Incident Response Playbook

IR Overview (NIST SP 800-61)

The NIST Incident Response lifecycle consists of 6 phases:

Phase 1: Preparation

Build Your IR Team (CSIRT)

• IR Lead: Coordinates response, makes decisions
• Security Analysts: Investigate and contain
• IT Operations: System access, recovery
• Legal: Compliance, breach notifications
• Communications: Internal/external messaging

Essential Tools & Resources

# IR Toolkit - Must have ready
- SIEM access (Splunk, Sentinel)
- EDR console (CrowdStrike, Defender)
- Forensic workstation
- Network packet capture (Wireshark)
- Memory analysis tools (Volatility)
- Offline password reset capability
- Emergency contact list (offline copy!)

Phase 2: Identification

Detection Sources

• SIEM alerts
• EDR detections
• User reports
• External notifications (FBI, vendor)
• Threat intelligence feeds

Triage Questions

1. What type of incident? (malware, phishing, data breach, DDoS)
2. What systems are affected?
3. When did it start?
4. Is it still ongoing?
5. What data may be compromised?

Severity Classification

Critical (P1)	Active ransomware, data exfiltration, core systems down
High (P2)	Compromised credentials, lateral movement detected
Medium (P3)	Malware on single endpoint, phishing success
Low (P4)	Policy violation, failed attack attempts

Phase 3: Containment

Short-Term Containment

# Isolate affected host (keep it running for forensics)
# Network isolation via EDR
crowdstrike_host_contain --hostname infected-pc

# Or via firewall
iptables -I INPUT -s 192.168.1.100 -j DROP
iptables -I OUTPUT -d 192.168.1.100 -j DROP

# Disable compromised account
Set-ADUser -Identity "compromised_user" -Enabled $false

# Block malicious IPs at firewall
# Block C2 domains at DNS

Evidence Preservation

# Capture memory before shutdown
winpmem_mini_x64.exe memory.raw

# Create disk image
dd if=/dev/sda of=/evidence/disk.img bs=4M

# Export relevant logs
wevtutil epl Security security_export.evtx
wevtutil epl System system_export.evtx

Phase 4: Eradication

• Remove malware from all affected systems
• Close vulnerabilities that were exploited
• Reset all compromised credentials
• Revoke unauthorized access
• Patch systems

Phase 5: Recovery

1. Restore systems from clean backups
2. Verify systems are clean before reconnecting
3. Monitor closely for re-infection (30 days minimum)
4. Gradually restore services in priority order
5. Validate business operations are normal

Phase 6: Lessons Learned

Within 2 weeks of incident resolution, conduct a post-mortem:

• What happened? (timeline)
• What went well?
• What could be improved?
• Action items with owners and deadlines
• Update playbooks and procedures

Updated: December 2024