incident response

Building Malware Incident Communication Template

Build structured communication templates for malware incidents including stakeholder notifications, executive briefings, technical advisories, and regulatory disclosures with severity-based escalation procedures.

crisis-communicationexecutive-briefingincident-communicationmalware-responseregulatory-disclosurestakeholder-notification
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

Overview

Effective communication during malware incidents is critical for coordinated response, stakeholder management, and regulatory compliance. A structured communication framework ensures the right people receive appropriate information at the right time, preventing panic while maintaining transparency. Communication templates should cover internal escalation, executive briefings, technical advisories for IT teams, customer notifications, regulatory disclosures, and media statements. The framework must account for different malware types (ransomware, wiper, trojan, worm) and severity levels that drive escalation speed and audience.

When to Use

  • When deploying or configuring building malware incident communication template capabilities in your environment
  • When establishing security controls aligned to compliance requirements
  • When building or improving security architecture for this domain
  • When conducting security assessments that require this implementation

Prerequisites

  • Familiarity with incident response concepts and tools
  • Access to a test or lab environment for safe execution
  • Python 3.8+ with required dependencies installed
  • Appropriate authorization for any testing activities

Communication Framework

Severity Classification

Severity Description Notification Timeline Audience
P1 - Critical Ransomware, wiper, or widespread infection affecting business operations Within 15 minutes CISO, CEO, Legal, Board (if applicable)
P2 - High Targeted malware on critical systems, data exfiltration suspected Within 1 hour CISO, IT Director, Legal
P3 - Medium Contained malware infection, limited spread Within 4 hours Security Manager, IT Director
P4 - Low Single endpoint infection, quickly contained Within 24 hours Security Team Lead

Communication Channels

Channel Use Case Security Level
Out-of-band phone calls Initial critical notifications Highest
Encrypted messaging (Signal) Real-time IR team coordination High
Secure email (encrypted) Formal notifications, documentation High
War room (physical/virtual) Ongoing incident coordination Medium
Incident ticketing system Status tracking and documentation Medium
Company intranet Broad employee communication Standard

Template 1: Initial Incident Notification (Internal)

SUBJECT: [SEVERITY] Malware Incident - Initial Notification - [DATE/TIME UTC]
 
CLASSIFICATION: CONFIDENTIAL - IR TEAM ONLY
 
INCIDENT ID: IR-[YEAR]-[NUMBER]
DETECTION TIME: [YYYY-MM-DD HH:MM UTC]
NOTIFICATION TIME: [YYYY-MM-DD HH:MM UTC]
SEVERITY: [P1/P2/P3/P4]
 
SUMMARY:
A malware incident has been detected affecting [NUMBER] systems in
[DEPARTMENT/LOCATION]. The malware has been identified as [TYPE] with
[KNOWN/UNKNOWN] characteristics.
 
CURRENT IMPACT:
- Systems affected: [COUNT and DESCRIPTION]
- Business functions impacted: [LIST]
- Data at risk: [DESCRIPTION]
- Current spread status: [CONTAINED/SPREADING/UNKNOWN]
 
IMMEDIATE ACTIONS TAKEN:
1. [ACTION - e.g., Affected endpoints isolated from network]
2. [ACTION - e.g., EDR containment policies activated]
3. [ACTION - e.g., Security team mobilized]
 
NEXT STEPS:
1. [PLANNED ACTION with TIMELINE]
2. [PLANNED ACTION with TIMELINE]
 
INCIDENT COMMANDER: [NAME]
CONTACT: [PHONE/ENCRYPTED CHANNEL]
 
NEXT UPDATE: [TIME] or sooner if situation changes
 
---
Do not forward this notification outside the IR team.

