Title | Develop an incident report |
---|---|
ID | RA6001 |
Description | Develop the incident report |
Author | @atc_project |
Creation Date | 31.01.2019 |
Category | General |
Stages | RS0006: Lessons learned |
References | <ul><li>https://attack.mitre.org/tactics/enterprise/</li><li>https://en.wikipedia.org/wiki/Kill_chain</li></ul> |
Workflow
Develop the Incident Report using your corporate template.
It should include:
- Executive Summary with a short description of the damage, actions taken, root cause, and key metrics (Time To Detect, Time To Respond, Time To Recover, etc.)
- Detailed timeline of adversary actions mapped to ATT&CK tactics (the Kill Chain can be used instead, but most of the actions will probably fall into its Actions on Objectives stage, which is not very representative or useful)
- Detailed timeline of actions taken by Incident Response Team
- Root Cause Analysis and recommendations for improvements based on its conclusions
- List of specialists involved in Incident Response with their roles
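As an added example (not part of the original ATC page or project), the following Python derives the key metrics and both timelines of the report from a constructed incident timeline; the metric definitions, the hostnames W1 and FS1 and every event are assumptions made for this example.

```python
from collections import OrderedDict
from datetime import datetime

# ATT&CK Enterprise tactic IDs in kill-chain order, used to sort the adversary timeline.
TACTIC_ORDER = ["TA0043", "TA0042", "TA0001", "TA0002", "TA0003", "TA0004", "TA0005",
                "TA0006", "TA0007", "TA0008", "TA0009", "TA0011", "TA0010", "TA0040"]

# Constructed sample data (UTC, not a real incident): (timestamp, tactic ID, tactic name, observation).
ADVERSARY_ACTIONS = [
    ("2019-01-28T09:00:00", "TA0001", "Initial Access", "Phishing attachment opened on workstation W1"),
    ("2019-01-28T09:05:00", "TA0002", "Execution", "Script interpreter spawned by the document on W1"),
    ("2019-01-29T14:40:00", "TA0008", "Lateral Movement", "Remote service created on file server FS1"),
    ("2019-01-29T14:55:00", "TA0002", "Execution", "Script interpreter spawned by the new service on FS1"),
    ("2019-01-30T02:05:00", "TA0010", "Exfiltration", "Archive uploaded from FS1 to external storage"),
]
# IR entry: (timestamp, phase, action taken by the Incident Response Team).
IR_ACTIONS = [
    ("2019-01-30T09:00:00", "Detection", "EDR alert on FS1 triaged and confirmed as an incident"),
    ("2019-01-30T11:00:00", "Containment", "W1 and FS1 isolated from the network"),
    ("2019-01-31T15:00:00", "Recovery", "Hosts reimaged, credentials rotated, file service restored"),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def key_metrics(adversary=ADVERSARY_ACTIONS, ir=IR_ACTIONS):
    """Hours. Definitions assumed by this example: TTD = confirmed detection - earliest adversary
    action; TTR = first containment - detection; Time To Recover = recovery complete - detection."""
    first_adv = min(_ts(t) for t, *_ in adversary)
    detect, contain, recover = (min(_ts(t) for t, p, _ in ir if p == phase)
                                for phase in ("Detection", "Containment", "Recovery"))
    return {"time_to_detect_h": (detect - first_adv).total_seconds() / 3600,
            "time_to_respond_h": (contain - detect).total_seconds() / 3600,
            "time_to_recover_h": (recover - detect).total_seconds() / 3600}

def timeline_by_tactic(adversary=ADVERSARY_ACTIONS):
    """Group adversary actions by tactic (kill-chain order), chronological within each."""
    grouped = OrderedDict()
    for ts, tid, name, desc in sorted(adversary, key=lambda e: (TACTIC_ORDER.index(e[1]), e[0])):
        grouped.setdefault(f"{tid} {name}", []).append((ts, desc))
    return grouped

def render_report(adversary=ADVERSARY_ACTIONS, ir=IR_ACTIONS):
    """Render the metrics and both timelines as Markdown sections of the report."""
    lines = ["## Executive Summary: key metrics"]
    lines += [f"- {k}: {v:.1f}" for k, v in key_metrics(adversary, ir).items()]
    for tactic, entries in timeline_by_tactic(adversary).items():
        lines += [f"## Adversary actions: {tactic}"] + [f"- {ts}: {desc}" for ts, desc in entries]
    lines += ["## Incident Response Team timeline"] + [f"- {ts} [{phase}]: {desc}" for ts, phase, desc in sorted(ir)]
    return "\n".join(lines)
```

Calling `render_report()` prints the three sections ready to paste into the corporate template; the remaining sections (root cause, recommendations, team roster) are written by hand.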