What is one of the activities involved in the post-attack phase?

Documenting activities and results is a crucial activity in the post-attack phase. This involves compiling detailed records of the attack's nature, the vulnerabilities exploited, the methods used by the attacker, and the response taken by the security team. Accurate documentation serves several key purposes: it aids in understanding the attack in depth, assists in developing better security strategies in the future, and provides a historical record that can be referenced in case of similar incidents. This documentation can also be critical for legal investigations or compliance requirements, ensuring that all actions taken are well documented and justified.

Other activities, while potentially useful, do not fit as neatly into the post-attack analysis and response framework. Creating new security protocols and installing new software might be steps taken after assessing the situation, but they are more aligned with preemptive measures rather than direct post-attack activities. Building a new network infrastructure is typically a significant undertaking that would occur in a much broader, long-term planning capacity rather than as an immediate response to a specific attack incident. Thus, careful documentation stands out as the primary method of learning from and mitigating the impacts of an attack.