Template 2: Executive Briefing

SUBJECT: Executive Briefing - Malware Incident IR-[YEAR]-[NUMBER]
 
FOR: [CEO / CISO / CIO / Board]
FROM: [Incident Commander]
DATE: [DATE]
UPDATE: [#]
 
SITUATION SUMMARY:
[2-3 sentences describing the incident in business terms]
 
BUSINESS IMPACT:
- Revenue impact: [ESTIMATED/NONE/UNDER ASSESSMENT]
- Operational impact: [DESCRIPTION]
- Customer impact: [DESCRIPTION]
- Regulatory implications: [DESCRIPTION]
 
CURRENT STATUS: [DETECTED / CONTAINED / ERADICATING / RECOVERING]
 
KEY DECISIONS NEEDED:
1. [DECISION with context and recommendation]
2. [DECISION with context and recommendation]
 
TIMELINE:
- [TIME]: Incident detected
- [TIME]: Containment initiated
- [TIME]: [MILESTONE]
- [TIME]: Estimated recovery (if known)
 
EXTERNAL COMMUNICATION STATUS:
- Regulatory notification: [REQUIRED/SUBMITTED/NOT REQUIRED]
- Customer notification: [REQUIRED/PLANNED/NOT REQUIRED]
- Law enforcement: [ENGAGED/PLANNED/NOT APPLICABLE]
 
RESOURCE REQUIREMENTS:
- [RESOURCE NEED - e.g., External IR firm engagement]
- [RESOURCE NEED - e.g., Additional hardware for rebuild]
 
NEXT UPDATE: [TIME]

Template 3: Technical Advisory for IT Teams

SUBJECT: TECHNICAL ADVISORY - [MALWARE NAME] - Immediate Action Required
 
SEVERITY: [CRITICAL/HIGH/MEDIUM]
DATE: [DATE/TIME UTC]
ADVISORY ID: TA-[YEAR]-[NUMBER]
 
THREAT DESCRIPTION:
[Technical description of the malware, behavior, and indicators]
 
AFFECTED SYSTEMS:
- Operating Systems: [LIST]
- Applications: [LIST]
- Network segments: [LIST]
 
INDICATORS OF COMPROMISE (IOCs):
File Hashes:
  MD5: [HASH]
  SHA256: [HASH]
 
File Names:
  [FILENAME]
 
Network Indicators:
  C2 Domains: [DOMAIN]
  C2 IPs: [IP ADDRESS]
  User-Agent: [STRING]
 
Registry Keys:
  [REGISTRY PATH]
 
DETECTION METHODS:
- EDR: [DETECTION RULE/SIGNATURE]
- SIEM: [CORRELATION RULE]
- Network: [IDS/IPS SIGNATURE]
 
REQUIRED ACTIONS:
Priority 1 (Immediate):
  [ ] Block IOCs at firewall/proxy
  [ ] Push EDR containment rules
  [ ] Scan all endpoints for IOCs
 
Priority 2 (Within 4 hours):
  [ ] Apply patches [KB/CVE NUMBER]
  [ ] Update antivirus signatures
  [ ] Review logs for historical indicators
 
Priority 3 (Within 24 hours):
  [ ] Conduct enterprise-wide hunt
  [ ] Validate backup integrity
  [ ] Update detection rules
 
CONTACT: SOC - [PHONE] | Security Engineering - [PHONE]

Template 4: Regulatory Notification

[ORGANIZATION LETTERHEAD]
 
[REGULATORY BODY]
[ADDRESS]
 
Date: [DATE]
 
RE: Data Security Incident Notification - [REFERENCE NUMBER]
 
Dear [TITLE/NAME],
 
Pursuant to [REGULATION - e.g., GDPR Article 33, State Breach Notification Law],
[ORGANIZATION] is providing notification of a data security incident.
 
INCIDENT SUMMARY:
On [DATE], [ORGANIZATION] detected a malware incident affecting systems containing
[TYPE OF DATA]. The incident was detected through [DETECTION METHOD].
 
DATA POTENTIALLY AFFECTED:
- Types of data: [PERSONAL DATA, FINANCIAL, HEALTH, etc.]
- Number of individuals: [COUNT or ESTIMATE]
- Categories of individuals: [CUSTOMERS, EMPLOYEES, etc.]
 
TIMELINE:
- [DATE]: Incident occurred (estimated)
- [DATE]: Incident detected
- [DATE]: Containment achieved
- [DATE]: This notification
 
MEASURES TAKEN:
1. [CONTAINMENT ACTION]
2. [INVESTIGATION ACTION]
3. [REMEDIATION ACTION]
 
MEASURES TO MITIGATE ADVERSE EFFECTS:
1. [MITIGATION - e.g., Credit monitoring offered]
2. [MITIGATION - e.g., Password resets enforced]
 
CONTACT INFORMATION:
[DPO/PRIVACY OFFICER NAME]
[TITLE]
[EMAIL]
[PHONE]
 
Respectfully,
[SIGNATORY]
[TITLE]

Template 5: Customer/Public Notification

SUBJECT: Important Security Notice from [ORGANIZATION]
 
Dear [CUSTOMER/USER],
 
We are writing to inform you of a security incident that may have affected
your information.
 
