Incident Report Issue: 1.0 Issue Date: September 12, 2017

Transcription

1 Incident Report Issue: 1.0 Issue Date: September 12, 2017

2 Copyright 2017 Independent Electricity System Operator. Some Rights Reserved. The following work is licensed under the Creative Commons Attribution 4.0 International License. Under the terms of this license, you are permitted to: Share copy and redistribute the material in any medium or format Adapt remix, transform, and build upon the material for any purpose, even commercially. The IESO as licensor cannot revoke these freedoms as long as you follow the following license terms: Attribution You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use. To view a copy of this license, visit Date: mm/dd/yyyy 1 of 4

3 1. Incident Information L1 (MSSP) Incident # HP Service Manager Incident# Incident Name Incident Severity Incident Category Impact Detecting System Department Impacted Handlers Involved 2. Incident Summary The incident summary should provide a high level summary of the incident that is in language that is accessible at the executive level. 3. Incident Timeline The incident summary should provide a detailed timeline of events, commencing with the time of the initial alert and all subsequent actions taken by the Security Operations Centre, and all involved parties should be detailed in the incident timeline, including actions that were ineffective or otherwise did not contribute to the successful resolution of the incident, but were undertaken as part of the incident response effort. 4. Proximal Cause The proximal cause should detail any events that were of close proximity to the incident, or immediately responsible for causing the incident. 5. Root Cause The root cause should clearly outline any event(s) that have been confirmed to have caused the incident, in addition to identifying the key controls that failed to detect and prevent the compromise throughout the attack lifecycle. Date: mm/dd/yyyy 2 of 4

4 6. Contributory Cause The contributory cause should outline any additional events that may have contributed to the incident, but are not considered the root cause. 7. Identified Issues and Action Items 7.1. Identified Issue # Description A description of the issue identified with the response scenario should be clearly stated here in one to three sentences Action Items Description Responsible Priority Target Employee Completion Clear action items assigned to specific individuals should be called out to ensure this issue is not repeated in the future. YYYY-MM-DD 7.2. Identified Issue # Description Example: The networking team was unable to successfully quarantine the infected hosts and move them to an isolated VLAN for further investigation by the SOC Action Items Description Responsible Priority Target Employee Completion Example: Networking team to create a dedicated isolated VLAN that can only be accessed by the SOC for remote evidence collection and analysis. John P (Network Engineering) YYYY-MM-DD Example: Security Operations team to test access to the isolated VLAN using their analysis machine and ensure their remote collection tools can be executed safely and effectively. Rico C (Security Operations) 8. Techniques, Tactics, Procedures & Intelligence Record any new attacker TTPs identified during this incident that can be leveraged for future detection or by the threat intelligence team to monitor and profile attackers who have successfully interacted with the Northwell environment. Date: mm/dd/yyyy 3 of 4

5 Domain Name Protocol/Port URL Path IP Addresses Associated Protocols/Ports Filename File Size (bytes) MD5 Other 9. Lessons Learned A succinct summary of the lessons learned during the incident response should be clearly stated here. Date: mm/dd/yyyy 4 of 4

6 10. Participants Name Role Provided Input Attended Meeting <Security Director Name> <Security Manager Name> <Security Analyst Name> <Security Analyst Name> Director, Security Operations Security Operations Program Lead IR Specialist IR Analyst 11. Review and Approval Name Role Date YYYY-MM-DD <Security Director Name> Director, Security Operations Date: mm/dd/yyyy 5 of 4