Presentation Template IR For Management


Presentation Template:

‘Incident Response (IR) Reporting for management’

1
What is the ‘IR for management’ Presentation Template
You are accountable for cyber security at your company.
Sooner or later you’ll experience a security incident and conduct an IR process to detect, contain and recover.

An important part of this process is communicating it to your management, both during the response itself and after its conclusion. While they are not necessarily security professionals, they need full visibility into the event and its potential risk.

The ‘Incident Response (IR) for Management‘ presentation template enables you to deliver clear and concise reporting on the incident’s status, nature and scope, as well as on the overall IR process.

2
What is the ‘Incident Response (IR) for management’ Presentation Template

The template provides a concise reporting tool for each stage, including a high-level status description and a business risk overview.
The template is purposely modular, enabling you to tailor it to your specific needs for the specific incident you manage.

3
What does the Template Include?

IDENTIFICATION
• Threat and Risk: what is the threat type, how was it detected and what is the potential risk
• Onward steps: who is the case manager, what are the investigation directions, budget request and estimated timeline

CONTAINMENT
• Root cause, scope, current status and onward steps

ERADICATION
• Interim: current status and onward steps
• Final: listing all removed threats, estimated attack objective and its success level

RECOVERY
• Listing all affected entities and their back-to-production rate

LESSONS LEARNED
• Overall damage, what enabled the attack, reflection on the previous IR process stages

4
How to Use the Template
• The template is built from tables you need to fill in according to your specific use case.

• You are free to split the parts into different sessions according to the incident type and severity
– for example, a long investigation might justify several containment/eradication sessions, while
a short 3-day investigation may be covered in one session from identification to lessons learned.

• There are a few places with free text. Be as concise as possible.

• This copy includes demo data to give you some reference. Of course, when you actually put it to
use, make sure that all tables are blank and demo data is removed.

• Remember this is just a template. Feel free to adjust, add tables or leave tables unused. You are
the one who knows best what’s right for your organization and environment.

5
Identification – Threat and Risk
INCIDENT INVESTIGATION

Threat (mark the stages observed): Compromise | Privilege Escalation | Credential Theft | Lateral Movement | Data Access | Data Exfiltration

Details (demo data):
• Compromise: SaaS account was compromised
• Lateral Movement: Pass the Ticket
• Data Access: \XXX server was accessed

THREAT DETECTION

In-house – Security Product Alert: EDR raised an anomalous outbound traffic alert
In-house – Security team proactive: Analyst spotted
3rd party: FBI notification

POTENTIAL RISK

Free text in respect to the incident type.

Example: Detected lateral movement might indicate an active malicious presence in the environment as well as other compromised assets.

6
Identification – Onward Steps
THREAT TYPE

In-House | IR Service Provider
Case Manager (demo data): jjh | kkl

DEDICATED BUDGET

Purpose | Sum

INVESTIGATION DIRECTIONS

Free text in respect to the incident type.

Example:
• Check if the compromised account has accessed sensitive resources
• Examine outbound communication from the infected endpoints
• etc.

ESTIMATED TIMELINE

7
Containment
ROOT CAUSE

• Weaponized Email: v
• Malicious website: x
• Stolen credentials:
• Insider:

THREAT TYPE

Scope | Actions Taken
Number of compromised endpoints: 2 | Take offline
Number of compromised servers: 3 | Take offline
Number of compromised user accounts: 5 | Disable & Reset Password
Number of encrypted endpoints: | Reimage
Number of encrypted servers: | Reimage

Current Status: all discovered compromised entities are mitigated

Next Steps: investigate the attack’s scope

8
Eradication - Interim
INTERIM STATUS

Columns: Mass Ransomware | Malware | Compromised User Accounts | Malicious Outbound Traffic
Malicious Activity Type: XXX endpoints encrypted | XXX instances | XXX accounts | XXX sessions to XXX addresses
Status: 54% back in production | 92% removed | 100% disabled and password reset | 100% blocked

NEXT STEPS

Columns: Mass Ransomware | Malware | Compromised User Accounts | Malicious Outbound Traffic
Malicious Activity Type: XXX endpoints encrypted | XXX instances | XXX accounts | XXX sessions to XXX addresses
Status: Continue reimaging (Mass Ransomware); remaining columns blank

9
Eradication - Final
MALICIOUS INFRASTRUCTURE & ACTIVITY REMOVED

Columns: Mass Ransomware | Malware | Compromised User Accounts | Malicious Outbound Traffic
Malicious Activity Type: XXX endpoints encrypted | XXX instances | XXX accounts | XXX sessions to XXX addresses
Status: 100% reimaged | 100% removed | 100% reset | 100% blocked

NEXT STEPS

Details | Attack Success Rate
Data Theft: Insert info here | Insert info here
Extortion:
Cryptomining:
Banking Credentials Harvesting:
Sabotage:
Other (specify):

10
Recovery
Disabled / non-available | Back to Production
Endpoints: Insert info here
Servers:
Apps:
Cloud workloads:
User accounts:
Data:

11
Lessons Learned
OVERALL ATTACK IMPACT

Damage | Details
Man hours: Insert info here | Insert info here
Payment to 3rd party:
Data loss:
Computing charges for cloud provider:
Production downtime:
Fines (per respective regulation):

Attack Enablers | Recommendations
Lack of sufficient security technology: Implement EDR/Deception/UBA/Network Analytics/XDR/other
User insecure behavior: Train users on security best practices
Other (specify): Implement EDR/Deception/UBA/Network Analytics/XDR/other

12
Lessons Learned
FINAL ATTACK TIMELINE

Initial Compromise date: Insert date here

Time to conclude: Insert time here
Identification (Initial Compromise > Identification) | Containment (Identification > Containment) | Eradication (Containment > Eradication) | Recovery (Eradication > Recovery)

POINTS TO REPRODUCE: Challenge

POINTS TO IMPROVE: Recommendation

13
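The per-stage durations on the final attack timeline and the status percentages in the eradication tables are easy to get wrong when typed by hand mid-incident. The following Python is an added example, not part of the template or its author's material: it derives both sets of figures from the raw milestones and entity counts, refusing to report a blank or out-of-order milestone as a zero. The milestone dates, counts and helper names (stage_durations_hours, EradicationItem, status_table) are constructed assumptions.

```python
"""Compute the figures the 'IR for management' slides ask for: stage-to-stage
durations for the final attack timeline and status percentages for the
eradication tables. Added example, not part of the template; all dates and
counts below are constructed demo data."""
from dataclasses import dataclass
from datetime import datetime

# Stage order used on the "Final attack timeline" slide.
STAGES = ["Initial Compromise", "Identification", "Containment", "Eradication", "Recovery"]


def stage_durations_hours(milestones: dict) -> dict:
    """Elapsed hours between consecutive stages, keyed like the slide
    ("Initial Compromise > Identification", ...). A missing or out-of-order
    milestone raises, so a blank cell never silently becomes a zero duration."""
    missing = [s for s in STAGES if s not in milestones]
    if missing:
        raise ValueError(f"missing milestones: {missing}")
    result = {}
    for earlier, later in zip(STAGES, STAGES[1:]):
        gap = milestones[later] - milestones[earlier]
        if gap.total_seconds() < 0:
            raise ValueError(f"{later} is dated before {earlier}")
        result[f"{earlier} > {later}"] = gap.total_seconds() / 3600
    return result


def time_to_conclude_hours(milestones: dict) -> float:
    """'Time to conclude' on the slide: initial compromise through recovery."""
    return sum(stage_durations_hours(milestones).values())


@dataclass
class EradicationItem:
    """One column of the eradication interim/final status table."""
    category: str   # e.g. "Mass Ransomware"
    unit: str       # e.g. "endpoints encrypted"
    total: int      # entities affected in this category
    handled: int    # entities already reimaged / removed / reset / blocked
    verb: str       # e.g. "back in production"

    def percent(self) -> int:
        if self.handled > self.total:
            raise ValueError(f"{self.category}: handled exceeds total")
        if self.total == 0:
            return 100  # nothing affected in this category counts as done
        return round(100 * self.handled / self.total)

    def status(self) -> str:
        return f"{self.percent()}% {self.verb}"


def status_table(items) -> dict:
    """Category -> (activity line, status line), one pair per slide column."""
    return {i.category: (f"{i.total} {i.unit}", i.status()) for i in items}


# Constructed demo data chosen to reproduce the template's demo percentages.
DEMO_MILESTONES = {
    "Initial Compromise": datetime(2024, 3, 1, 9, 0),
    "Identification": datetime(2024, 3, 3, 15, 0),
    "Containment": datetime(2024, 3, 3, 21, 0),
    "Eradication": datetime(2024, 3, 5, 9, 0),
    "Recovery": datetime(2024, 3, 8, 9, 0),
}
DEMO_ITEMS = [
    EradicationItem("Mass Ransomware", "endpoints encrypted", 50, 27, "back in production"),
    EradicationItem("Malware", "instances", 25, 23, "removed"),
    EradicationItem("Compromised User Accounts", "accounts", 5, 5, "disabled and password reset"),
    EradicationItem("Malicious Outbound Traffic", "sessions", 8, 8, "blocked"),
]

if __name__ == "__main__":
    for stage, hours in stage_durations_hours(DEMO_MILESTONES).items():
        print(f"{stage}: {hours:.0f} h")
    print(f"Time to conclude: {time_to_conclude_hours(DEMO_MILESTONES):.0f} h")
    for category, (activity, status) in status_table(DEMO_ITEMS).items():
        print(f"{category}: {activity} | {status}")
```

Feeding the real milestone timestamps and counts from the incident tracker into these two functions gives the timeline and status rows directly, and the validation errors surface exactly the blanks management would otherwise read as "zero hours" or "100% done".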
