What Should a Cybersecurity Report Contain?

What should a cyber security incident report contain?

In the next issue I will refer to a subject, which is becoming a real problem in companies today.

I would like to go deeper into the minimum elements that a cybersecurity incident report should contain, which can be shared with the directory, technical teams, suppliers, partners, auditors and even the community.

First we must understand that information has different states (availability, integrity, confidentiality including non-reputation), and different levels of criticality (critical, high, medium, low) during the course of an incident, so we must be meticulous to share it in the best possible way.

Also that among the thousands of different types of incidents, there are different information that we can obtain quickly and some that require investigation, ergo not all the reports contain the same fields, since it depends on the attack, different IOCs will be added, so I will try to standardize a minimum basis, based on the good practices of the world of CERTs (Computer Emergency Response Team).

Therefore it is key at the moment of sharing information to label it so that it has the appropriate safeguards. An ideal model would look like this:

Traffic Light Protocol (TLP)

Traffic Light Protocol (TLP) is a scheme created to encourage better exchange of sensitive (but unclassified) information in the field of information security. Through this scheme, in an agile and simple way, the author of information can indicate to what extent the information can circulate beyond the immediate recipient, and the latter must consult the original author when the information needs to be distributed to third parties.

TLP:RED

This should be used when information is limited to specific individuals, and could impact privacy, reputation, or operations if misused. Recipients should not share information designated as TLP:RED with any third party outside the scope of where it was originally posted.

TLP:AMBER

This should be used when information requires limited distribution, but poses a risk to privacy, reputation, or operations if shared outside the organization.Recipients may share TLP:AMBER information only with members of their own organization who need to know it, and with customers, suppliers or partners who need to know it to protect themselves or prevent harm. The sender can specify additional restrictions for sharing this information.

TLP:GREEN

When the information is useful to all participating organizations, as well as to others in the community or industry. Recipients may share TLP:GREEN information with affiliated organizations or members of the same industry, but never through public channels.

TLP:WHITE

This should be used when the information does not pose any risk of misuse, within the rules and procedures established for its public dissemination. TLP:WHITE information can be distributed without any restrictions, subject to copyright controls¹.

Then, already knowing the report we will develop, will have an associated TLP, which rightly means with whom it will be shared.

I present you some ideas of the minimum components that should have a report that is shared, and that is what summons us:

• Executive Summary

{An excerpt from the event intended to be read and understood simply}

• Technical Summary

{Permit yourself to write the chronology, and the relevant events that happened }

• IOC (Indicator of compromise)

{In this area you must add the compromise indicators obtained from the malware samples or others}

• IP (Internet Protocol)

{In this area you must add the indicators of commitment at the level of IP}

• Domains

{In this zone you must add the commitment indicators at the level of Domains and Subdomains}

• Email

{In this area you must add the commitment indicators to mailboxes only}

• HASH MD5

{In this zone you must add the commitment indicators at MD5 level } How to get it in Linux? md5sum file1.txt

• HASH SHA-256

{In this zone you must add the commitment indicators at MD5 level } How to get it in Linux? sha256sum file1.txt

• IOA (Indicator of attack)

{All information collected based on the Cyber Kill Chain}

• Impact

{Impact associated with the incident?}

• Risk

{Business risks associated with the incident?}

• Actions taken / Recommendations

{What was done, or what should be done, depending on whether it's a preventive report or }

• Sources

{Where did you get the information?}

• Versioning

{Document changes are vital ,detail who modified the document, when and what change}

Conclusion

Communication and documentation is key to incident management, as it allows timely sharing of information. Information must be tagged according to the TLP to prevent leaks or important information from ending up in the wrong hands.

An incident report must contain the minimum components seen today, in order to be usable, and this is what we are looking for in the CSIRTs in different parts of the world, where we all collaborate to make the Internet safer.

---

References:

1. Source Incibe: https://www.incibe-cert.es/tlp