This report is produced either pre-emptively for an imminent attack or after the fact for an executed attack. The template below defines the report's building blocks and provides context for the information each section contains. Add TLP field.
| Attribute | Value |
|---|---|
| Distribution Scope | Member Firm |
| Audience | Global CISO / Member Firm CISOs / GSOC Manager / NITSO |
| Mode of Generation | Manual |
| Distribution Channel | SharePoint / Email |
| Production Format | Document-based (PDF) |
| Data Source | Threat Intelligence Portal (Sources) |
The same format is used for issuing a Threat Advisory.
The title page defines the name of the Threat or the Attack.
Standard Table of Contents to allow for easy navigation of the report.
Add whatever the report is going to cover. A few examples below for an executed attack:
- What was the date and time of the attack?
- What was the attack vector (e.g. social engineering, zero-day, phishing, etc.)?
- What users were being targeted?
- Time to resolution?
The context of the information will change as follows for an imminent Attack:
- What is the likely time of the attack?
- What is the likely attack vector (e.g. social engineering, zero-day, phishing, etc.)?
- What users are likely to be targeted?
- What assets / business units are subject to this threat?
- Mitigation tactics / strategies?
Report Control # <Insert here>
DD Month YYYY
Name (If applicable)
Name (Usually the GSOC Manager and the Threat Analyst)
The email contained a subject line of (“enter subject”) and contained a malicious attachment named (“enter attachment name”).
<< Threat Analysts have confirmed that none of the targeted users opened the malicious attachment. Threat Analysts have confirmed that X of the targeted users opened the malicious attachment. >>
<< Add a screenshot of the malicious email, for example. >>
<< Explain threat details, attack scenarios, targets, logic, indicators, etc. >>
Add related mitigation strategies here, e.g. patches applied, C2s blocked, sender address blocked.
Analyst contact information