Start Now

In this article

Ultimate Incident Response Template to Present Incident Response Activity to Management


November 29, 2019
Last Updated: September 9, 2024
Share on:

Incident Response Report Sections

Below is a full incident response report template, with fields you can easily fill in to report to your management about incident response activities. 

Cynet’s Managed Detection and Response (MDR) service, CyOps, manages incident response for thousands of organizations, and the template is based on our extensive experience. 

How to Use the Template

Here is how to use our template to create your incident report for management:

  • The template is built from tables you need to fill up in respect to your specific use case.
  • For prolonged investigations or incidents with many details, you can provide several reports, each covering a certain part of the incident investigation, each with its own threat and risk, containment, eradication and lessons learned.
  • When entering free text, please be as concise as possible

Tips From the Expert

In my experience, here are tips that can help you maximize the effectiveness of your incident response reports:

  1. Incorporate attack chain mapping
    Use frameworks like MITRE ATT&CK to map the incident to specific tactics, techniques, and procedures (TTPs). This allows stakeholders to understand how the attack progressed, and helps in pinpointing where defenses failed.
  2. Use visual timelines
    Provide a visual timeline of the incident from initial compromise to recovery. This helps management quickly grasp the incident’s progression and the speed of the response, and can be valuable for post-incident review.
  3. Identify specific control gaps
    Go beyond generic recommendations and identify specific control gaps that enabled the incident. For example, point out where outdated patch management processes or insufficient network segmentation contributed to the attack.
  4. Quantify the effectiveness of containment measures
    Measure and report on how effective containment measures were, such as “X% of infected systems isolated within Y minutes.” This quantification helps management evaluate the team’s performance and preparedness.
  5. Provide real-time incident insights during ongoing investigations
    For prolonged incidents, issue interim reports to management with updates on investigation progress, evolving threats, and the success of response efforts. This keeps stakeholders informed and reduces uncertainty.

Eyal Gruner is the Co-Founder and CEO of Cynet. He is also Co-Founder and former CEO of BugSec, Israel’s leading cyber consultancy, and Versafe, acquired by F5 Networks. Gruner began his career at age 15 by hacking into his bank’s ATM to show the weakness of their security and has been recognized in Google’s security Hall of Fame.

1. Threat and Risk

Specify what happened in the incident, how you detected the threat, and the potential risk.

INCIDENT INVESTIGATION
Compromise Privilege Escalation Credential Theft Lateral Movement Data  Access Data Exfiltration
Threat V
Details SaaS account was compromised Pass the Ticket – XXX server was accessed

 

THREAT DETECTION
IN-HOUSE 3RD PARTY
Security Product Alert Security Team Proactive
Details EDR raised an alert Analyst spotted anomalous outbound traffic FBI notification
POTENTIAL RISK
Free text explaining the type of incident
Example: Detected lateral movement might indicate an active malicious presence in the environment as well as other compromised assets

Looking to automate
incident response?

Cynet is the Leading All-In-One Security Platform

  • 24/7 Managed Detection and Response
  • Security Automation, Orchestration and Response (SOAR)
  • Full-Featured EDR and NGAV

Achieved 100% detection in 2023

review stars

Rated 4.8/5

review stars

2024 Leader

2. Investigation Next Steps

Indicate who is managing the incident, whether there is a dedicated budget for responding or remediating the threat, and explain the next steps in the incident investigation process.

THREAT TYPE
In-House IR Service Provider
Case Manager
DEDICATED BUDGET
Purpose Sum
INVESTIGATION DIRECTIONS
Free text in respect to the incident type

Example:

  • Check if the compromised account has accessed sensitive resources
  • Examine outbound communication from the infected endpoints
  • etc.
ESTIMATED TIMELINE

3. Containment

Discuss which part of the environment was penetrated, and what was done to contain the damage.

