Some of the points you get in cyber competitions come from documentation. Being able to communicate what is happening, or keep track of it, while dealing with the task at hand takes some practice. Luckily, when you have a great team where everyone shares the responsibilities and practices communication, this can be achieved.
To keep it short and simple, I keep a log of incidents in a 5Ws format with a timeline and a summary.
Basically I just had a template: I used some of my military OPS experience and came up with this.
Who: <person involved or department>
What: <What kind of incident took place>
When: <Date-Time Group (DTG) of the incident>
Where: <Location where it happened>
Why: <What led to this event> example: while checking processes I discovered an IOC (indicator of compromise), which was <indicator of compromise here>, and decided to follow it up:
Timeline: At 050900JAN23 the computer was showing a high CPU number compared to the baseline of XXXXX and I decided to investigate:
Continue with the timeline until incident is closed.
Summary:
1 x attempt to hack by using stolen credentials
0 x Computers breached or damaged
That example above is what I basically used in competition to stay in the fight while documenting everything at the same time. Just keep the timeline going and take screenshots with whatever program you have for that. If you are on a headless box (no GUI), you might as well use a phone or a camera to take pictures, and keep everything in a .txt file.
Each company will have its own way to document stuff. I just like to keep it stupid and simple and use my own military experience to stay as organized as possible while in the fight.
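Here is the same template as a small script, added as an example for this post (it is not the author's own tooling). It keeps the Who/What/When/Where/Why fields, a timeline stamped in the military date-time group (DTG) format the post uses (050900JAN23), an optional evidence file per entry, and the summary counts, and it writes everything to a plain .txt file. The DTG parser rejects typos instead of silently corrupting the timeline, and entries are sorted so you can type them in any order during the fight. All names and the sample incident values are constructed placeholders.

```python
"""5Ws incident log kept as a plain .txt file (added example, not from the post)."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Tuple

# Month abbreviations in DTG order; list index + 1 is the month number.
MONTHS = ["JAN", "FEB", "MAR", "APR", "MAY", "JUN",
          "JUL", "AUG", "SEP", "OCT", "NOV", "DEC"]
# DDHHMM + three-letter month + two-digit year, e.g. 050900JAN23
DTG_RE = re.compile(r"^(\d{2})(\d{2})(\d{2})([A-Z]{3})(\d{2})$")


def parse_dtg(dtg: str) -> datetime:
    """Turn a DTG like 050900JAN23 into a datetime; reject anything malformed."""
    m = DTG_RE.match(dtg.strip().upper())
    if not m or m.group(4) not in MONTHS:
        raise ValueError(f"bad DTG {dtg!r}; expected DDHHMMMONYY, e.g. 050900JAN23")
    day, hour, minute, mon, yy = m.groups()
    # datetime() itself raises ValueError for impossible values such as 30FEB.
    return datetime(2000 + int(yy), MONTHS.index(mon) + 1,
                    int(day), int(hour), int(minute))


def format_dtg(ts: datetime) -> str:
    """Inverse of parse_dtg: 2023-01-05 09:00 -> 050900JAN23."""
    return f"{ts:%d%H%M}{MONTHS[ts.month - 1]}{ts:%y}"


def is_valid_dtg(dtg: str) -> bool:
    """True if the string is a well-formed DTG naming a real date and time."""
    try:
        parse_dtg(dtg)
        return True
    except ValueError:
        return False


@dataclass
class Incident:
    who: str
    what: str
    when: str          # DTG of the first observation
    where: str
    why: str
    timeline: List[Tuple[datetime, str, Optional[str]]] = field(default_factory=list)
    summary: List[Tuple[int, str]] = field(default_factory=list)  # (count, label)

    def __post_init__(self) -> None:
        parse_dtg(self.when)  # fail early on a mistyped "When" field

    def log(self, dtg: str, note: str, evidence: Optional[str] = None) -> None:
        """Append a timeline entry; evidence is the path of a screenshot or log saved alongside."""
        self.timeline.append((parse_dtg(dtg), note, evidence))

    def count(self, n: int, label: str) -> None:
        """Add a summary line such as '1 x attempt to hack by using stolen credentials'."""
        self.summary.append((n, label))

    def entries(self) -> List[Tuple[datetime, str, Optional[str]]]:
        """Timeline in chronological order, whatever order the entries were typed in."""
        return sorted(self.timeline, key=lambda e: e[0])

    def render(self) -> str:
        """Plain-text report in the 5Ws / Timeline / Summary layout."""
        lines = [f"Who: {self.who}", f"What: {self.what}", f"When: {self.when}",
                 f"Where: {self.where}", f"Why: {self.why}", "Timeline:"]
        for ts, note, evidence in self.entries():
            suffix = f" [evidence: {evidence}]" if evidence else ""
            lines.append(f"  At {format_dtg(ts)} {note}{suffix}")
        lines.append("Summary:")
        lines += [f"  {n} x {label}" for n, label in self.summary]
        return "\n".join(lines) + "\n"

    def save(self, path: str) -> None:
        """Write the report to a .txt file, the one format every box can produce."""
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(self.render())


def build_example() -> Incident:
    """Constructed sample incident mirroring the post's template (placeholder values)."""
    inc = Incident(
        who="Workstation owner, blue team (placeholder)",
        what="Login attempt with stolen credentials (constructed sample)",
        when="050900JAN23",
        where="WS-07 on the lab network (placeholder)",
        why="While checking processes I discovered an IOC (unexpected process, placeholder) and followed it up",
    )
    # Entries deliberately logged out of order; entries()/render() sort them.
    inc.log("050915JAN23", "Found unknown process; killed it and saved the process list", "procs.txt")
    inc.log("050900JAN23", "CPU well above the baseline of <BASELINE>; started investigating")
    inc.log("050930JAN23", "Reset the affected account's credentials; incident closed")
    inc.count(1, "attempt to hack by using stolen credentials")
    inc.count(0, "Computers breached or damaged")
    return inc


if __name__ == "__main__":
    print(build_example().render())
```

Run it to see the report on stdout, or call `build_example().save("incident-001.txt")` to keep the same text on disk next to the screenshots it references.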
Here are some steps you can follow to document incidents in cybersecurity:
- Identify the incident: Determine that an incident has occurred and identify the affected assets, such as systems, networks, or data.
- Gather information: Collect as much information as possible about the incident, including details about the impact, the time of the incident, and any relevant logs or other evidence.
- Contain the incident: Take steps to prevent the incident from spreading or causing further damage, such as disconnecting affected systems from the network or shutting down services.
- Investigate the incident: Analyze the incident to determine the root cause and identify any vulnerabilities that may have contributed to the incident.
- Document the incident: Record all relevant details about the incident, including the time it occurred, the impact, and the steps taken to contain and investigate it.
- Communicate the incident: Inform relevant parties about the incident, including management, stakeholders, and any customers or users who may have been affected.
- Take corrective action: Implement steps to prevent similar incidents from occurring in the future, such as patching vulnerabilities or updating policies and procedures.
- Review the incident: Conduct a review of the incident to identify any lessons learned and areas for improvement in the incident response process.
- Use a standardized incident report form: Use a pre-defined form or template to ensure that all relevant information is captured consistently.
- Keep the documentation accurate and complete: Be thorough and precise in documenting the incident, as the information may be used in legal proceedings or to demonstrate compliance with regulatory requirements.
- Maintain confidentiality: Protect the privacy of individuals and sensitive information related to the incident.
- Follow established procedures: Follow any established protocols or procedures for reporting and documenting incidents in your organization.
- Review and update documentation: Regularly review and update your incident documentation process to ensure that it is effective and efficient.
- Use a secure location for storing documentation: Store incident documentation in a secure location, such as a locked cabinet or password-protected electronic file, to prevent unauthorized access.
- Retain documentation for a sufficient period of time: Keep incident documentation for a sufficient period of time in accordance with any legal or regulatory requirements or your organization’s policies.
- Involve the appropriate personnel: Involve the appropriate personnel in the incident documentation process, such as IT staff, cybersecurity professionals, and legal or compliance personnel.
- Keep documentation organized: Use a logical and organized approach to documenting the incident, such as following a chronological order or grouping information by category.
- Use clear and concise language: Use clear and concise language when documenting the incident to ensure that the information is easily understood.
- Include relevant details: Include relevant details in the documentation, such as the names of individuals involved, the specific actions taken, and any relevant notes or observations.
- Use supporting materials: Use supporting materials, such as screenshots, logs, and network diagrams, to provide additional context and detail about the incident.
It’s important to remember that thorough and accurate incident documentation is critical to the effective response and management of cybersecurity incidents. By following a structured and consistent approach, you can ensure that all relevant information is captured and used to inform the response and prevent future incidents.
I hope this helps someone out there!
PEACE!!