security-incident-reporting

Security Incident Reporting

Comprehensive framework for documenting and analyzing security incidents, drawing from NIST SP 800-61 and SANS methodologies.

When to Use

  • After a security incident (DDoS, breach, vulnerability exploitation)
  • Creating post-mortem documentation
  • Communicating with stakeholders (C-level, legal, security teams)
  • Correlating attack patterns with known CVEs
  • Establishing incident response metrics (MTTR, dwell time)

Related Skills

  • security-audit - Pre-incident vulnerability assessment
  • typo3-security - TYPO3 hardening
  • SKILL-TYPO3.md - TYPO3-specific incident reporting

1. Incident Response Framework

NIST SP 800-61 / SANS Harmonization

| Phase | NIST | SANS | Documentation Focus |
|---|---|---|---|
| 1 | Preparation | Preparation | Runbooks, contacts, tools |
| 2 | Detection & Analysis | Identification | Initial detection, triage |
| 3 | Containment | Containment | Isolation actions, timeline |
| 4 | Eradication | Eradication | Root cause removal |
| 5 | Recovery | Recovery | Service restoration |
| 6 | Post-Incident | Lessons Learned | Post-mortem, improvements |

Documentation Principle

Logbuch-Prinzip (logbook principle): document in real time while the incident is being handled, then consolidate the log into the post-mortem report. Never write a report retrospectively from memory.

2. Severity Rating Systems

NCISS (National Cyber Incident Scoring System)

| Level | Score | Description |
|---|---|---|
| Emergency (1) | 100 | Nation-state attack, critical infrastructure |
| Severe (2) | 80-99 | Significant impact, data exfiltration |
| High (3) | 60-79 | Service disruption, potential data loss |
| Medium (4) | 40-59 | Limited impact, contained breach |
| Low (5) | 20-39 | Minor incident, no data loss |
| Baseline (6) | 0-19 | Informational, false positive |

DDoS Resiliency Score (DRS)

| Level | Description | Typical Bandwidth |
|---|---|---|
| 1-2 | Simple Floods | < 1 Gbps |
| 3-4 | Sophisticated Multi-Vector | 1-5 Gbps |
| 5-6 | Advanced (State-Actor Level) | 5-100 Gbps |
| 7 | Extreme (Hyper-Volumetric) | > 100 Gbps |

CVSS Integration

For vulnerability-based incidents, include CVSS v3.1 base score from the security-audit skill.

3. Incident Report Template

Module A: Metadata & Executive Summary

```markdown
# Security Incident Report

## Metadata

| Field | Value |
|---|---|
| Incident ID | SIR-2026-001 |
| Classification | Confidential |
| Status | Closed / Active / Under Investigation |
| Detection Time | 2026-01-21 14:32 UTC |
| Resolution Time | 2026-01-21 15:17 UTC |
| MTTR | 45 minutes |
| Severity | High (NCISS: 65) |
| Lead Analyst | Jane Doe |
| Affected Systems | web-cluster-01, cdn-edge-eu |

## Executive Summary (max 200 words)

On [DATE], our monitoring systems detected [INCIDENT TYPE] targeting [SYSTEMS]. The attack [IMPACT DESCRIPTION]. Through [RESPONSE ACTIONS], normal operations were restored within [TIMEFRAME]. [DATA IMPACT STATEMENT].

## Business Impact

- Service Availability: [Degraded/Offline for X minutes]
- Data Impact: [None/Potential exposure of X records]
- Financial Impact: [Estimated cost]
- Reputation Impact: [Public/Internal]
```

Module B: Timeline (Chronological Analysis)

```markdown
# Incident Timeline

| Time (UTC) | Event | Source | Action Taken |
|---|---|---|---|
| 14:32 | Traffic spike detected | Cloudflare Alert | On-call notified |
| 14:35 | 5x baseline traffic confirmed | Grafana | Incident declared |
| 14:38 | Geo-blocking activated | Cloudflare | EU/US traffic filtered |
| 14:42 | Attack vector identified: UDP amplification | DPI Analysis | Null-route for UDP/427 |
| 14:55 | Traffic normalized | Monitoring | Mitigation confirmed |
| 15:17 | All systems stable | Status page | Incident closed |

## Dwell Time Analysis

- Time to Detection (TTD): 0 minutes (automated)
- Time to Containment (TTC): 10 minutes
- Time to Eradication (TTE): 23 minutes
- Time to Recovery (TTR): 45 minutes
```
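The logbook principle from section 1 and the dwell-time metrics above fit together naturally in code: entries are appended while the incident runs, and the timeline table, TTD/TTC/TTE/TTR and the MTTR for the metadata block are derived from the log afterwards. The following is an added example for this skill, not code from the original handbook; the `IncidentLog`/`LogEntry` classes, the milestone phase names and the rule that the clock starts at `attack_start` (or at detection when the start is unknown) are this example's own assumptions, and the sample entries reproduce the SIR-2026-001 timeline from the template.

```python
"""Incident logbook that yields the Module B timeline and dwell-time metrics.

Added example for this skill (not code from the original handbook). Entries
are recorded while the incident is handled; the timeline table and
TTD/TTC/TTE/TTR/MTTR are derived from the log afterwards instead of being
reconstructed from memory. Phase names and the classes are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Milestones, in the order the dwell-time metrics are measured.
MILESTONES = ("attack_start", "detection", "containment", "eradication", "recovery")


@dataclass
class LogEntry:
    time: datetime
    event: str
    source: str
    action: str
    phase: str  # one of MILESTONES, or "note" for an entry that is not a milestone


@dataclass
class IncidentLog:
    incident_id: str
    entries: list = field(default_factory=list)

    def record(self, when: str, event: str, source: str, action: str, phase: str = "note") -> None:
        """Append an entry as it happens. `when` is 'YYYY-MM-DD HH:MM' in UTC."""
        if phase != "note" and phase not in MILESTONES:
            raise ValueError(f"unknown phase {phase!r}")
        ts = datetime.strptime(when, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)
        self.entries.append(LogEntry(ts, event, source, action, phase))
        self.entries.sort(key=lambda e: e.time)  # stays chronological even if an entry is logged late

    def first(self, phase: str):
        """Timestamp of the first entry tagged with `phase`, or None."""
        return next((e.time for e in self.entries if e.phase == phase), None)

    def dwell_times(self) -> dict:
        """Minutes from attack start (or detection, if the start is unknown) to each milestone.

        TTD is 0 when detection is automated and coincides with the first sign of attack.
        A milestone that has not been logged yet maps to None.
        """
        start = self.first("attack_start") or self.first("detection")
        if start is None:
            raise ValueError("nothing detected yet; log a 'detection' entry first")
        metrics = {}
        for label, phase in zip(("TTD", "TTC", "TTE", "TTR"), MILESTONES[1:]):
            t = self.first(phase)
            metrics[label] = None if t is None else int((t - start).total_seconds() // 60)
        return metrics

    def mttr_minutes(self):
        """MTTR for the report metadata: minutes from start to recovery."""
        return self.dwell_times()["TTR"]

    def missing_milestones(self) -> list:
        """Milestones the report still lacks; do not close the incident while this is non-empty."""
        return [p for p in MILESTONES[1:] if self.first(p) is None]

    def timeline_markdown(self) -> str:
        """Render the Module B timeline table from the log."""
        rows = ["| Time (UTC) | Event | Source | Action Taken |", "|---|---|---|---|"]
        rows += [f"| {e.time:%H:%M} | {e.event} | {e.source} | {e.action} |" for e in self.entries]
        return "\n".join(rows)


def example_log() -> IncidentLog:
    """Constructed sample reproducing the SIR-2026-001 timeline from the template."""
    log = IncidentLog("SIR-2026-001")
    log.record("2026-01-21 14:32", "Traffic spike detected", "Cloudflare Alert", "On-call notified", "detection")
    log.record("2026-01-21 14:35", "5x baseline traffic confirmed", "Grafana", "Incident declared")
    log.record("2026-01-21 14:38", "Geo-blocking activated", "Cloudflare", "EU/US traffic filtered")
    log.record("2026-01-21 14:42", "Attack vector identified: UDP amplification", "DPI Analysis",
               "Null-route for UDP/427", "containment")
    log.record("2026-01-21 14:55", "Traffic normalized", "Monitoring", "Mitigation confirmed", "eradication")
    log.record("2026-01-21 15:17", "All systems stable", "Status page", "Incident closed", "recovery")
    return log


if __name__ == "__main__":
    log = example_log()
    print(log.timeline_markdown())
    print(log.dwell_times(), "MTTR:", log.mttr_minutes(), "min")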

Module C: Technical Analysis & IoCs

```markdown
# Technical Analysis

## Attack Vectors (MITRE ATT&CK)

- T1498: Network Denial of Service
- T1498.001: Direct Network Flood
- T1498.002: Reflection Amplification

## Indicators of Compromise (IoCs)

### Network Artifacts

| Type | Value | Context |
|---|---|---|
| IP Range | 192.0.2.0/24 | Source (spoofed) |
| ASN | AS12345 | Amplification source |
| Port | UDP/427 | SLP Amplification |
| Signature | \x00\x00\x00\x00SLP | Payload pattern |

### System Artifacts

| Type | Value | Hash (SHA256) |
|---|---|---|
| Modified File | /var/www/shell.php | a1b2c3... |
| New User | backdoor_admin | N/A |
| Cron Job | /tmp/.hidden/beacon | d4e5f6... |

## Root Cause Analysis (5-Whys)

1. Why did the attack succeed? → Amplification ports were exposed
2. Why were ports exposed? → Firewall rules not updated after migration
3. Why weren't rules updated? → No automated validation in deployment
4. Why no automation? → Security review not in CI/CD pipeline
5. Why not in pipeline? → Technical debt, prioritized features

Root Cause: Missing security validation in deployment pipeline
```

---

4. DDoS Post-Mortem Analysis

Metrics Table

| Metric | Value | Threshold | Status |
|---|---|---|---|
| Peak Bandwidth | 45 Gbps | 10 Gbps | Exceeded |
| Peak Packets/sec | 12M PPS | 5M PPS | Exceeded |
| Peak Requests/sec | 850K RPS | 100K RPS | Exceeded |
| Unique Source IPs | 145,000 | N/A | Amplification |
| Attack Duration | 45 min | N/A | - |
| Geographic Spread | 89 countries | N/A | Global botnet |

Attack Vector Classification

| Vector | % of Traffic | Type | Mitigation |
|---|---|---|---|
| UDP Flood | 60% | Volumetric | Null-route |
| SYN Flood | 25% | Protocol | SYN cookies |
| HTTP Flood | 15% | Application | Rate limiting |

Multi-Vector Detection

Was this a smoke-screen attack?
├── Volumetric attack started: 14:32
├── Application-layer probing detected: 14:38
├── Login brute-force attempts: 14:40-14:45
└── Conclusion: Coordinated multi-vector attack

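The smoke-screen question is answered by correlating event categories in time: a volumetric flood opens a window, and any application-layer or credential activity inside it is attached and weighed. The following is an added example, not code from the skill; the event categories, the 30-minute grace window, the decision rule (two distinct secondary categories, or any credential/exfiltration category, count as coordinated) and the sample events are this example's own assumptions, with the sample reproducing the incident in the tree above.

```python
"""Smoke-screen check: do application-layer or credential events cluster with
a volumetric flood?

Added example, not code from the skill. The event categories, the correlation
window, the decision rule and the sample events are this example's assumptions.
"""
from datetime import datetime, timedelta

VOLUMETRIC = "volumetric"
# Secondary activity that, when it overlaps a flood, suggests the flood is a diversion.
SECONDARY = {
    "app_probe": "Application-layer probing detected",
    "auth_bruteforce": "Login brute-force attempts",
    "exfil_alert": "Outbound transfer anomaly",
}
HIGH_VALUE = {"auth_bruteforce", "exfil_alert"}  # one of these alone is enough to call it coordinated


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def assess_smoke_screen(events, window_minutes: int = 30) -> dict:
    """Classify a list of (start, end, category) events.

    The flood window is [earliest volumetric start, latest volumetric end + window_minutes];
    every SECONDARY event overlapping it is attached. Assumed rule: two distinct secondary
    categories, or any HIGH_VALUE category, mark a coordinated multi-vector attack.
    """
    floods = [e for e in events if e[2] == VOLUMETRIC]
    if not floods:
        return {"verdict": "No volumetric attack in this period", "flood_start": None, "secondary": []}
    flood_start = min(_ts(s) for s, _, _ in floods)
    flood_end = max(_ts(e) for _, e, _ in floods) + timedelta(minutes=window_minutes)

    secondary = [
        (cat, s, e) for s, e, cat in events
        if cat in SECONDARY and _ts(s) <= flood_end and _ts(e) >= flood_start
    ]
    secondary.sort(key=lambda x: x[1])
    categories = {cat for cat, _, _ in secondary}

    if len(categories) >= 2 or categories & HIGH_VALUE:
        verdict = "Coordinated multi-vector attack"
    elif secondary:
        verdict = "Possible smoke-screen; investigate secondary activity"
    else:
        verdict = "Isolated volumetric attack"
    return {"verdict": verdict, "flood_start": flood_start, "secondary": secondary}


def render_tree(assessment: dict) -> str:
    """Render the assessment in the tree layout used in section 4."""
    lines = ["Was this a smoke-screen attack?"]
    if assessment["flood_start"] is not None:
        lines.append(f"├── Volumetric attack started: {assessment['flood_start']:%H:%M}")
    for cat, start, end in assessment["secondary"]:
        lines.append(f"├── {SECONDARY[cat]}: {_ts(start):%H:%M}-{_ts(end):%H:%M}")
    lines.append(f"└── Conclusion: {assessment['verdict']}")
    return "\n".join(lines)


# Constructed sample reproducing the section 4 incident; the 09:10 probe is outside the window.
SAMPLE_EVENTS = [
    ("2026-01-21 09:10", "2026-01-21 09:12", "app_probe"),
    ("2026-01-21 14:32", "2026-01-21 14:55", VOLUMETRIC),
    ("2026-01-21 14:38", "2026-01-21 14:41", "app_probe"),
    ("2026-01-21 14:40", "2026-01-21 14:45", "auth_bruteforce"),
]

if __name__ == "__main__":
    print(render_tree(assess_smoke_screen(SAMPLE_EVENTS)))
```

The grace window matters: secondary activity often continues after the flood is mitigated because the flood's purpose was to keep responders busy, so ending the window at the last volumetric timestamp would miss it.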

5. CVE Correlation for DDoS

Map attack signatures to known vulnerabilities for threat intelligence.

Amplification Vector CVE Table

| Attack Type | Port | Amplification Factor | CVE | Description |
|---|---|---|---|---|
| NTP Monlist | UDP/123 | 556x | CVE-2013-5211 | NTP mode 7 monlist |
| Memcached | UDP/11211 | 51,000x | CVE-2018-1000115 | UDP reflection |
| CLDAP | UDP/389 | 70x | CVE-2020-9490 | LDAP reflection |
| SLP | UDP/427 | 2,200x | CVE-2023-29552 | Service Location Protocol |
| DNS | UDP/53 | 54x | Various | Open resolver abuse |
| SSDP | UDP/1900 | 30x | Various | UPnP reflection |
| Chargen | UDP/19 | 358x | CVE-1999-0103 | Character generator |

Analysis Example

```markdown
# CVE Correlation Analysis

Traffic analysis shows 40% of UDP flood originated from port 427. Deep Packet Inspection confirmed payloads typical for CVE-2023-29552.

Conclusion: Botnet leveraging unpatched VMware ESXi instances as SLP reflectors. Recommend:

1. Verify our infrastructure is not acting as reflector
2. Block UDP/427 at edge
3. Report to upstream provider
```

---
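The correlation in the analysis example is mechanical once flow data is available: aggregate inbound UDP bytes by source port (reflected packets carry the reflector's service port as their source port), map the significant ports to the amplification vector table, and separately check our own UDP listeners against the same table to answer recommendation 1. The following is an added example, not code from the skill; the table values are those listed in section 5, while the flow records, the listener inventory, the 5% noise threshold and the function names are constructed for this example.

```python
"""Correlate observed UDP reflection traffic with the amplification vector table
and check our own exposure as a reflector.

Added example, not code from the skill. The table values are the ones listed
in section 5; the flow records, the listening-port inventory, the noise
threshold and the function names are constructed for this example.
"""
from collections import defaultdict

# port -> (vector, amplification factor, CVE, description), from the section 5 table
AMPLIFICATION_VECTORS = {
    123: ("NTP Monlist", 556, "CVE-2013-5211", "NTP mode 7 monlist"),
    11211: ("Memcached", 51000, "CVE-2018-1000115", "UDP reflection"),
    389: ("CLDAP", 70, "CVE-2020-9490", "LDAP reflection"),
    427: ("SLP", 2200, "CVE-2023-29552", "Service Location Protocol"),
    53: ("DNS", 54, "Various", "Open resolver abuse"),
    1900: ("SSDP", 30, "Various", "UPnP reflection"),
    19: ("Chargen", 358, "CVE-1999-0103", "Character generator"),
}


def correlate_flows(flows, min_share: float = 0.05) -> list:
    """Aggregate inbound UDP bytes by source port and map significant ports to the table.

    Reflected packets arrive at the victim with the reflector's service port as the
    *source* port, so that is the field correlated. Ports carrying less than
    `min_share` of all UDP bytes are treated as noise and dropped.
    """
    bytes_by_port = defaultdict(int)
    total_udp = 0
    for flow in flows:
        if flow["proto"] != "udp":
            continue
        bytes_by_port[flow["src_port"]] += flow["bytes"]
        total_udp += flow["bytes"]
    if total_udp == 0:
        return []

    findings = []
    for port, nbytes in bytes_by_port.items():
        share = nbytes / total_udp
        if port in AMPLIFICATION_VECTORS and share >= min_share:
            vector, factor, cve, description = AMPLIFICATION_VECTORS[port]
            findings.append({"port": port, "vector": vector, "share": round(share, 3),
                             "amplification": factor, "cve": cve, "description": description})
    findings.sort(key=lambda f: f["share"], reverse=True)
    return findings


def exposed_reflector_ports(listening) -> list:
    """Recommendation 1 from the analysis example: our own UDP listeners on amplification ports."""
    return sorted({(host, port) for host, proto, port in listening
                   if proto == "udp" and port in AMPLIFICATION_VECTORS})


def correlation_markdown(findings) -> str:
    """Table rows for the Module C report."""
    rows = ["| Port | Vector | Share of UDP flood | CVE | Amplification |", "|---|---|---|---|---|"]
    rows += [f"| UDP/{f['port']} | {f['vector']} | {f['share']:.0%} | {f['cve']} | {f['amplification']}x |"
             for f in findings]
    return "\n".join(rows)


# Constructed flow summary (src_port, proto, bytes) as a flow collector might export it.
SAMPLE_FLOWS = [
    {"src_port": 427, "proto": "udp", "bytes": 2500},
    {"src_port": 427, "proto": "udp", "bytes": 1500},
    {"src_port": 123, "proto": "udp", "bytes": 3000},
    {"src_port": 11211, "proto": "udp", "bytes": 1000},
    {"src_port": 53, "proto": "udp", "bytes": 300},      # 3%: below min_share, dropped as noise
    {"src_port": 40000, "proto": "udp", "bytes": 1700},  # direct flood, not an amplification port
    {"src_port": 443, "proto": "tcp", "bytes": 500},     # not UDP, ignored
]
# Constructed inventory of our own listeners (host, proto, port).
SAMPLE_LISTENERS = [("esxi-01", "udp", 427), ("ns-01", "udp", 53), ("web-01", "tcp", 443)]

if __name__ == "__main__":
    print(correlation_markdown(correlate_flows(SAMPLE_FLOWS)))
    print("Reflector exposure:", exposed_reflector_ports(SAMPLE_LISTENERS))
```

A port match alone is circumstantial; as in the analysis example, confirm the payload pattern by DPI before the CVE goes into the report.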

6. Impact Assessment Matrix

Operational Impact

| Category | Level | Description |
|---|---|---|
| Availability | Critical | Complete outage for 15 minutes |
| Performance | High | 50% degradation for 30 minutes |
| Collateral | Medium | API gateway affected |

Financial Impact

| Category | Estimated Cost |
|---|---|
| Lost Revenue | $15,000 |
| Scrubbing Overage | $2,500 |
| Incident Response | $5,000 (8 person-hours) |
| Total | $22,500 |

Reputation Impact

| Channel | Severity | Action Required |
|---|---|---|
| Social Media | Medium | Prepared statement |
| B2B Partners | Low | Direct notification |
| Press | None | No external coverage |

7. Blameless Post-Mortem

Principles

  1. Focus on systems, not individuals: "Why did the process allow X?" not "Who did X?"
  2. Assume good intentions: Everyone acted with the best information available
  3. Learn, don't punish: Goal is improvement, not blame
  4. Share openly: Publish internally for organizational learning

Post-Mortem Template

```markdown
# Post-Mortem: [Incident Title]

## What Happened

[Factual description of the incident]

## What Went Well

- Detection was automated (0 min TTD)
- On-call responded within SLA
- Communication was clear

## What Went Wrong

- Firewall rules were outdated
- No alerting for UDP traffic spikes
- Runbook was incomplete

## Action Items

| ID | Action | Owner | Due Date | Status |
|---|---|---|---|---|
| 1 | Add security validation to CI/CD | @devops | 2026-02-01 | Open |
| 2 | Update runbook with DDoS procedures | @security | 2026-01-28 | Open |
| 3 | Implement UDP traffic alerting | @sre | 2026-02-05 | Open |

## Lessons Learned

- Automated security gates prevent configuration drift
- Regular runbook reviews are essential
- Multi-vector attacks require layered defense
```

---

8. Report Distribution

Classification Levels

| Level | Audience | Content |
|---|---|---|
| Executive | C-Level, Board | Summary, business impact, remediation status |
| Technical | Security Team, SOC | Full IoCs, TTPs, forensic details |
| Legal | Legal, Compliance | Data impact, regulatory implications |
| Public | Customers, Press | Sanitized summary, no technical details |

Retention Requirements

| Document Type | Retention | Storage |
|---|---|---|
| Full Incident Report | 7 years | Encrypted archive |
| IoC Data | 2 years | Threat Intelligence Platform |
| Logs & Evidence | 1 year | Immutable storage |

9. Checklists

Pre-Incident Preparation

  • Incident response runbooks documented
  • On-call rotation established
  • Communication templates prepared
  • Evidence collection tools ready
  • Stakeholder contact list updated

During Incident

  • Incident declared and logged
  • Timeline documentation started
  • Evidence preserved (logs, packets)
  • Stakeholders notified
  • Status page updated

Post-Incident

  • Full incident report completed
  • Post-mortem meeting scheduled
  • Action items assigned and tracked
  • Lessons learned documented
  • Controls validated/improved

References

Credits & Attribution

This skill draws from the "Handbuch für Advanced Security Incident Reporting" methodology, incorporating elements of NIST SP 800-61, SANS frameworks, and industry best practices.
Developed by webconsulting.at for the Claude skill collection.