Title Develop incident report
ID RA6001
Description Develop the incident report
Author @atc_project
Creation Date 2019/01/31
Category General
Stage RS0006: Lessons Learned
References

Workflow

Develop the Incident Report using your corporate template.

It should include:

  1. Executive Summary with a short description of the damage, actions taken, root cause, and key metrics (Time To Detect, Time To Respond, Time To Recover, etc.)
  2. Detailed timeline of adversary actions mapped to ATT&CK tactics (you can use the Kill Chain, but most of the actions will probably fall into the Actions on Objectives stage, which is not very representative or useful)
  3. Detailed timeline of actions taken by the Incident Response Team
  4. Root Cause Analysis and Recommendations for improvement based on its conclusions
  5. List of specialists involved in the Incident Response with their roles
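As an added illustration (not part of the ATC project's own material) of how items 1 and 2 can be derived from one timeline, the script below computes the key metrics and groups adversary actions by ATT&CK tactic; the timeline data is constructed, and the metric definitions (TTD from first adversary action to detection, TTR and Time To Recover measured from detection) are this example's assumptions, not the page's.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class Event:
    ts: datetime
    actor: str                       # "adversary" or "irt" (Incident Response Team)
    description: str
    tactic: Optional[str] = None     # ATT&CK tactic, for adversary actions
    milestone: Optional[str] = None  # "detected", "responded" or "recovered"

# Constructed sample timeline; not taken from a real incident.
TIMELINE = [
    Event(datetime(2019, 1, 28, 9, 0), "adversary", "Phishing email delivered", tactic="Initial Access"),
    Event(datetime(2019, 1, 28, 9, 12), "adversary", "Macro spawns powershell.exe", tactic="Execution"),
    Event(datetime(2019, 1, 28, 9, 40), "adversary", "Credentials dumped from LSASS", tactic="Credential Access"),
    Event(datetime(2019, 1, 29, 14, 5), "irt", "SOC alert triaged, incident opened", milestone="detected"),
    Event(datetime(2019, 1, 29, 15, 30), "irt", "Host isolated, accounts reset", milestone="responded"),
    Event(datetime(2019, 1, 31, 11, 0), "irt", "Host rebuilt and returned to service", milestone="recovered"),
]

def _first(events, **match) -> Optional[datetime]:
    """Timestamp of the earliest event whose fields equal the given values, or None."""
    for e in sorted(events, key=lambda e: e.ts):
        if all(getattr(e, k) == v for k, v in match.items()):
            return e.ts
    return None

def key_metrics(events) -> dict:
    """Executive Summary metrics in hours (assumed definitions, see lead-in).
    A metric is None when its milestone is missing from the timeline."""
    first_adv = _first(events, actor="adversary")
    detected = _first(events, milestone="detected")
    responded = _first(events, milestone="responded")
    recovered = _first(events, milestone="recovered")
    hours = lambda a, b: None if a is None or b is None else round((b - a).total_seconds() / 3600, 1)
    return {
        "time_to_detect_h": hours(first_adv, detected),
        "time_to_respond_h": hours(detected, responded),
        "time_to_recover_h": hours(detected, recovered),
    }

def adversary_timeline_by_tactic(events) -> dict:
    """Report section 2: adversary actions grouped by ATT&CK tactic, in time order."""
    grouped = {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.actor == "adversary":
            grouped.setdefault(e.tactic, []).append((e.ts.isoformat(), e.description))
    return grouped
```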