Security Incident Reporting
Comprehensive framework for documenting and analyzing security incidents, drawing from NIST SP 800-61 and SANS methodologies.
When to Use
- After a security incident (DDoS, breach, vulnerability exploitation)
- Creating post-mortem documentation
- Communicating with stakeholders (C-level, legal, security teams)
- Correlating attack patterns with known CVEs
- Establishing incident response metrics (MTTR, dwell time)
Related Skills
1. Incident Response Framework
NIST SP 800-61 / SANS Harmonization
| Phase | NIST | SANS | Documentation Focus |
|---|
| 1 | Preparation | Preparation | Runbooks, contacts, tools |
| 2 | Detection & Analysis | Identification | Initial detection, triage |
| 3 | Containment | Containment | Isolation actions, timeline |
| 4 | Eradication | Eradication | Root cause removal |
| 5 | Recovery | Recovery | Service restoration |
| 6 | Post-Incident | Lessons Learned | Post-mortem, improvements |
Documentation Principle
Logbuch-Prinzip: Document in real-time during the incident, then consolidate into the post-mortem report. Never create reports retrospectively from memory.
2. Severity Rating Systems
NCISS (National Cyber Incident Scoring System)
| Level | Score | Description |
|---|
| Emergency (1) | 100 | Nation-state attack, critical infrastructure |
| Severe (2) | 80-99 | Significant impact, data exfiltration |
| High (3) | 60-79 | Service disruption, potential data loss |
| Medium (4) | 40-59 | Limited impact, contained breach |
| Low (5) | 20-39 | Minor incident, no data loss |
| Baseline (6) | 0-19 | Informational, false positive |
DDoS Resiliency Score (DRS)
| Level | Description | Typical Bandwidth |
|---|
| 1-2 | Simple Floods | < 1 Gbps |
| 3-4 | Sophisticated Multi-Vector | 1-5 Gbps |
| 5-6 | Advanced (State-Actor Level) | 5-100 Gbps |
| 7 | Extreme (Hyper-Volumetric) | > 100 Gbps |
CVSS Integration
For vulnerability-based incidents, include CVSS v3.1 base score from the security-audit skill.
3. Incident Report Template
Module A: Metadata & Executive Summary
# Security Incident Report
## Metadata
| Field | Value |
|-------|-------|
| Incident ID | SIR-2026-001 |
| Classification | Confidential |
| Status | Closed / Active / Under Investigation |
| Detection Time | 2026-01-21 14:32 UTC |
| Resolution Time | 2026-01-21 15:17 UTC |
| MTTR | 45 minutes |
| Severity | High (NCISS: 65) |
| Lead Analyst | Jane Doe |
| Affected Systems | web-cluster-01, cdn-edge-eu |
## Executive Summary (max 200 words)
On [DATE], our monitoring systems detected [INCIDENT TYPE] targeting [SYSTEMS].
The attack [IMPACT DESCRIPTION]. Through [RESPONSE ACTIONS], normal operations
were restored within [TIMEFRAME]. [DATA IMPACT STATEMENT].
### Business Impact
- Service Availability: [Degraded/Offline for X minutes]
- Data Impact: [None/Potential exposure of X records]
- Financial Impact: [Estimated cost]
- Reputation Impact: [Public/Internal]
Module B: Timeline (Chronological Analysis)
## Incident Timeline
| Time (UTC) | Event | Source | Action Taken |
|------------|-------|--------|--------------|
| 14:32 | Traffic spike detected | Cloudflare Alert | On-call notified |
| 14:35 | 5x baseline traffic confirmed | Grafana | Incident declared |
| 14:38 | Geo-blocking activated | Cloudflare | EU/US traffic filtered |
| 14:42 | Attack vector identified: UDP amplification | DPI Analysis | Null-route for UDP/427 |
| 14:55 | Traffic normalized | Monitoring | Mitigation confirmed |
| 15:17 | All systems stable | Status page | Incident closed |
### Dwell Time Analysis
- Time to Detection (TTD): 0 minutes (automated)
- Time to Containment (TTC): 10 minutes
- Time to Eradication (TTE): 23 minutes
- Time to Recovery (TTR): 45 minutes
Module C: Technical Analysis & IoCs
## Technical Analysis
### Attack Vectors (MITRE ATT&CK)
- T1498: Network Denial of Service
- T1498.001: Direct Network Flood
- T1498.002: Reflection Amplification
### Indicators of Compromise (IoCs)
#### Network Artifacts
| Type | Value | Context |
|------|-------|---------|
| IP Range | 192.0.2.0/24 | Source (spoofed) |
| ASN | AS12345 | Amplification source |
| Port | UDP/427 | SLP Amplification |
| Signature | \x00\x00\x00\x00SLP | Payload pattern |
#### System Artifacts
| Type | Value | Hash (SHA256) |
|------|-------|---------------|
| Modified File | /var/www/shell.php | a1b2c3... |
| New User | backdoor_admin | N/A |
| Cron Job | /tmp/.hidden/beacon | d4e5f6... |
### Root Cause Analysis (5-Whys)
1. Why did the attack succeed? → Amplification ports were exposed
2. Why were ports exposed? → Firewall rules not updated after migration
3. Why weren't rules updated? → No automated validation in deployment
4. Why no automation? → Security review not in CI/CD pipeline
5. Why not in pipeline? → Technical debt, prioritized features
**Root Cause**: Missing security validation in deployment pipeline
4. DDoS Post-Mortem Analysis
Metrics Table
| Metric | Value | Threshold | Status |
|---|
| Peak Bandwidth | 45 Gbps | 10 Gbps | Exceeded |
| Peak Packets/sec | 12M PPS | 5M PPS | Exceeded |
| Peak Requests/sec | 850K RPS | 100K RPS | Exceeded |
| Unique Source IPs | 145,000 | N/A | Amplification |
| Attack Duration | 45 min | N/A | - |
| Geographic Spread | 89 countries | N/A | Global botnet |
Attack Vector Classification
| Vector | % of Traffic | Type | Mitigation |
|---|
| UDP Flood | 60% | Volumetric | Null-route |
| SYN Flood | 25% | Protocol | SYN cookies |
| HTTP Flood | 15% | Application | Rate limiting |
Multi-Vector Detection
Was this a smoke-screen attack?
