Title | Develop incident report |
---|---|
ID | RA6001 |
Description | Develop the incident report |
Author | @atc_project |
Creation Date | 2019/01/31 |
Category | General |
Stage | RS0006: Lessons Learned |
References |
Workflow
Develop the Incident Report using your corporate template.
It should include:
- Executive Summary with a short description of the damage, actions taken, root cause, and key metrics (Time To Detect, Time To Respond, Time To Recover, etc.)
- Detailed timeline of adversary actions mapped to ATT&CK tactics (the Kill Chain can be used instead, but most of the actions will then fall into its Actions on Objectives stage, which makes the mapping neither representative nor useful)
- Detailed timeline of actions taken by Incident Response Team
- Root Cause Analysis and Recommendations for improvements based on its conclusions
- List of specialists involved in Incident Response with their roles
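As an added example (not part of the ATC project or any corporate template), the script below builds a report skeleton with the sections listed above from a structured timeline: it derives the key metrics from event timestamps, groups adversary actions by ATT&CK tactic, lists the response team's actions, and collects the roles involved. The sample events, the tactic lookup table, and the convention that all three metrics are measured from the first adversary action on the timeline are assumptions for illustration; use the definitions your own template prescribes.

```python
"""Build an incident report skeleton from a structured timeline.

Added example, not ATC project code. Sample events below are constructed.
Metrics convention (assumption): TTD, TTR and Time To Recover are all measured
from the first adversary action on the timeline.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed lookup of ATT&CK tactic names for the IDs used in the sample timeline.
TACTICS = {
    "TA0001": "Initial Access",
    "TA0002": "Execution",
    "TA0003": "Persistence",
    "TA0008": "Lateral Movement",
    "TA0010": "Exfiltration",
}


@dataclass
class Event:
    ts: datetime
    actor: str                       # "adversary" or "irt" (Incident Response Team)
    description: str
    tactic: Optional[str] = None     # ATT&CK tactic ID for adversary actions
    milestone: Optional[str] = None  # "detection" / "response" / "recovery" for IRT actions
    owner: Optional[str] = None      # role of the specialist who performed an IRT action


def first_ts(events: List[Event], **match) -> Optional[datetime]:
    """Timestamp of the earliest event whose attributes equal `match`, or None."""
    hits = [e.ts for e in events if all(getattr(e, k) == v for k, v in match.items())]
    return min(hits) if hits else None


def key_metrics(events: List[Event]) -> Dict[str, Optional[timedelta]]:
    """TTD / TTR / Time To Recover from the first adversary action.

    A missing milestone yields None so a gap in the timeline is visible in the
    report instead of being silently reported as zero.
    """
    start = first_ts(events, actor="adversary")
    if start is None:
        raise ValueError("timeline contains no adversary action")

    def since_start(end: Optional[datetime]) -> Optional[timedelta]:
        return end - start if end is not None else None

    return {
        "time_to_detect": since_start(first_ts(events, milestone="detection")),
        "time_to_respond": since_start(first_ts(events, milestone="response")),
        "time_to_recover": since_start(first_ts(events, milestone="recovery")),
    }


def adversary_timeline_by_tactic(events: List[Event]) -> Dict[str, List[Event]]:
    """Adversary actions in chronological order, grouped by ATT&CK tactic ID."""
    groups: Dict[str, List[Event]] = {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.actor == "adversary":
            groups.setdefault(e.tactic or "unmapped", []).append(e)
    return groups


def roles_involved(events: List[Event]) -> List[str]:
    """Distinct roles that performed an IRT action, for the specialists section."""
    return sorted({e.owner for e in events if e.actor == "irt" and e.owner})


def fmt(td: Optional[timedelta]) -> str:
    return "n/a" if td is None else str(td)


def render_report(events: List[Event], damage: str, root_cause: str,
                  recommendations: List[str]) -> str:
    """Markdown skeleton following the section list from the workflow."""
    m = key_metrics(events)
    out = ["# Incident Report", "", "## Executive Summary", "",
           f"- Damage: {damage}", f"- Root cause: {root_cause}",
           f"- Time To Detect: {fmt(m['time_to_detect'])}",
           f"- Time To Respond: {fmt(m['time_to_respond'])}",
           f"- Time To Recover: {fmt(m['time_to_recover'])}",
           "", "## Adversary Timeline (by ATT&CK tactic)", ""]
    for tactic, evs in adversary_timeline_by_tactic(events).items():
        out.append(f"### {tactic} {TACTICS.get(tactic, '')}".rstrip())
        out += [f"- {e.ts:%Y-%m-%d %H:%M} {e.description}" for e in evs]
        out.append("")
    out += ["## Incident Response Team Timeline", ""]
    out += [f"- {e.ts:%Y-%m-%d %H:%M} [{e.owner}] {e.description}"
            for e in sorted(events, key=lambda e: e.ts) if e.actor == "irt"]
    out += ["", "## Root Cause Analysis and Recommendations", "", root_cause, ""]
    out += [f"- {r}" for r in recommendations]
    out += ["", "## Specialists Involved", ""] + [f"- {r}" for r in roles_involved(events)]
    return "\n".join(out)


# Constructed sample timeline (not a real incident).
T0 = datetime(2019, 1, 28, 9, 0)
SAMPLE = [
    Event(T0, "adversary", "Phishing e-mail with macro document opened", "TA0001"),
    Event(T0 + timedelta(minutes=3), "adversary", "Macro launches PowerShell stager", "TA0002"),
    Event(T0 + timedelta(minutes=10), "adversary", "Scheduled task created for persistence", "TA0003"),
    Event(T0 + timedelta(hours=6), "adversary", "RDP to file server with stolen credentials", "TA0008"),
    Event(T0 + timedelta(hours=20), "adversary", "Archive uploaded to external host", "TA0010"),
    Event(T0 + timedelta(hours=26), "irt", "EDR alert on PowerShell stager triaged",
          milestone="detection", owner="SOC analyst"),
    Event(T0 + timedelta(hours=27), "irt", "Workstation isolated from network",
          milestone="response", owner="Incident handler"),
    Event(T0 + timedelta(hours=30), "irt", "Disk image acquired", owner="Forensic analyst"),
    Event(T0 + timedelta(hours=72), "irt", "Host rebuilt and credentials rotated",
          milestone="recovery", owner="IT operations"),
]

if __name__ == "__main__":
    print(render_report(SAMPLE, "One workstation and one file share exposed",
                        "Macro execution allowed by default Office policy",
                        ["Block macros from the internet via GPO",
                         "Alert on scheduled tasks created by Office child processes"]))
```

Keeping the report generation data-driven means the same timeline feeds both the executive metrics and the detailed timelines, so the numbers in the summary cannot drift from the evidence in the body of the report.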