When handling a large-scale intrusion, incident responders often struggle with obtaining and organizing the intelligence related to the actions taken by the intruder and the targeted organization. Examining all aspects of the event and communicating with internal and external constituents is quite a challenge in such strenuous circumstances. The following template for a Threat Intelligence and Incident Response Report aims to ease this burden. It provides a framework for capturing the key details and documenting them in a comprehensive, well-structured manner. This template leverages several models in the cyber threat intelligence (CTI) domain, such as the Intrusion Kill Chain, Campaign Correlation, the Courses of Action Matrix and the Diamond Model. The use of these frameworks helps guide threat intelligence gathering efforts and inform incident response actions. If you’re not familiar with this approach, read the papers and. ![]() This methodology is discussed in depth in the SANS Institute course. Read the following explanation to understand the template’s structure and methodology, so you can start learning how to use it. Structure of the Report The Threat Intelligence and Incident Response Report describes the actions taken by the adversary and the incident responder in the context of a large-scale intrusion. If relevant, it also references other intrusions that might comprise the larger campaign. The template below includes the following sections: • The Adversary’s Actions and Tactics: Making use of the Diamond Model methodology, this section asks the report author to describe the 4 key elements of the intrusion: the adversary itself, the infrastructure used as part of the attack, adversary’s capabilities and the victim. The template invites the report author to categorize these attributes according to the 7 phrases of the malicious activities that comprise the intrusion kill chain. • Courses of Action During Incident Response: Building upon the Courses of Action Matrix, this section asks the report author to describe the activities that the organization performed when responding to the intrusion. The template presents tips related to capturing the following types actions: Discover, detect, deny, disrupt, degrade, deceive and destroy. It provides placeholders for filling in details for these actions with respect to the applicable stages of the intrusion kill chain. • Intrusion Campaign Analysis: This section gives the report author the opportunity to document the relationship between the intrusion and other incidents that, when taken together, form a campaign. The template offers guidance for capturing the indicators and behaviors shared across the intrusions within the campaign. Department of Justice Office of Justice Programs National Institute of Justice Special APR. 04 REPORT Forensic Examination of Digital Evidence. Report of Digital Forensic Analysis in: Paul D. Stroz Friedberg did not find any of the Purported Emails in native file format, that is to say, as files in an email format. Stroz Friedberg did identify the Microsoft Word documents into which Mr. Ceglia claims to have copied-and-pasted the. ![]() It leaves room for outlining the commercial, geopolitical or other factors that might have motivated the adversary’s activities. Using the Report Template The Threat Intelligence and Incident Response Report template is comprehensive. As the result, creating a report on its basis requires rigor and patience, though not all sections of the template are applicable to all situations. Utilizing the template requires the report author to understand the above-mentioned threat intelligence frameworks, which include: • The Intrusion Kill Chain framework defines 7 consecutive stages through which adversaries must progress to achieve their intrusion objectives. Interfering with any phase of the chain helps the defender to fend off the adversary. • The Courses of Action matrix overlays the kill chain’s phases over 6 types of defensive actions that incident responders can take to break the chain. The defenders’ actions are based on the information available to them about each stage in the chain. • The Diamond Model establishes 4 characteristics that incident responders can use to describe the intrusion. Each characteristic can be explained in terms of the kill chain’s phases to provide a comprehensive narrative of malicious actions and their effects. The template should be used as a guide to help ensure that the incident responder: • Addresses all relevant aspects of the intrusion; • Is able to describe the adversary’s tactics, techniques and procedures; and • Can explain the actions taken to defend against the adversary when responding to the intrusion. Download the Report Template You can download the editable. You can also or in the. The template is distributed according to the (CC BY 4.0), which basically allows you to use it in any way you wish, including commercial purposes, as long as you credit me for the creation of the template. About the Author Lenny Zeltser is a seasoned business and technology leader with extensive information security experience. He builds innovative endpoint defense solutions as VP of Products. He also trains incident response and digital forensics professionals. Lenny frequently speaks at industry events, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. Archives
March 2018
Categories |