Documenting security exploits is a critical practice in cybersecurity to ensure proper incident response, vulnerability management, and continuous improvement of security posture. Here are some key practices and insights from Redditors on documenting security exploits:

Importance of Documentation

• Foundation for Incident Response: Documentation is essential for building and maintaining an effective incident response framework. "After managing 50+ security breaches, I documented our incident response framework with ready to use forensic scripts"

• Challenges in Documentation: Many organizations struggle with having up-to-date and usable documentation. "The main challenge is having a document to begin with, and with that having a usable, up to date one, if in place."

Key Documentation Practices

• Centralization and Integration: Ensure that documentation is centralized and integrated with other security tools and platforms. "As a like to have would be centralisation and integration with all platforms being used."

• Timeline and Event Tracking: Capture a detailed timeline of the incident, including each event and action taken. "does your current ticketing tool allow you to capture a timeline over the entire incident? or does it only does it only focus on each event?"

• Use of Frameworks: Align documentation with recognized security frameworks like NIST and MITRE ATT&CK. "framework alignment is key! You may use NIST for example so it must align."

Vulnerability Management Documentation

• Tracking and Reporting: Security teams should be responsible for tracking and reporting vulnerabilities. "Security owns identification tools, tracking and reporting"

• Ownership and Remediation: Clearly define who owns the remediation of vulnerabilities versus who tracks and coordinates the effort. "Security 'coordinates' and Asset/Platform/Technology owners are responsible for taking action."

Real-World Examples

• Human Factors: Many security breaches are due to human errors or social engineering, which highlights the need for thorough documentation of policies and training. "The worst security breaches I've seen have all been related to human factors."

• Public API Endpoint Leak: A notable breach involved a public API endpoint leaking personal information, emphasizing the importance of secure API documentation. "Optus (second largest telco in australia) leaked almost half the entire population of the Australia’s PII (~9.8 million people) with a public API endpoint."

Additional Resources

• CISA Known Exploited Vulnerabilities Catalog: A valuable resource for tracking common exploits. "Google: 'CISA Known Exploited Vulnerabilities Catalog.'"

• MITRE ATT&CK: A comprehensive knowledge base of adversary tactics and techniques. "Maybe check out mitre att&ck as well"

For more detailed discussions and advice, consider visiting these subreddits:

• r/cybersecurity

• r/digitalforensics

• r/ExperiencedDevs