Agent-Skills.md

Agent Skills: Security Incident Reporting

>-

UncategorizedID: dirnbauer/webconsulting-skills/security-incident-reporting

Repository

dirnbauer/webconsulting-skills
dirnbauerLicense: NOASSERTION
192

Install this agent skill to your local

pnpm dlx add-skill https://github.com/dirnbauer/webconsulting-skills/tree/HEAD/skills/security-incident-reporting

Skill Files

Browse the full folder contents for security-incident-reporting.

Download Skill

Loading file tree…

skills/security-incident-reporting/SKILL.md

Skill Metadata

Name
security-incident-reporting
Description
>-

Security Incident Reporting

Comprehensive framework for documenting and analyzing security incidents, drawing from NIST SP 800-61 and SANS methodologies.

When to Use

  • After a security incident (DDoS, breach, vulnerability exploitation)
  • Creating post-mortem documentation
  • Communicating with stakeholders (C-level, legal, security teams)
  • Correlating attack patterns with known CVEs
  • Establishing incident response metrics (MTTR, dwell time)

Related Skills

1. Incident Response Framework

NIST SP 800-61 / SANS Harmonization

| Phase | NIST | SANS | Documentation Focus | |-------|------|------|---------------------| | 1 | Preparation | Preparation | Runbooks, contacts, tools | | 2 | Detection & Analysis | Identification | Initial detection, triage | | 3 | Containment | Containment | Isolation actions, timeline | | 4 | Eradication | Eradication | Root cause removal | | 5 | Recovery | Recovery | Service restoration | | 6 | Post-Incident | Lessons Learned | Post-mortem, improvements |

Documentation Principle

Logbuch-Prinzip: Document in real-time during the incident, then consolidate into the post-mortem report. Never create reports retrospectively from memory.

2. Severity Rating Systems

NCISS (National Cyber Incident Scoring System)

| Level | Score | Description | |-------|-------|-------------| | Emergency (1) | 100 | Nation-state attack, critical infrastructure | | Severe (2) | 80-99 | Significant impact, data exfiltration | | High (3) | 60-79 | Service disruption, potential data loss | | Medium (4) | 40-59 | Limited impact, contained breach | | Low (5) | 20-39 | Minor incident, no data loss | | Baseline (6) | 0-19 | Informational, false positive |

DDoS Resiliency Score (DRS)

| Level | Description | Typical Bandwidth | |-------|-------------|-------------------| | 1-2 | Simple Floods | < 1 Gbps | | 3-4 | Sophisticated Multi-Vector | 1-5 Gbps | | 5-6 | Advanced (State-Actor Level) | 5-100 Gbps | | 7 | Extreme (Hyper-Volumetric) | > 100 Gbps |

CVSS Integration

For vulnerability-based incidents, include CVSS v3.1 base score from the security-audit skill.

3. Incident Report Template

Module A: Metadata & Executive Summary

# Security Incident Report

## Metadata
| Field | Value |
|-------|-------|
| Incident ID | SIR-2026-001 |
| Classification | Confidential |
| Status | Closed / Active / Under Investigation |
| Detection Time | 2026-01-21 14:32 UTC |
| Resolution Time | 2026-01-21 15:17 UTC |
| MTTR | 45 minutes |
| Severity | High (NCISS: 65) |
| Lead Analyst | Jane Doe |
| Affected Systems | web-cluster-01, cdn-edge-eu |

## Executive Summary (max 200 words)

On [DATE], our monitoring systems detected [INCIDENT TYPE] targeting [SYSTEMS].
The attack [IMPACT DESCRIPTION]. Through [RESPONSE ACTIONS], normal operations
were restored within [TIMEFRAME]. [DATA IMPACT STATEMENT].