WHAT HAPPENED:
On [DATE], we detected unauthorized activity on our systems involving
malicious software. We immediately activated our incident response procedures
and engaged leading cybersecurity experts to investigate.
 
WHAT INFORMATION WAS INVOLVED:
Based on our investigation, the following types of information may have
been affected: [LIST - e.g., names, email addresses, etc.]
 
WHAT WE ARE DOING:
- We have contained the incident and removed the malicious software
- We have engaged [FORENSIC FIRM] to conduct a thorough investigation
- We have enhanced our security controls to prevent similar incidents
- We have notified relevant regulatory authorities
 
WHAT YOU CAN DO:
- Change your password for your [ORGANIZATION] account
- Enable multi-factor authentication if not already active
- Monitor your accounts for unusual activity
- [Additional specific recommendations]
 
ADDITIONAL RESOURCES:
- [DEDICATED SUPPORT LINE]
- [FAQ PAGE URL]
- [CREDIT MONITORING ENROLLMENT - if applicable]
 
We sincerely apologize for any concern this may cause and remain committed
to protecting your information.
 
[SIGNATORY]
[TITLE]

Communication Workflow

Escalation Matrix

Malware Detected
  |
  v
[Classify Severity: P1/P2/P3/P4]
  |
  |-- P1: Notify within 15 min
  |     |-- Incident Commander
  |     |-- CISO (phone call)
  |     |-- CEO (phone call)
  |     |-- Legal Counsel
  |     |-- External IR firm
  |     |-- Law enforcement (if applicable)
  |
  |-- P2: Notify within 1 hour
  |     |-- CISO
  |     |-- IT Director
  |     |-- Legal Counsel
  |
  |-- P3: Notify within 4 hours
  |     |-- Security Manager
  |     |-- IT Director
  |
  |-- P4: Notify within 24 hours
        |-- Security Team Lead

References

  • NIST SP 800-61 Rev 2: Incident Communication Guidelines
  • GDPR Article 33: Data Breach Notification Requirements
  • SANS Incident Handler's Handbook: Communication Best Practices
  • CISA Incident Reporting Guidelines
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 3

api-reference.md2.2 KB

API Reference: Malware Incident Communication Templates

Severity Levels

Level Response Time Escalation Update Frequency
Critical 15 minutes CISO + Legal + CEO 1 hour
High 1 hour CISO + SOC Manager 2 hours
Medium 4 hours SOC Manager 4 hours
Low 24 hours SOC Analyst Daily

Malware Categories

Type Impact Primary Containment
Ransomware Data encryption, ops disruption Isolate hosts, disable shares
Trojan Unauthorized access, exfiltration Block C2, isolate hosts
Wiper Data destruction Immediate isolation
Infostealer Credential/PII theft Block exfiltration channels
Worm Lateral spread Segment network

Incident Response Phases (NIST SP 800-61)

Phase Communication Focus
Detection Initial notification, severity classification
Containment Status updates, scope assessment
Eradication Technical progress, IOC sharing
Recovery Service restoration, monitoring
Post-Incident Lessons learned, executive summary

Regulatory Notification Deadlines

Regulation Deadline Authority
GDPR 72 hours Data Protection Authority
HIPAA 60 days HHS OCR
PCI DSS Immediate Card brands + acquirer
CCPA Without unreasonable delay CA Attorney General
NIS2 24h early warning + 72h full CSIRT

Communication Template Fields

Field Required Description
incident_id Yes Unique incident identifier
severity Yes critical/high/medium/low
subject Yes Email/notification subject line
timestamp Yes ISO 8601 format
affected_systems Yes List of impacted assets
actions_taken Yes Completed response actions
next_steps Yes Planned response actions

VERIS Framework Mapping

VERIS Field Maps To
action.malware.variety malware_type
attribute.integrity impact
timeline.incident detection timestamp
asset.assets affected_systems
standards.md1.2 KB

Standards for Incident Communication

NIST SP 800-61 Rev 2

  • Incident communication guidelines and templates
  • Stakeholder notification requirements
  • Media handling procedures

