Incident Response

Incident Response (IR) is the organized approach to addressing and managing security breaches. Following a structured IR process minimizes damage and reduces recovery time.

NIST IR Lifecycle

1. Preparation: IR plan, tools, training
2. Detection: Identify & analyze incident
3. Containment: Stop the bleeding
4. Recovery: Restore & lessons learned

Containment Strategies

containment.sh (command reference; a mix of bash, Cisco IOS, cmd and PowerShell, not one runnable script)

# Network isolation
# Cisco IOS: shut the switch port the host is on (enter from configure terminal mode)
interface GigabitEthernet0/1
  shutdown

# Linux firewall block (iptables). Insert at the top of the chain with -I so the
# DROP is evaluated before any earlier ACCEPT rule; -A would append it last.
iptables -I INPUT -s ATTACKER_IP -j DROP
iptables -I OUTPUT -d C2_SERVER -j DROP

# Windows - disable network adapter (elevated cmd or PowerShell)
netsh interface set interface "Ethernet" admin=disable

# Disable compromised account: local account via cmd, domain account via the
# ActiveDirectory PowerShell module
net user compromised_user /active:no
Disable-ADAccount -Identity compromised_user

# Windows Defender: set the default action for a detected threat (PowerShell).
# These parameters take a numeric Defender threat ID, not a file hash; blocking a
# specific file hash is done with custom indicators in Defender for Endpoint.
Add-MpPreference -ThreatIDDefaultAction_Ids THREAT_ID -ThreatIDDefaultAction_Actions Block

# Collect volatile data before shutdown
# - Running processes
# - Network connections
# - Memory dump
# - Logged in users
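The "collect volatile data before shutdown" step above is easy to get wrong under pressure (a forgotten artefact, a collection that aborts halfway, evidence with no integrity record). The script below is an example added to this page, not the page author's script: it snapshots processes, network connections, logged-in users and a few kernel tables into an evidence directory, keeps going when a tool is missing, and writes a SHA-256 manifest so the artefacts can be verified after they leave the host. It assumes a Linux host with coreutils; the output path in the usage line is an example. A full memory image needs a dedicated acquisition tool and is deliberately not attempted here.

```shell
#!/bin/sh
# collect_volatile.sh - snapshot volatile host state before isolation or shutdown.
# Example added to the page (not the original author's script). Assumes Linux
# with coreutils; ps, ss/netstat and who are used when present, and a missing
# tool is recorded in the artefact file instead of aborting the collection.

# run_step NAME CMD...: capture one artefact (stdout and stderr) and never abort
run_step() {
  name="$1"; shift
  {
    printf '# command: %s\n# collected: %s\n' "$*" "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    "$@"
  } >"$EVIDENCE_DIR/$name.txt" 2>&1 || true
}

# sha256_cmd FILES...: coreutils sha256sum, or the perl shasum fallback
sha256_cmd() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# collect_volatile DIR: gather artefacts into DIR and print the manifest path
collect_volatile() {
  EVIDENCE_DIR="$1"
  mkdir -p "$EVIDENCE_DIR" || return 1

  run_step processes ps -eo pid,ppid,user,lstart,args
  if command -v ss >/dev/null 2>&1; then
    run_step netconns ss -tunap
  else
    run_step netconns netstat -tunap
  fi
  run_step logged_in who -a
  run_step uptime uptime
  run_step arp_cache cat /proc/net/arp
  run_step mounts cat /proc/mounts

  # Integrity manifest: hashes are relative to the evidence directory so the
  # manifest still verifies after the directory is copied off the host
  (cd "$EVIDENCE_DIR" && sha256_cmd ./*.txt >MANIFEST.sha256) || return 1
  printf '%s\n' "$EVIDENCE_DIR/MANIFEST.sha256"
}

# verify_manifest DIR: succeed only if every recorded hash still matches
verify_manifest() {
  (cd "$1" && sha256_cmd -c MANIFEST.sha256 >/dev/null 2>&1)
}

# Usage (example path): sh collect_volatile.sh /mnt/evidence/host01
if [ -n "${1:-}" ]; then
  collect_volatile "$1"
fi
```

Run it from removable or network-mounted evidence storage rather than the compromised disk, and verify the manifest again at the analysis workstation; a failed verify_manifest means an artefact changed in transit and should not be trusted.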

Don't Alert the Attacker

During containment, avoid actions that might tip off the attacker (like changing passwords for accounts they control). Plan coordinated containment to remove all access simultaneously.