Attack Spot Report


This report is produced either pre-emptively for an imminent attack or retrospectively for an attack that has already been executed. The template below defines the report's building blocks and provides contextual information for each element.

Title Page

The title page defines the name of the Threat or the Attack.

Table of Contents

Standard Table of Contents to allow for easy navigation of the report.

Priority Information Requirements Covered

List the questions the report is going to answer. A few examples for an executed attack:
■ What was the date and time of the attack?
■ What was the attack vector (e.g. social engineering, zero-day, phishing, etc.)?
■ What users were being targeted?
■ What was the time to resolution?

For an imminent attack, the questions shift from what happened to what is likely to happen:
■ What is the likely time of the attack?
■ What is the likely attack vector (e.g. social engineering, zero-day, phishing, etc.)?
■ What users are likely to be targeted?
■ What assets/business units are subject to this threat?
■ What mitigation tactics or strategies apply?

Report/Job Control Number

Report Control #

Date of Report

The YYYYMMDD format is used to avoid ambiguity between regional date conventions.

Lead Analyst

Name

Supporting Analyst

Name (If applicable)

Reviewed By

Name (Usually the GSOC Manager and the Threat Analyst)

Summary

<<On YYYYMMDD, X (X) employees were targeted with a socially engineered (SE) email from (Email Address). Ticket # (enter ticket number) contains information related to this email incident.

The email contained a subject line of (“enter subject”) and contained a malicious attachment named (“enter attachment name”).

Threat Analysts have confirmed that none of the targeted users opened the malicious attachment. (Alternatively:) Threat Analysts have confirmed that X of the targeted users opened the malicious attachment.>>

Details

<< Add a screenshot of the malicious email, for example. >>

<< Explain the threat details: attack scenarios, targets, attacker logic, indicators of compromise, etc. >>

Mitigation Activity

Add the mitigation actions taken or planned here, e.g. patches applied, C2 addresses blocked, sender address blocked.

Points of Contact

Analyst contact information