GDPR Article 33 and 34

  • 72-hour notification to supervisory authority
  • Communication to affected data subjects
  • Required content for breach notifications

HIPAA Breach Notification Rule

  • 60-day notification to HHS for breaches affecting 500+ individuals
  • Individual notification requirements
  • Media notification for large breaches

PCI DSS Incident Response

  • Card brand notification requirements
  • Forensic investigation reporting
  • Merchant and service provider obligations

SEC Cybersecurity Disclosure Rules (2024)

  • Material cybersecurity incident disclosure within 4 business days
  • Annual reporting on cybersecurity risk management
  • Board oversight disclosure requirements

CISA Incident Reporting

  • CIRCIA mandatory reporting requirements
  • Federal agency notification procedures
  • Voluntary reporting guidelines

ISO 27035 - Information Security Incident Management

  • Communication planning requirements
  • Stakeholder identification and notification
  • Post-incident communication review
workflows.md2.3 KB

Malware Incident Communication Workflows

Workflow 1: Initial Notification Chain

START: Malware Incident Confirmed
  |
  v
[Classify Severity]
  |-- P1: Critical (ransomware, wiper, widespread)
  |-- P2: High (targeted, data exfiltration)
  |-- P3: Medium (contained infection)
  |-- P4: Low (single endpoint, quickly resolved)
  |
  v
[Send Initial Notification]
  |-- Use appropriate template for severity
  |-- Send via secure out-of-band channel for P1/P2
  |-- Include: What happened, current impact, actions taken
  |
  v
[Establish Communication Cadence]
  |-- P1: Every 2 hours or on significant changes
  |-- P2: Every 4 hours
  |-- P3: Every 8 hours
  |-- P4: Daily summary
  |
  v
[Track Notifications Sent]
  |-- Log all communications
  |-- Record recipients and timestamps
  |-- Document approval chain
  |
  v
END: Communication Cadence Established

Workflow 2: Regulatory Notification Decision

START: Incident Scope Determined
  |
  v
[Personal Data Involved?]
  |-- No --> Document decision, continue monitoring
  |-- Yes --> Assess regulatory requirements
  |
  v
[Determine Applicable Regulations]
  |-- GDPR: EU resident data?
  |-- HIPAA: Protected health information?
  |-- PCI DSS: Payment card data?
  |-- State laws: US state breach notification?
  |-- SEC: Material to publicly traded company?
  |
  v
[Prepare Regulatory Notification]
  |-- Legal review of notification content
  |-- Determine notification timeline
  |-- Identify regulatory contact points
  |
  v
[Submit Notification]
  |-- Send within required timeframe
  |-- Document submission confirmation
  |-- Track response from regulators
  |
  v
END: Regulatory Obligations Met

Workflow 3: Customer Communication

START: Customer Notification Required
  |
  v
[Draft Customer Notification]
  |-- Use customer notification template
  |-- Include: What, when, impact, actions, resources
  |-- Avoid technical jargon
  |
  v
[Legal and PR Review]
  |-- Legal counsel approval
  |-- PR/Communications review
  |-- Executive sign-off
  |
  v
[Prepare Support Resources]
  |-- Set up dedicated hotline
  |-- Create FAQ page
  |-- Brief customer support team
  |-- Prepare credit monitoring (if applicable)
  |
  v
[Send Notification]
  |-- Email to affected customers
  |-- Website notice
  |-- Media statement (if needed)
  |
  v
END: Customer Notification Complete

Scripts 2

agent.py8.6 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Malware Incident Communication Template Agent - Generates structured incident communications."""

import json
import logging
import argparse
from datetime import datetime, timedelta

logging.basicConfig(level=logging.INFO, format="%(asctime)s [%(levelname)s] %(message)s")
logger = logging.getLogger(__name__)

SEVERITY_LEVELS = {
    "critical": {"response_time": "15 minutes", "escalation": "CISO + Legal + CEO", "update_freq": "1 hour"},
    "high": {"response_time": "1 hour", "escalation": "CISO + SOC Manager", "update_freq": "2 hours"},
    "medium": {"response_time": "4 hours", "escalation": "SOC Manager", "update_freq": "4 hours"},
    "low": {"response_time": "24 hours", "escalation": "SOC Analyst", "update_freq": "daily"},
}