### Business Impact
- Service Availability: [Degraded/Offline for X minutes]
- Data Impact: [None/Potential exposure of X records]
- Financial Impact: [Estimated cost]
- Reputation Impact: [Public/Internal]

Module B: Timeline (Chronological Analysis)

## Incident Timeline

| Time (UTC) | Event | Source | Action Taken |
|------------|-------|--------|--------------|
| 14:32 | Traffic spike detected | Cloudflare Alert | On-call notified |
| 14:35 | 5x baseline traffic confirmed | Grafana | Incident declared |
| 14:38 | Geo-blocking activated | Cloudflare | EU/US traffic filtered |
| 14:42 | Attack vector identified: UDP amplification | DPI Analysis | Null-route for UDP/427 |
| 14:55 | Traffic normalized | Monitoring | Mitigation confirmed |
| 15:17 | All systems stable | Status page | Incident closed |

### Dwell Time Analysis
- Time to Detection (TTD): 0 minutes (automated)
- Time to Containment (TTC): 10 minutes
- Time to Eradication (TTE): 23 minutes
- Time to Recovery (TTR): 45 minutes

Module C: Technical Analysis & IoCs

## Technical Analysis

### Attack Vectors (MITRE ATT&CK)
- T1498: Network Denial of Service
- T1498.001: Direct Network Flood
- T1498.002: Reflection Amplification

### Indicators of Compromise (IoCs)

#### Network Artifacts
| Type | Value | Context |
|------|-------|---------|
| IP Range | 192.0.2.0/24 | Source (spoofed) |
| ASN | AS12345 | Amplification source |
| Port | UDP/427 | SLP Amplification |
| Signature | \x00\x00\x00\x00SLP | Payload pattern |

#### System Artifacts
| Type | Value | Hash (SHA256) |
|------|-------|---------------|
| Modified File | /var/www/shell.php | a1b2c3... |
| New User | backdoor_admin | N/A |
| Cron Job | /tmp/.hidden/beacon | d4e5f6... |

### Root Cause Analysis (5-Whys)
1. Why did the attack succeed? → Amplification ports were exposed
2. Why were ports exposed? → Firewall rules not updated after migration
3. Why weren't rules updated? → No automated validation in deployment
4. Why no automation? → Security review not in CI/CD pipeline
5. Why not in pipeline? → Technical debt, prioritized features

**Root Cause**: Missing security validation in deployment pipeline

4. DDoS Post-Mortem Analysis

Metrics Table

| Metric | Value | Threshold | Status | |--------|-------|-----------|--------| | Peak Bandwidth | 45 Gbps | 10 Gbps | Exceeded | | Peak Packets/sec | 12M PPS | 5M PPS | Exceeded | | Peak Requests/sec | 850K RPS | 100K RPS | Exceeded | | Unique Source IPs | 145,000 | N/A | Amplification | | Attack Duration | 45 min | N/A | - | | Geographic Spread | 89 countries | N/A | Global botnet |

Attack Vector Classification

| Vector | % of Traffic | Type | Mitigation | |--------|--------------|------|------------| | UDP Flood | 60% | Volumetric | Null-route | | SYN Flood | 25% | Protocol | SYN cookies | | HTTP Flood | 15% | Application | Rate limiting |

Multi-Vector Detection

Was this a smoke-screen attack?
├── Volumetric attack started: 14:32
├── Application-layer probing detected: 14:38
├── Login brute-force attempts: 14:40-14:45
└── Conclusion: Coordinated multi-vector attack

5. CVE Correlation for DDoS

Map attack signatures to known vulnerabilities for threat intelligence.

Amplification Vector CVE Table

| Attack Type | Port | Amplification Factor | CVE | Description | |-------------|------|---------------------|-----|-------------| | NTP Monlist | UDP/123 | 556x | CVE-2013-5211 | NTP mode 7 monlist | | Memcached | UDP/11211 | 51,000x | CVE-2018-1000115 | UDP reflection | | CLDAP | UDP/389 | 70x | CVE-2020-9490 | LDAP reflection | | SLP | UDP/427 | 2,200x | CVE-2023-29552 | Service Location Protocol | | DNS | UDP/53 | 54x | Various | Open resolver abuse | | SSDP | UDP/1900 | 30x | Various | UPnP reflection | | Chargen | UDP/19 | 358x | CVE-1999-0103 | Character generator |

Analysis Example

## CVE Correlation Analysis

Traffic analysis shows 40% of UDP flood originated from port 427.
Deep Packet Inspection confirmed payloads typical for CVE-2023-29552.

