Question
The final blue team incident report will typically run from 7 to 10 pages long, double spaced with appropriate citations. Try not to exceed pages, as this is also measuring your ability to synthesize data and explain it to both technical and nontechnical audiences. You should convey how the incident occurred, what happened during the incident, what short-term remediations were put into place, what long-term remediations need to occur (specifically, document whether additional tools or people are needed), and finally whether a claim needs to be made to the cyber insurance provider or whether a breach notification needs to occur.
Assignment:
Students are working on the blue team for a financial services organization (e.g. Edward Jones, etc.). You are being asked to prepare a report for the CIO/CISO on an ongoing security incident that is being executed against your company by an Eastern European-based hacking group.
Although technical, the CIO/CISO is not "in the weeds", so your deliverable should be at the strategic level, with a technical section for your team or cyber insurance provider for subsequent review. Please feel free to make assumptions as needed, as this is designed to measure your real-world application of the course content.
For this assignment, students should keep in mind that:
This is essentially a "capstone" like assessment for everything we've talked about in this course. You can essentially apply anything you've learned in this class to this assignment. You should be conducting both technical work via the tools you've learned and administrative reporting in this assignment.
Given the incident response frameworks you've researched in Week (e.g. NIST, SANS, etc.), complete a blue team incident response report. If the framework does not include an executive summary at the beginning, you must include one for your CIO/CISO.
Students can either recreate, use an existing, or assume the red team attack vector (e.g. phishing, lateral movement, PCAPs, etc.), but you should provide some documentation on what the attack looks like from the outside entity.
Students should generate representative screenshot artifacts as applicable to supplement their reports, using tools we've covered in the class, on ideas to counter this attack vector.
At a minimum, the report should include:
Executive Summary, which is essentially a summary of your detailed report below
Detailed explanation of:
How the incident occurred
What happened during the incident
Short-term remediations put into place
Long-term remediations needed for the roadmap
Whether a claim needs to be made to our cyber insurance provider or whether we need to send a breach notification, and why
Screenshots (Appendix A)