MALWARE_CATEGORIES = {
    "ransomware": {"impact": "Data encryption, operational disruption", "containment": "Isolate affected hosts, disable network shares",
                    "recovery": "Restore from backups, rebuild affected systems"},
    "trojan": {"impact": "Unauthorized access, data exfiltration", "containment": "Block C2 IPs, isolate hosts",
               "recovery": "Full malware removal, credential reset"},
    "wiper": {"impact": "Data destruction, system damage", "containment": "Isolate immediately, preserve evidence",
              "recovery": "Rebuild from known-good images"},
    "infostealer": {"impact": "Credential theft, PII exposure", "containment": "Block exfiltration channels, isolate hosts",
                    "recovery": "Force password resets, monitor for abuse"},
    "worm": {"impact": "Lateral spread, network disruption", "containment": "Segment network, block propagation vectors",
             "recovery": "Patch vulnerability, clean all hosts"},
}


def generate_initial_notification(incident_id, severity, malware_type, affected_systems, detected_by):
    """Generate initial incident notification."""
    sev_info = SEVERITY_LEVELS.get(severity, SEVERITY_LEVELS["medium"])
    mal_info = MALWARE_CATEGORIES.get(malware_type, {"impact": "Under investigation", "containment": "Isolate affected systems"})
    notification = {
        "type": "initial_notification",
        "incident_id": incident_id,
        "timestamp": datetime.utcnow().isoformat(),
        "subject": f"[{severity.upper()}] Malware Incident {incident_id} - {malware_type.title()} Detected",
        "severity": severity,
        "escalation_to": sev_info["escalation"],
        "response_deadline": sev_info["response_time"],
        "body": {
            "summary": f"A {malware_type} infection has been detected on {len(affected_systems)} system(s).",
            "detection_source": detected_by,
            "affected_systems": affected_systems,
            "potential_impact": mal_info["impact"],
            "immediate_actions": mal_info["containment"],
            "next_update": sev_info["update_freq"],
        },
    }
    return notification


def generate_status_update(incident_id, severity, phase, containment_status, iocs_found, actions_taken):
    """Generate incident status update communication."""
    update = {
        "type": "status_update",
        "incident_id": incident_id,
        "timestamp": datetime.utcnow().isoformat(),
        "subject": f"[UPDATE] Incident {incident_id} - {phase.replace('_', ' ').title()}",
        "phase": phase,
        "body": {
            "current_status": containment_status,
            "actions_completed": actions_taken,
            "indicators_discovered": iocs_found,
            "next_steps": [],
        },
    }
    if phase == "containment":
        update["body"]["next_steps"] = ["Complete host isolation", "Collect forensic evidence", "Begin malware analysis"]
    elif phase == "eradication":
        update["body"]["next_steps"] = ["Remove all malware artifacts", "Patch exploited vulnerabilities", "Verify clean state"]
    elif phase == "recovery":
        update["body"]["next_steps"] = ["Restore services from backups", "Monitor for reinfection", "Validate system integrity"]
    return update


def generate_executive_summary(incident_id, severity, malware_type, affected_count, timeline_events, business_impact):
    """Generate executive-level incident summary."""
    summary = {
        "type": "executive_summary",
        "incident_id": incident_id,
        "timestamp": datetime.utcnow().isoformat(),
        "subject": f"Executive Briefing: Malware Incident {incident_id}",
        "body": {
            "overview": f"On {datetime.utcnow().strftime('%B %d, %Y')}, a {malware_type} incident affecting "
                        f"{affected_count} systems was detected and classified as {severity} severity.",
            "business_impact": business_impact,
            "timeline": timeline_events,
            "response_effectiveness": {
                "detection_to_containment": "Under assessment",
                "systems_recovered": 0,
                "data_loss": "Under investigation",
            },
            "recommendations": [
                "Conduct post-incident review within 5 business days",
                "Update incident response playbook based on lessons learned",
                "Review and enhance detection capabilities for similar threats",
                "Schedule tabletop exercise for similar scenarios",
            ],
        },
    }
    return summary


