# Incident Response Overview

**Incident Response (IR)** is a structured approach to handling security breaches, cyberattacks, and other security incidents. A well-defined IR process minimizes damage, reduces recovery time, and prevents future occurrences.

## Key Concepts

| Term | Definition |
|------|------------|
| **Security Incident** | Any event that compromises confidentiality, integrity, or availability |
| **CSIRT** | Computer Security Incident Response Team |
| **SIEM** | Security Information and Event Management |
| **IOC** | Indicator of Compromise |
| **TTP** | Tactics, Techniques, and Procedures |
| **MTTR** | Mean Time to Respond |
| **MTTD** | Mean Time to Detect |

## Incident Response Lifecycle (NIST SP 800-61)

```
┌─────────────────────────────────────────────────────────────────────────────────┐
│                        INCIDENT RESPONSE LIFECYCLE                              │
└─────────────────────────────────────────────────────────────────────────────────┘

    ┌─────────────┐      ┌─────────────┐      ┌─────────────┐      ┌─────────────┐
    │ PREPARATION │─────▶│  DETECTION  │─────▶│ CONTAINMENT │─────▶│ ERADICATION │
    │             │      │  & ANALYSIS │      │             │      │             │
    └─────────────┘      └─────────────┘      └─────────────┘      └──────┬──────┘
           ▲                                                              │
           │                                                              ▼
    ┌──────┴──────┐                                               ┌─────────────┐
    │   LESSONS   │◀──────────────────────────────────────────────│  RECOVERY   │
    │   LEARNED   │                                               │             │
    └─────────────┘                                               └─────────────┘
          │
          └──────────────── Continuous Improvement Loop ──────────────────────────▶
```

### Phase Details

| Phase | Objective | Key Activities |
|-------|-----------|----------------|
| **1. Preparation** | Build IR capability | Policies, tools, training, playbooks, communication plans |
| **2. Detection & Analysis** | Identify incidents | Monitor alerts, analyze IOCs, correlate events, triage |
| **3. Containment** | Limit damage | Isolate systems, block IPs, disable accounts |
| **4. Eradication** | Remove threat | Delete malware, patch vulnerabilities, reset credentials |
| **5. Recovery** | Restore operations | Rebuild systems, restore data, monitor for recurrence |
| **6. Lessons Learned** | Improve process | Post-incident review, update playbooks, enhance controls |

## Incident Severity Levels

```
┌────────────────────────────────────────────────────────────────────────────────┐
│                          SEVERITY CLASSIFICATION                               │
├──────────┬──────────────────────────────────────────────────────┬──────────────┤
│ LEVEL    │ DESCRIPTION                                          │ RESPONSE SLA │
├──────────┼──────────────────────────────────────────────────────┼──────────────┤
│ SEV 1    │ Critical - Business-wide impact, data breach,        │ < 15 min     │
│ CRITICAL │ active attack, production down                       │ All hands    │
├──────────┼──────────────────────────────────────────────────────┼──────────────┤
│ SEV 2    │ High - Significant impact, potential breach,         │ < 1 hour     │
│ HIGH     │ critical system compromised                          │ IR Team      │
├──────────┼──────────────────────────────────────────────────────┼──────────────┤
│ SEV 3    │ Medium - Limited impact, single system affected,     │ < 4 hours    │
│ MEDIUM   │ no sensitive data exposed                            │ On-call      │
├──────────┼──────────────────────────────────────────────────────┼──────────────┤
│ SEV 4    │ Low - Minimal impact, policy violation,              │ < 24 hours   │
│ LOW      │ suspicious activity, false positive                  │ Normal queue │
└──────────┴──────────────────────────────────────────────────────┴──────────────┘
```

### Escalation Criteria
- **Escalate UP** if: Scope expands, new systems affected, sensitive data involved, or attacker persistence detected
- **Escalate DOWN** if: Confirmed false positive, contained with no spread, or minimal business impact

## SIEM and Log Analysis

**SIEM (Security Information and Event Management)** aggregates, correlates, and analyzes security events from multiple sources.

```
┌──────────────────────────────────────────────────────────────────────────────┐
│                           SIEM ARCHITECTURE                                   │
└──────────────────────────────────────────────────────────────────────────────┘

   DATA SOURCES                    SIEM CORE                    OUTPUTS
  ┌───────────┐              ┌──────────────────┐         ┌────────────────┐
  │ Firewalls │─────┐        │  ┌────────────┐  │         │ Real-time      │
  ├───────────┤     │        │  │ Collection │  │    ┌───▶│ Dashboards     │
  │ Endpoints │─────┼───────▶│  └─────┬──────┘  │    │    ├────────────────┤
  ├───────────┤     │        │        ▼         │    │    │ Alerts &       │
  │ Servers   │─────┤        │  ┌────────────┐  │────┼───▶│ Notifications  │
  ├───────────┤     │        │  │ Parsing &  │  │    │    ├────────────────┤
  │ Cloud/SaaS│─────┤        │  │ Enrichment │  │    │    │ Correlation    │
  ├───────────┤     │        │  └─────┬──────┘  │    ├───▶│ Reports        │
  │ Network   │─────┤        │        ▼         │    │    ├────────────────┤
  ├───────────┤     │        │  ┌────────────┐  │    │    │ Threat Intel   │
  │ Identity  │─────┘        │  │ Correlation│──│────┘    │ Integration    │
  └───────────┘              │  │ & Rules    │  │         └────────────────┘
                             │  └────────────┘  │
                             └──────────────────┘
```

### Key Log Sources & What to Look For

| Log Source | Key Events to Monitor |
|------------|----------------------|
| **Authentication** | Failed logins, brute force, impossible travel, MFA bypass |
| **Firewall/IDS** | Blocked connections, port scans, known bad IPs |
| **Endpoint (EDR)** | Process creation, registry changes, persistence mechanisms |
| **Web Server** | SQL injection attempts, path traversal, unusual user-agents |
| **DNS** | Queries to known malicious domains, DGA patterns, tunneling |
| **Cloud/IAM** | Privilege escalation, new admin accounts, policy changes |
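
Two of the authentication detections in the table above, brute force and impossible travel, implemented over a handful of constructed log lines. This is an added example, not code from the original page: the whitespace-separated log format, the thresholds (5 failures in 5 minutes, 900 km/h) and the small IP-to-coordinate table are assumptions made for the example; a real pipeline would read from the SIEM and use a GeoIP database.

```python
# Added example (not from the original page): brute force and impossible
# travel detections over constructed auth events. The log format, the
# thresholds and the GEO table are assumptions made for this example.
from collections import defaultdict
from datetime import datetime, timedelta
import math

# Constructed sample events, one per line: "<timestamp> <user> <src_ip> <result>"
SAMPLE_AUTH_LOG = """\
2024-05-01T08:00:01Z alice 203.0.113.10 FAIL
2024-05-01T08:00:03Z alice 203.0.113.10 FAIL
2024-05-01T08:00:05Z alice 203.0.113.10 FAIL
2024-05-01T08:00:07Z alice 203.0.113.10 FAIL
2024-05-01T08:00:09Z alice 203.0.113.10 FAIL
2024-05-01T08:00:11Z alice 203.0.113.10 SUCCESS
2024-05-01T09:00:00Z bob 198.51.100.7 SUCCESS
2024-05-01T09:20:00Z bob 192.0.2.44 SUCCESS
2024-05-01T10:00:00Z carol 198.51.100.9 FAIL
2024-05-01T10:05:00Z carol 198.51.100.9 SUCCESS
"""

# Assumed geolocation table (a real pipeline would query a GeoIP database).
GEO = {
    "203.0.113.10": (40.71, -74.01),   # New York
    "198.51.100.7": (51.51, -0.13),    # London
    "192.0.2.44": (35.68, 139.69),     # Tokyo
    "198.51.100.9": (51.51, -0.13),    # London
}


def parse_auth_log(text):
    """Parse the constructed format into event dicts with real datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "result": result,
        })
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Flag (user, src_ip) pairs with >= threshold failures inside `window`.
    `success_after` is True when a login succeeded after the failure burst,
    which is the case that needs immediate escalation."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["user"], e["ip"])].append(e)
    findings = []
    for (user, ip), evs in by_key.items():
        fails = sorted(e["ts"] for e in evs if e["result"] == "FAIL")
        for start in fails:                      # sliding window over failures
            in_window = [t for t in fails if start <= t <= start + window]
            if len(in_window) >= threshold:
                last_fail = max(in_window)
                success_after = any(e["result"] == "SUCCESS" and e["ts"] > last_fail
                                    for e in evs)
                findings.append({"user": user, "ip": ip,
                                 "failures": len(in_window),
                                 "success_after": success_after})
                break                            # one finding per pair is enough
    return findings


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371 * math.asin(math.sqrt(h))


def detect_impossible_travel(events, max_speed_kmh=900):
    """Flag consecutive successful logins for one user from different IPs
    whose implied travel speed exceeds what an airliner could manage."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "SUCCESS" and e["ip"] in GEO:
            by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            if prev["ip"] == cur["ip"]:
                continue
            km = haversine_km(GEO[prev["ip"]], GEO[cur["ip"]])
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            if hours <= 0 or km / hours > max_speed_kmh:
                findings.append({"user": user, "from": prev["ip"], "to": cur["ip"],
                                 "km": round(km), "hours": round(hours, 2)})
    return findings


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    print(detect_brute_force(evs))
    print(detect_impossible_travel(evs))
```

On the constructed input the brute-force rule fires for `alice` (five failures followed by a success, which makes it a successful password guess rather than a locked-out user), and the impossible-travel rule fires for `bob` (London to Tokyo in twenty minutes). Both findings are the kind of thing a SIEM correlation rule produces for triage; the thresholds are deliberately easy to tune.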

## Threat Hunting Basics

**Threat Hunting** is the proactive search for threats that evade existing security controls.

```
┌──────────────────────────────────────────────────────────────────────────────┐
│                        THREAT HUNTING METHODOLOGY                             │
└──────────────────────────────────────────────────────────────────────────────┘

    ┌─────────────┐     ┌──────────────┐     ┌──────────────┐     ┌───────────┐
    │ HYPOTHESIS  │────▶│   COLLECT    │────▶│   ANALYZE    │────▶│  REPORT   │
    │ GENERATION  │     │   DATA       │     │   & HUNT     │     │ FINDINGS  │
    └─────────────┘     └──────────────┘     └──────────────┘     └─────┬─────┘
          ▲                                                              │
          │                                                              │
          └───────────────── Refine Hypothesis ──────────────────────────┘
```

### Hunt Types

| Type | Description | Example |
|------|-------------|--------|
| **Intel-Driven** | Based on threat intelligence | Hunt for IOCs from new APT report |
| **Hypothesis-Driven** | Based on attacker TTPs | "Attackers may use PowerShell for C2" |
| **Anomaly-Driven** | Based on baseline deviations | Unusual outbound traffic patterns |
| **Machine Learning** | Automated detection of anomalies | UEBA detecting unusual user behavior |

### Common Hunt Queries (Pseudo-SQL)

```sql
-- Detect encoded PowerShell commands
SELECT * FROM process_events
WHERE LOWER(process_name) IN ('powershell.exe', 'pwsh.exe')
  AND LOWER(cmdline) LIKE '%encodedcommand%';

-- Detect lateral movement via PsExec-style SMB/RPC connections
-- (internal-to-internal; in practice, exclude known file servers and admin jump hosts)
SELECT * FROM network_connections
WHERE dest_port IN (445, 135)
  AND src_ip IN (SELECT ip FROM internal_hosts)
  AND dest_ip IN (SELECT ip FROM internal_hosts);

-- Detect data exfiltration via DNS: many long subdomains sent to one parent domain
-- (a per-row count is meaningless; aggregate per client and parent domain)
SELECT src_ip, parent_domain,
       COUNT(*)              AS query_count,
       AVG(LENGTH(subdomain)) AS avg_subdomain_len
FROM dns_queries
GROUP BY src_ip, parent_domain
HAVING AVG(LENGTH(subdomain)) > 50
   AND COUNT(*) > 100;
```
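
The DNS-exfiltration hunt above, carried out properly as an aggregation per client and parent domain, with a character-entropy check added to separate random-looking tunnel payloads from long but ordinary CDN hostnames. This is an added example, not code from the original page: the query log, the thresholds (20 queries, average subdomain length 40, average entropy 3.0 bits) and the two-label "parent domain" rule are assumptions for the example (real code would use the public suffix list).

```python
# Added example (not from the original page): DNS tunneling / exfiltration hunt
# over a constructed query log. Thresholds and the parent-domain rule are
# assumptions made for this example.
from collections import Counter, defaultdict
import hashlib
import math


def constructed_dns_log():
    """Constructed (client_ip, query_name) pairs: one host pushes 25 long
    hex-encoded labels to a single parent domain; the rest is ordinary traffic."""
    log = []
    for i in range(25):
        # deterministic pseudo-random payload, as a tunnel client would emit
        label = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:52]
        log.append(("10.0.0.5", f"{label}.exfil-example.test"))
    log += [
        ("10.0.0.5", "www.example.com"),
        ("10.0.0.7", "mail.example.com"),
        ("10.0.0.7", "cdn.static.example.net"),
        ("10.0.0.9", "www.example.com"),
    ]
    return log


def split_qname(qname, suffix_labels=2):
    """Split 'a.b.example.com' into ('a.b', 'example.com').
    Assumption: the parent domain is the last two labels; a real hunt would
    consult the public suffix list to handle e.g. co.uk correctly."""
    labels = qname.rstrip(".").split(".")
    if len(labels) <= suffix_labels:
        return "", ".".join(labels)
    return ".".join(labels[:-suffix_labels]), ".".join(labels[-suffix_labels:])


def shannon_entropy(s):
    """Bits of entropy per character; hex/base64 payloads score high,
    dictionary-word hostnames score low."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def hunt_dns_tunneling(log, min_queries=20, min_avg_len=40, min_entropy=3.0):
    """Aggregate per (client, parent_domain) and flag groups with many queries
    whose subdomains are both long and high-entropy on average."""
    stats = defaultdict(lambda: {"queries": 0, "len_sum": 0,
                                 "ent_sum": 0.0, "unique": set()})
    for client, qname in log:
        sub, parent = split_qname(qname)
        s = stats[(client, parent)]
        s["queries"] += 1
        s["len_sum"] += len(sub)
        s["ent_sum"] += shannon_entropy(sub)
        s["unique"].add(sub)          # tunnels rarely repeat a label

    findings = []
    for (client, parent), s in stats.items():
        if s["queries"] < min_queries:
            continue
        avg_len = s["len_sum"] / s["queries"]
        avg_ent = s["ent_sum"] / s["queries"]
        if avg_len >= min_avg_len and avg_ent >= min_entropy:
            findings.append({
                "client": client,
                "parent_domain": parent,
                "queries": s["queries"],
                "avg_subdomain_len": round(avg_len, 1),
                "avg_entropy": round(avg_ent, 2),
                "unique_subdomains": len(s["unique"]),
            })
    return findings


if __name__ == "__main__":
    for finding in hunt_dns_tunneling(constructed_dns_log()):
        print(finding)
```

The aggregation is the important part: a single long query proves nothing, but hundreds of unique, high-entropy labels from one client to one parent domain is a pattern that ordinary resolution does not produce. Tune `min_queries` to the hunt window and keep an allow-list of known high-volume parents (CDNs, telemetry) to suppress the obvious false positives.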

## Digital Forensic Investigation

**Digital Forensics** involves the collection, preservation, analysis, and presentation of digital evidence.

```
┌──────────────────────────────────────────────────────────────────────────────┐
│                      FORENSIC INVESTIGATION PROCESS                          │
└──────────────────────────────────────────────────────────────────────────────┘

  ┌─────────────┐    ┌─────────────┐    ┌─────────────┐    ┌─────────────┐
  │ IDENTIFICA- │───▶│ COLLECTION  │───▶│  ANALYSIS   │───▶│  REPORTING  │
  │    TION     │    │ & PRESERVE  │    │             │    │             │
  └─────────────┘    └─────────────┘    └─────────────┘    └─────────────┘
        │                  │                  │                  │
        ▼                  ▼                  ▼                  ▼
   ┌─────────┐       ┌─────────┐       ┌──────────┐       ┌──────────┐
   │• Scope  │       │• Imaging│       │• Timeline│       │• Document│
   │• Assets │       │• Hashing│       │• Malware │       │• Chain of│
   │• Chain  │       │• Memory │       │• Artifact│       │  Custody │
   │  Custody│       │  Capture│       │  Analysis│       │• Evidence│
   └─────────┘       └─────────┘       └──────────┘       └──────────┘
```

### Key Forensic Artifacts

| Artifact Type | Location/Source | Evidence Value |
|---------------|-----------------|----------------|
| **Windows Registry** | NTUSER.DAT, SYSTEM, SOFTWARE | User activity, installed programs, persistence |
| **Event Logs** | Security.evtx, System.evtx | Logins, service changes, errors |
| **Prefetch Files** | `C:\Windows\Prefetch` | Program execution history |
| **Browser History** | `AppData/Local/<Browser>` | URLs visited, downloads, searches |
| **Memory Dump** | Live capture or hiberfil.sys | Running processes, network connections, encryption keys |
| **Network Captures** | PCAP files | C2 communication, data exfiltration |

### Forensic Principles
- **Preserve original evidence** - Always work on forensic copies
- **Maintain chain of custody** - Document who handled evidence and when
- **Document everything** - Screenshots, hashes, timestamps
- **Use validated tools** - FTK, EnCase, Autopsy, Volatility
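
The first three principles above (work on copies, hash everything, record custody) in code: an acquisition routine that copies the evidence, hashes original and copy, refuses to proceed on a mismatch, keeps a chain-of-custody log, and later re-verifies the copy. This is an added example, not code from the page or from any of the named tools; the file contents, custodian names, case id and the JSON record layout are constructed for the example.

```python
# Added example (not from the original page): evidence hashing, chain-of-custody
# record and later re-verification. File contents, names and the record
# layout are constructed for this example.
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def now_iso():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_evidence(source_path, dest_path, custodian, case_id, notes=""):
    """Copy the original to a working copy, hash both, and start the custody log.
    The original is only ever opened read-only."""
    with open(source_path, "rb") as src, open(dest_path, "wb") as dst:
        for chunk in iter(lambda: src.read(1 << 20), b""):
            dst.write(chunk)
    source_hash = sha256_file(source_path)
    copy_hash = sha256_file(dest_path)
    if source_hash != copy_hash:
        raise RuntimeError("working copy does not match original; re-acquire")
    return {
        "case_id": case_id,
        "item": os.path.basename(source_path),
        "sha256": source_hash,
        "custody": [{"action": "acquired", "by": custodian,
                     "at": now_iso(), "notes": notes}],
    }


def log_custody(record, action, custodian, notes=""):
    """Append one hand-off / action entry; entries are never edited or removed."""
    record["custody"].append({"action": action, "by": custodian,
                              "at": now_iso(), "notes": notes})
    return record


def verify_evidence(record, path):
    """Return (ok, current_hash); ok is False if the copy no longer matches."""
    current = sha256_file(path)
    return current == record["sha256"], current


def demo():
    """Constructed run: acquire, hand off, verify, then simulate a modified copy
    and show that verification catches it. Returns (ok_before, ok_after, record)."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "disk.img")
        copy = os.path.join(d, "disk.img.copy")
        with open(original, "wb") as f:
            f.write(b"constructed evidence bytes " * 1000)
        record = acquire_evidence(original, copy, "analyst-a", "CASE-EXAMPLE-0001",
                                  "workstation image, constructed sample")
        log_custody(record, "transferred", "analyst-b", "handed to malware analyst")
        ok_before, _ = verify_evidence(record, copy)
        with open(copy, "ab") as f:        # simulate accidental modification
            f.write(b"x")
        ok_after, _ = verify_evidence(record, copy)
        return ok_before, ok_after, record


if __name__ == "__main__":
    before, after, rec = demo()
    print("copy verified:", before, "| after modification:", after)
    for entry in rec["custody"]:
        print(entry)
```

The record is what goes into the case file: the hash ties every later finding back to the exact bytes acquired, and the append-only custody list answers "who had it and when". In practice the record is itself hashed or signed and stored separately from the evidence so that neither can be altered silently.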

## Communication Protocols

Effective communication is critical during incident response to ensure coordination and minimize confusion.

```
┌──────────────────────────────────────────────────────────────────────────────┐
│                      INCIDENT COMMUNICATION FLOW                              │
└──────────────────────────────────────────────────────────────────────────────┘

                           ┌─────────────────┐
                           │  INCIDENT       │
                           │  COMMANDER (IC) │
                           └────────┬────────┘
                                    │
          ┌─────────────────────────┼─────────────────────────┐
          │                         │                         │
          ▼                         ▼                         ▼
  ┌───────────────┐        ┌───────────────┐        ┌───────────────┐
  │ TECHNICAL LEAD│        │ COMMUNICATIONS│        │   EXECUTIVE   │
  │               │        │     LEAD      │        │   LIAISON     │
  └───────┬───────┘        └───────┬───────┘        └───────┬───────┘
          │                        │                        │
          ▼                        ▼                        ▼
  ┌───────────────┐        ┌───────────────┐        ┌───────────────┐
  │• IR Team      │        │• Legal        │        │• C-Suite      │
  │• SOC Analysts │        │• PR/Comms     │        │• Board        │
  │• IT Ops       │        │• Customers    │        │• Regulators   │
  │• Vendors      │        │• Employees    │        │               │
  └───────────────┘        └───────────────┘        └───────────────┘
```

### Communication Best Practices

| Aspect | Guidelines |
|--------|------------|
| **Secure Channels** | Use out-of-band communication (assume adversary has access) |
| **Regular Updates** | Status calls every 30-60 min during active incidents |
| **Clear Language** | Avoid jargon with non-technical stakeholders |
| **Document Everything** | Keep incident log with timestamps |
| **Need-to-Know** | Limit sensitive details to essential personnel |
| **Regulatory Notification** | Know breach notification requirements (GDPR: 72 hours, etc.) |

## Incident Response Playbook Template

```
┌──────────────────────────────────────────────────────────────────────────────┐
│                    RANSOMWARE INCIDENT PLAYBOOK                               │
├──────────────────────────────────────────────────────────────────────────────┤
│ TRIGGER: Ransomware detected by EDR or user reports encrypted files         │
├──────────────────────────────────────────────────────────────────────────────┤
│                                                                              │
│  DETECTION ──────────────────────────────────────────────────────────────▶   │
│  □ Verify alert is not false positive                                        │
│  □ Identify affected systems (hostname, IP, user)                            │
│  □ Determine ransomware variant (check ransom note, file extensions)         │
│  □ Assess scope - single system or network-wide?                             │
│                                                                              │
│  CONTAINMENT ────────────────────────────────────────────────────────────▶   │
│  □ Isolate affected systems immediately (network, but keep powered on)       │
│  □ Disable potentially compromised accounts                                  │
│  □ Block known IOCs at firewall/proxy                                        │
│  □ Preserve memory and disk images before changes                            │
│                                                                              │
│  ERADICATION ────────────────────────────────────────────────────────────▶   │
│  □ Identify initial access vector (phishing, RDP, vulnerability)             │
│  □ Remove persistence mechanisms                                             │
│  □ Patch exploited vulnerabilities                                           │
│  □ Reset compromised credentials                                             │
│                                                                              │
│  RECOVERY ───────────────────────────────────────────────────────────────▶   │
│  □ Restore from clean backups (verify backup integrity first)                │
│  □ Rebuild systems if backups unavailable                                    │
│  □ Monitor for re-infection indicators                                       │
│  □ Gradually restore network connectivity                                    │
│                                                                              │
│  DO NOT: Pay ransom without executive/legal approval                         │
│  DO NOT: Wipe systems before forensic imaging                                │
│  DO NOT: Communicate incident details over compromised channels              │
└──────────────────────────────────────────────────────────────────────────────┘
```

### Key Metrics to Track

| Metric | Description | Target |
|--------|-------------|--------|
| **MTTD** | Mean Time to Detect | < 24 hours |
| **MTTR** | Mean Time to Respond | < 4 hours |
| **MTTC** | Mean Time to Contain | < 1 hour |
| **Incidents/Month** | Volume trend | Decreasing |
| **False Positive Rate** | Alert quality | < 20% |

## Further Reading & Frameworks

| Resource | Description |
|----------|-------------|
| [NIST SP 800-61r2](https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final) | Computer Security Incident Handling Guide |
| [MITRE ATT&CK](https://attack.mitre.org/) | Adversary tactics and techniques knowledge base |
| [SANS Incident Handler's Handbook](https://www.sans.org/white-papers/) | Practical incident response guidance |
| [FIRST CSIRT Services Framework](https://www.first.org/standards/frameworks/) | Building CSIRT capabilities |
| [The Pyramid of Pain](https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html) | IOC value hierarchy for detection |

### Key Tools

| Category | Tools |
|----------|-------|
| **SIEM** | Splunk, Microsoft Sentinel, Elastic SIEM, QRadar |
| **EDR** | CrowdStrike Falcon, Microsoft Defender, Carbon Black |
| **Forensics** | Autopsy, FTK, EnCase, Volatility (memory), KAPE |
| **Network** | Wireshark, Zeek, NetworkMiner |
| **Threat Intel** | MISP, OpenCTI, VirusTotal, AbuseIPDB |