect and consequence evaluation
  • Preventive control identification
  • Mitigation plan development

Post-mortem Tools

Analysis Tools

  • MindMeister: Mind map creation
  • Lucidchart: Flow and process diagrams
  • Miro: Real-time visual collaboration
  • Draw.io: Technical and process diagrams

Documentation Tools

  • Confluence: Collaborative documentation
  • Notion: Knowledge management
  • Google Docs: Shared documentation
  • Microsoft Teams: Collaboration and communication

Tracking Tools

  • Jira: Task management and tracking
  • Trello: Project management
  • Asana: Action tracking
  • Monday.com: Workflow management

Post-mortem Benefits

Process Improvement

  • Improvement opportunity identification
  • Response process optimization
  • Best practice development
  • Similar incident prevention

Organizational Learning

  • Lessons learned documentation
  • Knowledge sharing between teams
  • Personnel capability improvement
  • Continuous improvement culture development

Compliance and Auditing

  • Improvement process documentation
  • Due diligence demonstration
  • Regulatory requirement compliance
  • Security audit support

Post-mortem Challenges

Human Factors

  • Criticism and analysis resistance
  • Blame and personal responsibility
  • Cognitive bias in analysis
  • Time and resource pressure

Technical Complexity

  • System and technology diversity
  • Information volume to analyze
  • Complex interdependencies between systems
  • Specialized expertise requirement

Resources and Time

  • Dedicated personnel requirement
  • Significant time for analysis
  • Tool and training costs
  • Normal operations pressure

Best Practices

Adequate Preparation

  • Appropriate analysis team selection
  • Complete information gathering
  • Tools and resources preparation
  • Clear objective establishment

Professional Execution

  • Learning and improvement focus
  • Avoid blame and personal responsibility
  • Objective and fact-based analysis
  • Active participation of all involved

Follow-up and Improvement

  • Developed recommendation implementation
  • Improvement progress tracking
  • Change effectiveness measurement
  • Continuous process updates