Blue Team Report (BTR)
| No: 562240000067 | Date(g): 13/5/2019 | Date(h): 9/9/1440 | Status: In-Force |
After the distribution of the Red Team Evaluation Report, the Blue Team will generate their own report. This report should be based on the monitoring and detection alerts, response and recover activities and process-steps taken by the Blue Team during the exercise. The report should include the defense and monitoring techniques and capabilities that the Blue Team is currently using to detect cyber security attacks (e.g. events, alerts, incidents). The report should also include the Blue Team's observations regarding the identified limitations or weaknesses.
Below the outline of the report and the required elements (not limiative):
| Blue Team Report (BTR) | ||
| 1. | Introduction | |
| 2. | Executive summary | |
| 3. | Background of the report | |
| Goal and objectives of the red teaming test | ||
| 4. | Introduction into the financial sector current threat landscape and cyber-attack trends | |
| 5. | Explanation of the current incident handling, incident response and crisis management processes regarding cyber incidents within the Member Organization | |
| Process flows | ||
| People/teams involved | ||
| Overview of the relevant tasks and responsibilities | ||
| 6. | Time line of the detected activities or generated alerts (against the performed red teaming exercise and activities) | |
| 7. | Observations per performed attack scenario (chronological) | |
| First notification(s) or s) | ||
| The monitoring and defense tools and techniques used | ||
| Incident response plan and steps performed (e.g. was the crisis management organization activated and what where the observations) | ||
| Involvement of other departments (e.g. Help desk, CISO, CIO, HR, Legal, Public Relations) | ||
| What where the results reported by the Red Team | ||
| What went well or what can or should be improved | ||
| Results of the root-cause analysis performed | ||
| 8. | Recommendations or areas of improvement | |
| Recommendations focused on people, process and technology, | ||
| Recommendations focused on detection, response and recover | ||
| Suggested priority rating for each recommendation | ||
| Roadmap for the suggested improvements | ||
| Suggested input for upcoming cyber security awareness campaigns | ||
| 9. | Conclusions | |
| An overall conclusion of the current cyber resilience state of the Member Organization | ||
| The conclusions regarding the required and suggested improvements (from both the Blue and Red Team) | ||
| Detailed conclusions for each attack scenario performed and the state of the current capabilities of the Blue Team | ||
| Appendices | ||
| The list of involved departments, teams and team members | ||
| Screenshots with supporting evidence | ||
| Any other supportive materials | ||
| The report should be classified as: Confidential | ||