Incident Response — 6 Step Process (NIST)
# PHASE 1: PREPARATION
# - Security policies documented
# - IR team and contacts identified
# - Tools ready: EDR, SIEM, forensic images
# - Playbooks written for common incidents
# PHASE 2: IDENTIFICATION (Detection)
# Questions to answer:
# - What happened? When did it start?
# - What systems are affected?
# - Is it still ongoing?
# - How did they get in? (initial access vector)
#
# Sources: SIEM alerts, EDR, IDS, user reports
# Severity classification: P1 (critical) → P4 (low)
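Added example (not part of the original cheat sheet): a small triage helper that answers the Phase 2 questions from constructed sample events. The event fields, the critical-host list and the P1..P4 criteria are assumptions; the page gives the scale but not the criteria.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real telemetry) from the sources named above:
# SIEM alerts, EDR, IDS and a user report. Timestamps are ISO 8601 in UTC;
# in practice normalise every source to UTC before sorting.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:42:00Z", "source": "EDR",  "host": "ws-17", "kind": "malware_exec"},
    {"ts": "2024-05-01T08:15:00Z", "source": "IDS",  "host": "ws-17", "kind": "phishing_link_click"},
    {"ts": "2024-05-01T10:05:00Z", "source": "SIEM", "host": "dc-01", "kind": "lateral_movement"},
    {"ts": "2024-05-01T10:20:00Z", "source": "user", "host": "ws-17", "kind": "user_report"},
]

# Assumed severity criteria (hypothetical, not from the page): P1 if a critical
# host is involved, P2 if more than one host, P3 for one host with tool-confirmed
# activity, P4 if the only evidence is a user report.
CRITICAL_HOSTS = {"dc-01"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(events, now, ongoing_window=timedelta(hours=1)):
    """Answer the Phase 2 questions: when, which systems, still ongoing, how."""
    ordered = sorted(events, key=lambda e: parse_ts(e["ts"]))
    first, last = ordered[0], ordered[-1]
    affected = {e["host"] for e in events}

    if affected & CRITICAL_HOSTS:
        severity = "P1"
    elif len(affected) > 1:
        severity = "P2"
    elif any(e["source"] != "user" for e in events):
        severity = "P3"
    else:
        severity = "P4"

    return {
        "started": first["ts"],
        # The earliest event is the lead for the initial access vector, not proof of it.
        "initial_access_vector": first["kind"],
        "affected_hosts": sorted(affected),
        "ongoing": now - parse_ts(last["ts"]) <= ongoing_window,
        "severity": severity,
        # Ordered timeline reused for the Phase 6 post-incident report.
        "timeline": [(e["ts"], e["source"], e["host"], e["kind"]) for e in ordered],
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_EVENTS, parse_ts("2024-05-01T10:30:00Z")).items():
        print(f"{k}: {v}")
```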
# PHASE 3: CONTAINMENT
# Short-term: isolate affected systems
# - Block attacker's IP at firewall
# - Disable compromised user accounts
# - Isolate infected machines from network
# Long-term: patch the vulnerability used
# - Don't restore yet — preserve evidence
# PHASE 4: ERADICATION
# Remove the threat:
# - Delete malware, webshells, backdoors
# - Remove attacker persistence (scheduled tasks, registry keys)
# - Reset all compromised passwords
# - Revoke stolen API keys / certificates
# PHASE 5: RECOVERY
# Restore to normal operations:
# - Restore from clean backup
# - Monitor closely for re-infection
# - Gradually bring systems back online
# - Verify integrity before restoring
# PHASE 6: LESSONS LEARNED
# Post-incident report:
# - Timeline of events
# - Root cause analysis
# - What worked, what didn't
# - Recommendations to prevent recurrence
# - Update playbooks
# INCIDENT RESPONSE TOOLKIT
# Memory forensics: Volatility, Rekall
# Disk forensics: Autopsy, FTK
# Network forensics: Wireshark, NetworkMiner
# Log analysis: Splunk, ELK Stack, Graylog
# Threat intel: MISP, OpenCTI, VirusTotal
# EDR: CrowdStrike, SentinelOne, Defender for Endpoint