Overview
These are the key elements required in a narrative statement to report a cybersecurity incident:
- Incident Overview
- Any Known Compromised or Impacted Assets
- Any Known Indicators of Compromise (IOCs)
- Any Containment, Eradication, and/or Recovery Steps Taken
Incident Overview
- When the cybersecurity incident was discovered, how it was discovered, and what was observed
- Any operational or service impacts, including Public Safety and/or Critical Infrastructure disruptions
- Any third parties involved in responding to or mitigating the cybersecurity incident (e.g., vendors, NYSP, FBI, CISA, DHSES)
Any Known Compromised or Impacted Assets
- User accounts or identities, including employees, students, vendors, etc. (e.g., usernames and email addresses)
- Systems, applications, and software (e.g., servers, endpoints, or applications, including versions if known)
- Sensitive information (e.g., PCI, PHI, classified data)
Any Known Indicators of Compromise (IOCs)
Examples:
- Domains
- Hashes
- IP addresses
- URLs
- System changes
- Suspicious processes
- Network activity
- Email indicators
- Malicious files/paths
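When the IOCs above are pasted into a narrative statement, two things commonly go wrong: values are mixed together with no indication of type (a bare hex string could be an MD5 or a SHA-256; a dotted string could be a host or an IPv4 address), and live domains or URLs are left clickable, so a reader of the report can accidentally contact attacker infrastructure. The following Python script is an added example, not part of the original guidance; it classifies each indicator by its syntax, "defangs" network indicators for safe sharing, flags anything it cannot classify for manual review, and renders the section in the same heading-and-bullet layout used here. The sample indicators are constructed (a TEST-NET-2 documentation address, the reserved `.example` TLD, and the well-known hashes of the empty file); the classification rules and function names are the example's own assumptions.

```python
import ipaddress
import re
from typing import Dict, List

# Hex-digest length -> algorithm name. Only lengths an analyst is likely to
# paste into a report are recognised; anything else falls through.
HASH_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}

# Hostname per RFC 1123 label rules: 1-63 chars per label, no leading or
# trailing hyphen, at least one dot, whole name at most 253 chars.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$"
)
URL_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)

NETWORK_KINDS = ("IP address", "Domain", "URL")


def classify_ioc(value: str) -> str:
    """Return the indicator type implied by the value's syntax.

    Order matters: hashes are pure hex, so they are tested first; IP
    addresses would otherwise also satisfy the hostname regex.
    """
    v = value.strip()
    if re.fullmatch(r"[0-9a-fA-F]+", v) and len(v) in HASH_LENGTHS:
        return HASH_LENGTHS[len(v)]
    try:
        ipaddress.ip_address(v)  # accepts both IPv4 and IPv6 literals
        return "IP address"
    except ValueError:
        pass
    if URL_RE.match(v):
        return "URL"
    if DOMAIN_RE.match(v):
        return "Domain"
    return "Unclassified"


def defang(value: str, kind: str) -> str:
    """Make network indicators non-clickable: dots -> [.], http -> hxxp.

    Hashes and unclassified values are returned unchanged so they stay
    searchable in threat-intel platforms.
    """
    if kind not in NETWORK_KINDS:
        return value
    out = value.replace(".", "[.]")
    return re.sub(r"^http", "hxxp", out, flags=re.IGNORECASE)


def render_ioc_section(iocs: List[str]) -> str:
    """Group indicators by type and render the IOC section of the report."""
    grouped: Dict[str, List[str]] = {}
    for raw in iocs:
        kind = classify_ioc(raw)
        grouped.setdefault(kind, []).append(defang(raw.strip(), kind))

    lines = ["Any Known Indicators of Compromise (IOCs)"]
    for kind in sorted(grouped):
        label = kind
        if kind == "Unclassified":
            # Surface these prominently so the author fixes them before sending.
            label = "Unclassified (REVIEW BEFORE SUBMITTING)"
        lines.append(f"- {label}:")
        for v in grouped[kind]:
            lines.append(f"    - {v}")
    return "\n".join(lines)


# Constructed sample indicators: documentation address range, reserved TLD,
# and the published digests of a zero-byte file. None refers to a real incident.
SAMPLE_IOCS = [
    "198.51.100.23",
    "malware-update.example",
    "https://malware-update.example/payload.bin",
    "d41d8cd98f00b204e9800998ecf8427e",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "not a valid indicator",
]

if __name__ == "__main__":
    print(render_ioc_section(SAMPLE_IOCS))
```

Hash values are deliberately left intact: they are inert and the recipient will want to search for them verbatim, whereas a defanged domain or URL still conveys the indicator without the risk of a stray click from the report itself. Anything the script cannot classify is not silently dropped but called out for the author to correct, since an ambiguous indicator in a report is worse than a missing one.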
Any Containment, Eradication, and/or Recovery Steps Taken
Examples:
- Disabling impacted accounts
- Resetting passwords
- Isolating impacted systems
- Removing malware
- Applying patches
- Restoring systems from backups