Incident Response Services Template - Cisco Security
•
2 j'aime•11,238 vues
When responding to a security incident, communication is perhaps one of the most important, and yet, most overlooked aspects. This Cisco Security Incident Response Services Template has been used and refined for a number of years now in both Fortune 100 companies as well as with all of our Cisco Security Incident Response Services customers. Learn more about incident response communications here: https://blogs.cisco.com/security/incident-response-fundamentals-communication
![Note: Updated information is shaded in GREEN, and completed actions are struck through.
Date/Time Incident Reported: 2017-09-06
Update Date & Time: 2017-10-16 10:30 EST
Next Update: 2017-10-20 09:00 EST
CSIRS Team Members:
Sean Mason, Director of Incident Response
Jimmy Choo, Senior Incident Response Analyst
Kanye West, Senior Incident Response Analyst
CSIRS Team Contact Email: Email alias
Latest Update
[List key elements leadership needs to know to stay informed and make business decision]
Current Impact
[Identify impact to the business]
Areas of Concern
Challenge Impact Resolved
Example: Delay in receiving
documentation for IP scopes and
network architecture
Knowledge of the network will be reduced
Example: DNS Logging is not available
from InfoBlox
Traffic going out to malicious websites is not
being immediately identified and blocked
Action Items
Action Status Owner Requested Completed
Initiate Scoping Call Complete J. Choo 2017-10-13 2017-10-13
Network Access Complete J. Choo 2017-10-13 2017-10-14
Collect DNS logs Incomplete K. West 2017-10-13
Provide memory images of impacted
hosts
In Progress K. West 2017-10-13
Provide disk images of impacted hosts Complete K. West 2017-10-13 2017-10-17](https://image.slidesharecdn.com/ciscosecurityincidentresponseservicestemplate-170922110702/85/Incident-Response-Services-Template-Cisco-Security-1-320.jpg)
![Provide IP ranges and network diagrams In Progress Network
Team
2017-10-13
Analyze disk images Not Started J. Choo, K.
West
Block remote IP on perimeter devices Complete Firewall
Team
2017-10-14 2017-10-18
Provide IPs/Hosts/IOCs identified in
analysis
Ongoing J. Choo, K.
West
2017-10-18
Intelligence Summary
[Latest information on threat intelligence related to the incident]
Current Recommendations
[Documented discoveries and recommendations]
Previous Incident Summaries
[Additional information from previous updates]
Appendix
Incidents are a fluid situation and we cannot always definitely state findings with 100% confidence. As
such, throughout the report, CSIRS may utilize phrases and terms such as the below which are based on
years of experience and knowledge, and are used as a guide to understand our level of confidence in our
speculation.
Phrase Estimated Confidence %
Low Confidence / Possible / Unlikely <35%
Moderate Confidence / Possible / Likely 35%-69%
High Confidence / Highly Probably / Highly Likely >70%](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)
Recommandé
Contenu connexe
Tendances
Tendances (20)
Similaire à Incident Response Services Template - Cisco Security
Similaire à Incident Response Services Template - Cisco Security (20)
Plus de Cisco Security
Plus de Cisco Security (20)
Dernier
Dernier (20)
Incident Response Services Template - Cisco Security
- 1. Note: Updated information is shaded in GREEN, and completed actions are struck through. Date/Time Incident Reported: 2017-09-06 Update Date & Time: 2017-10-16 10:30 EST Next Update: 2017-10-20 09:00 EST CSIRS Team Members: Sean Mason, Director of Incident Response Jimmy Choo, Senior Incident Response Analyst Kanye West, Senior Incident Response Analyst CSIRS Team Contact Email: Email alias Latest Update [List key elements leadership needs to know to stay informed and make business decision] Current Impact [Identify impact to the business] Areas of Concern Challenge Impact Resolved Example: Delay in receiving documentation for IP scopes and network architecture Knowledge of the network will be reduced Example: DNS Logging is not available from InfoBlox Traffic going out to malicious websites is not being immediately identified and blocked Action Items Action Status Owner Requested Completed Initiate Scoping Call Complete J. Choo 2017-10-13 2017-10-13 Network Access Complete J. Choo 2017-10-13 2017-10-14 Collect DNS logs Incomplete K. West 2017-10-13 Provide memory images of impacted hosts In Progress K. West 2017-10-13 Provide disk images of impacted hosts Complete K. West 2017-10-13 2017-10-17
- 2. Provide IP ranges and network diagrams In Progress Network Team 2017-10-13 Analyze disk images Not Started J. Choo, K. West Block remote IP on perimeter devices Complete Firewall Team 2017-10-14 2017-10-18 Provide IPs/Hosts/IOCs identified in analysis Ongoing J. Choo, K. West 2017-10-18 Intelligence Summary [Latest information on threat intelligence related to the incident] Current Recommendations [Documented discoveries and recommendations] Previous Incident Summaries [Additional information from previous updates] Appendix Incidents are a fluid situation and we cannot always definitely state findings with 100% confidence. As such, throughout the report, CSIRS may utilize phrases and terms such as the below which are based on years of experience and knowledge, and are used as a guide to understand our level of confidence in our speculation. Phrase Estimated Confidence % Low Confidence / Possible / Unlikely <35% Moderate Confidence / Possible / Likely 35%-69% High Confidence / Highly Probably / Highly Likely >70%