12.11 CISO Report
The investigation is complete. The containment and eradication actions are executed. The scope is assessed. Now you write the report. This subsection teaches you to write an executive incident report that a CISO reads, understands, acts on, and uses to secure budget for hardening.
The IR report structure
Every incident report follows this structure. This is the IR report template artifact you leave this module with.
1. Executive Summary (1 paragraph, 4-6 sentences). What happened, when, how it was detected, what was affected, what was done, and what is the current status. Written for someone who reads only this paragraph.
Example: “Between 27-28 February 2026, Northgate Engineering was targeted by a multi-wave adversary-in-the-middle (AiTM) credential phishing campaign. The attacker sent phishing emails to 15 employees using domains that mimicked Microsoft login pages. Three employee accounts were compromised via session token theft that bypassed MFA. The attacker accessed approximately 545 emails across three mailboxes, created persistence mechanisms (inbox rules and mail forwarding), and attempted a £47,000 vendor payment diversion via BEC. All compromised accounts were contained within 34 hours of the first alert. The BEC attempt was intercepted before any financial loss. Hardening recommendations are detailed in Section 7.”
2. Timeline. Chronological list of events from first phishing email to final containment action. Each entry: timestamp (UTC), event description, source (which log/table), and action taken.
3. Scope. Number of users targeted, number who clicked, number compromised, data exposure per account (email count, access duration), and whether PII/financial/sensitive data was accessed.
4. Containment Actions. Every containment action with timestamp, who executed it, and verification status. References subsection 12.7.
5. Eradication Actions. Every persistence mechanism removed with timestamp and verification. References subsection 12.8.
6. Root Cause. Why the attack succeeded, stated as control gaps rather than blame. For this AiTM incident: MFA was configured but token binding was not, so a session token stolen by the proxy could be replayed from attacker infrastructure. The phishing URL was not blocked because the domain was newly registered and had no reputation yet. The internal phishing wave sent from the already-compromised accounts bypassed Safe Links because of internal sender trust.
7. Recommendations. Specific hardening actions with: the control, the blast radius, the estimated cost, the compliance requirement it satisfies, and the priority. References subsection 12.12.
8. Appendices. Campaign infrastructure table (from 11.9), scope summary table (from 11.10), and IOC list for threat intelligence sharing.
Writing for executives
The CISO does not want KQL. They want: what happened, what is the business impact, what do we need to do to prevent recurrence, and how much will it cost. Translate every technical finding into business language.
Technical: “The attacker replayed a stolen OAuth session token from IP 203.0.113.47 to access the MailItemsAccessed API, reading 340 email items over a 3-hour period.”
Executive: “The attacker used a stolen login session, which bypassed MFA, to read 340 emails from the Finance Manager’s mailbox over 3 hours. The emails may contain vendor payment details, employee financial data, and board communications.”
Quantify the business impact: “The attacker attempted to divert a £47,000 vendor payment. This was intercepted. If the BEC attempt had succeeded, the financial loss would have been £47,000 plus investigation and remediation costs.”
Quantify the prevention cost: “Deploying token binding (Recommendation 1) costs £0 in licensing (included in E5) and requires approximately 4 hours of IT effort. It would have blocked the session token replay that turned the phishing clicks into account compromise.”
Compliance mapping: NIST CSF RS.CO-2 (Information is shared consistent with response plans), RS.CO-3 (Improvement activities are shared with stakeholders). ISO 27001 A.5.27 (Learning from information security incidents).
Subsection artifact: The IR report template structure above. This is a reusable template for any M365 security incident — not just AiTM. Modify the specifics for each incident; the structure remains the same.
Knowledge check
The executive summary — writing it in 60 seconds
During an active incident, you do not have time to write a polished report. But the CISO needs an update. Draft the executive summary as a structured fill-in:
Template: “Between [start date] and [end date], [organisation] was targeted by a [attack type] campaign. The attacker [how they gained access]. [Number] employee accounts were compromised. The attacker [what they did — read email, created rules, attempted fraud]. [Financial impact, if any]. All compromised accounts were contained by [containment time]. [Current status — eradication complete, monitoring in progress]. Hardening recommendations are in Section 7.”
Fill in for INC-2026-0227-001: “Between 27-28 February 2026, Northgate Engineering was targeted by a multi-wave adversary-in-the-middle (AiTM) credential phishing campaign. The attacker sent phishing emails from domains mimicking Microsoft login pages, capturing session tokens that bypassed MFA. Three employee accounts were compromised. The attacker accessed approximately 545 emails, created inbox forwarding rules, and attempted a £47,000 vendor payment diversion via BEC. All compromised accounts were contained within 34 hours. The BEC attempt was intercepted before financial loss. Hardening recommendations are in Section 7.”
That summary took 60 seconds to write because the template forced the structure. In a real incident: fill in the template within the first hour, send it to the CISO, and refine it as the investigation progresses. The CISO would rather have an accurate 60-second summary now than a polished 2-page summary in 6 hours.
Updating the report as the investigation progresses: Send version updates at natural milestone points: initial scope assessed (v1), containment complete (v2), eradication complete (v3), final with recommendations (v4). Each version builds on the previous — the CISO sees the investigation progressing and can brief upward at any point using the latest version.
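The Scope numbers in the summary (three accounts, approximately 545 emails, access duration per mailbox) should come from the audit data, not from memory. The following is an added example, not part of the course material, that derives the per-account exposure from constructed audit records and then fills the executive-summary template above from those numbers. The record fields (Operation, UserId, ClientIP, CreationTime, OperationCount) mirror the MailItemsAccessed audit event as an assumption, the records themselves are constructed, and the attacker IP is the page's own 203.0.113.47 example. The check a practitioner wants is built in: only MailItemsAccessed events from attacker infrastructure are counted, so the user's own reads and non-read operations (inbox rule creation) do not inflate the exposure figure.

```python
"""Added example, not part of the course material: derive the Scope numbers
and a draft executive summary from constructed audit records."""
from collections import defaultdict
from datetime import datetime

# Constructed audit records (not real log data). Field names mirror the
# Unified Audit Log MailItemsAccessed event as an assumption; OperationCount
# is taken to mean the number of mail items covered by one aggregated record.
AUDIT_RECORDS = [
    {"Operation": "MailItemsAccessed", "UserId": "fin.manager@northgate.example",
     "ClientIP": "203.0.113.47", "CreationTime": "2026-02-27T09:12:00Z", "OperationCount": 120},
    {"Operation": "MailItemsAccessed", "UserId": "fin.manager@northgate.example",
     "ClientIP": "203.0.113.47", "CreationTime": "2026-02-27T10:05:00Z", "OperationCount": 140},
    {"Operation": "MailItemsAccessed", "UserId": "fin.manager@northgate.example",
     "ClientIP": "203.0.113.47", "CreationTime": "2026-02-27T12:10:00Z", "OperationCount": 80},
    # The user's own reads from the corporate egress IP: not attacker exposure.
    {"Operation": "MailItemsAccessed", "UserId": "fin.manager@northgate.example",
     "ClientIP": "198.51.100.10", "CreationTime": "2026-02-27T11:00:00Z", "OperationCount": 50},
    {"Operation": "MailItemsAccessed", "UserId": "a.smith@northgate.example",
     "ClientIP": "203.0.113.47", "CreationTime": "2026-02-27T14:00:00Z", "OperationCount": 150},
    {"Operation": "MailItemsAccessed", "UserId": "a.smith@northgate.example",
     "ClientIP": "203.0.113.47", "CreationTime": "2026-02-28T08:30:00Z", "OperationCount": 30},
    {"Operation": "MailItemsAccessed", "UserId": "b.jones@northgate.example",
     "ClientIP": "203.0.113.47", "CreationTime": "2026-02-28T09:00:00Z", "OperationCount": 25},
    # Persistence, not data exposure: belongs in Eradication, not counted here.
    {"Operation": "New-InboxRule", "UserId": "b.jones@northgate.example",
     "ClientIP": "203.0.113.47", "CreationTime": "2026-02-28T09:02:00Z", "OperationCount": 1},
]

# Attacker infrastructure, as it would come from the campaign infrastructure
# table in the appendix (assumed; value taken from the page's own example).
ATTACKER_IPS = {"203.0.113.47"}


def _utc(ts):
    """Parse the ISO-8601 'Z' timestamps the audit log uses."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def scope_per_account(records, attacker_ips):
    """Per-account exposure: mail items read from attacker infrastructure,
    plus first/last access time and the access window in hours.
    Only MailItemsAccessed events from attacker IPs count."""
    acc = defaultdict(lambda: {"items": 0, "first": None, "last": None})
    for r in records:
        if r["Operation"] != "MailItemsAccessed" or r["ClientIP"] not in attacker_ips:
            continue
        a = acc[r["UserId"]]
        t = _utc(r["CreationTime"])
        a["items"] += int(r["OperationCount"])
        a["first"] = t if a["first"] is None else min(a["first"], t)
        a["last"] = t if a["last"] is None else max(a["last"], t)
    for a in acc.values():
        a["hours"] = round((a["last"] - a["first"]).total_seconds() / 3600, 2)
    return dict(acc)


def scope_totals(scope):
    """(accounts compromised, total mail items exposed) for the Scope section."""
    return len(scope), sum(a["items"] for a in scope.values())


def draft_executive_summary(org, start, end, attack_type, access_method, scope,
                            actions, financial_impact, contained_within, status):
    """Fill the executive-summary template from the computed scope numbers."""
    accounts, items = scope_totals(scope)
    sentences = [
        f"Between {start} and {end}, {org} was targeted by a {attack_type} campaign.",
        f"The attacker {access_method}.",
        f"{accounts} employee accounts were compromised.",
        f"The attacker accessed approximately {items} emails across {accounts} mailboxes, {actions}.",
    ]
    if financial_impact:
        sentences.append(financial_impact)
    sentences += [
        f"All compromised accounts were contained within {contained_within}.",
        f"{status}.",
        "Hardening recommendations are in Section 7.",
    ]
    return " ".join(sentences)


if __name__ == "__main__":
    scope = scope_per_account(AUDIT_RECORDS, ATTACKER_IPS)
    for user, a in sorted(scope.items()):
        print(f"{user}: {a['items']} items over {a['hours']} h "
              f"({a['first']:%Y-%m-%d %H:%M}Z to {a['last']:%Y-%m-%d %H:%M}Z)")
    print(draft_executive_summary(
        "Northgate Engineering", "27 February 2026", "28 February 2026",
        "multi-wave adversary-in-the-middle (AiTM) credential phishing",
        "sent phishing emails from domains mimicking Microsoft login pages, "
        "capturing session tokens that bypassed MFA",
        scope,
        "created inbox forwarding rules, and attempted a £47,000 vendor payment diversion via BEC",
        "The BEC attempt was intercepted before any financial loss.",
        "34 hours of the first alert",
        "Eradication is complete and monitoring is in progress"))
```

The per-account window (first to last attacker access) is what goes in the Scope table as "access duration"; the Finance Manager's 3-hour window here is the same figure the executive translation above quotes. Re-run the script at each report version as new audit records arrive, and the summary numbers update with the evidence rather than drifting from it.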
Try it yourself
Using the template, write the executive summary for the Northgate Engineering AiTM incident in under 2 minutes. Time yourself. Then compare with the example above. The exercise is not about producing perfect prose — it is about producing an accurate, structured summary under time pressure. This is the skill you need at 09:30 when the CISO calls asking "what happened?"
What you should produce
A 4-6 sentence summary covering: what happened (AiTM phishing), when (27-28 Feb), scope (3 accounts, 545 emails), impact (BEC attempt, £47K, intercepted), current status (contained), and next steps (hardening recommendations). If your summary takes more than 2 minutes: the template needs practice.
Check your understanding
1. The CISO asks: "Could this happen again?" What is the correct answer?