TL;DR
Why Should I Care? Non-technical elements of cyber security, such as report writing, are often the main deliverable item. As an industry, we seem to neglect developing our non-technical skills by default.
What Should I Consider? Work on improving your technical writing to improve the quality of the final deliverable item, which in most cases is a report.
Introduction
One of my goals for 2023 was to improve my report writing ability. In fact, that goal was one of the reasons I created this blog. I’ve compiled a collection of the tips and tricks I’ve found whilst trying to improve.
It is widely known that, as an industry, we seem to focus on the technical and often leave the non-technical, such as report writing, behind. Several resources exist for penetration testing technical writing; I got a lot of value from them and applied what I learned to DFIR.
A Report’s Purpose
A well-crafted DFIR report should not only serve as a record of the investigation but also empower the organisation and the reader to improve their security defences. Whilst findings will be presented and discussed during an engagement, the report will serve as the final deliverable item. It is the item that will potentially be shared beyond the incident response group. It will serve as a reflection of your organisation’s quality of work as well as your own. Essentially, the report is very important.
Storytelling
Take the readers on a journey through the incident. Explain the sequence of events, the impact and the Threat Actor’s possible motives. Reduce the larger incident into smaller portions that stand independently, making the report more comprehensive.
Language and Tone
Your report is likely to be read by non-technical executives as well as technical teams, so it should cater to everyone who may potentially read it. You should explain and elaborate wherever possible. Remain factual and professional at all times throughout the report. Emotional language can be interpreted in unintended ways.
Visual Elements
Enhance the findings and quality of the report with visual elements such as images, timelines and attack charts. Screenshots can assist the reader to visualise what occurred.
While working in dark mode is the default for technical professionals, screenshots should be adjusted for white report backgrounds. This will involve switching to light mode for screenshots. I’ve found that Greenshot’s invert feature is great for this with a solid black dark mode style.
Improvements
Reading your report aloud can reveal overlooked errors. I’ve also found that letting the report sit on your mind will often spark different ways to enhance the quality. A report review process with colleagues is also always a great way to get feedback on your writing style, consistency and other improvements.
Resources
- Things NOT to Do in Pentest Reports - Black Hills Information Security | Bronwen Aker: https://www.youtube.com/watch?v=eWNqaFf60fg&t=0s