├── Volumetric attack started: 14:32
├── Application-layer probing detected: 14:38
├── Login brute-force attempts: 14:40-14:45
└── Conclusion: Coordinated multi-vector attack
5. CVE Correlation for DDoS
Map attack signatures to known vulnerabilities for threat intelligence.
Amplification Vector CVE Table
| Attack Type | Port | Amplification Factor | CVE | Description |
|---|
| NTP Monlist | UDP/123 | 556x | CVE-2013-5211 | NTP mode 7 monlist |
| Memcached | UDP/11211 | 51,000x | CVE-2018-1000115 | UDP reflection |
| CLDAP | UDP/389 | 70x | CVE-2020-9490 | LDAP reflection |
| SLP | UDP/427 | 2,200x | CVE-2023-29552 | Service Location Protocol |
| DNS | UDP/53 | 54x | Various | Open resolver abuse |
| SSDP | UDP/1900 | 30x | Various | UPnP reflection |
| Chargen | UDP/19 | 358x | CVE-1999-0103 | Character generator |
Analysis Example
## CVE Correlation Analysis
Traffic analysis shows 40% of UDP flood originated from port 427.
Deep Packet Inspection confirmed payloads typical for CVE-2023-29552.
**Conclusion**: Botnet leveraging unpatched VMware ESXi instances as
SLP reflectors. Recommend:
1. Verify our infrastructure is not acting as reflector
2. Block UDP/427 at edge
3. Report to upstream provider
6. Impact Assessment Matrix
Operational Impact
| Category | Level | Description |
|---|
| Availability | Critical | Complete outage for 15 minutes |
| Performance | High | 50% degradation for 30 minutes |
| Collateral | Medium | API gateway affected |
Financial Impact
| Category | Estimated Cost |
|---|
| Lost Revenue | $15,000 |
| Scrubbing Overage | $2,500 |
| Incident Response | $5,000 (8 person-hours) |
| Total | $22,500 |
Reputation Impact
| Channel | Severity | Action Required |
|---|
| Social Media | Medium | Prepared statement |
| B2B Partners | Low | Direct notification |
| Press | None | No external coverage |
7. Blameless Post-Mortem
Principles
- Focus on systems, not individuals: "Why did the process allow X?" not "Who did X?"
- Assume good intentions: Everyone acted with the best information available
- Learn, don't punish: Goal is improvement, not blame
- Share openly: Publish internally for organizational learning
Post-Mortem Template
## Post-Mortem: [Incident Title]
### What Happened
[Factual description of the incident]
### What Went Well
- Detection was automated (0 min TTD)
- On-call responded within SLA
- Communication was clear
### What Went Wrong
- Firewall rules were outdated
- No alerting for UDP traffic spikes
- Runbook was incomplete
### Action Items
| ID | Action | Owner | Due Date | Status |
|----|--------|-------|----------|--------|
| 1 | Add security validation to CI/CD | @devops | 2026-02-01 | Open |
| 2 | Update runbook with DDoS procedures | @security | 2026-01-28 | Open |
| 3 | Implement UDP traffic alerting | @sre | 2026-02-05 | Open |
### Lessons Learned
- Automated security gates prevent configuration drift
- Regular runbook reviews are essential
- Multi-vector attacks require layered defense
8. Report Distribution
Classification Levels
| Level | Audience | Content |
|---|
| Executive | C-Level, Board | Summary, business impact, remediation status |
| Technical | Security Team, SOC | Full IoCs, TTPs, forensic details |
| Legal | Legal, Compliance | Data impact, regulatory implications |
| Public | Customers, Press | Sanitized summary, no technical details |
Retention Requirements
| Document Type | Retention | Storage |
|---|
| Full Incident Report | 7 years | Encrypted archive |
| IoC Data | 2 years | Threat Intelligence Platform |
| Logs & Evidence | 1 year | Immutable storage |
9. Checklists
Pre-Incident Preparation
During Incident
Post-Incident
References
Credits & Attribution
This skill draws from the "Handbuch für Advanced Security Incident Reporting" methodology,
incorporating elements of NIST SP 800-61, SANS frameworks, and industry best practices.
Developed by webconsulting.at for the Claude skill collection.