CyberThreatIntelligenceandIncidentResponseReport.pdfVIP

Cyber Threat Intelligence and Incident Response Report This template leverages several models in the cyber threat intelligence domain (such as the Intrusion Kill Chain, Campaign Correlation, the Courses of Action Matrix and the Diamond Model) to structure data, guide threat intel gathering efforts and inform incident response actions. If you’re not familiar with this approach, read the following papers: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains and The Diamond Model of Intrusion Analysis. Thisframework is discussed in depth in the SANS Institute course FOR578: Cyber Threat Forensics. Incident Name Report Author Report Date Revision Dates and Notes Executive Summary Describe in up to three paragraphs your key observations and takeaways related to the intrusion. Explain the adversary’s tactics, techniques and procedures. Outline the most significant courses of action taken to defend against the adversary when responding to the intrusion. The remainder of the report should substantiate this summary. The Adversary’s Actions and Tactics Summarize in one paragraph the adversary’s actions and tactics, as well as the effects that the intrusion had on the victims. This section of the report overlays the intrusion kill chain’s phases over the diamond model vertices to capture the core characteristics of the malicious activities. Description of the Adversary Describe observations and indicators that may be related to the perpetrators of the intrusion. If possible, highlight the attributes of the adversary operator and the adversary’s potential customer. Outline potential motivations and identifying elements. Categorize your insights according to the corresponding phase of the intrusion kill chain, as structured in the following table. Page 1 of 9 Reconnaissance Weapon