
Writing Incident Report – Project Brief

What is an Incident report?

During an incident, the incident responder takes extensive notes and records every action they take. Evidence is gathered from computer systems and preserved in a forensically sound manner. The notes, observations, and evidence collected during the incident are then used to conduct a root cause analysis. Information security professionals use the root cause analysis to close the vulnerabilities that were exploited and to harden systems further. Finally, the team performs its own after-action review, which lays out and critiques the chain of events so that the team can improve its procedures, tools, and approaches, and make any necessary changes to the incident response plan.

What is documented?

• Who: This is the simplest detail to record: who was involved in the activity? For example, John Peter was one of the people engaged.

• When: Keep track of when an activity started and when it finished. For example, the imaging procedure began at 19:26 UTC on August 16, 2021, and concluded at 20:45 UTC on the same day. Because timing is so important for correlating events across systems, use a single standard time zone (UTC is the usual choice) throughout and state it explicitly in the report.

• Where: A specific place, such as an office, should be specified.

• What: The action taken, such as collecting memory or firewall logs, or imaging a hard disk.

• Why: Having an explanation for the action helps the reader understand why the activity was carried out.

• How: A description of how the activity was carried out is required. If the incident response team uses playbooks or standard operating procedures as part of its strategy, those should be referenced or attached as well. Any deviation from the standard operating procedure should be documented in the same way.
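As an added example that is not part of the original brief, the following Python script shows one way to capture these six fields for each action as a structured log entry: timestamps are rejected unless they are timezone-aware UTC, every evidence file is hashed with SHA-256 at collection time so its integrity can be re-checked later, and deviations from the playbook get their own field. The responder name, workstation name, playbook identifier and evidence bytes are constructed placeholders.

```python
"""Added example, not from the project brief: a minimal incident action log that records the
who/when/where/what/why/how fields with UTC-only timestamps and SHA-256 evidence hashes."""
import hashlib
import json
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash an evidence file in chunks so large disk or memory images need not fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def require_utc(ts: datetime, name: str) -> datetime:
    """Reject naive or non-UTC timestamps: the report must use one stated standard zone."""
    if ts.tzinfo is None or ts.utcoffset() != timedelta(0):
        raise ValueError(f"{name} must be a timezone-aware UTC datetime, got {ts!r}")
    return ts


@dataclass
class ActionEntry:
    who: str
    started: datetime
    ended: datetime
    where: str
    what: str
    why: str
    how: str
    deviation: str = ""                              # any departure from the playbook / SOP
    evidence: dict = field(default_factory=dict)     # file name -> SHA-256 at collection time

    def __post_init__(self):
        require_utc(self.started, "started")
        require_utc(self.ended, "ended")
        if self.ended < self.started:
            raise ValueError("ended precedes started")
        for name in ("who", "where", "what", "why", "how"):
            if not getattr(self, name).strip():
                raise ValueError(f"{name} is required")

    def duration(self) -> timedelta:
        return self.ended - self.started

    def to_record(self) -> dict:
        """JSON-ready record; ISO 8601 timestamps carry an explicit +00:00 offset."""
        return {"who": self.who, "started": self.started.isoformat(),
                "ended": self.ended.isoformat(), "where": self.where, "what": self.what,
                "why": self.why, "how": self.how, "deviation": self.deviation,
                "evidence": dict(self.evidence)}


class IncidentLog:
    def __init__(self):
        self.entries: list[ActionEntry] = []

    def record(self, entry: ActionEntry, evidence_files=()) -> ActionEntry:
        """Log an action and hash each collected file so later tampering can be detected."""
        for p in evidence_files:
            entry.evidence[Path(p).name] = sha256_file(Path(p))
        self.entries.append(entry)
        return entry

    def verify(self, entry: ActionEntry, path) -> bool:
        """Re-hash an evidence file and compare to the hash logged at collection time."""
        return sha256_file(Path(path)) == entry.evidence.get(Path(path).name)

    def dump(self) -> str:
        return json.dumps([e.to_record() for e in self.entries], indent=2)


def demo() -> dict:
    """Constructed walk-through: log a (fake) memory capture, verify it, then detect tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "ws-017-memory.raw"        # constructed sample evidence, not real data
        image.write_bytes(b"\x00" * 4096 + b"MZ" + b"\x90" * 1024)
        log = IncidentLog()
        entry = log.record(ActionEntry(
            who="John Peter",
            started=datetime(2021, 8, 16, 19, 26, tzinfo=timezone.utc),
            ended=datetime(2021, 8, 16, 20, 45, tzinfo=timezone.utc),
            where="HQ office, floor 3, desk 17",
            what="Memory capture of workstation WS-017",
            why="EDR flagged a suspicious process; volatile data needed before power-off",
            how="Playbook IR-05 step 3 (hypothetical); acquisition tool run from write-blocked USB",
        ), evidence_files=[image])
        intact = log.verify(entry, image)
        image.write_bytes(image.read_bytes() + b"X")     # simulate post-collection modification
        tampered_detected = not log.verify(entry, image)
        try:  # a naive (zone-less) timestamp must be refused
            ActionEntry("x", datetime(2021, 8, 16, 19, 26), datetime(2021, 8, 16, 20, 0),
                        "w", "a", "b", "c")
            naive_rejected = False
        except ValueError:
            naive_rejected = True
        return {"duration_min": int(entry.duration().total_seconds() // 60), "intact": intact,
                "tampered_detected": tampered_detected, "naive_rejected": naive_rejected,
                "json": log.dump()}


if __name__ == "__main__":
    print(demo()["json"])
```

Running the script prints the log as JSON; the same records can be appended to the handling log in the report template, and the stored hashes are what a forensic reviewer uses to confirm that the images analysed are the ones collected.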

Executive Summary

The executive summary is a one- to two-page report intended for senior management that outlines the incident at a high level, usually in bullet points. A brief summary of the events, the root cause if it is known, and the remediation recommendations are normally sufficient.

Incident Report

This is a thorough report that is read by a number of people within the company. It contains the findings of the investigation, a complete root cause analysis, and detailed recommendations for preventing a recurrence of the incident.

Forensic Report

The forensic report is the most thorough report produced. It is created when a forensic examination of log files, captured memory, or disk images is performed. Because these reports are frequently reviewed by other forensic specialists, they can be highly technical, and because tool output and extracts of the evidence itself, such as log files, are frequently included, they can be extensive.

Project Overview

You are working as an Incident Responder with the security team at Maersk. On 27 June 2017, the security team detected the NotPetya ransomware attack across the organization's assets. You were the Incident Responder who initiated the response to the breach. After completion of the response and investigation, on 8 July 2017 the CISO at Maersk asked you to provide an Incident Report on the breach.

You can use the following sources to learn more about the attack, and explore other sources on the internet for further details as required for the Incident Report.

1. https://charliepownall.com/maersk-notpetya-cyberattack-timeline/

2. https://portswigger.net/daily-swig/when-the-screens-went-black-how-notpetya-taught-maersk-to-rely-on-resilience-not-luck-to-mitigate-future-cyber-attacks

3. https://www.slideshare.net/cpownall/maersk-notpetya-crisis-response-case-study

4. https://www.eccouncil.org/wp-content/uploads/2021/04/NotPetyaUPDATED.pdf

5. https://investor.maersk.com/news-releases/news-release-details/cyber-attack-update

6. https://www.industrialcybersecuritypulse.com/threats-vulnerabilities/throwback-attack-how-notpetya-accidentally-took-down-global-shipping-giant-maersk/

7. https://www.kordia.co.nz/news-and-views/the-maersk-cyber-attack#:~:text=More%20than%20200%2C000%20computers%20across,where%20patches%20weren’t%20installed.

Project Grading

The project requires you to perform research using the internet and gain insight into:

• Type of incident

• Incident Timeline (specifically for Maersk)

• Incident Impact (specifically for Maersk)

Once you have these details, use the incident report template (provided below) to submit the Incident Report.

The project comprises a total of 40 points.


Project Submission:

On the basis of your research, provide the following information. Please select the checkboxes as applicable. Keep in mind that you are writing the incident report on 8 July 2017.

Cyber Incident Report- <Organization Name>

Name of the Incident Responder:

Date:

Incident Priority (Incident Classification)

Check any one of the classifications- High, Medium or Low. (5 Points)

☐ High ☐ Medium ☐ Low

Additional information: (Mention the reason for the classification)

Incident Type

Check all that apply. (5 Points)

☐ Compromised System

☐ Compromised User Credentials (e.g., lost password)

☐ Network Attack (e.g. DDoS)

☐ Malware (e.g. Trojan, worm, ransomware)

☐ Reconnaissance (e.g. scanning, sniffing)

☐ Lost Equipment/Theft

☐ Physical Break-in

☐ Social Engineering (e.g. Phishing)

☐ Law enforcement request

☐ Policy Violation

☐ Unknown/Other

Additional information: (Mention the nature of the attack, enumerating the exploitation method in brief)

Incident Timeline

Please provide as much detail as possible. (8 Points)

1. Date and time when the incident was discovered

2. Date and time when the incident was reported


3. Date and time when the incident occurred

Additional timeline information

Incident Scope

Please provide as much detail as possible. (8 Points)

1. Estimated number of systems affected

2. Estimated number of locations affected

3. Third parties involved (vendors, contractors, partners)

4. Attack source (e.g. IP addresses, port)

Additional scoping information:

Systems affected by the incident

Please provide as much detail as possible. (8 Points)

1. Type of system affected (e.g. PC, Laptop, server, mobile endpoints)

2. Operating System of the affected System (e.g. Android, Windows, MacOS)

3. Vulnerability exploited

Additional information (Provide details of the way in which the vulnerability was exploited)

Incident Handling Log

Please provide as much detail as possible. (6 Points)

1. Status of Incident Recovery

2. Action taken/planned for remediation

Additional remediation details for the future:


Please use the Submission Template document uploaded on Olympus for submission.

Project Support:

Q&A forum for offline support: Discussion board.

You can also post your queries on the discussion forums available on Olympus.
