When a cybersecurity incident occurs, it is important to record all the details so that the event is remembered and can be prevented from happening again. This includes information such as who was involved, who was affected, when the incident occurred and why. The more detail you provide in your report, the better prepared you will be if a similar incident occurs in the future.

Examples of cybersecurity incidents
Here are a few examples of events that could lead to a cybersecurity incident.
- An alert received from antivirus software;
- An unusual increase in Internet traffic during a given period;
- Logins from the account of a user who is on leave;
- Discovery that an update has been missing from a system for several months;
- A user receiving a strange text message on their mobile;
- A user admitting to having been caught by a phishing scheme;
- Realizing that you have clicked on a very strange link;
- Suspicious computer behavior, such as the fan running at full speed or severely reduced performance.
When to write an event report (cybersecurity incident report)?
Step two of the incident management procedure is called “Identification”, and it is at this stage that analysts notice a suspicious element, either through an alert from an automated system or by reading an activity report showing unusual activity. They then begin a rapid analysis of the event to determine whether or not a cybersecurity incident has occurred.
Sometimes, simply reading the event logs allows us to conclude that the event is a normal, regular activity that poses no risk to the organization. In such cases, systems are modified or adjusted to ensure that these events are no longer reported as suspicious.
However, in other cases, before we see fire, we can observe smoke. These worrying elements are called “indicators of compromise”. Not all indicators carry the same weight. The adage “Where there’s smoke, there’s fire” tells us that when there is smoke, it is reasonable to assume that a fire is nearby.
Certain indicators of compromise give us greater confidence that an incident is under way, and the combination of several weaker indicators can point to one as well.
So when do you write an event report?
As quickly as possible, with as much detail as possible, so that systems can be adjusted, teams can be trained, and the situation at risk can be better understood.
Cybersecurity incident report versus in-depth investigation report
A cybersecurity incident report is a report that is written following an incident, such as an intrusion or breach. It includes information on the date of the incident, the type of event and how it was discovered, as well as what happened to the data.
An investigation report is a report written in response to a request for information from law enforcement or with a view to legal proceedings. It answers questions such as “what happened” and “who is responsible”.
A cybersecurity incident report includes a description of the event or attack that took place, including what was accessed, modified or deleted, and the steps taken to identify what happened and prevent further damage.
An incident report is a record of events, and an investigation report is the result of research, analysis and evidence gathering.
Want to be informed about incidents?
This requires defining a protocol to be followed by the people likely to discover an incident: what they need to know about writing these reports, how to communicate them, and to whom.
For example, is there a form that should be filled in on a specific website?
Using a template can of course simplify the approach. The language to be used, the format, or simply the types of information the report must contain also need to be communicated to the people likely to write these reports.
Who should write the report?
In my opinion, there are no wrong answers to this question, since an incident report can be a collaborative effort in which each individual involved in the incident records his or her actions and observations.
In practice, the person who starts writing the report is the one who first reports the event, and this is what triggers the rest of the incident management process.
Essential rules for report writing
Note only facts and observed elements, not opinions.
Answer questions as clearly, precisely and completely as possible:
- What happened?
- Where did it happen, what systems or locations were affected?
- Why did it happen?
- Who was involved in or witnessed the incident?
- When did this happen?
- How did the incident happen?
Checklist: What a cybersecurity incident report should include.
- Who is the author of the incident report;
- What are their contact details (e-mail, telephone number, etc.);
- Who are the people involved in the incident? This section serves as a reference when several players are involved: it groups them together with their titles, contact details and the roles they played in managing the incident;
- Short description of the incident;
- Incident classification such as impact or severity level;
- Chronology of events;
- How the incident was detected (the clues or indicators of compromise);
- Description of affected systems; are personal or confidential data affected?
- Actions taken;
- Documentation or evidence of the event that needs to be preserved;
- Are there any next steps?
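The checklist above maps naturally onto a structured record that can be validated before the report is sent on. The following Python module is an added example, not code from the original article: it models the checklist fields, keeps the chronology sortable by requiring timezone-aware timestamps, reports which checklist items are still missing, and renders the result as plain text. The person names, hostnames, e-mail address and the sample "logins for a user on leave" incident are all constructed for illustration.

```python
# Added example (not part of the original article): a minimal structured
# incident report following the checklist above, with a completeness check.
# All names, hosts, addresses and the sample incident are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Severity(Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"
    CRITICAL = "critical"


@dataclass
class Person:
    name: str
    role: str            # role played in managing the incident
    email: str = ""
    phone: str = ""

    def has_contact(self) -> bool:
        return bool(self.email or self.phone)


@dataclass
class TimelineEntry:
    when: datetime       # timezone-aware so entries from different sites order correctly
    observation: str     # facts observed, not opinions
    recorded_by: str


@dataclass
class IncidentReport:
    author: Person
    summary: str
    severity: Severity
    indicators: list[str] = field(default_factory=list)      # how it was detected
    affected_systems: list[str] = field(default_factory=list)
    personal_data_affected: bool = False
    participants: list[Person] = field(default_factory=list)
    timeline: list[TimelineEntry] = field(default_factory=list)
    actions_taken: list[str] = field(default_factory=list)
    evidence: list[str] = field(default_factory=list)         # what must be preserved
    next_steps: list[str] = field(default_factory=list)

    def record(self, when: datetime, observation: str, recorded_by: str) -> None:
        """Append a timeline entry; entries may arrive out of order."""
        self.timeline.append(TimelineEntry(when, observation, recorded_by))

    def chronology(self) -> list[TimelineEntry]:
        """Timeline sorted by timestamp, for the 'chronology of events' section."""
        return sorted(self.timeline, key=lambda e: e.when)


def validate(report: IncidentReport) -> list[str]:
    """Return the checklist items still missing; an empty list means complete."""
    problems = []
    if not report.author.has_contact():
        problems.append("author has no contact details")
    if not report.summary.strip():
        problems.append("missing short description")
    if not report.indicators:
        problems.append("no clue or indicator of compromise recorded")
    if not report.affected_systems:
        problems.append("no affected system listed")
    if not report.timeline:
        problems.append("chronology is empty")
    for entry in report.timeline:
        if entry.when.tzinfo is None:
            problems.append(f"timeline entry without timezone: {entry.observation!r}")
    if not report.actions_taken:
        problems.append("no action recorded")
    if not report.evidence:
        problems.append("no evidence listed for preservation")
    for p in report.participants:
        if not p.has_contact():
            problems.append(f"participant {p.name} has no contact details")
    return problems


def render(report: IncidentReport) -> str:
    """Render the report as plain text, in the order of the checklist."""
    lines = [f"Author: {report.author.name} ({report.author.email or report.author.phone})",
             f"Severity: {report.severity.value}", f"Summary: {report.summary}", "Participants:"]
    lines += [f"  - {p.name} ({p.role}): {p.email or p.phone}" for p in report.participants]
    lines.append("Chronology:")
    lines += [f"  - {e.when.isoformat()} [{e.recorded_by}] {e.observation}" for e in report.chronology()]
    lines.append("Detected via: " + "; ".join(report.indicators))
    lines.append("Affected systems: " + ", ".join(report.affected_systems))
    lines.append("Personal data affected: " + ("yes" if report.personal_data_affected else "no"))
    lines.append("Actions taken: " + "; ".join(report.actions_taken))
    lines.append("Evidence to preserve: " + "; ".join(report.evidence))
    lines.append("Next steps: " + ("; ".join(report.next_steps) or "none"))
    return "\n".join(lines)


def sample_report() -> IncidentReport:
    """Constructed sample: the 'logins from a user on leave' event from the list above."""
    analyst = Person("A. Analyst", "SOC analyst, report author", email="soc@example.invalid")
    r = IncidentReport(author=analyst, summary="VPN logins from an account whose owner is on leave",
                       severity=Severity.HIGH,
                       indicators=["VPN login alert for a user on approved leave",
                                   "login source outside the usual country"],
                       affected_systems=["vpn-gw-01", "file server fs-02"],
                       participants=[Person("B. Admin", "VPN administrator", phone="+00 000 000")])
    # Recorded out of order on purpose; chronology() sorts them.
    r.record(datetime(2024, 5, 2, 9, 40, tzinfo=timezone.utc), "Account disabled at VPN gateway", "B. Admin")
    r.record(datetime(2024, 5, 2, 9, 5, tzinfo=timezone.utc), "Alert received from VPN log monitoring", "A. Analyst")
    r.actions_taken += ["Account disabled", "Active sessions terminated"]
    r.evidence += ["VPN gateway logs 2024-05-02 08:00-10:00 UTC", "file server access log"]
    r.next_steps += ["Contact the user to confirm whether the logins were legitimate"]
    return r


if __name__ == "__main__":
    report = sample_report()
    print(render(report))
    print("Missing items:", validate(report) or "none")
```

The validation is deliberately strict about timestamps: a naive `datetime` in the chronology is flagged, because a timeline assembled from several people's notes is only trustworthy if every entry can be placed on the same clock.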