Getty Images/iStockphoto
How to write a useful cybersecurity incident report
Reacting to a cybersecurity event is just half the battle. An incident report can help companies understand why the attack occurred and how to avoid future security issues.
A cybersecurity incident report is an essential document that helps executives, managers and stakeholders understand what happened during a cybersecurity event.
A typical report outlines what occurred, provides an analysis of the incident and defines steps to prevent future events. At minimum, the report should answer who, what, where, when and why. The CISO or security operations center (SOC) team determines how detailed the report should be.
Let's examine what goes into a report and how to write one. The accompanying template can be used as a starting point to create your organization's own report.
Key components of an incident report
As with any kind of technology disruption -- or even a help desk inquiry that escalates into something more serious -- once a cybersecurity incident has been addressed and consequences mitigated, it is time to prepare a report that answers the following questions:
| Questions to answer in report | Details to include |
| What actually happened? | Provide a clear description of the event, e.g., a ransomware attack. |
| When did the event happen (time of day, date)? | Provide the exact date and time the attack was detected. |
| Who was involved in responding to the event? | List the SOC team members who were directly involved in responding to the attack, identifying the malware and quarantining it, and neutralizing it. |
| What was the initial response? | Describe how the malware was identified and triaged to prevent it from causing further damage. |
| What was the initial assessment? | Provide an initial description of the event, based on data from the above systems and other security monitoring systems. |
| What technology assets were impacted? | List the technology assets, e.g., servers, storage, end-user devices, network devices and network services, affected. |
| What happened to the impacted assets? | Describe what happened to the affected assets, e.g., corrupted data, damaged systems and assets locked by ransomware. |
| How was the organization affected? | Describe how the organization's ability to perform its operations was impacted, e.g., data corruption, systems locked with a ransom note; and inability to handle customer inquiries or manufacture products. |
| Why did the attack happen? | Information from security systems post-event might shed light on how and where system vulnerabilities were exploited. |
| What steps were used to address and mitigate the attack? | Describe how the attack was confined, quarantined, sandboxed and analyzed by security tools so that an appropriate mitigation could be identified and launched. |
| What were the results of the actions taken? | Describe if the primary mitigation steps worked successfully, and if they did not, what alternate steps had to be taken and the results. |
| How was the organization able to bounce back and return to normal? | Describe how quickly the company was able to adapt to the event and return to normal operations, and if not, what alternate recovery measures were put into effect. |
| How could the event have been prevented? | Using data from the security systems and breach and attack simulation and/or penetration tests, provide an analysis of how the event could have been anticipated and prevented. |
| What can be done to prevent future occurrences? | Using data from the above resources, define steps that can reduce the likelihood of future occurrences. Risk, threat and vulnerability assessments are also advisable. |
| What other lessons were learned from the experience? | Describe any additional circumstances that might have helped identify the risks earlier, establish stronger prevention measures, update security platforms and increase employee awareness of the risks. |
While it's helpful to have the data available needed to write a cybersecurity incident report, it's more important to keep a successful attack from occurring. Consider the following activities:
- Identify the data, systems and networks most at risk to ensure they can be protected.
- Manage asset inventories to ensure no rogue devices are connected.
- Regularly update security systems through patching and other updates.
- Perform vulnerability tests using breach and attack simulation (BAS) systems and penetration testing.
- Have the SOC team attend regular training on cybersecurity techniques and technologies.
- Test cyberattack procedures regularly to ensure teams know their roles.
How to write a cybersecurity incident report
Numerous report structures and frameworks have been developed over the years by organizations, such as the SANS Institute and NIST. IT departments might also have their own formats for writing post-event reports, including cybersecurity. Conducting a basic search will turn up dozens of templates. Some security platforms include their own report-writing functions.
How to use the cybersecurity incident report template
This template maps to the steps established in the table. It is designed to accommodate additional data, such as data provided by security platforms, and any other granularities the CISO might require.
Using the above table as an example -- and as a backdrop the process of creating an audit report -- follow these steps to prepare a cybersecurity incident report:
- Review the event with employees directly involved to gather initial information and unique insights based on their expertise.
- Gather all relevant data from security platforms, including pre-event monitoring data, BAS reports, initial detection and analysis, how/where the event was contained, how the event was diagnosed and processes launched to secure the event and neutralize it.
- Discuss the event from a business perspective with business unit leaders affected by the attack, senior company management and senior IT leadership.
- Discuss the data gathered, plus assumptions presented by SOC team members and the author's personal perspectives, with the CISO, if possible, to ensure the report is consistent with company good practices.
- Select a report format, whether it's an internal company model, a third-party template or a system-based report generating tool.
- Prepare a draft report, keeping it as accurate and detailed as needed. Do not include opinions.
- Submit the draft report to the CISO, CIO and others for comment.
- Update the report with comments, edit and finalize it. Submit it through the proper channels.
- If the report contains recommendations for improving security measures or other activities, consider entering a proposed timeframe for remediation of the issues identified and schedule a follow-up meeting to ensure recommended actions have been performed.
- Submit a follow-up report to management as appropriate.
Paul Kirvan is an independent consultant, IT auditor, technical writer, editor and educator. He has more than 25 years of experience in business continuity, disaster recovery, security, enterprise risk management, telecom and IT auditing.
