Let’s get started!
Ready to extend visibility, threat detection and response?
Get a DemoUltimate Incident Response Template to Present Incident Response Activity to Management
November 29, 2019
Last Updated:
February 8, 2024
Share on:
Incident Response Report Sections
Below is a full incident response report template, with fields you can easily fill in to report to your management about incident response activities.
Cynet’s Managed Detection and Response (MDR) service, CyOps, manages incident response for thousands of organizations, and the template is based on our extensive experience.
How to Use the Template
Here is how to use our template to create your incident report for management:
- The template is built from tables you need to fill up in respect to your specific use case.
- For prolonged investigations or incidents with many details, you can provide several reports, each covering a certain part of the incident investigation, each with its own threat and risk, containment, eradication and lessons learned.
- When entering free text, please be as concise as possible
1. Threat and Risk
Specify what happened in the incident, how you detected the threat, and the potential risk.
| INCIDENT INVESTIGATION | ||||||
|---|---|---|---|---|---|---|
| Compromise | Privilege Escalation | Credential Theft | Lateral Movement | Data Access | Data Exfiltration | |
| Threat | V | |||||
| Details | SaaS account was compromised | Pass the Ticket – XXX server was accessed | ||||
| THREAT DETECTION | |||
|---|---|---|---|
| IN-HOUSE | 3RD PARTY | ||
| Security Product Alert | Security Team Proactive | ||
| Details | EDR raised an alert | Analyst spotted anomalous outbound traffic | FBI notification |
| POTENTIAL RISK |
|---|
| Free text explaining the type of incident Example: Detected lateral movement might indicate an active malicious presence in the environment as well as other compromised assets |
2. Investigation Next Steps
Indicate who is managing the incident, whether there is a dedicated budget for responding or remediating the threat, and explain the next steps in the incident investigation process.
| THREAT TYPE | ||
|---|---|---|
| In-House | IR Service Provider | |
| Case Manager | ||
| DEDICATED BUDGET | |
|---|---|
| Purpose | Sum |
| INVESTIGATION DIRECTIONS |
|---|
| Free text in respect to the incident type
Example:
|
| ESTIMATED TIMELINE |
|---|
3. Containment
Discuss which part of the environment was penetrated, and what was done to contain the damage.
| ROOT CAUSE | |
|---|---|
| Weaponized Email | v |
| Malicious website | x |
| Stolen credentials | |
| Insider | |
| THREAT TYPE | ||
|---|---|---|
| Scope | Actions Taken | |
| Number of compromised endpoints | 2 | Take offline |
| Number of compromised servers | 3 | Take offline |
| Number Compromised user accounts | 5 | Disable & Reset Password |
| Number of encrypted endpoints | Reimage | |
| Number of encrypted servers | Reimage | |
| Current Status | all discovered compromised entities are mitigated |
|---|---|
| Next Steps | investigate the attack’s scope |
4. Eradication
Specify what was done, or planned to be done, to remove the threat in the interim phase, how it will be eradicated for good, and the success rate of different types of attacks conducted as part of the incident.
Interim Eradication
| INTERIM STATUS | ||||
|---|---|---|---|---|
| Mass Ransomware | Malware | Compromised User Accounts | Malicious Outbound Traffic | |
| Malicious Activity Type | XXX endpoints encrypted | XXX instances | XXX accounts | XXX sessions to XXX addresses |
| Status | 54% back in production | 92% removed | 100% disabled and password reset | 100% blocked |
| NEXT STEPS | ||||
|---|---|---|---|---|
| Mass Ransomware | Malware | Compromised User Accounts | Malicious Outbound Traffic | |
| Malicious Activity Type | XXX endpoints encrypted | XXX instances | XXX accounts | XXX sessions to XXX addresses |
| Status | Continue reimaging | |||
Final Eradication Plan
| MALICIOUS INFRASTRUCTURE & ACTIVITY REMOVED | ||||
|---|---|---|---|---|
| Mass Ransomware | Malware | Compromised User Accounts | Malicious Outbound Traffic | |
| Malicious Activity Type | XXX endpoints encrypted | XXX instances | XXX accounts | XXX sessions to XXX addresses |
| Status | 100% reimaged | 100% removed | 100% reset | 100% blocked |
| ATTACK DETAILS AND SUCCESS RATE | ||
|---|---|---|
| Details | Attack Success Rate | |
| Data Theft | Insert info here | Insert info here |
| Extortion | ||
| Cryptomining | ||
| Banking Credentials Harvesting | ||
| Sabotage | ||
| Other (specify) | ||
5. Recovery
Explain your plan for returning affected endpoints, servers, apps, and other organizational assets to production.
| Disabled/non available | Back to Production | |
|---|---|---|
| Endpoints | Insert info here | |
| Servers | ||
| Apps | ||
| Cloud workloads | ||
| User accounts | ||
| Data |
6. Lessons Learned
Summarize the incident – what was the impact on the organization, what were the root causes that allows the attack to happen, the final timeline of the incident, and most importantly – what went well in the incident management process and what needs to be improved next time.
| OVERALL ATTACK IMPACT | ||
|---|---|---|
| Damage | Details | |
| Man hours | Insert info here | Insert info here |
| Payment to 3rd party | ||
| Data loss | ||
| Computing charges for cloud provider | ||
| Production downtime | ||
| Fines (per respective regulation) | ||
| Attack Enablers | Recommendations |
|---|---|
| Lack of sufficient security technology | Implement EDR\Deception\UBA\Network Analytics\XDR\other |
| User insecure behavior | Train users on security best practices |
| Other (specify) | Implement EDR\Deception\UBA\Network Analytics\XDR\other |
| FINAL ATTACK TIMELINE | ||||
|---|---|---|---|---|
| Initial Compromise date | Insert date here | |||
| Initial Compromise > Identification | Identification > Containment | Containment > Eradication | Eradication > Recovery | |
| Time to conclude | Insert time here | |||
| Identification | Containment | Eradication | Recovery | ||
|---|---|---|---|---|---|
| POINTS TO REPRODUCE | |||||
| POINTS TO IMPROVE | Challenge | ||||
| Recommendation | |||||
Automated Incident Response with Cynet
Cynet provides a holistic solution for cybersecurity, including the Cynet Response Orchestration which can automate your incident response policy. Users can define automated playbooks, with pre-set or custom remediation actions for multiple attack scenarios. Cynet automated playbooks also help detect threats to ensure that you only implement a manual response when it is necessary.
Cynet Response Orchestration can address any threat that involves infected endpoints, malicious processes or files, attacker-controlled network traffic, or compromised user accounts.
Learn more about Cynet Response Orchestration.
In this article
Share on:
