| Phase | Step | Action | Tools / commands | Deliverable |
|---|---|---|---|---|
| Preparation | Asset inventory | Document critical systems | `nmap -sP 192.168.1.0/24` | Asset register |
| Preparation | Baseline establishment | Record normal behavior | `top`, `netstat -tuln` | Baseline document |
| Preparation | IRT contacts | Establish escalation paths | N/A | Contact sheet |
| Preparation | Response kit | Prepare forensic tools | FTK, volatility, wireshark | Kit checklist |
| Detection & Analysis | Initial triage | Verify incident occurrence | `grep 'Failed password' /var/log/auth.log` | Incident ticket |
| Detection & Analysis | Scope determination | Identify affected systems | `lsof -i`, `netstat -antp` | Scope document |
| Detection & Analysis | Evidence collection | Capture volatile data | `memory_dump.sh`, `dd if=/dev/sda of=disk.img` | Evidence log |
| Detection & Analysis | Timeline creation | Establish sequence of events | `log2timeline.py` | Timeline document |
| Containment | Short-term containment | Isolate affected systems | Network segregation, `iptables -A INPUT -s malicious_ip -j DROP` | Containment log |
| Containment | System backup | Create forensic copies | `dd`, FTK Imager | Backup verification |
| Containment | Long-term remediation | Patch vulnerabilities | `apt update && apt upgrade` | Patch log |
| Eradication | Malware removal | Eliminate persistence | `find / -name "suspicious_file"`, AV scan | Cleanup report |
| Eradication | Vulnerability patching | Address security gaps | `yum update package`, `apt install security-patch` | Patch verification |
| Eradication | System hardening | Strengthen security posture | `chmod 600 /etc/shadow`, `ufw enable` | Hardening checklist |
| Recovery | System restoration | Return to operation | Restore from backup, service start | Recovery log |
| Recovery | Monitoring | Watch for repeat incidents | SIEM alerts, `tail -f /var/log/syslog` | Monitoring plan |
| Recovery | Validation testing | Verify system integrity | Penetration test, `tripwire --check` | Test results |
| Lessons Learned | Documentation | Complete incident report | N/A | Final report |
| Lessons Learned | Process improvement | Update response procedures | N/A | Updated playbooks |
| Lessons Learned | Team debrief | Review response effectiveness | N/A | Debrief minutes |
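The initial-triage row above stops at `grep 'Failed password' /var/log/auth.log`, which confirms that failures exist but not whether they form a brute-force burst worth a ticket. The helper below is an added example, not part of the original checklist, that goes one step further: it extracts the source address from each OpenSSH failure line, counts failures per source and reports only those at or above a threshold. It assumes the standard OpenSSH `auth.log` wording ("Failed password for ... from IP port N ssh2") and runs against a small constructed log rather than a real one.

```shell
#!/bin/sh
# Added triage helper (not from the original table): aggregate OpenSSH
# "Failed password" lines per source IP and flag sources over a threshold.
# Assumes the stock OpenSSH auth.log format, e.g.
#   ... sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2

# Usage: triage_failed_logins LOGFILE [THRESHOLD]
# Prints "<count> <ip>" for every source IP with >= THRESHOLD failures,
# highest count first. THRESHOLD defaults to 5.
triage_failed_logins() {
    logfile="$1"
    threshold="${2:-5}"
    grep 'Failed password' "$logfile" \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk -v t="$threshold" '$1 >= t { print $1, $2 }'
}

# Constructed sample log (not real data) so the script runs stand-alone:
# one noisy source, one low-volume source and one successful login.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jan 10 03:14:01 host sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 10 03:14:03 host sshd[2102]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jan 10 03:14:05 host sshd[2103]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 10 03:14:07 host sshd[2104]: Failed password for invalid user test from 203.0.113.5 port 51244 ssh2
Jan 10 03:20:11 host sshd[2150]: Failed password for alice from 198.51.100.7 port 40112 ssh2
Jan 10 03:20:19 host sshd[2151]: Failed password for alice from 198.51.100.7 port 40113 ssh2
Jan 10 03:21:02 host sshd[2152]: Accepted password for alice from 198.51.100.7 port 40114 ssh2
EOF

# Stand-alone run: report any source with three or more failures.
triage_failed_logins "$SAMPLE_LOG" 3
```

On a live host, point the function at `/var/log/auth.log` (or the journal export) and record the flagged sources in the incident ticket rather than acting on them directly; two failures from an address that then logs in successfully, as in the sample, is normal user behaviour, not an incident.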