this post was submitted on 13 Jun 2023
1 points (100.0% liked)

Blue Team

529 readers
3 users here now

Blue Teamers are the first (and sometimes last) line of defense in the ongoing cyber war. This place is to chat out detection strategies, complain about SIEMs, compare SOAR playbooks, or post mean memes about the Red Team.

founded 1 year ago
MODERATORS
 

Whether you are a buyer of security services, or a provider of them, what metrics, visuals, information is actually important to customers? What is the preferred way to consume reports - emails, dashboards, PDF reports, chat bots, smoke signals? Any thoughts and inputs much appreciated!

top 1 comments
sorted by: hot top controversial new old
[–] [email protected] 1 points 1 year ago

Proving I am in DFIR with my initial response "It depends"

I have done both, and even when doing work internally, I have identified who the report is actually designed for. Is this something the Dir of Sec wants to use as leverage with the CISO for budget? Is this report going to be parsed out to security engineers to harden systems and networks? Is this report going to be used by lawyers and insurance companies to understand what happened so they can inform shareholders, regulators, or underwriters?

Typically all my reports are narrative stories, even when doing threat hunts or security assessments. This may sound awkward, but a class on fictional writing helps for building the narration (not the content, I am still camp "The Evidence Speaks")

I use pictures and tables to emphasize points I am making in the narration, not replace it. So I will say something, then reference a figure on the same page that will help the reader understand or get a point across to them.

I try to keep the raw tech in appendices or specific chapters like, "Forensics Analysis of Host $HOSTNAME". The narration is always in time order, even for proactive assessments. So "This is what we are going to do, this is how we are going to do it, this is what we collected, this is what we did, this is what we observed, this is our analysis, this is our conclusions"

Final report goes out to to the customer I identified during scoping. I have found that report readouts are common enough in the service provider space that as I write the report, I will make notes for "If asked to do a report readout, this will be a slide" I don't make the slides until the read out is requested, but it helps to have those notes.

Last, no matter what you are writing, take a 24 break, then have your computer read it out loud to you while you read through the text. You will be amazed how many small problems like a change in verb tense, that you will pick up on. It also helps make sure your narrative flows and you can also realize where you may have repeated narrative (happens on multiple author reports often) or realize you missed something.