def generate_regulatory_notification(incident_id, data_types_affected, record_count, jurisdiction):
    """Generate regulatory breach notification template."""
    notification = {
        "type": "regulatory_notification",
        "incident_id": incident_id,
        "timestamp": datetime.utcnow().isoformat(),
        "subject": f"Data Breach Notification - Incident {incident_id}",
        "jurisdiction": jurisdiction,
        "body": {
            "nature_of_breach": "Malware-related unauthorized access to personal data",
            "data_categories": data_types_affected,
            "approximate_records": record_count,
            "date_of_awareness": datetime.utcnow().isoformat(),
            "notification_deadline": (datetime.utcnow() + timedelta(hours=72)).isoformat() if jurisdiction == "GDPR"
                                     else (datetime.utcnow() + timedelta(days=30)).isoformat(),
            "measures_taken": ["Contained the incident", "Engaged forensic investigators",
                               "Notified law enforcement", "Implementing additional safeguards"],
            "contact_dpo": "dpo@organization.com",
        },
    }
    return notification


def generate_full_template_set(incident_id, severity, malware_type, affected_systems, detected_by):
    """Generate complete set of communication templates."""
    templates = {
        "initial_notification": generate_initial_notification(incident_id, severity, malware_type, affected_systems, detected_by),
        "containment_update": generate_status_update(incident_id, severity, "containment", "In progress", [], ["Hosts isolated"]),
        "eradication_update": generate_status_update(incident_id, severity, "eradication", "Pending", [], []),
        "recovery_update": generate_status_update(incident_id, severity, "recovery", "Pending", [], []),
        "executive_summary": generate_executive_summary(incident_id, severity, malware_type, len(affected_systems), [], "Under assessment"),
    }
    return templates


def generate_report(templates):
    """Generate communication template report."""
    report = {
        "timestamp": datetime.utcnow().isoformat(),
        "template_count": len(templates),
        "template_types": list(templates.keys()),
        "templates": templates,
    }
    print(f"COMMUNICATION REPORT: {len(templates)} templates generated")
    return report


def main():
    parser = argparse.ArgumentParser(description="Malware Incident Communication Template Generator")
    parser.add_argument("--incident-id", required=True, help="Incident identifier")
    parser.add_argument("--severity", choices=["critical", "high", "medium", "low"], required=True)
    parser.add_argument("--malware-type", choices=list(MALWARE_CATEGORIES.keys()), required=True)
    parser.add_argument("--affected-systems", nargs="+", required=True)
    parser.add_argument("--detected-by", default="EDR Alert")
    parser.add_argument("--output", default="incident_comms_report.json")
    args = parser.parse_args()

    templates = generate_full_template_set(args.incident_id, args.severity, args.malware_type,
                                           args.affected_systems, args.detected_by)
    report = generate_report(templates)
    with open(args.output, "w") as f:
        json.dump(report, f, indent=2)
    logger.info("Report saved to %s", args.output)


if __name__ == "__main__":
    main()
process.py10.2 KB
Display-only source. This catalog never executes bundled scripts.
"""
Malware Incident Communication Template Generator
Generates severity-appropriate communication templates for malware incidents.
"""

import json
from datetime import datetime, timezone
from pathlib import Path


class IncidentCommunicationGenerator:
    """Generates incident communication templates based on severity and type."""

    SEVERITY_LEVELS = {
        "P1": {"name": "Critical", "notify_minutes": 15, "update_hours": 2},
        "P2": {"name": "High", "notify_minutes": 60, "update_hours": 4},
        "P3": {"name": "Medium", "notify_minutes": 240, "update_hours": 8},
        "P4": {"name": "Low", "notify_minutes": 1440, "update_hours": 24},
    }

    STAKEHOLDER_MATRIX = {
        "P1": ["incident_commander", "ciso", "ceo", "legal", "board", "external_ir", "law_enforcement"],
        "P2": ["incident_commander", "ciso", "it_director", "legal"],
        "P3": ["security_manager", "it_director"],
        "P4": ["security_team_lead"],
    }

    def __init__(self, org_name="Organization", output_dir="communication_output"):
        self.org_name = org_name
        self.output_dir = Path(output_dir)
        self.output_dir.mkdir(parents=True, exist_ok=True)

    def generate_initial_notification(self, case_id, severity, malware_type,
                                       affected_systems, impact_description):
        """Generate initial incident notification."""
        now = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M UTC")
        sev_info = self.SEVERITY_LEVELS.get(severity, self.SEVERITY_LEVELS["P2"])

        notification = f"""SUBJECT: [{severity} - {sev_info['name']}] Malware Incident - Initial Notification - {now}

CLASSIFICATION: CONFIDENTIAL - IR TEAM ONLY

INCIDENT ID: {case_id}
DETECTION TIME: {now}
NOTIFICATION TIME: {now}
SEVERITY: {severity} - {sev_info['name']}

SUMMARY:
A malware incident has been detected affecting {len(affected_systems)} system(s).
The malware has been identified as {malware_type}.

