Incident Response
Incident response is a decision system under pressure. The goal is to protect the business, preserve evidence, contain the threat, restore trusted service, and convert lessons learned into stronger controls.
Containment Can Destroy Evidence
Do not isolate, rebuild, or wipe systems until the incident commander understands which evidence the action will destroy (volatile memory, running processes, network connections, local logs). For ransomware, active exfiltration, or destructive activity, containment may take priority over preservation, but record the decision, who approved it, and when.
Triage Decision Record
```yaml
incident_id: IR-2026-042
commander: <NAME>
severity: high
business_impact:
  - customer portal degraded
  - potential identity compromise
known_facts:
  - first alert time: 2026-05-26T14:20:00Z
  - affected assets: host01, vpn-gateway
  - suspected vector: stolen credentials
unknowns:
  - data access scope
  - persistence status
  - lateral movement extent
next_decisions:
  - preserve memory on host01 before isolation
  - disable suspected accounts after coordinated evidence capture
  - notify legal if regulated data access is confirmed
```
Response Lifecycle
- Prepare: contacts, playbooks, logging, backups, tabletop practice.
- Detect: validate the alert, scope affected assets, assign severity, open the incident record.
- Contain: limit the blast radius while preserving critical evidence.
- Recover: rebuild from a trusted state and monitor for recurrence.
- Improve: close gaps, tune detections, and update playbooks.
Containment Strategy Matrix
| Scenario | Preferred Action | Evidence Risk |
|---|---|---|
| Active data theft | Block egress, disable exposed credentials, preserve network logs. | Low if logs are exported first. |
| Malware on endpoint | Capture volatile data, isolate host, acquire disk or EDR package. | Medium if powered off too early. |
| Compromised identity | Revoke sessions, rotate credentials, preserve sign-in and audit logs. | Low if audit logs are retained. |
| Ransomware execution | Disconnect affected network segments and protect backups. | High, but business protection may dominate. |
Minimum Evidence Package
- Incident timeline with UTC timestamps and source system for each event.
- Alert IDs, case IDs, analyst notes, and containment approvals.
- Identity logs, endpoint triage package, network flows, DNS/proxy logs, and cloud audit records.
- Hashes for acquired images, memory captures, exported logs, and malware samples.
- Recovery validation: rebuilt hosts, rotated secrets, closed firewall changes, and monitoring window results.
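Two items in the evidence package are easy to get wrong in practice: hashes must be computed at acquisition time and re-checked before analysis, and a timeline built from several sources only holds together if every timestamp is converted to UTC. The following Python is an added example, not code from this page or any vendor tool; the file names, the analyst name and the three log events are constructed, and the local-offset timestamps are chosen so the conversion to UTC is visible.

```python
# Added example (not from the page): build and verify a hashed evidence manifest,
# and normalise a multi-source timeline to UTC. File names and events are constructed.
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from typing import Dict, List

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so a disk image need not fit in memory


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(artifacts: Dict[str, str], acquired_by: str) -> List[dict]:
    """artifacts maps a local path to the source system it was acquired from."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return [
        {
            "file": os.path.basename(path),
            "source_system": source,
            "size_bytes": os.path.getsize(path),
            "sha256": sha256_file(path),
            "acquired_utc": now,
            "acquired_by": acquired_by,
        }
        for path, source in sorted(artifacts.items())
    ]


def verify_manifest(rows: List[dict], directory: str) -> List[str]:
    """Return names of artifacts that are missing or whose hash no longer matches."""
    bad = []
    for row in rows:
        path = os.path.join(directory, row["file"])
        if not os.path.exists(path) or sha256_file(path) != row["sha256"]:
            bad.append(row["file"])
    return bad


def to_utc(ts: str) -> str:
    """Accept ISO-8601 with an offset or a trailing Z; refuse naive timestamps."""
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"  # fromisoformat() only accepts 'Z' on Python 3.11+
    parsed = datetime.fromisoformat(ts)
    if parsed.tzinfo is None:
        raise ValueError(f"timestamp without timezone cannot be placed on the timeline: {ts}")
    return parsed.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def normalize_timeline(events: List[dict]) -> List[dict]:
    """Each event carries 'ts', 'source' and 'event'; return copies sorted by UTC time."""
    out = [{**e, "ts": to_utc(e["ts"])} for e in events]
    return sorted(out, key=lambda e: (e["ts"], e["source"]))


def run_demo() -> dict:
    """Constructed artifacts and events; returns results so they can be checked."""
    events = [  # constructed sample events, each in its source's local offset
        {"ts": "2026-05-26T16:20:00+02:00", "source": "vpn-gateway", "event": "login from new ASN"},
        {"ts": "2026-05-26T09:25:30-05:00", "source": "host01", "event": "scheduled task created"},
        {"ts": "2026-05-26T14:18:10Z", "source": "idp", "event": "MFA prompt denied"},
    ]
    with tempfile.TemporaryDirectory() as d:
        mem = os.path.join(d, "memory-host01.raw")
        logs = os.path.join(d, "vpn-gateway-auth.log")
        with open(mem, "wb") as f:
            f.write(b"abc")  # stand-in for a memory capture
        with open(logs, "wb") as f:
            f.write(b"constructed log export\n")
        manifest = build_manifest({mem: "host01", logs: "vpn-gateway"}, "analyst-1")
        clean = verify_manifest(manifest, d)
        with open(mem, "ab") as f:
            f.write(b"!")  # simulate modification after acquisition
        tampered = verify_manifest(manifest, d)
    return {"manifest": manifest, "clean": clean, "tampered": tampered,
            "timeline": normalize_timeline(events)}


if __name__ == "__main__":
    result = run_demo()
    for row in result["manifest"]:
        print(row["sha256"], row["source_system"], row["file"])
    print("tampered:", result["tampered"])
    for e in result["timeline"]:
        print(e["ts"], e["source"], e["event"])
```

Store the manifest alongside the evidence but with write access limited to the acquiring analyst and the case owner; the verify step is what gives the hashes their value when the same files are opened weeks later. The timeline helper deliberately rejects timestamps with no timezone, because a naive local time from a branch-office appliance silently misorders events once it is mixed with UTC records from the identity provider.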
After-Action Improvements
```csv
finding,owner,due_date,validation
Missing alert for impossible travel,identity-team,2026-06-15,test with approved account
No DNS logs for branch office,network-team,2026-06-30,confirm query visibility in SIEM
Backup restore runbook stale,infrastructure-team,2026-06-20,complete tabletop and restore test
Evidence storage access too broad,security-ops,2026-06-10,review ACL and audit logs
```