# Incident Response

IR lifecycle, handling procedures, forensics, and post-incident activities.
## Overview

Incident response minimizes damage and recovery time from security breaches.
## IR Lifecycle (NIST)

### 1. Preparation
- Create IR team
- Develop procedures
- Set up tools
- Training and exercises
### 2. Detection & Analysis

```bash
# Monitor logs
tail -f /var/log/auth.log      # authentication events (logins, sudo, SSH)
journalctl -f                  # follow the systemd journal in real time

# Check for anomalies
netstat -tuln                  # listening TCP/UDP sockets; look for unexpected ports
ps aux | grep suspicious       # replace "suspicious" with the process name under investigation
```
### 3. Containment

```bash
# Isolate compromised system
# -I inserts the DROP rules at the top of the chain so that an earlier ACCEPT rule
# cannot match first (with -A the new rules would be appended after existing ones)
iptables -I INPUT -s [compromised_ip] -j DROP
iptables -I OUTPUT -d [compromised_ip] -j DROP

# Disable user accounts
# Locks the password only: existing sessions and SSH-key logins are not affected,
# so terminate active sessions and review authorized_keys as well
usermod -L username
```
### 4. Eradication

```bash
# Remove malware
# Hash and copy the sample for evidence before deleting it (see Evidence Handling)
find / -name "malware_name" -delete

# Patch vulnerabilities
apt update && apt upgrade

# Reset credentials
passwd username
```
### 5. Recovery

```bash
# Restore from backup
# Use a backup taken before the compromise; -a preserves permissions and ownership
rsync -avz backup/ /production/

# Verify system integrity
tripwire --check
```
### 6. Lessons Learned
- Document timeline
- Identify root cause
- Update procedures
- Implement controls
## Incident Categories
| Severity | Response Time | Examples |
|---|---|---|
| Critical | Immediate | Data breach, ransomware |
| High | 1 hour | System compromise |
| Medium | 4 hours | Malware infection |
| Low | 24 hours | Policy violation |
## Evidence Handling
Chain of Custody:
1. Document evidence
2. Hash files (MD5/SHA256)
3. Create forensic images
4. Secure storage
5. Maintain logs
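As an added example (not part of the original page), the following Python script implements steps 2 and 5 of the chain-of-custody list: it hashes an evidence file with MD5 and SHA256, appends a timestamped custody entry to a JSON-lines log, and later re-hashes the file against every logged entry so that any modification after acquisition is detected rather than silently accepted. The function names, the handler `analyst-1`, the case id and the sample log line are constructed for the illustration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

def hash_evidence(path, chunk_size=1 << 20):
    """MD5 and SHA256 of a file, read in chunks so forensic images need not fit in memory."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}

def record_custody(log_path, evidence_path, handler, action, case_id):
    """Append one chain-of-custody entry (JSON lines) for evidence_path."""
    entry = {
        "case_id": case_id,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "evidence": os.path.abspath(evidence_path),
        "handler": handler,
        "action": action,
        **hash_evidence(evidence_path),
    }
    with open(log_path, "a") as log:
        log.write(json.dumps(entry) + "\n")
    return entry

def verify_custody(log_path, evidence_path):
    """Re-hash the file and compare with every logged entry for it.
    Returns (ok, mismatching_entries); evidence with no entry is never ok."""
    current, target = hash_evidence(evidence_path), os.path.abspath(evidence_path)
    with open(log_path) as log:
        entries = [e for e in map(json.loads, log) if e["evidence"] == target]
    bad = [e for e in entries if (e["md5"], e["sha256"]) != (current["md5"], current["sha256"])]
    return bool(entries) and not bad, bad

def demo():
    """Constructed sample: acquire a file, verify, tamper with it, verify again."""
    workdir = tempfile.mkdtemp()
    evidence, log = os.path.join(workdir, "auth.log.copy"), os.path.join(workdir, "custody.jsonl")
    with open(evidence, "w") as f:
        f.write("Jan  1 00:00:01 host sshd[123]: Failed password for root from 192.0.2.10\n")
    record_custody(log, evidence, "analyst-1", "acquired", "CASE-EXAMPLE-001")
    ok_before, _ = verify_custody(log, evidence)
    with open(evidence, "a") as f:
        f.write("altered after acquisition\n")  # simulate tampering
    ok_after, bad = verify_custody(log, evidence)
    return ok_before, ok_after, len(bad)
```

`demo()` returns `(True, False, 1)`: the freshly acquired file verifies, and the same file fails verification with one mismatching entry once it has been modified.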
## Communication Plan
Internal:
- IT Security Team
- Management
- Legal Department
External:
- Law enforcement (if required)
- Customers (if affected)
- Regulators (if required)
## Practice
Develop an incident response plan for a small organization.