# Incident Response Guide

## NIST IR Phases

NIST SP 800-61 defines four phases (Preparation; Detection and Analysis; Containment, Eradication and Recovery; Post-Incident Activity); the table below splits the third phase into its three steps.

| Phase | Key Activities |
|---|---|
| 1. Preparation | IR plan, runbooks, tools, team roles, contact lists, training |
| 2. Detection & Analysis | Alert triage, scope assessment, severity classification, timeline |
| 3. Containment | Short-term (isolate), long-term (patch/block), evidence preservation |
| 4. Eradication | Remove malware/backdoors, patch vulnerabilities, harden systems |
| 5. Recovery | Restore from clean backup, monitor closely, gradual return to production |
| 6. Post-Incident | Root cause analysis, timeline documentation, lessons learned, process updates |

## Severity Classification

| Severity | Definition | Response Time |
|---|---|---|
| P1 - Critical | Active breach, data exfiltration, ransomware, system shutdown | Immediate (24/7) |
| P2 - High | Confirmed compromise, service degradation, suspicious admin access | 1 hour |
| P3 - Medium | Malware detected, unauthorized access attempt, policy violation | 4 hours |
| P4 - Low | Phishing attempt, vulnerability scan detected, minor anomaly | 24 hours |

## Containment Checklist

- Isolate affected systems from the network (do not power them off; shutting down destroys volatile forensic evidence such as memory and open connections)
- Block attacker's IPs/domains at firewall and DNS level
- Disable compromised accounts immediately
- Revoke compromised API keys, tokens, certificates
- Capture memory dumps and disk images before changes
- Preserve logs (copy them to secure, write-protected storage before log rotation overwrites them)
- Notify legal, compliance, and management
- Assess whether breach notification is legally required (GDPR, etc.)

## Evidence Collection

- System logs (auth, application, OS events)
- Network captures (pcap files)
- Memory dumps (analyze with Volatility)
- Process list and running services at time of incident
- List of open network connections
- File system timeline (recently modified files)
- DNS query logs
- Browser history and email logs if relevant
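
The "capture before changes" items in the containment checklist and the process, connection and file-timeline items above are usually gathered by a small collection script run on the affected host. The script below is an added example written for this guide, not part of the original page: it collects the most volatile data first (processes, then open sockets, then logged-in users, then recently modified files), stamps each artifact with the UTC time and the exact command used, and writes a SHA-256 manifest so that any later modification of the evidence is detectable. The function names (`collect_volatile_evidence`, `verify_evidence`, `capture`, `sha256_of`) and the `/etc /tmp` search paths are the example's own assumptions; it expects a POSIX shell with `ps`, `find`, `date`, one of `ss`/`netstat` and one of `sha256sum`/`shasum`.

```shell
#!/bin/sh
# Added example, not part of the original guide: volatile-first evidence
# collection with an integrity manifest. Assumes POSIX sh plus ps, find, date,
# one of ss/netstat and one of sha256sum/shasum. The /etc and /tmp search
# paths are placeholders; point them at the paths the incident touched.

# Hash one file with whichever SHA-256 tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# capture NAME CMD ARGS...: save CMD's output as $outdir/NAME.txt, headed by
# a UTC timestamp, the host name and the exact command line. A missing tool
# or a non-zero exit is recorded inside the artifact instead of aborting, so
# the remaining (more volatile) data is still gathered.
capture() {
    name=$1; shift
    {
        echo "# collected_utc: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "# host: $(hostname 2>/dev/null || echo unknown)"
        echo "# command: $*"
        "$@" 2>&1 || echo "# command exited non-zero (status $?); output above may be partial"
    } > "$outdir/$name.txt"
}

# collect_volatile_evidence CASE_DIR: gather the artifacts in order of
# volatility and print the path of the manifest that seals them.
collect_volatile_evidence() {
    outdir=$1
    mkdir -p "$outdir"
    capture processes   ps -ef                      # running processes (most volatile)
    if command -v ss >/dev/null 2>&1; then
        capture connections ss -tunap               # open sockets with owning process
    else
        capture connections netstat -tunap
    fi
    capture logged_in   who                         # interactive sessions
    # Files changed in the last 24h under the placeholder paths; -xdev keeps
    # the walk on one file system so network mounts are not touched.
    capture recent_files find /etc /tmp -xdev -type f -mtime -1 -exec ls -ld {} +
    manifest="$outdir/MANIFEST.sha256"
    : > "$manifest"
    for f in "$outdir"/*.txt; do
        printf '%s  %s\n' "$(sha256_of "$f")" "$(basename "$f")" >> "$manifest"
    done
    echo "$manifest"
}

# verify_evidence CASE_DIR: recompute every hash listed in the manifest and
# return 1 on the first mismatch (an artifact was altered after collection).
verify_evidence() {
    dir=$1
    while read -r expected fname; do
        [ "$(sha256_of "$dir/$fname")" = "$expected" ] \
            || { echo "INTEGRITY FAILURE: $fname" >&2; return 1; }
    done < "$dir/MANIFEST.sha256"
    return 0
}

# Usage: collect_volatile_evidence /mnt/case-0001/host-a
#        verify_evidence          /mnt/case-0001/host-a   (before analysis, and again before handover)
```

Run it from removable or network-mounted storage rather than writing to the compromised disk, and copy the case directory together with its manifest to the evidence store; re-running `verify_evidence` at each handover is what lets you show the artifacts are unchanged since collection. Memory acquisition is deliberately not in the script: it needs a dedicated tool and should be the very first step, before even this collection runs.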