2. What is the ‘IR for management’ Presentation Template?
You are accountable for cyber security at your company. Sooner or later you’ll experience a security incident and conduct an IR process to detect, contain and recover. An important part of this process is communicating it to your management, both during the response itself and following its conclusion. While they are not necessarily security pros, they need full visibility into the event and its potential risk.
The ‘Incident Response (IR) for Management’ presentation template enables you to easily deliver clear and concise reporting on the incident’s status, nature and scope as well as on the overall IR process.
3. What is the ‘IR for management’ Presentation Template?
The template provides a concise reporting tool for each stage that includes a high-level status description and a business risk overview.
The template is purposely modular, enabling you to tailor it to your specific needs per the specific incident you manage.
4. What does the Template Include?
IDENTIFICATION
• Threat and Risk: what is the threat type, how was it detected and what is the potential risk
• Onward steps: who is the case manager, what are the investigation directions, budget request and estimated timeline
CONTAINMENT
• Root cause, scope, current status and onward steps
RECOVERY
• Listing all affected entities and their back-to-production rate
ERADICATION
• Interim: current status and onward steps
• Final: listing all removed threats, estimated attack objective and its success level
LESSONS LEARNED
• Overall damage, what enabled the attack, reflection on the previous IR process stages
5. How to Use the Template?
• The template is built from tables you need to fill in for your specific use case.
• You are free to split the parts into different sessions according to the incident type and severity – for example, a long investigation might justify several containment/eradication sessions, while a short 3-day investigation may result in one session from identification to lessons learned.
• There are a few places with free text. Be as concise as possible.
• This copy includes demo data to give you some reference. Of course, when you actually put it to use, make sure that all tables are blank and the demo data is removed.
• Remember this is just a template. Feel free to adjust, add or leave tables unused. You are the one who knows best what’s right for your organization and environment.
6. Identification – Threat and Risk
INCIDENT INVESTIGATION
Stage | Compromise | Privilege Escalation | Credential Theft | Lateral Movement | Data Access | Data Exfiltration
Threat | V | | | | |
Details (demo data) | SaaS account was compromised | Pass the Ticket | XXX server was accessed
THREAT DETECTION
Source | IN-HOUSE: Security Product Alert | IN-HOUSE: Security team proactive | 3RD PARTY
Details (demo data) | EDR raised a | Analyst spotted anomalous outbound traffic | FBI notification
POTENTIAL RISK
Free text in respect to the incident type.
Example: Detected lateral movement might indicate an active malicious presence in the environment as well as other compromised assets.
7. Identification – Onward Steps
THREAT TYPE
Case Manager | In-House: jjh | IR Service Provider: kkl (demo data)
DEDICATED BUDGET
Purpose | Sum
INVESTIGATION DIRECTIONS
Free text in respect to the incident type.
Example:
• Check if the compromised account has accessed sensitive resources
• Examine outbound communication from the infected endpoints
• etc.
ESTIMATED TIMELINE
8. Containment
ROOT CAUSE
Weaponized Email: v | Malicious website: x | Stolen credentials | Insider
THREAT TYPE
Scope | Count | Actions Taken
Number of compromised endpoints | 2 | Take offline
Number of compromised servers | 3 | Take offline
Number of compromised user accounts | 5 | Disable & Reset Password
Number of encrypted endpoints | | Reimage
Number of encrypted servers | | Reimage
Current Status: all discovered compromised entities are mitigated
Next Steps: investigate the attack’s scope
9. Eradication - Interim
INTERIM STATUS
| Mass Ransomware | Malware | Compromised User Accounts | Malicious Outbound Traffic
Malicious Activity Type | XXX endpoints encrypted | XXX instances | XXX accounts | XXX sessions to XXX addresses
Status | 54% back in production | 92% removed | 100% disabled and password reset | 100% blocked
NEXT STEPS
| Mass Ransomware | Malware | Compromised User Accounts | Malicious Outbound Traffic
Malicious Activity Type | XXX endpoints encrypted | XXX instances | XXX accounts | XXX sessions to XXX addresses
Status | Continue reimaging | | |
10. Eradication - Final
MALICIOUS INFRASTRUCTURE & ACTIVITY REMOVED
| Mass Ransomware | Malware | Compromised User Accounts | Malicious Outbound Traffic
Malicious Activity Type | XXX endpoints encrypted | XXX instances | XXX accounts | XXX sessions to XXX addresses
Status | 100% reimaged | 100% removed | 100% reset | 100% blocked
NEXT STEPS
| Details | Attack Success Rate
Data Theft | Insert info here | Insert info here
Extortion | |
Cryptomining | |
Banking Credentials Harvesting | |
Sabotage | |
Other (specify) | |
11. Recovery
| Disabled/non-available | Back to Production
Endpoints | Insert info here |
Servers | |
Apps | |
Cloud workloads | |
User accounts | |
Data | |
12. Lessons Learned
OVERALL ATTACK IMPACT
| Damage | Details
Man hours | Insert info here | Insert info here
Payment to 3rd party | |
Data loss | |
Computing charges for cloud provider | |
Production downtime | |
Fines (per respective regulation) | |
Attack Enablers | Recommendations
Lack of sufficient security technology | Implement EDR/Deception/UBA/Network Analytics/XDR/other
User insecure behavior | Train users on security best practices
Other (specify) | Implement EDR/Deception/UBA/Network Analytics/XDR/other
13. Lessons Learned
FINAL ATTACK TIMELINE
Initial Compromise date: Insert date here
Interval | Initial Compromise > Identification | Identification > Containment | Containment > Eradication | Eradication > Recovery
Phase concluded | Identification | Containment | Eradication | Recovery
Time to conclude | Insert time here | | |
| POINTS TO REPRODUCE | POINTS TO IMPROVE
Challenge | |
Recommendation | |
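The interim status percentages (slide 9) and the final attack timeline (slide 13) are the two places in the template where numbers have to be derived rather than typed in. The following script is an added example, not part of the template or of its author’s material: it rolls both up from a constructed inventory of affected entities and a constructed set of phase timestamps. Every record, field name, state name and timestamp below is made up for the illustration; the activity categories mirror the template’s columns.

```python
"""Added example: derive the 'Eradication - Interim' status row and the
'Final Attack Timeline' intervals from tracking data.  All data below is
constructed for the illustration; field and state names are assumptions."""
from datetime import datetime, timedelta

# Constructed inventory: one record per affected entity and its current
# remediation state (the state vocabulary is an assumption of this example).
INVENTORY = [
    {"id": "WS-01", "activity": "mass_ransomware", "state": "reimaged"},
    {"id": "WS-02", "activity": "mass_ransomware", "state": "reimaged"},
    {"id": "WS-03", "activity": "mass_ransomware", "state": "encrypted"},
    {"id": "SRV-01", "activity": "mass_ransomware", "state": "encrypted"},
    {"id": "WS-04", "activity": "malware", "state": "removed"},
    {"id": "WS-05", "activity": "malware", "state": "removed"},
    {"id": "SRV-02", "activity": "malware", "state": "present"},
    {"id": "user.a", "activity": "compromised_account", "state": "disabled_reset"},
    {"id": "user.b", "activity": "compromised_account", "state": "disabled_reset"},
    {"id": "203.0.113.10:443", "activity": "malicious_outbound", "state": "blocked"},
]

# Which state counts as "done" for each column of the template's interim table.
DONE_STATES = {
    "mass_ransomware": {"reimaged"},          # reported as "back in production"
    "malware": {"removed"},
    "compromised_account": {"disabled_reset"},
    "malicious_outbound": {"blocked"},
}

# Constructed phase timestamps for the final attack timeline.
TIMESTAMPS = {
    "initial_compromise": datetime(2024, 3, 1, 8, 0),
    "identification": datetime(2024, 3, 4, 9, 30),
    "containment": datetime(2024, 3, 4, 15, 30),
    "eradication": datetime(2024, 3, 7, 12, 0),
    "recovery": datetime(2024, 3, 10, 12, 0),
}
PHASES = ["initial_compromise", "identification", "containment", "eradication", "recovery"]


def interim_status(inventory):
    """Return {activity: (total, done, percent_done)} for the interim status row."""
    result = {}
    for activity, done_states in DONE_STATES.items():
        rows = [r for r in inventory if r["activity"] == activity]
        done = sum(1 for r in rows if r["state"] in done_states)
        percent = round(100 * done / len(rows)) if rows else 0
        result[activity] = (len(rows), done, percent)
    return result


def phase_durations(timestamps):
    """Return {'<from> > <to>': timedelta} for each consecutive pair of recorded phases.
    A phase recorded before its predecessor is a data-entry error and is rejected."""
    durations = {}
    for earlier, later in zip(PHASES, PHASES[1:]):
        if earlier in timestamps and later in timestamps:
            if timestamps[later] < timestamps[earlier]:
                raise ValueError(f"{later} is recorded before {earlier}")
            durations[f"{earlier} > {later}"] = timestamps[later] - timestamps[earlier]
    return durations


def render_report(inventory, timestamps):
    """Produce the plain-text lines a reporter would paste into the two slides."""
    lines = ["INTERIM STATUS"]
    for activity, (total, done, percent) in interim_status(inventory).items():
        lines.append(f"{activity}: {done}/{total} ({percent}%)")
    lines.append("FINAL ATTACK TIMELINE")
    for interval, delta in phase_durations(timestamps).items():
        lines.append(f"{interval}: {delta}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(INVENTORY, TIMESTAMPS))
```

Percentages are rounded to whole numbers, matching the granularity of the template’s demo values; the ordering check in `phase_durations` catches the common mistake of a containment time entered before the identification time, which would otherwise silently produce a negative interval on the slide.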