CURRENT IMPACT:
- Systems affected: {', '.join(affected_systems)}
- Business impact: {impact_description}
- Current spread status: Under investigation

IMMEDIATE ACTIONS TAKEN:
1. Affected endpoints have been isolated from the network
2. EDR containment policies have been activated
3. Security operations team has been mobilized
4. Forensic evidence preservation has been initiated

NEXT STEPS:
1. Complete scope assessment within the next 2 hours
2. Deploy IOC-based hunting across enterprise
3. Engage external IR support if needed

INCIDENT COMMANDER: [Assigned IC Name]
CONTACT: [Secure Communication Channel]

NEXT UPDATE: {sev_info['update_hours']} hours or sooner if situation changes

---
Do not forward this notification outside the IR team.
"""
        output_file = self.output_dir / f"{case_id}_initial_notification.txt"
        with open(output_file, "w") as f:
            f.write(notification)

        print(f"[+] Initial notification generated: {output_file}")
        return notification

    def generate_executive_briefing(self, case_id, severity, incident_summary,
                                     business_impact, status, decisions_needed):
        """Generate executive briefing document."""
        now = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M UTC")

        briefing = f"""SUBJECT: Executive Briefing - Malware Incident {case_id}

FOR: CISO / CEO / CIO
FROM: Incident Commander
DATE: {now}

SITUATION SUMMARY:
{incident_summary}

BUSINESS IMPACT:
{business_impact}

CURRENT STATUS: {status}

KEY DECISIONS NEEDED:
"""
        for i, decision in enumerate(decisions_needed, 1):
            briefing += f"{i}. {decision}\n"

        briefing += f"""
EXTERNAL COMMUNICATION STATUS:
- Regulatory notification: Under assessment by Legal
- Customer notification: Under assessment
- Law enforcement: Under assessment

NEXT UPDATE: As determined by severity level
"""
        output_file = self.output_dir / f"{case_id}_executive_briefing.txt"
        with open(output_file, "w") as f:
            f.write(briefing)

        print(f"[+] Executive briefing generated: {output_file}")
        return briefing

    def generate_technical_advisory(self, case_id, malware_name, description,
                                     iocs, affected_systems, required_actions):
        """Generate technical advisory for IT teams."""
        now = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M UTC")

        advisory = f"""SUBJECT: TECHNICAL ADVISORY - {malware_name} - Immediate Action Required

SEVERITY: CRITICAL
DATE: {now}
ADVISORY ID: TA-{case_id}

THREAT DESCRIPTION:
{description}

AFFECTED SYSTEMS:
"""
        for system in affected_systems:
            advisory += f"- {system}\n"

        advisory += "\nINDICATORS OF COMPROMISE (IOCs):\n"

        if "hashes" in iocs:
            advisory += "\nFile Hashes:\n"
            for h in iocs["hashes"]:
                advisory += f"  {h['type']}: {h['value']}\n"

        if "domains" in iocs:
            advisory += "\nC2 Domains:\n"
            for d in iocs["domains"]:
                advisory += f"  {d}\n"

        if "ips" in iocs:
            advisory += "\nC2 IP Addresses:\n"
            for ip in iocs["ips"]:
                advisory += f"  {ip}\n"

        if "filenames" in iocs:
            advisory += "\nFile Names:\n"
            for fn in iocs["filenames"]:
                advisory += f"  {fn}\n"

        advisory += "\nREQUIRED ACTIONS:\n"
        for i, action in enumerate(required_actions, 1):
            advisory += f"{i}. [{action.get('priority', 'MEDIUM')}] {action['description']}\n"

        output_file = self.output_dir / f"{case_id}_technical_advisory.txt"
        with open(output_file, "w") as f:
            f.write(advisory)

        print(f"[+] Technical advisory generated: {output_file}")
        return advisory

    def generate_regulatory_notification(self, case_id, regulation, data_types,
                                          affected_count, timeline_events):
        """Generate regulatory breach notification."""
        now = datetime.now(timezone.utc).strftime("%Y-%m-%d")

        notification = f"""[ORGANIZATION LETTERHEAD]

Date: {now}
RE: Data Security Incident Notification - {case_id}

Pursuant to {regulation}, {self.org_name} is providing notification
of a data security incident.

