Incident Response

Handle security incidents effectively with structured response procedures.

Incident Response Phases

phases:
  1_preparation:
    - IR team and contacts
    - Tools and access ready
    - Playbooks documented
    
  2_detection:
    - Alert triage
    - Initial assessment
    - Severity classification
    
  3_containment:
    - Short-term containment
    - Evidence preservation
    - System isolation
    
  4_eradication:
    - Root cause analysis
    - Remove threat
    - Patch vulnerabilities
    
  5_recovery:
    - System restoration
    - Monitoring enhanced
    - Business continuity
    
  6_lessons_learned:
    - Post-incident review
    - Documentation update
    - Process improvement

Severity Classification

Level	Impact	Response Time
Critical	Data breach, full outage	Immediate
High	Service degraded, potential breach	< 1 hour
Medium	Limited impact, contained	< 4 hours
Low	Minimal impact	Next business day

Initial Response Checklist

- [ ] Confirm incident is real (not false positive)
- [ ] Classify severity level
- [ ] Notify IR team
- [ ] Begin documentation
- [ ] Preserve evidence
- [ ] Implement containment
- [ ] Communicate to stakeholders

Evidence Collection

# System state
ps aux > /evidence/processes.txt
netstat -tuln > /evidence/connections.txt
last -a > /evidence/logins.txt

# Memory dump
dd if=/dev/mem of=/evidence/memory.dump

# Log preservation
tar czf /evidence/logs.tar.gz /var/log/

Best Practices

Pre-defined playbooks
Regular IR drills
Clear communication channels
Legal team involvement
Post-incident reviews

Related Skills

audit-logging - Log analysis
alerting-oncall - Alert management

incident-response

Incident Response

Incident Response Phases

Severity Classification

Initial Response Checklist

Evidence Collection

Best Practices

Related Skills