When handling a large-scale intrusion, incident responders often struggle with obtaining and organizing the intelligence related to the actions taken by the intruder and the targeted organization. Examining all aspects of the event and communicating with internal and external constituents is quite a challenge in such strenuous circumstances.
The following template for a Threat Intelligence and Incident Response Report aims to ease this burden. It provides a framework for capturing the key details and documenting them in a comprehensive, well-structured manner.
This template leverages several models in the cyber threat intelligence (CTI) domain, such as the Intrusion Kill Chain, Campaign Correlation, the Courses of Action Matrix and the Diamond Model. The use of these frameworks helps guide threat intelligence gathering efforts and inform incident response actions.
If you’re not familiar with this approach, read the papers Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains and The Diamond Model of Intrusion Analysis. This methodology is discussed in depth in the SANS Institute course FOR578: Cyber Threat Forensics.
Read the following explanation to understand the template’s structure and methodology, so you can start learning how to use it.
Structure of the Report
The Threat Intelligence and Incident Response Report describes the actions taken by the adversary and the incident responder in the context of a large-scale intrusion. If relevant, it also references other intrusions that might comprise the larger campaign. The template below includes the following sections:
- The Adversary’s Actions and Tactics: Making use of the Diamond Model methodology, this section asks the report author to describe the 4 key elements of the intrusion: the adversary itself, the infrastructure used as part of the attack, adversary’s capabilities and the victim. The template invites the report author to categorize these attributes according to the 7 phrases of the malicious activities that comprise the intrusion kill chain.
- Courses of Action During Incident Response: Building upon the Courses of Action Matrix, this section asks the report author to describe the activities that the organization performed when responding to the intrusion. The template presents tips related to capturing the following types actions: Discover, detect, deny, disrupt, degrade, deceive and destroy. It provides placeholders for filling in details for these actions with respect to the applicable stages of the intrusion kill chain.
- Intrusion Campaign Analysis: This section gives the report author the opportunity to document the relationship between the intrusion and other incidents that, when taken together, form a campaign. The template offers guidance for capturing the indicators and behaviors shared across the intrusions within the campaign. It leaves room for outlining the commercial, geopolitical or other factors that might have motivated the adversary’s activities.
Using the Report Template
The Threat Intelligence and Incident Response Report template is comprehensive. As the result, creating a report on its basis requires rigor and patience, though not all sections of the template are applicable to all situations.
Utilizing the template requires the report author to understand the above-mentioned threat intelligence frameworks, which include:
- The Intrusion Kill Chain framework defines 7 consecutive stages through which adversaries must progress to achieve their intrusion objectives. Interfering with any phase of the chain allows the defender to fend off the adversary.
- The Courses of Action matrix overlays the kill chain’s phases over 6 types of defensive actions that incident responders can take to break the chain. The defenders’ actions are based on the information available to them about each stage in the chain.
- The Diamond Model establishes 4 characteristics that incident responders can use to describe the intrusion. Each characteristic can be explained in terms of the kill chain’s phases to provide a comprehensive narrative of malicious actions and their effects.
The template should be used as a guide to help ensure that the incident responder:
- Addresses all relevant aspects of the intrusion;
- Is able to describe the adversary’s tactics, techniques and procedures; and
- Can explain the actiona taken to defend against the adversary when responding to the intrusion.
Download the Report Template
The template is distributed according to the Creative Commons Attribution license (CC BY 4.0), which basically allows you to use it in any way you wish, including commercial purposes, as long as you credit me for the creation of the template.
If you have experience with responding to large-scale intrusions and with producing and utilizing cyber threat intelligence, please share feedback regarding this template to help improve it.