What Went WellPermalink

  • While reflecting on the response to the incident it is important to concentrate on how it went well.
  • Staff should be appraised for responding to the incident
  • This helps combat imposter syndrome and burnout.

What can be improvedPermalink

  • Identifying weaknesses in the response can help the team perform better against a future incident
  • This is not just what went wrong but why. Did everyone have the resources they needed?
  • Did the tools or equipment have any limitations?
  • Does the budget for incident response or forensics need increasing?

Importance of DocumentationPermalink

  • Incident response case notes can be recorded with a tool, this needs to be kept updated so it contains everything it needs to
  • Incident response plan should be kept updated for new threats or tools
  • Reviewing run-books for the type of incident can help improve future responses by providing better guidance
  • Policies should be updated to stop new incidents

Incident Response MetricsPermalink

  • Metrics are numerical values for quantitative assessment.
  • Can highlight where your team has responded efficiently or effectively

Impact MetricsPermalink

  • Service level Agreement - an agreement with the customer to determine expectations with uptimes. Usually in percentage
  • Service level objective - determines the specific metic being measures in a SLA
  • Escalation rate - measure how often alerts in your SIEM are being assigned to the correct member

Time based metricsPermalink

  • Mean Time to detect - average time for the security team to take notice an incident has occurred.
  • Mean time to response - the mean time to repair , resolve or recover from the incident.
  • Incident over time - average incidents over a length of time
  • Remediation time. - how long it takes for the situation to be remediated.

Incident type metricsPermalink

  • Cumulative number of incidents - total number of incidents based on their type ( put into categories)
  • Alerts created per incident - how many alerts were created for one incident
  • Cost per incident - the cost a incident cost the company

Reporting FormatPermalink

  • Executive Summary
  • Incident Timeline
  • Incident Investigation
  • Appendix

Executive SummaryPermalink

  • High-level overview of the incident
  • Non technical
  • Clearly states business impact
  • Should be one page and focus on areas like: business risk, financial cost, damage occurred, damage prevented.
  • Highlight the work of the security team and how they prevented more damage and cost from happening.
  • The cost of running a security team is less than the incident.

Incident TimelinePermalink

  • The timeline will provide the date, time and short description of all key events
  • Order of actions taken or discovered.
  • Use either local timezone or universal time coordinated.

Incident InvestigationPermalink

  • Main bulk of the report
  • Step by step documentation of actions that were conducted
  • All stages of the incident response lifecycle should be considered and reported on.

AppendixPermalink

  • Used as storage for the report
  • Will include images, graphs and tables, IP address list. Anything that takes up alot of space

Report templatePermalink

  • One template will not work for everyone
  • https://www.paloaltonetworks.com/resources/whitepapers/incident-response-reporting-template

Reporting ConsiderationsPermalink

AudiencePermalink

  • Think about what audience will be reading each section
  • Executive summary - short, sweet, talk about the incident at a whole
  • Rest of report - technical, alot of detail is included.

Incident InvestigationPermalink

  • Really detailed
  • Any points need backing up with evidence
  • Make a point then provide evidence
  • Also important to include the MITRE ATT&CK tactic which was used

Screenshot and captionsPermalink

  • Use screenshots to provide evidence
  • Take as many screenshots as you can
  • All images should be captioned with a summary about one or two sentences