Free-Incident-Response-Management-and-Documentation-Workbook

A free incident response management and documentation Microsoft Excel workbook.

For more information, please see my blog: https://b2dfir.blogspot.com/2018/11/free-incident-response-management-and.html

If you are planning ahead for an incident and have the capacity to run a dedicated incident response management platform, I would recommend looking at TheHive Project instead.

https://thehive-project.org/

Overview

To give you a quick overview of the workbook, it contains the following worksheets, each of which I walk through below:

Dashboard
1.1 Identification
1.2 Evidence
1.3 Analysis
1.4 IOCs
2.0 Containment
2.1 Containment Monitoring
3.0 Remediation
3.1 Remediation Monitoring
4.0 Recovery
4.1 Recovery Monitoring
5.0 Lessons Learnt
6.0 Communications

Dashboard

Tracks administrative information about an incident: the incident name, date, team members and a resolution summary (so you can quickly recall what happened when referring back to the workbook at a later date).

1.1 Identification

The purpose of 'Identification' is to capture details of who, what, when and where the incident was identified. This worksheet should also capture any initial response steps that were taken with or without the knowledge of the Incident Response team (for example, a system administrator rebooting or re-imaging a host before the team was engaged), since those steps may have altered or destroyed evidence.

1.2 Evidence

The purpose of 'Evidence' is to capture details of what evidence was collected, and when and where it was collected. This worksheet should not replace comprehensive acquisition notes or chain of custody forms, but rather provide a one-page view of the evidence acquired throughout the incident response.

1.3 Analysis

The purpose of 'Analysis' is to capture details of analysis activities performed throughout the incident response. Example activities could include:

Review autorunsc.exe output for suspicious persistence entries
Run the psxview plugin in Volatility to identify hidden or suspicious processes

1.4 IOCs

The purpose of 'Indicators of Compromise' (IOCs) is to capture details of IOCs identified throughout the incident. These can then be used to drive further analysis activities and as reference material. IOCs fall into three categories:

Atomic: data which cannot be broken down into smaller parts (in the context of the intrusion), e.g. IP addresses, email header fields, domain names, strings.
Computed: values derived computationally from data observed in the incident, e.g. file hashes.
Behavioural: trends identified in the actions/operations of the incident, e.g. attacker activity occurs between 12:00am and 02:00am.

2.0 Containment

The purpose of 'Containment' is to capture details of approvals and activities performed in order to limit the spread of an incident. Containment steps should be performed only once a reasonable understanding of the incident has been obtained; acting before the scope is known risks tipping off the attacker while leaving unidentified footholds in place. An ideal containment phase locks the attacker/malware out of the IT environment, including backdoors, lateral movement paths and persistence mechanisms.

2.1 Containment Monitoring

The purpose of 'Containment Monitoring' is to capture details of monitoring performed in order to confirm the effectiveness of containment activities (for example, that the indicators recorded in 1.4 IOCs no longer appear in the environment after the containment actions were applied).
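
The following Python script is an added example (not part of the workbook or the blog post) that shows how the IOCs recorded in the 1.4 worksheet can be swept across log data, and how the same sweep, re-run against events after the containment time, doubles as the 2.1 Containment Monitoring check. All IOC values, hostnames, log lines and the containment timestamp are constructed for illustration, and the log format is an assumed 'timestamp host key=value' layout.

```python
"""Use the IOCs captured in the 1.4 worksheet to sweep log lines, then re-run
the sweep after containment to confirm the threat has actually been locked out
(the 2.1 Containment Monitoring check).

Added example, not part of the workbook. IOC values, hostnames, log lines and
the containment timestamp below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class IOC:
    category: str  # workbook category: atomic, computed or behavioural
    kind: str      # ip, domain, sha256 or time_window
    value: str
    source: str    # which worksheet/activity produced it (constructed)


# Constructed IOC entries, one or more per workbook category.
IOCS = [
    IOC("atomic", "ip", "203.0.113.45", "1.3 Analysis: netstat on HOST01"),
    IOC("atomic", "domain", "update.example-cdn.net", "1.3 Analysis: proxy review"),
    IOC("computed", "sha256",
        "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
        "1.2 Evidence: dropped binary"),
    IOC("behavioural", "time_window", "00:00-02:00", "1.3 Analysis: beacon timing"),
]

# Constructed egress/EDR log lines: "<UTC timestamp> <host> key=value ...".
LOG_LINES = """\
2018-11-20T01:15:02Z HOST01 dst=203.0.113.45 proto=tcp dport=443
2018-11-20T09:42:10Z HOST02 host=update.example-cdn.net method=GET path=/a.gif
2018-11-21T00:37:55Z HOST03 sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 path=C:\\Users\\Public\\svc.exe
2018-11-22T01:03:11Z HOST01 dst=203.0.113.45 proto=tcp dport=443
2018-11-22T14:20:00Z HOST02 host=intranet.example.com method=GET path=/
""".splitlines()

# Constructed: when the approved egress block and host isolation (2.0) were applied.
CONTAINED_AT = datetime(2018, 11, 21, 12, 0, 0)

# Which log field each atomic/computed IOC kind is compared against.
FIELD_FOR_KIND = {"ip": "dst", "domain": "host", "sha256": "sha256"}


def parse_line(line):
    """Split a log line into (timestamp, host, {field: value})."""
    ts, host, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, fields


def in_window(ts, window):
    """True if ts falls inside an 'HH:MM-HH:MM' window (same-day windows only)."""
    start, end = (time.fromisoformat(part) for part in window.split("-"))
    return start <= ts.time() < end


def match_iocs(lines, iocs):
    """Return one hit per line that matches an atomic or computed IOC.

    Behavioural IOCs (time windows) do not produce hits on their own, because
    legitimate activity also falls in the window; they are recorded on each hit
    as corroboration instead."""
    behavioural = [i for i in iocs if i.category == "behavioural"]
    hits = []
    for line in lines:
        ts, host, fields = parse_line(line)
        matched = [
            i for i in iocs
            if i.category != "behavioural"
            and fields.get(FIELD_FOR_KIND[i.kind], "").lower() == i.value.lower()
        ]
        if matched:
            hits.append({
                "timestamp": ts,
                "host": host,
                "iocs": matched,
                "in_window": any(in_window(ts, b.value) for b in behavioural),
            })
    return hits


def containment_check(hits, contained_at):
    """Hits timestamped after the containment time mean containment did not hold."""
    return [h for h in hits if h["timestamp"] > contained_at]


if __name__ == "__main__":
    hits = match_iocs(LOG_LINES, IOCS)
    for h in hits:
        kinds = ",".join(i.kind for i in h["iocs"])
        flag = " (in beacon window)" if h["in_window"] else ""
        print(f"{h['timestamp'].isoformat()} {h['host']} {kinds}{flag}")
    leaks = containment_check(hits, CONTAINED_AT)
    print(f"{len(leaks)} hit(s) after containment at {CONTAINED_AT.isoformat()}")
```

Any hit after CONTAINED_AT (here, HOST01 contacting the blocked address again on 22 November) is a containment failure that should be recorded in this worksheet and resolved before moving on to remediation; the same script, pointed at post-remediation and post-recovery logs, serves the 3.1 and 4.1 monitoring worksheets.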

3.0 Remediation

The purpose of 'Remediation' is to capture details of approvals and activities performed in order to remove the threat from the incident environment. This step should be performed after containment activities. Remediation steps should be planned in full and then executed over a short time frame, so that the threat's presence (including backdoors, lateral movement footholds and persistence mechanisms) is removed completely rather than piecemeal.

3.1 Remediation Monitoring

The purpose of 'Remediation Monitoring' is to capture details of monitoring performed in order to confirm the effectiveness of remediation activities.

4.0 Recovery

The purpose of 'Recovery' is to capture details of approvals and activities performed in order to restore the IT environment to business as usual (BAU) functionality following the containment and remediation steps.

4.1 Recovery Monitoring

The purpose of 'Recovery Monitoring' is to capture details of monitoring performed in order to confirm the effectiveness of recovery activities.

5.0 Lessons Learnt

The purpose of 'Lessons Learnt' is to capture details of process, procedure and control improvements identified throughout the incident. Each new control should also be assigned an owner to ensure it is actually implemented.

6.0 Communications

The purpose of 'Communications' is to capture details of internal and external communications issued by the Information Security team and/or the wider company.

Incident Tracker

In addition to the per-incident workbook, I have also created a separate incident and investigation tracker spreadsheet, so that you can record statistics across incidents and generate graphs for reporting.