11.11 CISO Report

4-6 hours · Module 11

CISO Report

The investigation is complete. The containment and eradication actions are executed. The scope is assessed. Now you write the report. This subsection teaches you to write an executive incident report that a CISO reads, understands, acts on, and uses to secure budget for hardening.


The IR report structure

Every incident report follows this structure. This is the IR report template artifact you leave this module with.

1. Executive Summary (1 paragraph, 4-6 sentences). What happened, when, how it was detected, what was affected, what was done, and what is the current status. Written for someone who reads only this paragraph.

Example: “Between 27-28 February 2026, Northgate Engineering was targeted by a multi-wave adversary-in-the-middle (AiTM) credential phishing campaign. The attacker sent phishing emails to 15 employees using domains that mimicked Microsoft login pages. Three employee accounts were compromised via session token theft that bypassed MFA. The attacker accessed approximately 545 emails across three mailboxes, created persistence mechanisms (inbox rules and mail forwarding), and attempted a £47,000 vendor payment diversion via BEC. All compromised accounts were contained within 34 hours of the first alert. The BEC attempt was intercepted before any financial loss. Hardening recommendations are detailed in Section 7.”

2. Timeline. Chronological list of events from first phishing email to final containment action. Each entry: timestamp (UTC), event description, source (which log/table), and action taken.

3. Scope. Number of users targeted, number who clicked, number compromised, data exposure per account (email count, access duration), and whether PII/financial/sensitive data was accessed.

4. Containment Actions. Every containment action with timestamp, who executed it, and verification status. References subsection 11.7.

5. Eradication Actions. Every persistence mechanism removed with timestamp and verification. References subsection 11.8.

6. Root Cause. Why the attack succeeded. For AiTM: MFA was configured but token binding was not. The phishing URL was not blocked because the domain was newly registered. Internal phishing sent from the compromised accounts bypassed Safe Links because of internal sender trust.

7. Recommendations. Specific hardening actions with: the control, the blast radius, the estimated cost, the compliance requirement it satisfies, and the priority. References subsection 11.12.

8. Appendices. Campaign infrastructure table (from 11.9), scope summary table (from 11.10), and IOC list for threat intelligence sharing.
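Added example, not part of the course material: a small Python generator that turns structured incident data into the eight-section report skeleton above. It enforces the template's rules that a careful reviewer checks by hand (every timestamp is UTC, the timeline is chronological, recommendations are ordered by priority) and derives the "contained within N hours of the first alert" figure for the executive summary from the timeline instead of letting someone type it. The organisation name, log sources, timestamps, counts and IOC in sample_incident() are constructed for illustration and are not from a real case; the section names and field lists are the template's own.

```python
"""Added example (not course material): render the 8-section IR report from
structured incident data. All values in sample_incident() are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
SECTIONS = ["Executive Summary", "Timeline", "Scope", "Containment Actions",
            "Eradication Actions", "Root Cause", "Recommendations", "Appendices"]


@dataclass(frozen=True)
class TimelineEntry:
    ts: datetime      # timezone-aware, UTC (validated below)
    kind: str         # attack | detection | containment | eradication
    event: str
    source: str       # which log/table the fact came from
    action: str       # what the responder did


@dataclass(frozen=True)
class Recommendation:
    control: str
    blast_radius: str
    cost: str
    compliance: str
    priority: int     # 1 = do first


@dataclass
class Incident:
    org: str
    timeline: list[TimelineEntry]
    scope: dict[str, int]
    root_cause: list[str]
    recommendations: list[Recommendation]
    appendices: dict[str, list[str]] = field(default_factory=dict)


def validate_timeline(entries: list[TimelineEntry]) -> bool:
    """Reject naive or non-UTC timestamps and out-of-order entries before rendering."""
    for e in entries:
        if e.ts.tzinfo is None or e.ts.utcoffset() != timedelta(0):
            raise ValueError(f"timestamp is not UTC: {e.event}")
    for a, b in zip(entries, entries[1:]):
        if b.ts < a.ts:
            raise ValueError(f"timeline out of order at: {b.event}")
    return True


def hours_between(entries, start_kind: str, end_kind: str) -> float:
    """Hours from the first event of start_kind to the last event of end_kind."""
    starts = [e.ts for e in entries if e.kind == start_kind]
    ends = [e.ts for e in entries if e.kind == end_kind]
    if not starts or not ends:
        raise ValueError(f"timeline has no {start_kind}/{end_kind} events")
    return round((max(ends) - min(starts)).total_seconds() / 3600, 1)


def executive_summary(inc: Incident) -> str:
    """One paragraph for the reader who reads nothing else; numbers come from the data."""
    first, last = inc.timeline[0].ts, inc.timeline[-1].ts
    ttc = hours_between(inc.timeline, "detection", "containment")
    return (f"Between {first:%d} and {last:%d %B %Y}, {inc.org} was targeted by a "
            f"credential phishing campaign. {inc.scope['targeted']} employees were "
            f"targeted and {inc.scope['compromised']} accounts were compromised; "
            f"{inc.scope['emails_accessed']} emails were accessed. All compromised "
            f"accounts were contained within {ttc} hours of the first alert. "
            f"Hardening recommendations are detailed in Section 7.")


def render_report(inc: Incident) -> dict[str, str]:
    """Build all eight sections, keyed by section name, in template order."""
    validate_timeline(inc.timeline)

    def row(e: TimelineEntry) -> str:   # timestamp (UTC) | event | source | action
        return f"{e.ts:%Y-%m-%d %H:%MZ} | {e.event} | {e.source} | {e.action}"

    def by_kind(kind: str) -> str:
        return "\n".join(row(e) for e in inc.timeline if e.kind == kind) or "(none)"

    recs = sorted(inc.recommendations, key=lambda r: r.priority)
    body = [
        executive_summary(inc),
        "\n".join(row(e) for e in inc.timeline),
        "\n".join(f"{k}: {v}" for k, v in inc.scope.items()),
        by_kind("containment"),
        by_kind("eradication"),
        "\n".join(f"- {line}" for line in inc.root_cause),
        "\n".join(f"P{r.priority} {r.control} | radius: {r.blast_radius} | "
                  f"cost: {r.cost} | {r.compliance}" for r in recs),
        "\n".join(f"{n}: {', '.join(v)}" for n, v in inc.appendices.items()) or "(none)",
    ]
    return dict(zip(SECTIONS, body))


def to_text(report: dict[str, str]) -> str:
    return "\n\n".join(f"{i}. {n}\n{report[n]}" for i, n in enumerate(SECTIONS, 1))


def sample_incident() -> Incident:
    """Constructed data shaped like this module's scenario; not a real case."""
    def t(d, h, m):
        return datetime(2026, 2, d, h, m, tzinfo=UTC)
    return Incident(
        org="Example Co (constructed)",
        timeline=[
            TimelineEntry(t(27, 8, 2), "attack", "First phishing email delivered", "EmailEvents", "none"),
            TimelineEntry(t(27, 9, 15), "detection", "Risky sign-in alert, user A", "sign-in logs", "triage opened"),
            TimelineEntry(t(27, 11, 40), "attack", "Inbox rule created on mailbox A", "CloudAppEvents", "none"),
            TimelineEntry(t(28, 6, 0), "eradication", "Inbox rule and forwarding removed", "CloudAppEvents", "verified"),
            TimelineEntry(t(28, 19, 15), "containment", "Sessions revoked, passwords reset (3 accounts)", "audit log", "verified"),
        ],
        scope={"targeted": 15, "clicked": 5, "compromised": 3, "emails_accessed": 545},
        root_cause=["MFA configured but no token binding", "Newly registered phishing domain not blocked"],
        recommendations=[
            Recommendation("FIDO2 keys for admins", "admin accounts", "hardware cost per admin", "ISO 27001 A.5.27", 2),
            Recommendation("Conditional Access token protection", "all users", "£0 licensing, ~4h effort", "NIST CSF RS.CO-3", 1),
        ],
        appendices={"IOCs": ["phishing-domain.example (constructed placeholder)"]},
    )


if __name__ == "__main__":
    print(to_text(render_report(sample_incident())))
```

Running it prints the numbered sections in the order the template mandates; with the constructed timestamps the summary reads "contained within 34.0 hours of the first alert", because the figure is measured from the first detection event to the last containment event rather than typed in. Feeding the entries in the wrong order, or with a naive timestamp, raises before any text is produced, which is the failure mode you want at report time rather than in front of the CISO.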


Writing for executives

The CISO does not want KQL. They want: what happened, what is the business impact, what do we need to do to prevent recurrence, and how much will it cost. Translate every technical finding into business language.

Technical: “The attacker replayed a stolen OAuth session token from IP 203.0.113.47 to access the MailItemsAccessed API, reading 340 email items over a 3-hour period.”

Executive: “The attacker used a stolen authentication credential to read 340 emails from the Finance Manager’s mailbox over 3 hours. The emails may contain vendor payment details, employee financial data, and board communications.”

Quantify the business impact: “The attacker attempted to divert a £47,000 vendor payment. This was intercepted. If the BEC attempt had succeeded, the financial loss would have been £47,000 plus investigation and remediation costs.”

Quantify the prevention cost: “Deploying token binding (Recommendation 1) costs £0 in licensing (included in E5) and requires approximately 4 hours of IT effort. It would have prevented this entire incident.”

Compliance mapping: NIST CSF RS.CO-2 (Information is shared consistent with response plans), RS.CO-3 (Improvement activities are shared with stakeholders). ISO 27001 A.5.27 (Learning from information security incidents).

Subsection artifact: The IR report template structure above. This is a reusable template for any M365 security incident — not just AiTM. Modify the specifics for each incident; the structure remains the same.


Knowledge check

Check your understanding

1. The CISO asks: "Could this happen again?" What is the correct answer?

Yes — until token binding or FIDO2 is deployed. The attacker's specific infrastructure is blocked, but any AiTM toolkit can replicate the attack using new domains and IPs. The root cause is the absence of token binding, not the specific phishing domain. Recommendation: deploy conditional access token protection (subsection 11.12), which definitively prevents token replay regardless of the phishing infrastructure used. This is the answer that secures budget for hardening.
No — we blocked the attacker's IP and domain
Only if users click phishing links again
We need more security training for users