Incident Response Report
Sample post-incident report documenting timeline, root cause, and remediation from a contained security incident.
Incident Response Report
Prepared for: Sample Client Environment
Illustrative data for demonstration purposes only
Scope
- • Incident classification: Ransomware (contained, no encryption completed)
- • Affected systems: 3 file servers, 1 domain controller
- • Response window: detection to full recovery
Executive Summary
A ransomware precursor was detected and contained before encryption began, following lateral movement from a single phished workstation. Total time from detection to containment was 4 hours 12 minutes. No data exfiltration was confirmed. Root cause was traced to a phishing email that bypassed email filtering due to a missing DMARC enforcement policy.
22 min
Time to Detection
4h 12m
Time to Containment
4
Systems Affected
None Confirmed
Data Exfiltrated
Incident Timeline
- • 14:02 — Phishing email delivered, malicious macro executed on workstation
- • 14:35 — Lateral movement detected to file server via SMB
- • 14:41 — SOC alert triggered on anomalous authentication pattern
- • 15:03 — Affected systems isolated from network
- • 18:53 — Full containment confirmed, forensic imaging began
Root Cause
- • Phishing email spoofed a trusted vendor domain lacking DMARC enforcement
- • Workstation lacked application allow-listing to block macro execution
- • Flat internal network allowed rapid lateral movement to file servers
Recommendations
- Enforce DMARC (p=reject) for all vendor domains after coordinating with affected partners.
- Deploy application allow-listing on all endpoints to block unauthorized macro/script execution.
- Accelerate the planned network segmentation project given the lateral movement speed observed.
Want the full report for your environment?
This page shows illustrative sample data. Request a scoped engagement and we'll deliver the real thing for your organization.
Request This Report