Writing Incident Report – Project

Writing Incident Report – Project Brief

What is an Incident report?

During an incident, the incident responder makes a lot of notes and records the actions that he/she has taken. Evidence is gathered from computer systems and kept in a forensically sound manner. The notes, observations, and evidence collected during the incident are used to conduct a root cause analysis. Information security professionals perform root cause analysis to patch up vulnerabilities and harden systems further. Finally, the team performs its own after-action review, which lays out and critiques the chain of events so that the team may improve its procedures, tools, and approaches, as well as make any necessary changes to the incident response plan.

What is documented?

• Who: This is the simplest detail to recall. To put it another way, who was involved in the process? John Peter, for example, was one of the people engaged.
• When: Keep track of when the imaging started and when it finished. The imaging procedure, for example, began at 19:26 UTC on August 16, 2021, and concluded at 20:45 UTC on the same day. Because timing is so important, make sure you use a standard time zone and specify it in the report.
• Where: A specific place, such as an office, should be specified.
• What: The action taken, such as collecting memory or firewall logs, or imaging a hard disc.
• Why: Having an explanation for the action aids in comprehending why the activity was carried out.
• How: It is necessary to give a description of how an activity is carried out. Additionally, playbooks or standard operating procedures should be provided if an incident response team uses them as part of their strategy. Any deviation from the regular operating procedures should be documented in the same way.
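
The following Python example is added here and is not part of the original brief: it validates one action-log entry against the six items above, rejects timestamps that carry no time zone, and normalizes the start and finish times to UTC. The field names, the UTC+2 offset, and the sample location, reason and playbook text are assumptions made for the illustration.

```python
from datetime import datetime, timezone

# Assumed field names covering who / when (start, finish) / where / what / why / how.
REQUIRED_FIELDS = ("who", "started", "finished", "where", "what", "why", "how")


def to_utc(stamp: str) -> datetime:
    """Parse an ISO 8601 timestamp and convert it to UTC; reject naive values."""
    parsed = datetime.fromisoformat(stamp)
    if parsed.tzinfo is None or parsed.utcoffset() is None:
        raise ValueError(f"timestamp {stamp!r} has no time zone")
    return parsed.astimezone(timezone.utc)


def normalize_entry(entry: dict) -> dict:
    """Validate one action-log entry and return it with UTC timestamps."""
    missing = [f for f in REQUIRED_FIELDS if not str(entry.get(f) or "").strip()]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    started, finished = to_utc(entry["started"]), to_utc(entry["finished"])
    if finished < started:
        raise ValueError("action finishes before it starts")
    clean = {f: str(entry[f]).strip() for f in REQUIRED_FIELDS}
    clean["started"] = started.strftime("%Y-%m-%d %H:%M UTC")
    clean["finished"] = finished.strftime("%Y-%m-%d %H:%M UTC")
    clean["duration_minutes"] = int((finished - started).total_seconds() // 60)
    return clean


# Constructed sample: the imaging example above, as noted by a responder in UTC+2.
SAMPLE = {
    "who": "John Peter",
    "started": "2021-08-16T21:26:00+02:00",
    "finished": "2021-08-16T22:45:00+02:00",
    "where": "Office (placeholder location)",
    "what": "Imaged a hard disc",
    "why": "Preserve evidence for root cause analysis (constructed reason)",
    "how": "Followed the team's imaging playbook (placeholder)",
}

if __name__ == "__main__":
    for key, value in normalize_entry(SAMPLE).items():
        print(f"{key}: {value}")
```
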

Executive Summary

The executive summary is a 1–2-page report intended for senior management that outlines the incident’s high-level bullet points. A brief summary of the events, a root cause if possible, and remedial advice are frequently adequate for this list.

Incident Report
This is a thorough report that is seen by a number of people within the company. This report contains the findings of the inquiry, a complete root cause analysis, and extensive suggestions for avoiding a recurrence of the incident.

Forensic Report
The forensics report is the most thorough report produced. When a forensic investigation of log files, recorded memory, or disc images is performed, this report is created. Because these reports are frequently examined by other forensic specialists, they can be rather technical.

Because outputs from tools and parts of evidence, such as log files, are frequently included, these reports might be extensive.

Project Overview

You are working as an Incident Responder with the security team at Maersk. On 27th June 2017, the security team detected the NotPetya ransomware attack across the assets of the organization. You were the Incident Responder who initiated the response against the breach.

After completion of the response and investigation, on 8th July 2017, the CISO at Maersk has asked you to provide an Incident Report on the breach.

You can use the following sources to learn more about the attack, and explore other sources on the internet to get more details as required for the Incident Report.

1. https://charliepownall.com/maersk-notpetya-cyberattack-timeline/

2. https://portswigger.net/daily-swig/when-the-screens-went-black-how-notpetya-taught-maersk-to-rely-on-resilience-not-luck-to-mitigate-future-cyber-attacks

3. https://www.slideshare.net/cpownall/maersk-notpetya-crisis-response-case-study

4. https://www.eccouncil.org/wp-content/uploads/2021/04/NotPetyaUPDATED.pdf

5. https://investor.maersk.com/news-releases/news-release-details/cyber-attack-update

6. https://www.industrialcybersecuritypulse.com/threats-vulnerabilities/throwback-attack-how-notpetya-accidentally-took-down-global-shipping-giant-maersk/

7. https://www.kordia.co.nz/news-and-views/the-maersk-cyber-attack#:~:text=More%20than%20200%2C000%20computers%20across,where%20patches%20weren’t%20installed.

Project Grading

The project requires you to research the incident using the internet and gain insight into:

• Type of incident

• Incident Timeline (specifically for Maersk)

• Incident Impact (specifically for Maersk)

Once you have these details, use the incident report template (provided below) to submit the incident report.

The project comprises a total of 40 points.

Project Submission:

On the basis of your research, provide the following information. Please select the checkboxes as applicable. Please keep in mind that you are writing the incident report on 8th July 2017.

Cyber Incident Report

Name of the Incident Responder:

Date:

Incident Priority (Incident Classification)

Check any one of the classifications: High, Medium or Low. (5 Points)

☐ High ☐ Medium ☐ Low

Additional information: (Mention the reason for the classification)

Incident Type

Check all that apply. (5 Points)

☐ Compromised System
☐ Compromised User Credentials (e.g., lost password)
☐ Network Attack (e.g. DDoS)
☐ Malware (e.g. Trojan, worm, ransomware)
☐ Reconnaissance (e.g. scanning, sniffing)
☐ Lost Equipment/Theft
☐ Physical Break-in
☐ Social Engineering (e.g. Phishing)
☐ Law enforcement request
☐ Policy Violation
☐ Unknown/Other

Additional information: (Mention the nature of the attack, enumerating the exploitation method in brief)

Incident Timeline

Please provide as much detail as possible. (8 Points)

1. Date and time when the incident was discovered

2. Date and time when the incident was reported

3. Date and time when the incident occurred

Additional timeline information

Incident Scope

Please provide as much detail as possible. (8 Points)

1. Estimated quantity of systems affected

2. Estimated number of locations affected

3. Third parties involved (vendors, contractors, partners)

4. Attack source (e.g. IP addresses, port)

Additional scoping information:

Systems affected by the incident

Please provide as much detail as possible. (8 Points)

1. Type of system affected (e.g. PC, Laptop, server, mobile endpoints)

2. Operating System of the affected System (e.g. Android, Windows, MacOS)

3. Vulnerability exploited

Additional information (Provide details of the way in which the vulnerability was exploited)

Incident Handling Log

Please provide as much detail as possible. (6 Points)

1. Status of Incident Recovery

2. Action taken/planned for remediation

Additional remediation details for the future:

Please use the Submission Template document uploaded on Olympus for submission.

Project Support:

Q&A forum for offline support: Discussion board.
