Threat Advisory / Attack Spot Report
1.1 Introduction
This report is produced either pre-emptively, for an imminent attack, or after the fact, for an attack that has already been executed. The template below defines the report's building blocks and gives context for the information each block contains. The Report Classification field carries the report's TLP (Traffic Light Protocol) marking.
Report Classification | TLP marking (TLP:RED / TLP:AMBER / TLP:GREEN / TLP:CLEAR) |
Distribution Scope | Member Firm |
Audience | Global CISO / Member Firm CISOs / GSOC Manager / NITSO |
Mode of Generation | Manual |
Distribution Channel | SharePoint / Email |
Production Format | Document-based (PDF) |
Data Schedule | Periodic |
Data Source | Threat Intelligence Portal (Sources) |
1.1.1 Threat Advisories
The same format is used for issuing a Threat Advisory.
1.2 Spot Report Template
1.2.1 Title Page
The title page defines the name of the Threat or the Attack.
1.2.2 Table of Contents
Standard Table of Contents to allow for easy navigation of the report.
1.2.3 Priority Information Requirements Covered
List the priority information requirements (PIRs) the report answers. A few examples for an executed attack:
- What was the date and time of the attack?
- What was the attack vector (e.g. social engineering, zero-day, phishing, etc.)?
- What users were being targeted?
- What was the time to resolution?
For an imminent attack (the Threat Advisory case), the questions shift to:
- What is the likely time of the attack?
- What is the likely attack vector (e.g. social engineering, zero-day, phishing, etc.)?
- What users are likely to be targeted?
- What assets / business units are subject to this threat?
- What mitigation tactics / strategies are recommended?
1.2.4 Report/Job Control Number
Report Control # <Insert here>
1.2.5 Date of Report
DD Month YYYY
1.2.6 Lead Analyst
Name
1.2.7 Supporting Analyst
Name (If applicable)
1.2.8 Reviewed By
Name (Usually the GSOC Manager and the Threat Analyst)
1.2.9 Summary
<<On DD Month YYYY, X (X) employees were targeted with a socially engineered (SE) email from (sender email address). Ticket # (insert ticket number) contains the information related to this email incident.
The email had the subject line (“enter subject”) and carried a malicious attachment named (“enter attachment name”).
Choose one: Threat Analysts have confirmed that none of the targeted users opened the malicious attachment. / Threat Analysts have confirmed that X of the targeted users opened the malicious attachment.>>
1.2.10 Details
<< Add a screenshot of the malicious email, for example. >>
<< Describe the threat in detail: the attack scenario, the targets, the attacker's logic, and the indicators observed (e.g. sender address, URLs, attachment names and hashes, C2 addresses). >>
1.2.11 Mitigation Activity
List the mitigation actions taken or recommended, e.g. patches applied, C2 addresses blocked, sender address blocked.
1.2.12 Points of Contact
Analyst contact information