Incident Response
One-liner: The structured approach to detecting, containing, eradicating, and recovering from security incidents.
What Is It?
Incident Response (IR) is the methodology and process organizations use to handle security breaches and cyberattacks. A well-prepared IR capability minimizes damage, reduces recovery time, and lowers costs.
Incident Response Phases (NIST)
```
+------------------------------------------------------------------+
|                                                                  |
|  +-------------+     +---------------+     +--------------------+|
|  | Preparation |---->|  Detection    |---->| Containment,       ||
|  |             |     |  & Analysis   |     | Eradication,       ||
|  +-------------+     +---------------+     | Recovery           ||
|        ^                                   +---------+----------+|
|        |             +-------------------+           |           |
|        +-------------|   Post-Incident   |<----------+           |
|                      |     Activity      |                       |
|                      +-------------------+                       |
+------------------------------------------------------------------+
```
1. Preparation
- IR plan documentation
- Team roles and contact lists
- Playbooks for common scenarios
- Tools and access ready
- Training and exercises
2. Detection & Analysis
- Alert triage
- Log analysis
- IOC identification
- Scope determination
- Severity classification
3. Containment
- Short-term: Immediate actions (isolate host, block IP)
- Long-term: Sustainable controls while investigating
4. Eradication
- Remove malware
- Close attack vectors
- Patch vulnerabilities
- Reset compromised credentials
5. Recovery
- Restore from clean backups
- Rebuild compromised systems
- Monitor for re-infection
- Gradually restore services
6. Post-Incident Activity
- Lessons learned meeting
- Update IR procedures
- Improve detections
- Executive report
Severity Levels
| Level | Description | Response Time | Example |
|---|---|---|---|
| Critical | Active breach, data exfil | Immediate | Ransomware spreading |
| High | Confirmed compromise | < 1 hour | Malware on server |
| Medium | Suspicious activity | < 4 hours | Phishing click, no execution |
| Low | Policy violation | < 24 hours | Unauthorized software |
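As an added example (not from the original page), the following script walks through the Detection & Analysis tasks listed above (IOC identification, scope determination, severity classification) over a handful of constructed log lines and maps the outcome onto the severity table and its response times. The log format, the indicators, the hostnames and the event names are all assumptions made up for the example.

```python
# Added example, not from the page: IOC sweep + severity triage over constructed logs.
import re

# Constructed indicators for a hypothetical phishing-to-ransomware case.
FAKE_HASH = "deadbeef" * 8  # placeholder SHA-256, not a real sample
IOCS = {"hash": FAKE_HASH, "domain": "malicious.example", "filename": "invoice_0412.exe"}

# Constructed log format: "<ts> <host> <event> <detail>".
EXEC_EVENTS = {"proc_start"}                   # the artifact actually ran
IMPACT_EVENTS = {"file_encrypt", "net_exfil"}  # active damage or exfiltration
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) (?P<detail>.*)$")

def find_iocs(log_lines):
    """IOC identification: one (host, ioc_type, event) tuple per indicator hit."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; in practice count these so parsing gaps are visible
        for ioc_type, value in IOCS.items():
            if value in m["detail"]:
                hits.append((m["host"], ioc_type, m["event"]))
    return hits

def triage(log_lines):
    """Scope determination plus severity/response time from the table above."""
    hits = find_iocs(log_lines)
    hosts = sorted({h for h, _, _ in hits})                  # scope
    executed_on = {h for h, _, ev in hits if ev in EXEC_EVENTS}
    impact = any(ev in IMPACT_EVENTS for _, _, ev in hits)
    if impact or len(executed_on) > 1:   # active breach or malware spreading
        level, sla = "Critical", "Immediate"
    elif executed_on:                    # confirmed compromise on a single host
        level, sla = "High", "< 1 hour"
    elif hits:                           # indicator seen, nothing executed (phishing click)
        level, sla = "Medium", "< 4 hours"
    else:                                # no indicator hits; not an IOC-driven incident
        level, sla = None, None
    return {"severity": level, "response_time": sla, "hosts": hosts, "hits": len(hits)}

SAMPLE_LOGS = [  # constructed sample data
    "2024-04-12T08:01:02Z ws-017 mail_attach invoice_0412.exe from=billing@malicious.example",
    f"2024-04-12T08:03:10Z ws-017 proc_start C:\\Users\\a\\Downloads\\invoice_0412.exe sha256={FAKE_HASH}",
    "2024-04-12T08:05:00Z ws-017 file_encrypt C:\\Users\\a\\Documents\\*.docx -> .locked by invoice_0412.exe",
    "2024-04-12T08:06:00Z ws-023 dns_query malicious.example",
    "2024-04-12T08:07:00Z srv-db01 proc_start \\\\ws-017\\share\\invoice_0412.exe",
    "2024-04-12T08:07:30Z ws-099 proc_start notepad.exe",
]
print(triage(SAMPLE_LOGS))  # expected: severity Critical, 3 hosts in scope, 7 hits
```

A single DNS lookup of the indicator domain with no execution lands on Medium, execution on one host on High, and encryption activity or execution on a second host escalates to Critical, which is the ordering the table implies.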
Essential IR Tools
| Category | Tools |
|---|---|
| Forensics | Volatility, Autopsy, FTK |
| Network | Wireshark, tcpdump, Zeek |
| Endpoint | Velociraptor, KAPE, PEStudio |
| SIEM | Splunk, Elastic, Sentinel |
| Ticketing | TheHive, JIRA, ServiceNow |
Interview STAR Example
Situation: User reported ransomware note on their desktop Monday morning.
Task: Lead incident response to contain and recover.
Action: Immediately isolated affected host from network. Identified patient zero via EDR timeline. Found phishing email from Friday. Scanned for IOCs across all endpoints and found 3 more infected. Contained all systems, restored from Thursday backups, reset credentials for affected users.
Result: Contained ransomware to 4 systems (out of 500). Full recovery in 18 hours. Implemented email filtering rule blocking similar attachments.
Interview Tips
- Know the 6 NIST phases by heart
- Have a ransomware scenario ready
- Understand chain of custody for forensics
- Know when to escalate vs handle internally
Related Concepts
- Blue Teaming
- Security Operations Center (SOC)
- Detection Engineering
- Threat Intelligence
- Alert Triage
References
- NIST SP 800-61r2: Computer Security Incident Handling Guide
- SANS Incident Handler's Handbook