Incident Response

The Cynet 360 platform is the world’s fastest IR tool and includes automated attack detection and remediation

Learn More

Incident Response Template: Presenting Incident Response Activity to Management

Incident response is a critical, highly sensitive activity in any organization. When security incidents happen, especially if they turn into major breaches involving damage to the organization and its clients, management needs to get involved. Senior managers will want to understand the impact of the incident and react to it.

As a leader, or member, of an incident response team, you’ll need a way to easily communicate the details of a security incident to management, taking into consideration that they are not security professionals.

This page provides a useful template with tables you can copy and paste into your reports or presentations to management, that will help them understand what happened in an incident, how your team responded, what remains to be done, and lessons learned.

When a major security incident occurs in your organization, you will be required to report to management about what happened during the incident, how the threat was mitigated and key systems recovered, and what are the lessons learned for next time.

It is important to communicate about the incident to your management both during the response, and after its conclusion. This will give them full visibility and knowledge into the event and its potential risk.

In this page, we provide a template you can use to clearly report to management about a major security incident, how it was handled, next steps and lessons learned.

Also be sure to check out our guide to incident response planning, and our list of incident response plan templates created by leading organizations.

How to Use the Template

Here is how to use our template to create your incident report for management:

  • The template is built from tables you need to fill up in respect to your specific use case.
  • For prolonged investigations or incidents with many details, you can provide several reports, each covering a certain part of the incident investigation, each with its own threat and risk, containment, eradication and lessons learned.
  • When entering free text, please be as concise as possible
  • Make sure you remove any placeholder text before presenting the template.

1. Threat and Risk

Specify what happened in the incident, how you detected the threat, and the potential risk.

INCIDENT INVESTIGATION
CompromisePrivilege EscalationCredential TheftLateral MovementData  AccessData Exfiltration
ThreatV
DetailsSaaS account was compromisedPass the Ticket – XXX server was accessed
THREAT DETECTION
IN-HOUSE3RD PARTY
Security Product AlertSecurity team proactive
DetailsEDR raised an alertAnalyst spotted anomalous outbound trafficFBI notification
POTENTIAL RISK
Free text explaining the type of incident
Example: Detected lateral movement might indicate an active malicious presence in the environment as well as other compromised assets

2. Investigation Next Steps

Indicate who is managing the incident, whether there is a dedicated budget for responding or remediating the threat, and explain the next steps in the incident investigation process.

THREAT TYPE
In-HouseIR Service Provider
Case Manager
DEDICATED BUDGET
PurposeSum
INVESTIGATION DIRECTIONS
Free text in respect to the incident type

Example:

  • Check if the compromised account has accessed sensitive resources
  • Examine outbound communication from the infected endpoints
  • etc.
ESTIMATED TIMELINE

3. Containment

Discuss which part of the environment was penetrated, and what was done to contain the damage.

ROOT CAUSE
Weaponized Emailv
Malicious websitex
Stolen credentials
Insider
THREAT TYPE
ScopeActions Taken
Number of compromised endpoints2Take offline
Number of compromised  servers3Take offline
Number Compromised user accounts5Disable & Reset Password
Number of encrypted  endpointsReimage
Number of encrypted serversReimage
Current Statusall discovered compromised entities are mitigated
Next Stepsinvestigate the attack’s scope

4. Eradication

Specify what was done, or planned to be done, to remove the threat in the interim phase, how it will be eradicated for good, and the success rate of different types of attacks conducted as part of the incident.

Interim Eradication

INTERIM STATUS
Mass RansomwareMalwareCompromised User AccountsMalicious Outbound  Traffic
Malicious Activity TypeXXX endpoints encryptedXXX instancesXXX accountsXXX sessions to XXX addresses
Status54% back in production92% removed100% disabled and password reset100% blocked
NEXT STEPS
Mass RansomwareMalwareCompromised User AccountsMalicious Outbound  Traffic
Malicious Activity TypeXXX endpoints encryptedXXX instancesXXX accountsXXX sessions to XXX addresses
StatusContinue reimaging

Final Eradication Plan

MALICIOUS INFRASTRUCTURE & ACTIVITY REMOVED
Mass RansomwareMalwareCompromised User AccountsMalicious Outbound  Traffic
Malicious Activity TypeXXX endpoints encryptedXXX instancesXXX accountsXXX sessions to XXX addresses
Status100% reimaged100% removed100% reset100% blocked
ATTACK DETAILS AND SUCCESS RATE
DetailsAttack Success Rate
Data TheftInsert info hereInsert info here
Extortion
Cryptomining
Banking Credentials Harvesting
Sabotage
Other (specify)

5. Recovery

Explain your plan for returning affected endpoints, servers, apps, and other organizational assets to production.

Disabled/non availableBack to Production
EndpointsInsert info here
Servers
Apps
Cloud workloads
User accounts
Data

6. Lessons Learned

Summarize the incident – what was the impact on the organization, what were the root causes that allows the attack to happen, the final timeline of the incident, and most importantly – what went well in the incident management process and what needs to be improved next time.

OVERALL ATTACK IMPACT
DamageDetails
Man hoursInsert info hereInsert info here
Payment to 3rd party
Data loss
Computing charges for cloud provider
Production downtime
Fines (per respective regulation)
Attack EnablersRecommendations
Lack of sufficient security technologyImplement EDR\Deception\UBA\Network Analytics\XDR\other
User insecure behaviorTrain users on security best practices
Other (specify)Implement EDR\Deception\UBA\Network Analytics\XDR\other
FINAL ATTACK TIMELINE
Initial Compromise dateInsert date here
Initial Compromise > IdentificationIdentification > ContainmentContainment > EradicationEradication > Recovery
Time to concludeInsert time here
IdentificationContainmentEradicationRecovery
POINTS TO REPRODUCE
POINTS TO IMPROVEChallenge
Recommendation

Automated Incident Response with Cynet

Cynet provides a holistic solution for cybersecurity, including the Cynet Response Orchestration which can automate your incident response policy. Users can define automated playbooks, with pre-set or custom remediation actions for multiple attack scenarios. Cynet automated playbooks also help detect threats to ensure that you only implement a manual response when it is necessary.

Cynet Response Orchestration can address any threat that involves infected endpoints, malicious processes or files, attacker-controlled network traffic, or compromised user accounts.

Learn more about Cynet Response Orchestration.

Dive In

Ebook Free Download

Securing Your Organization’s Network on a Shoestring

How to protect your resource-constrained organization’s endpoints, networks, files and users without going bankrupt or losing sleep.

DOWNLOAD NOW
Ebook Free Download

Securing Your Organization’s Network on a Shoestring

How to protect your resource-constrained organization’s endpoints, networks, files and users without going bankrupt or losing sleep.

DOWNLOAD NOW
SOLUTION BRIEF

Automated Threat Discovery & Mitigation

Secure your all organizational assets with a single platform. Cynet 360 protects across all threat vectors, across all attack stages.

DOWNLOAD NOW
SOLUTION BRIEF

Automated Threat Discovery & Mitigation

Secure your all organizational assets with a single platform. Cynet 360 protects across all threat vectors, across all attack stages.

DOWNLOAD NOW
FREE TRIAL

Deploy Cynet in Minutes and Try it for 14 Days

Try Cynet’s easy-to-launch prevention, detection and response platform across your entire organization - free for 14 days!

START YOUR TRIAL