medium
Single Answer
Michelle wants to determine why attackers were able to take her organization’s web server cluster offline after an incident occurred. What process should she and her team follow to determine this?
Answer Options
A
Threat hunting
B
Root cause analysis
C
A lessons learned analysis
D
Recovery
Correct Answer: B
Explanation
Root cause analysis is a process used to determine the underlying cause of an issue, such as why attackers were able to successfully take down Michelle’s web server cluster. Threat hunting is used to proactively look for threats using a variety of techniques, including OSINT and leveraging indicators of compromise. Lessons learned processes look for takeaways from events and incidents to allow organizations to improve their processes and procedures. Recovery is part of the incident response process but focuses on restoring the organization to normal operation.