Free Incident Response Management and Documentation Workbook

Oh no! I've got a potential incident unfolding now and I'm struggling keep track of everything? What do you use for incident documentation?

A friend posed this question to me a few days ago and my first thought was "I use TheHive". This response would have been about as useful as a wet fish to my friend, as at that point in time the last thing he had time to do is learn, deploy and configure a new incident management platform.

He needed something now. He needed something without a learning curve and something which would free him up to spend valuable time actually investigating a potential incident.

To help him out, I turned to the global backbone of information management... Microsoft Excel. Prior to deploying TheHive, I  built and improved upon an Excel incident management and documentation workbook for a number of years.

It doesn't have machine learning, AI or even security automation, so it probably isn't much good. Disregarding these shortfalls, I decided to dust it off, update it and share it with the community. We are all at different maturities in our information security journey and I believe this workbook provides a solid framework for documentation at all stages of an incident response.

You can download the workbook on my github. If you need to collaborate with multiple concurrent editors, it into Google Sheets well. Just make sure you have your IAM locked down...

To give you a quick overview of the workbook, it contains the following worksheets which I will walk through in the remainder of this blog post:
Dashboard
1.1 Identification
1.2 Evidence
1.3 Analysis
1.4 IOCs
2.0 Containment
2.1 Containment Monitoring
3.0 Remediation
3.1 Remediation Monitoring
4.0 Recovery
4.1 Recovery Monitoring
5.0 Lessons Learnt
6.0 Communications

Dashboard

Tracks administration information about an incident such as the incident name, date, team members and a resolution summary (so you can easily remember what happened when referring to the workbook at a later date)

1.1 Identification

The purpose of 'Identification' is to capture details of who, what, when and where the incident was identified. This worksheet should also capture any initial response steps which were conducted with or without knowledge of the Incident Response team.

1.2 Evidence

The purpose of 'Evidence' is to capture details of what, when and where evidence was collected. This worksheet should not replace comprehensive acquisition notes or chain of custody forms, but rather provide a one page view of evidence acquired throughout the incident response.

1.3 Analysis

The purpose of 'Analysis' is to capture details of analysis activities performed throughout the incident response. Example activities could include:
Review autorunsc.exe output for suspicious persistence entries.
Run psxview in volatility to identify suspicious processes

1.4 IOCs

The purpose of 'Indicators of Compromise' (IOCs) is to capture details of IOCs identified throughout the incident. These can then be used for analysis activities and reference material. IOCs can fall into three categories:
Atomic: Data which cannot be broken down in to smaller parts (in the context of the intrusion). E.g. IP Addresses, email header info, domain names, strings.
Computed: Computational values identified in the context of the incident. E.g. Hash
Behavioural: Trends identified in actions/operations of the incident. E.g. Attacks occur during the hours of 12:00am and 02:00am.

2.0 Containment

The purpose of 'Containment' is to capture details of approvals and activities performed in order to limit the spread of an incident. Containment steps should be performed only once a reasonable understanding of the incident has been obtained. An ideal containment phase should lock an attacker/malware out of the IT environment (including backdoors, lateral movement and persistence mechanisms).

2.1 Containment Monitoring

The purpose of 'Containment Monitoring' is to capture details of monitoring performed in order to confirm the effectiveness of containment activities.

3.0 Remediation

The purpose of 'Remediation' is to capture details of approvals and activities performed in order to remove threats from the incident environment. This step should be performed after containment activities. Remediation steps should be planned and executed effectively over a short time frame, in order to completely remove presence of the threat from the environment (including backdoors, lateral movement and persistence mechanisms).

3.1 Remediation Monitoring

The purpose of 'Remediation Monitoring' is to capture details of monitoring performed in order to confirm the effectiveness of remediation activities.

4.0 Recovery

The purpose of 'Recovery' is to capture details of approvals and activities performed in order restore the IT Environment to business as usual (BAU) functionality following containment and remediation steps.

4.1 Recovery Monitoring

The purpose of 'Recovery' is to capture details of monitoring performed in order to confirm the effectiveness of recovery activities.

5.0 Lessons Learnt

The purpose of 'Lessons Learnt' is to capture details of process, procedure and control improvements identified throughout the incident. New controls should also be assigned responsibility to ensure they are implemented.

6.0 Communications

The purpose of 'Communications' is to capture details of internal and external communications issued by the Information Security team and/or company

Incident Tracker

In addition to the individual incident spreadsheet, I have also created a separate incident and investigation tracker spreadsheet. This is so that you can document relevant statistics and generate graphs for reporting.