Title Develop incident report
ID RA6001
Description Develop the incident report
Author @atc_project
Creation Date 2019/01/31
Category General
Stage RS0006: Lessons Learned


Develop the Incident Report using your corporate template.

It should include:

  1. Executive Summary with a short description of damage, actions taken, root cause, and key metrics (Time To Detect, Time To Respond, Time To Recover etc)
  2. Detailed timeline of adversary actions mapped to ATT&CK tactics (you can use the Kill Chain, but most probably most of the actions will be in Actions On Objective stage, which is not very representative and useful)
  3. Detailed timeline of actions taken by Incident Response Team
  4. Root Cause Analysis and Recommendations for improvements based on its conclusion
  5. List of specialists involved in Incident Response with their roles