ROOT CAUSE
Weaponized Email v
Malicious website x
Stolen credentials
Insider
THREAT TYPE
Scope Actions Taken
Number of compromised endpoints 2 Take offline
Number of compromised  servers 3 Take offline
Number Compromised user accounts 5 Disable & Reset Password
Number of encrypted  endpoints Reimage
Number of encrypted servers Reimage
Current Status all discovered compromised entities are mitigated
Next Steps investigate the attack’s scope

 

4. Eradication

Specify what was done, or planned to be done, to remove the threat in the interim phase, how it will be eradicated for good, and the success rate of different types of attacks conducted as part of the incident.

Interim Eradication

INTERIM STATUS
Mass Ransomware Malware Compromised User Accounts Malicious Outbound  Traffic
Malicious Activity Type XXX endpoints encrypted XXX instances XXX accounts XXX sessions to XXX addresses
Status 54% back in production 92% removed 100% disabled and password reset 100% blocked
NEXT STEPS
Mass Ransomware Malware Compromised User Accounts Malicious Outbound  Traffic
Malicious Activity Type XXX endpoints encrypted XXX instances XXX accounts XXX sessions to XXX addresses
Status Continue reimaging

Final Eradication Plan

MALICIOUS INFRASTRUCTURE & ACTIVITY REMOVED
Mass Ransomware Malware Compromised User Accounts Malicious Outbound  Traffic
Malicious Activity Type XXX endpoints encrypted XXX instances XXX accounts XXX sessions to XXX addresses
Status 100% reimaged 100% removed 100% reset 100% blocked
ATTACK DETAILS AND SUCCESS RATE
Details Attack Success Rate
Data Theft Insert info here Insert info here
Extortion
Cryptomining
Banking Credentials Harvesting
Sabotage
Other (specify)

 

5. Recovery

Explain your plan for returning affected endpoints, servers, apps, and other organizational assets to production.

Disabled/non available Back to Production
Endpoints Insert info here
Servers
Apps
Cloud workloads
User accounts
Data

 

Looking to automate
incident response?

Cynet is the Leading All-In-One Security Platform

  • 24/7 Managed Detection and Response
  • Security Automation, Orchestration and Response (SOAR)
  • Full-Featured EDR and NGAV

Achieved 100% detection in 2023

review stars

Rated 4.8/5

review stars

2024 Leader

6. Lessons Learned

Summarize the incident – what was the impact on the organization, what were the root causes that allows the attack to happen, the final timeline of the incident, and most importantly – what went well in the incident management process and what needs to be improved next time.

OVERALL ATTACK IMPACT
Damage Details
Man hours Insert info here Insert info here
Payment to 3rd party
Data loss
Computing charges for cloud provider
Production downtime
Fines (per respective regulation)
Attack Enablers Recommendations
Lack of sufficient security technology Implement EDR\Deception\UBA\Network Analytics\XDR\other
User insecure behavior Train users on security best practices
Other (specify) Implement EDR\Deception\UBA\Network Analytics\XDR\other
FINAL ATTACK TIMELINE
Initial Compromise date Insert date here
Initial Compromise > Identification Identification > Containment Containment > Eradication Eradication > Recovery
Time to conclude Insert time here
Identification Containment Eradication Recovery
POINTS TO REPRODUCE
POINTS TO IMPROVE Challenge
Recommendation

Automated Incident Response with Cynet

Cynet provides a holistic solution for cybersecurity, including the Cynet Response Orchestration which can automate your incident response policy. Users can define automated playbooks, with pre-set or custom remediation actions for multiple attack scenarios. Cynet automated playbooks also help detect threats to ensure that you only implement a manual response when it is necessary.

Cynet Response Orchestration can address any threat that involves infected endpoints, malicious processes or files, attacker-controlled network traffic, or compromised user accounts.

Learn more about Cynet Response Orchestration.

How would you rate this article?

Let’s get started!

Ready to extend visibility, threat detection and response?

Get a Demo

Search results for: