Incident Response Fundamentals

Level: intermediate · 30 min · Writeup

Core IR concepts and methodology

Learning Objectives

  • Understand IR phases
  • Know when to escalate
  • Document incidents properly
  • Understand containment strategies

Incident Response (IR) is the organized approach to handling security incidents. When an attack is detected, IR teams spring into action to contain the damage, eradicate the threat, and restore normal operations. It's like being a firefighter for cybersecurity - you train, prepare, and when the alarm sounds, you act fast.

Without incident response, organizations react chaotically to attacks - unplugging random things, losing evidence, and making the situation worse. A good IR process is methodical: identify what happened, contain it, fix it, and learn from it.

IR is a Process, Not a Tool

Tools help, but incident response is fundamentally about people and process. The best forensic toolkit is useless without trained responders who know how to use it under pressure.

NIST IR Phases

NIST Incident Response Lifecycle:

┌──────────────────────────────────────────────────────────┐
│ 1. PREPARATION                                           │
│ Before incidents: Plans, tools, training, contacts       │
└─────────────────────────┬────────────────────────────────┘
                          │
┌─────────────────────────┴────────────────────────────────┐
│ 2. DETECTION & ANALYSIS                                  │
│ Identify incidents, assess severity, understand scope    │
└─────────────────────────┬────────────────────────────────┘
                          │
┌─────────────────────────┴────────────────────────────────┐
│ 3. CONTAINMENT, ERADICATION, RECOVERY                    │
│ Stop the bleeding, remove threat, restore operations     │
└─────────────────────────┬────────────────────────────────┘
                          │
┌─────────────────────────┴────────────────────────────────┐
│ 4. POST-INCIDENT ACTIVITY                                │
│ Lessons learned, improve defenses, documentation         │
└──────────────────────────────────────────────────────────┘

(Continuous improvement loop: Post-Incident Activity feeds back into Preparation)

Phase 1: Preparation

Preparation - Before Incidents Happen:

PEOPLE
─────────────────────────────────────────────────────────────────
├── IR Team defined (roles and responsibilities)
├── Contact list (on-call, management, legal, PR)
├── Training completed and maintained
├── Tabletop exercises conducted regularly
└── Third-party IR retainer (if needed)

PROCESS
─────────────────────────────────────────────────────────────────
├── IR Plan documented and approved
├── Playbooks for common incident types
├── Escalation procedures defined
├── Communication templates ready
├── Legal/regulatory requirements known
└── Insurance coverage understood

TECHNOLOGY
─────────────────────────────────────────────────────────────────
├── SIEM configured and monitored
├── EDR deployed to endpoints
├── Log retention adequate
├── Forensic tools available
├── Evidence storage prepared
├── Backup/recovery tested
└── Jump bag ready (laptop, tools, credentials)

KEY DOCUMENTS
─────────────────────────────────────────────────────────────────
├── Incident Response Plan
├── Incident Classification Matrix
├── Communication Plan
├── Escalation Matrix
├── Contact Lists (internal/external)
├── Playbooks per incident type
└── Evidence Handling Procedures

Jump Bag

Keep a "jump bag" ready with IR tools, write blockers, external drives, network cables, and credential cards. When an incident happens at 3 AM, you don't want to be gathering equipment.

Phase 2: Detection & Analysis

Detection & Analysis:

DETECTION SOURCES
─────────────────────────────────────────────────────────────────
├── SIEM alerts
├── EDR detections
├── User reports
├── Third-party notification (FBI, vendor, partner)
├── External researchers
├── Threat intelligence
└── Automated monitoring

INITIAL QUESTIONS
─────────────────────────────────────────────────────────────────
WHAT happened?
├── What type of attack/incident?
├── What indicators are present?
└── What's the attack vector?

WHEN did it happen?
├── When was it first detected?
├── When did it actually start?
└── Timeline of events?

WHERE is it happening?
├── Which systems are affected?
├── Which network segments?
└── Any external involvement?

WHO is involved?
├── Which users/accounts?
├── Which threat actor (if known)?
└── Who detected it?

HOW BAD is it?
├── What data is at risk?
├── What systems are affected?
└── Business impact?

INCIDENT CLASSIFICATION
─────────────────────────────────────────────────────────────────
Category:
├── Malware infection
├── Ransomware
├── Data breach
├── Unauthorized access
├── Denial of service
├── Insider threat
└── Phishing

Severity:
├── Critical: Immediate action, all hands
├── High: Urgent response, significant impact
├── Medium: Important, scheduled response
└── Low: Minor, handle during business hours

Phase 3: Containment

Containment Strategies:

SHORT-TERM CONTAINMENT (Stop the bleeding)
─────────────────────────────────────────────────────────────────
Network:
├── Isolate affected systems (disable network)
├── Block malicious IPs/domains at firewall
├── Null route C2 traffic
├── Disable VPN access
└── Implement emergency firewall rules

Account:
├── Disable compromised accounts
├── Reset passwords
├── Revoke tokens/sessions
├── Enable MFA
└── Lock privileged accounts

Endpoint:
├── Quarantine in EDR
├── Disable from domain
├── Physical isolation if needed
└── Collect forensic image first!

LONG-TERM CONTAINMENT (Stabilize)
─────────────────────────────────────────────────────────────────
├── Patch vulnerabilities
├── Deploy additional monitoring
├── Implement compensating controls
├── Set up clean network segment
└── Prepare for eradication

CONTAINMENT DECISIONS
─────────────────────────────────────────────────────────────────
Consider:
├── Will containment alert the attacker?
├── Is evidence being preserved?
├── What's the business impact of containment?
├── Do we need to monitor attacker activity?
└── Are we ready for eradication?

Example Decision Tree:
"Ransomware actively encrypting"
└── Immediate network isolation (evidence secondary)

"APT discovered, dormant"
└── Preserve evidence first, plan containment carefully
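The WHAT/WHERE/HOW BAD questions from Phase 2, the severity tiers, and the containment decision tree above can be turned into a small triage helper. The following is an added example, not code from the original writeup: the thresholds, the category names and the escalation matrix are assumptions you would replace with your own Incident Classification Matrix and Escalation Matrix. It generalises the two-branch decision tree into a rule: anything actively destructive is isolated first, anything else that is active gets volatile evidence collected and is then isolated, and a dormant intrusion gets evidence preserved before containment is planned.

```python
"""Triage helper: severity, escalation and containment posture from the
initial WHAT / WHERE / HOW BAD answers. Added example; thresholds, category
names and the escalation matrix are assumptions, not the writeup's own rules."""
from dataclasses import dataclass
from enum import Enum


class Severity(Enum):
    CRITICAL = "Critical: immediate action, all hands"
    HIGH = "High: urgent response, significant impact"
    MEDIUM = "Medium: important, scheduled response"
    LOW = "Low: minor, handle during business hours"


@dataclass(frozen=True)
class Incident:
    category: str                  # e.g. "ransomware", "data breach", "phishing"
    active: bool                   # attacker or malware still acting right now?
    systems_affected: int
    sensitive_data_at_risk: bool
    critical_business_impact: bool


# Categories where an *active* incident destroys data or availability by the minute.
DESTRUCTIVE = {"ransomware", "denial of service"}

# Assumed escalation matrix: who gets paged per tier.
ESCALATION = {
    Severity.CRITICAL: ["on-call analyst", "IR lead", "management", "legal", "PR"],
    Severity.HIGH: ["on-call analyst", "IR lead", "management"],
    Severity.MEDIUM: ["on-call analyst", "IR lead"],
    Severity.LOW: ["on-call analyst"],
}


def assess_severity(inc: Incident) -> Severity:
    """Rules are evaluated top-down; the first match wins (assumed thresholds)."""
    if inc.active and inc.category in DESTRUCTIVE:
        return Severity.CRITICAL
    if inc.critical_business_impact or inc.sensitive_data_at_risk:
        return Severity.CRITICAL if inc.systems_affected > 10 else Severity.HIGH
    if inc.active or inc.systems_affected > 10:
        return Severity.HIGH
    if inc.systems_affected > 1:
        return Severity.MEDIUM
    return Severity.LOW


def containment_posture(inc: Incident) -> str:
    """The writeup's decision tree, generalised.

    Actively destructive       -> isolate now; evidence is secondary.
    Active but not destructive -> grab volatile evidence, then isolate.
    Dormant                    -> preserve evidence and plan; don't tip off the attacker.
    """
    if inc.active and inc.category in DESTRUCTIVE:
        return "isolate-now"
    if inc.active:
        return "collect-volatile-then-isolate"
    return "preserve-evidence-then-plan"


def triage(inc: Incident) -> dict:
    """Single entry point: severity tier, who to page, and how to contain."""
    sev = assess_severity(inc)
    return {"severity": sev, "escalate_to": ESCALATION[sev],
            "containment": containment_posture(inc)}


if __name__ == "__main__":
    for case in (Incident("ransomware", True, 40, True, True),
                 Incident("unauthorized access", False, 15, True, False)):
        print(case.category, "->", triage(case))
```

Note that severity and containment posture are deliberately independent: the dormant APT case above is Critical because of its scope and the data at risk, yet its posture is still "preserve evidence, then plan", exactly as the decision tree says.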

Evidence Before Containment

If possible, collect volatile evidence (memory, running processes) BEFORE containment actions. Once you isolate a system, some evidence is lost. Balance evidence preservation with limiting damage.
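Collecting volatile evidence before containment only pays off if you can later prove that what you collected is what you hand to the next analyst, which is also the point of the "preserve evidence chain of custody" item in the communication section. The following added example (not part of the original writeup) hashes each evidence item at acquisition and keeps an append-only custody ledger that re-checks the hash on every hand-off; the ledger class, the sample process listing, the item id and the handler names are all constructed for illustration and stand in for whatever case-management tool you actually use.

```python
"""Evidence intake with integrity hashing and a chain-of-custody ledger.
Added example: the ledger is an in-memory list, not any real case tool, and
the evidence bytes below are constructed sample data."""
import hashlib
from datetime import datetime, timezone

# Constructed sample: a process listing captured from a host before isolation.
SAMPLE_PROCESS_LISTING = (
    b"PID   USER  CMD\n"
    b"1     root  /sbin/init\n"
    b"4242  svc   /opt/app/worker --config /etc/app.conf\n"
)


def sha256_hex(data: bytes) -> str:
    """Integrity hash recorded at acquisition and re-checked at every hand-off."""
    return hashlib.sha256(data).hexdigest()


class CustodyLedger:
    """Append-only chain of custody: every acquisition and transfer is logged
    with who handled the item, when, and the hash observed at that moment."""

    def __init__(self):
        self.events = []

    def acquire(self, item_id, data, handler, source, when=None):
        """Record first possession of an item and return its acquisition hash."""
        when = when or datetime.now(timezone.utc)
        entry = {"item": item_id, "action": "acquired", "handler": handler,
                 "source": source, "sha256": sha256_hex(data),
                 "time": when.isoformat()}
        self.events.append(entry)
        return entry["sha256"]

    def acquisition_hash(self, item_id):
        for e in self.events:
            if e["item"] == item_id and e["action"] == "acquired":
                return e["sha256"]
        raise KeyError(f"no acquisition record for {item_id}")

    def verify(self, item_id, data):
        """True if the bytes still match the hash taken at acquisition."""
        return sha256_hex(data) == self.acquisition_hash(item_id)

    def transfer(self, item_id, data, from_handler, to_handler, when=None):
        """Log a hand-off; the failed check is recorded too, then refused."""
        when = when or datetime.now(timezone.utc)
        ok = self.verify(item_id, data)
        self.events.append({"item": item_id, "action": "transferred",
                            "from": from_handler, "to": to_handler,
                            "sha256": sha256_hex(data), "verified": ok,
                            "time": when.isoformat()})
        if not ok:
            raise ValueError(f"integrity check failed for {item_id}")
        return ok


def intake_demo():
    """Constructed walk-through: analyst acquires, then hands to forensics."""
    ledger = CustodyLedger()
    ledger.acquire("INC-42-proc-01", SAMPLE_PROCESS_LISTING, "analyst.a", "host web-01")
    ledger.transfer("INC-42-proc-01", SAMPLE_PROCESS_LISTING, "analyst.a", "forensics.b")
    return ledger


if __name__ == "__main__":
    for event in intake_demo().events:
        print(event)
```

The failed transfer is appended to the ledger before the exception is raised: a custody record that silently drops failed verifications is worth little when the evidence is questioned later.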

Eradication & Recovery

Eradication - Remove the Threat:

IDENTIFY ALL COMPROMISED SYSTEMS
─────────────────────────────────────────────────────────────────
├── Scan all systems for IOCs
├── Review authentication logs
├── Check for persistence mechanisms
├── Verify no additional backdoors
└── Document full scope

REMOVE MALICIOUS ARTIFACTS
─────────────────────────────────────────────────────────────────
├── Delete malware files
├── Remove malicious registry keys
├── Delete scheduled tasks/services
├── Remove unauthorized accounts
├── Clear malicious group policies
└── Update AV signatures

FIX ROOT CAUSE
─────────────────────────────────────────────────────────────────
├── Patch exploited vulnerability
├── Fix misconfiguration
├── Update credentials
├── Improve controls
└── Address policy gaps

Recovery - Restore Operations:

RECOVERY STEPS
─────────────────────────────────────────────────────────────────
├── Rebuild from known-good images (preferred)
├── Restore from clean backups
├── Verify integrity of restored systems
├── Gradually reconnect to network
├── Monitor closely for re-infection
└── Validate business operations

RECOVERY ORDER
─────────────────────────────────────────────────────────────────
1. Domain controllers (if affected)
2. Critical business systems
3. Security infrastructure
4. User workstations
5. Nice-to-have systems

VERIFICATION
─────────────────────────────────────────────────────────────────
├── All IOCs removed?
├── No signs of attacker activity?
├── Security controls restored?
├── Business functions working?
├── Users can work normally?
└── Monitoring in place for return?

Phase 4: Post-Incident

Post-Incident Activity:

LESSONS LEARNED MEETING
─────────────────────────────────────────────────────────────────
Timing: Within 1-2 weeks of incident closure
Attendees: IR team, management, affected teams

Agenda:
├── Incident timeline review
├── What went well?
├── What could be improved?
├── What prevented earlier detection?
├── Were runbooks/playbooks adequate?
├── What tools/resources were missing?
└── Action items for improvement

INCIDENT REPORT
─────────────────────────────────────────────────────────────────
Contents:
├── Executive summary
├── Incident timeline
├── Technical details
├── Root cause analysis
├── Impact assessment
├── Actions taken
├── Recommendations
└── Appendices (IOCs, logs, evidence)

IMPROVEMENTS
─────────────────────────────────────────────────────────────────
├── New detection rules added
├── Playbooks updated
├── Training gaps addressed
├── Tools/processes improved
├── Controls strengthened
└── Policies updated

METRICS TO TRACK
─────────────────────────────────────────────────────────────────
├── Mean Time to Detect (MTTD)
├── Mean Time to Respond (MTTR)
├── Mean Time to Contain (MTTC)
├── Mean Time to Recover
├── Incidents by type/severity
└── Root cause distribution
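The metrics listed above only become comparable across incidents once each interval has a fixed start and end point. The following added example (not from the original writeup) computes them over a constructed set of incident records; the interval definitions in the comments are assumptions you should pin down in your own metrics documentation, and every incident, timestamp and root cause in it is made up.

```python
"""IR metrics from incident timelines: MTTD, MTTR, MTTC, mean time to recover,
plus type/severity and root-cause distributions. Added example; the incidents
are constructed and the interval definitions are stated assumptions."""
from collections import Counter
from datetime import datetime
from statistics import mean

# Constructed sample incident records (UTC, ISO 8601). Not real incidents.
INCIDENTS = [
    {"id": "INC-1", "category": "phishing", "severity": "medium",
     "root_cause": "missing MFA",
     "started": "2024-03-01T08:00", "detected": "2024-03-01T10:00",
     "responded": "2024-03-01T10:30", "contained": "2024-03-01T12:00",
     "recovered": "2024-03-02T08:00"},
    {"id": "INC-2", "category": "malware", "severity": "high",
     "root_cause": "unpatched vulnerability",
     "started": "2024-03-05T00:00", "detected": "2024-03-06T00:00",
     "responded": "2024-03-06T01:30", "contained": "2024-03-06T06:00",
     "recovered": "2024-03-08T00:00"},
    {"id": "INC-3", "category": "unauthorized access", "severity": "critical",
     "root_cause": "unpatched vulnerability",
     "started": "2024-03-10T12:00", "detected": "2024-03-10T13:00",
     "responded": "2024-03-10T13:15", "contained": "2024-03-10T14:00",
     "recovered": "2024-03-11T12:00"},
]


def hours_between(start: str, end: str) -> float:
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600


def incident_intervals(inc: dict) -> dict:
    """Per-incident durations in hours. Assumed definitions:
    detect  = attack start -> detection (dwell time)
    respond = detection -> first responder action
    contain = detection -> containment complete
    recover = detection -> operations restored"""
    return {
        "detect": hours_between(inc["started"], inc["detected"]),
        "respond": hours_between(inc["detected"], inc["responded"]),
        "contain": hours_between(inc["detected"], inc["contained"]),
        "recover": hours_between(inc["detected"], inc["recovered"]),
    }


def ir_metrics(incidents: list) -> dict:
    """Means over all incidents plus the distributions the writeup lists."""
    intervals = [incident_intervals(i) for i in incidents]
    return {
        "mttd_hours": mean(x["detect"] for x in intervals),
        "mttr_hours": mean(x["respond"] for x in intervals),
        "mttc_hours": mean(x["contain"] for x in intervals),
        "mean_recover_hours": mean(x["recover"] for x in intervals),
        "by_category": Counter(i["category"] for i in incidents),
        "by_severity": Counter(i["severity"] for i in incidents),
        "root_causes": Counter(i["root_cause"] for i in incidents),
    }


def slowest_detection(incidents: list) -> str:
    """Id of the incident with the longest dwell time: the first case to pull
    into the 'what prevented earlier detection?' discussion."""
    return max(incidents, key=lambda i: incident_intervals(i)["detect"])["id"]


if __name__ == "__main__":
    for key, value in ir_metrics(INCIDENTS).items():
        print(f"{key}: {value}")
    print("slowest detection:", slowest_detection(INCIDENTS))
```

A single long-dwell incident (INC-2 in the sample) dominates the mean, which is why the per-incident intervals are kept alongside the means: medians or a per-severity breakdown often tell the lessons-learned meeting more than one headline MTTD.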

Communication During IR

Incident Communication:

INTERNAL COMMUNICATION
─────────────────────────────────────────────────────────────────
IR Team:
├── Use secure channel (Signal, dedicated Slack)
├── Regular status updates (every 2-4 hours)
├── Clear ownership and tasks
└── Document all decisions

Management:
├── Brief at defined intervals
├── Clear, non-technical language
├── Focus on business impact
├── Provide options, not just problems
└── Get decisions when needed

Legal:
├── Engage early for potential breach
├── Preserve attorney-client privilege
├── Guidance on disclosure requirements
└── Review external communications

EXTERNAL COMMUNICATION
─────────────────────────────────────────────────────────────────
Customers:
├── Required for data breaches (check regulations)
├── PR-approved messaging
├── Clear, honest, helpful
└── Provide remediation steps

Regulators:
├── Know notification deadlines (GDPR: 72 hours)
├── Prepare required documentation
├── Engage legal counsel
└── Be accurate (don't speculate)

Law Enforcement:
├── Consider for serious incidents
├── May provide threat intelligence
├── FBI IC3 for cyber crimes
└── Preserve evidence chain of custody

Media:
├── Designated spokesperson only
├── Pre-approved statements
├── Stick to facts
└── Don't speculate

IR Methodology

Incident Response Flow

1. Detect: Alert triggers or incident reported
2. Triage: Assess severity and impact quickly
3. Escalate: Notify appropriate personnel
4. Investigate: Determine scope and root cause
5. Contain: Stop the attack from spreading
6. Eradicate: Remove all malicious artifacts
7. Recover: Restore systems to normal
8. Learn: Document and improve

Knowledge Check

Quick Quiz

What are the four phases of the NIST Incident Response lifecycle?

Challenges

Create a Containment Checklist

Challenge · intermediate

Create a checklist of containment actions for a ransomware incident. Consider network, account, and endpoint containment steps.


Key Takeaways

  • IR follows four phases: Prepare, Detect/Analyze, Contain/Eradicate/Recover, Post-Incident
  • Preparation is critical - have plans, tools, and training before incidents
  • Collect volatile evidence before containment when possible
  • Containment stops the bleeding; eradication removes the threat
  • Recovery means rebuilding from known-good, not just patching
  • Lessons learned drives continuous improvement