
RA6001: Develop Incident Report

Summary

ID: RA6001
Brief Description: Develop the incident report
Author: @atc_project
Creation Date: 2019/01/31
References:
Response Stage: Lessons Learned

Description

Develop the Incident Report using your corporate template.

It should include:

  1. Executive Summary with a short description of damage, actions taken, root cause, and key metrics (Time To Detect, Time To Respond, Time To Recover, etc.)
  2. Detailed timeline of adversary actions mapped to ATT&CK tactics (you can use the Kill Chain, but most of the actions will most probably fall into the Actions On Objective stage, which is not very representative or useful)
  3. Detailed timeline of actions taken by Incident Response Team
  4. Root Cause Analysis and Recommendations for improvements based on its conclusion
  5. List of specialists involved in Incident Response with their roles
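
The sketch below is an added example, not part of the original playbook: it builds the ATT&CK-mapped adversary timeline from item 2 and derives the key metrics from item 1 out of the two timelines. The sample events, host names, milestone labels (`detected`, `contained`, `recovered`) and the metric definitions are assumptions made for illustration; use the definitions from your corporate template.

```python
from datetime import datetime

# ATT&CK Enterprise tactic names, used to reject unmapped timeline entries.
TACTICS = {
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion",
    "Credential Access", "Discovery", "Lateral Movement", "Collection",
    "Command and Control", "Exfiltration", "Impact",
}

# Constructed sample data: (timestamp, ATT&CK tactic, adversary action).
ADVERSARY = [
    ("2019-01-28T09:12", "Initial Access", "Phishing attachment opened on WS-042"),
    ("2019-01-28T09:15", "Execution", "Macro launched a script interpreter"),
    ("2019-01-28T11:40", "Credential Access", "Credentials dumped from memory"),
    ("2019-01-29T02:05", "Lateral Movement", "Remote logon to FS-01"),
]
# Constructed sample data: (timestamp, milestone or None, response action).
RESPONSE = [
    ("2019-01-29T14:30", "detected", "SOC confirmed the alert as an incident"),
    ("2019-01-29T15:10", None, "Memory image of WS-042 collected"),
    ("2019-01-29T16:00", "contained", "WS-042 and FS-01 isolated"),
    ("2019-01-30T18:30", "recovered", "Hosts rebuilt and returned to service"),
]

def ts(s):
    return datetime.fromisoformat(s)

def adversary_timeline(events):
    """Chronological report lines; fails on a tactic that is not in ATT&CK."""
    unknown = sorted({t for _, t, _ in events if t not in TACTICS})
    if unknown:
        raise ValueError(f"not an ATT&CK tactic: {unknown}")
    return [f"{w}  [{t}]  {a}" for w, t, a in sorted(events, key=lambda e: ts(e[0]))]

def key_metrics(adversary, response):
    """Assumed definitions; align them with your corporate template."""
    first = min(ts(w) for w, _, _ in adversary)
    mark = {m: ts(w) for w, m, _ in response if m}
    return {
        "Time To Detect": mark["detected"] - first,
        "Time To Respond": mark["contained"] - mark["detected"],
        "Time To Recover": mark["recovered"] - mark["detected"],
    }

if __name__ == "__main__":
    print("\n".join(adversary_timeline(ADVERSARY)))
    for name, delta in key_metrics(ADVERSARY, RESPONSE).items():
        print(f"{name}: {delta}")
```

A missing milestone in the response timeline raises `KeyError`, which flags a gap in the record before the metric goes into the Executive Summary.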