**Conclusion**: Botnet leveraging unpatched VMware ESXi instances as
SLP reflectors. Recommend:
1. Verify our infrastructure is not acting as reflector
2. Block UDP/427 at edge
3. Report to upstream provider

6. Impact Assessment Matrix

Operational Impact

| Category | Level | Description | |----------|-------|-------------| | Availability | Critical | Complete outage for 15 minutes | | Performance | High | 50% degradation for 30 minutes | | Collateral | Medium | API gateway affected |

Financial Impact

| Category | Estimated Cost | |----------|----------------| | Lost Revenue | $15,000 | | Scrubbing Overage | $2,500 | | Incident Response | $5,000 (8 person-hours) | | Total | $22,500 |

Reputation Impact

| Channel | Severity | Action Required | |---------|----------|-----------------| | Social Media | Medium | Prepared statement | | B2B Partners | Low | Direct notification | | Press | None | No external coverage |

7. Blameless Post-Mortem

Principles

  1. Focus on systems, not individuals: "Why did the process allow X?" not "Who did X?"
  2. Assume good intentions: Everyone acted with the best information available
  3. Learn, don't punish: Goal is improvement, not blame
  4. Share openly: Publish internally for organizational learning

Post-Mortem Template

## Post-Mortem: [Incident Title]

### What Happened
[Factual description of the incident]

### What Went Well
- Detection was automated (0 min TTD)
- On-call responded within SLA
- Communication was clear

### What Went Wrong
- Firewall rules were outdated
- No alerting for UDP traffic spikes
- Runbook was incomplete

### Action Items
| ID | Action | Owner | Due Date | Status |
|----|--------|-------|----------|--------|
| 1 | Add security validation to CI/CD | @devops | 2026-02-01 | Open |
| 2 | Update runbook with DDoS procedures | @security | 2026-01-28 | Open |
| 3 | Implement UDP traffic alerting | @sre | 2026-02-05 | Open |

### Lessons Learned
- Automated security gates prevent configuration drift
- Regular runbook reviews are essential
- Multi-vector attacks require layered defense

8. Report Distribution

Classification Levels

| Level | Audience | Content | |-------|----------|---------| | Executive | C-Level, Board | Summary, business impact, remediation status | | Technical | Security Team, SOC | Full IoCs, TTPs, forensic details | | Legal | Legal, Compliance | Data impact, regulatory implications | | Public | Customers, Press | Sanitized summary, no technical details |

Retention Requirements

| Document Type | Retention | Storage | |---------------|-----------|---------| | Full Incident Report | 7 years | Encrypted archive | | IoC Data | 2 years | Threat Intelligence Platform | | Logs & Evidence | 1 year | Immutable storage |

9. Checklists

Pre-Incident Preparation

  • [ ] Incident response runbooks documented
  • [ ] On-call rotation established
  • [ ] Communication templates prepared
  • [ ] Evidence collection tools ready
  • [ ] Stakeholder contact list updated

During Incident

  • [ ] Incident declared and logged
  • [ ] Timeline documentation started
  • [ ] Evidence preserved (logs, packets)
  • [ ] Stakeholders notified
  • [ ] Status page updated

Post-Incident

  • [ ] Full incident report completed
  • [ ] Post-mortem meeting scheduled
  • [ ] Action items assigned and tracked
  • [ ] Lessons learned documented
  • [ ] Controls validated/improved

References

Credits & Attribution

This skill draws from the "Handbuch für Advanced Security Incident Reporting" methodology, incorporating elements of NIST SP 800-61, SANS frameworks, and industry best practices.

Developed by webconsulting.at for the Claude skill collection.

Source: https://github.com/dirnbauer/webconsulting-skills Thanks to Netresearch DTT GmbH for their contributions to the TYPO3 community.