[Template] Incident Response for Management Presentation

Incident Response

Security incidents occur. It’s not a matter of “if,” but of
“when.” That’s why you implemented security products and procedures
to optimize the incident response (IR) process.

However, many security pros who do an excellent job of handling
incidents find that effectively communicating the ongoing process
to their management is a much more challenging task.

Sound familiar?

In many organizations, leadership is not security savvy and
isn’t interested in all the bits and bytes that the security pro
has mastered.

Luckily, there is a template that security leads can use when
presenting to management. It’s called the IR Reporting for Management
template [1], and it provides CISOs and CIOs with a clear and
intuitive tool to report both the ongoing IR process and its
conclusion.

The IR Reporting for Management template enables CISOs and CIOs
to communicate the two key points that management cares about:
assurance that the incident is under control and a clear
understanding of implications and root cause.

Control is a key aspect of IR processes, in the sense that at
any given moment, there is full transparency of what is addressed,
what is known and needs to be remediated, and what further
investigation is needed to unveil parts of the attack that are yet
unknown.

Management doesn’t think in terms of trojans, exploits, and
lateral movement, but rather they think in terms of business
productivity — downtime, man-hours, loss of sensitive data.

Mapping a high-level description of the attack route to the damage
caused is paramount to gaining management’s understanding and
involvement, especially if the IR process requires additional
spending.

The IR Reporting for Management template follows the SANS/NIST IR
framework and will help you walk your management through the
following stages:

Identification

Attacker presence is detected beyond doubt. Follow the template
to answer key questions:

  • Was the detection made in-house or by a third-party?
  • How mature is the attack (in terms of its progress along the
    kill chain)?
  • What is the estimated risk?
  • Will the following steps be taken with internal resources or is
    there a need to engage a service provider?

Containment

First aid to stop the immediate bleeding before any further
investigation: the attack root cause, the number of entities taken
offline (endpoints, servers, user accounts), current status, and
onward steps.

Eradication

Full cleanup of all malicious infrastructure and activities, a
complete report on the attack’s route and assumed objectives,
overall business impact (man-hours, lost data, regulatory
implications, and others per the varying context).

Recovery

Recovery rate in terms of endpoints, servers, applications,
cloud workloads, and data.

Lessons Learned

How did that attack happen? Was it a lack of adequate security
technology in place, insecure workforce practices, or something
else? And how can we mend these issues? Provide a reflection on the
previous stages across the IR process timeline, searching for what
to preserve and what to improve.

Naturally, there is no one-size-fits-all in a security incident.
For example, there might be cases in which the identification and
containment will take place almost instantly together, while in
other events, the containment might take longer, requiring several
presentations on its interim status. That’s why this template is
modular and can be easily adjusted to any variant.

Communication with management is not a nice-to-have but a
critical part of the IR process itself. The definitive IR Reporting
to Management template helps security team leads make their efforts
and results crystal clear to their management.

Download the Definitive IR Reporting to Management template here. [2]