INCIDENT SUMMARY:
On {timeline_events.get('detected', now)}, {self.org_name} detected a malware incident
affecting systems containing {', '.join(data_types)}.

DATA POTENTIALLY AFFECTED:
- Types of data: {', '.join(data_types)}
- Number of individuals: {affected_count}

TIMELINE:
- Incident occurred (estimated): {timeline_events.get('occurred', 'Under investigation')}
- Incident detected: {timeline_events.get('detected', now)}
- Containment achieved: {timeline_events.get('contained', 'In progress')}
- This notification: {now}

MEASURES TAKEN:
1. Immediate containment of affected systems
2. Engagement of external forensic investigators
3. Enhanced monitoring and security controls
4. Comprehensive review of security posture

CONTACT INFORMATION:
[Data Protection Officer / Privacy Officer]
{self.org_name}
[Contact Details]
"""
        output_file = self.output_dir / f"{case_id}_regulatory_notification.txt"
        with open(output_file, "w") as f:
            f.write(notification)

        print(f"[+] Regulatory notification generated: {output_file}")
        return notification

    def generate_full_communication_pack(self, case_id, severity, malware_type,
                                          malware_name, affected_systems, impact,
                                          iocs=None):
        """Generate complete communication pack for an incident."""
        print(f"[*] Generating full communication pack for {case_id}")

        self.generate_initial_notification(
            case_id, severity, malware_type, affected_systems, impact
        )

        self.generate_executive_briefing(
            case_id, severity,
            f"A {malware_type} incident has been detected affecting {len(affected_systems)} systems.",
            impact, "CONTAINMENT IN PROGRESS",
            ["Approve engagement of external IR firm",
             "Approve customer notification if data exposure confirmed"]
        )

        self.generate_technical_advisory(
            case_id, malware_name or malware_type,
            f"{malware_type} detected on enterprise systems",
            iocs or {},
            affected_systems,
            [
                {"priority": "CRITICAL", "description": "Block all IOCs at perimeter"},
                {"priority": "HIGH", "description": "Scan all endpoints for indicators"},
                {"priority": "MEDIUM", "description": "Verify backup integrity"},
            ]
        )

        manifest = {
            "case_id": case_id,
            "severity": severity,
            "generated": datetime.now(timezone.utc).isoformat(),
            "documents": [
                f"{case_id}_initial_notification.txt",
                f"{case_id}_executive_briefing.txt",
                f"{case_id}_technical_advisory.txt",
            ],
            "stakeholders": self.STAKEHOLDER_MATRIX.get(severity, []),
        }

        manifest_file = self.output_dir / f"{case_id}_communication_manifest.json"
        with open(manifest_file, "w") as f:
            json.dump(manifest, f, indent=2)

        print(f"[+] Full communication pack generated in {self.output_dir}/")
        return manifest


def main():
    import argparse

    parser = argparse.ArgumentParser(description="Malware Incident Communication Generator")
    parser.add_argument("--case-id", default="IR-2025-001")
    parser.add_argument("--severity", choices=["P1", "P2", "P3", "P4"], default="P1")
    parser.add_argument("--malware-type", default="ransomware")
    parser.add_argument("--malware-name", default="Unknown")
    parser.add_argument("--affected", nargs="+", default=["SRV-01", "WKS-042"])
    parser.add_argument("--impact", default="Business operations partially disrupted")
    parser.add_argument("--org", default="Organization")
    parser.add_argument("-o", "--output", default="communication_output")

    args = parser.parse_args()

    generator = IncidentCommunicationGenerator(org_name=args.org, output_dir=args.output)
    generator.generate_full_communication_pack(
        args.case_id, args.severity, args.malware_type,
        args.malware_name, args.affected, args.impact
    )


if __name__ == "__main__":
    main()

Assets 1

template.mdtext/markdown · 1.3 KB
Keep exploring