Threat Advisory / Attack Spot Report

1.1              Introduction

This report is produced either pre-emptively, for an imminent attack, or retrospectively, for an attack that has already been executed. The template below defines the report's building blocks and gives context for the information each section should contain. Every report carries a TLP marking in its classification block so recipients know how far it may be shared.

Report Classification
TLP Marking: <Insert TLP level here>
Distribution Scope: Member Firm
Audience: Global CISO / Member Firm CISOs / GSOC Manager / NITSO
Mode of Generation: Manual
Distribution Channel: SharePoint / Email
Production Format: Document-based (PDF)
Data Schedule: Periodic
Data Source: Threat Intelligence Portal (Sources)

1.1.1          Threat Advisories

The same format is used for issuing a Threat Advisory.

1.2              Spot Report Template

1.2.1          Title Page

The title page states the name of the threat or attack the report covers.

1.2.2          Table of Contents

Standard Table of Contents to allow for easy navigation of the report.

1.2.3          Priority Information Requirements Covered

List the priority information requirements (PIRs) the report answers. Example requirements for an executed attack:

  • What was the date and time of the attack?
  • What was the attack vector (e.g. social engineering, zero-day, phishing, etc.)?
  • What users were targeted?
  • What was the time to resolution?

For an imminent attack the requirements shift from what happened to what is expected:

  • What is the likely time of the attack?
  • What is the likely attack vector (e.g. social engineering, zero-day, phishing, etc.)?
  • What users are likely to be targeted?
  • What assets / business units are subject to this threat?
  • What mitigation tactics / strategies are available?

1.2.4          Report/Job Control Number

Report Control # <Insert here>

1.2.5          Date of Report

DD Month YYYY

1.2.6          Lead Analyst

Name

1.2.7          Supporting Analyst

Name (If applicable)

1.2.8          Reviewed By

Name (Usually the GSOC Manager and the Threat Analyst)

1.2.9          Summary

<<On DD Month YYYY, X (X) employees were targeted with a socially engineered (SE) email from (Email Address). Ticket # <Insert ticket number> contains information related to this email incident.

The email had the subject line ("enter subject") and carried a malicious attachment named ("enter attachment name").

Use whichever of the following applies: Threat Analysts have confirmed that none of the targeted users opened the malicious attachment. / Threat Analysts have confirmed that X of the targeted users opened the malicious attachment.>>

1.2.10       Details

<< Add a screenshot of the malicious email, for example. >>

<< Explain threat details, attack scenarios, targets, logic, and indicators of compromise (e.g. sender address, subject line, attachment name, embedded URLs, C2 addresses), etc. >>
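As an added example (not part of this template or the GSOC's tooling), the following Python script pulls the fields the Summary and Details sections ask for (sender, subject, recipients, attachment names with SHA-256 hashes, embedded URLs) out of a saved copy of the malicious email, so that indicators are recorded from the evidence rather than transcribed by hand. The message below is constructed for illustration; its addresses, domain and attachment are not real indicators, and the function and field names are the example's own.

```python
"""Extract Spot Report Summary/Details fields from a phishing email.

Added example, not part of the report template: parses a raw RFC 822
message with the standard library, collects sender, subject, recipients,
attachment names and SHA-256 hashes, and any URLs in the text body.
"""
import hashlib
import re
from email import message_from_bytes, policy

# Constructed sample lure (not a real indicator): text body with one link
# and one base64-encoded attachment.
SAMPLE_EML = b"""From: "Accounts Payable" <ap-invoices@example.invalid>
To: user1@example.test, user2@example.test
Subject: Overdue invoice 4471
Date: Mon, 03 Jun 2024 08:15:00 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Please review the attached invoice or view it online at
http://invoice-portal.example.invalid/view?id=4471

--XYZ
Content-Type: application/octet-stream; name="Invoice_4471.zip"
Content-Disposition: attachment; filename="Invoice_4471.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAAAAAAA=
--XYZ--
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_indicators(raw: bytes) -> dict:
    """Return the fields the Summary and Details sections ask for."""
    msg = message_from_bytes(raw, policy=policy.default)
    indicators = {
        "sender": str(msg.get("From", "")),
        "subject": str(msg.get("Subject", "")),
        "date": str(msg.get("Date", "")),
        "recipients": [a.strip() for a in str(msg.get("To", "")).split(",") if a.strip()],
        "urls": [],
        "attachments": [],
    }
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container only; the leaves carry the content
        if part.get_content_disposition() == "attachment":
            payload = part.get_payload(decode=True) or b""  # decodes base64
            indicators["attachments"].append({
                "filename": part.get_filename(),
                "sha256": hashlib.sha256(payload).hexdigest(),
                "size": len(payload),
            })
        elif part.get_content_type() == "text/plain":
            indicators["urls"].extend(URL_RE.findall(part.get_content()))
    return indicators


def summary_sentence(ind: dict) -> str:
    """Render the opening sentence of the Summary section from the extracted fields."""
    n = len(ind["recipients"])
    att = ", ".join(a["filename"] for a in ind["attachments"]) or "no attachment"
    return (f"On {ind['date']}, {n} employees were targeted with a socially engineered "
            f"email from {ind['sender']} with subject \"{ind['subject']}\" "
            f"and malicious attachment {att}.")


if __name__ == "__main__":
    found = extract_indicators(SAMPLE_EML)
    print(summary_sentence(found))
    for a in found["attachments"]:
        print(f"attachment {a['filename']} sha256={a['sha256']} size={a['size']}")
    for u in found["urls"]:
        print(f"url {u}")
```

Save the reported message as .eml (or export it from the mail gateway) and call extract_indicators on its bytes; the returned dictionary can be pasted into the Details section and the hashes and URLs handed to the blocking step recorded under Mitigation Activity.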

1.2.11       Mitigation Activity

Record the mitigation actions taken or recommended here, e.g. patches applied, C2 addresses blocked, sender address blocked.

1.2.12       Points of Contact

Analyst contact information