Incident Response#

Reference of incident response frameworks, the standard phase-models, retainer / firm landscape, common playbooks, and the regulatory disclosure regimes the operator runs into during major incidents.

For SIEM / SOAR see SIEM & SOAR. For EDR see EDR & XDR. For digital forensics see Digital Forensics. For threat actors see Hacker Groups.

Phase models#

Model

Phases

NIST SP 800-61r2

  1. Preparation. 2. Detection & Analysis. 3. Containment, Eradication & Recovery. 4. Post-Incident Activity.

SANS PICERL

  1. Preparation. 2. Identification. 3. Containment. 4. Eradication. 5. Recovery. 6. Lessons learned.

ISO/IEC 27035

  1. Plan & Prepare. 2. Detect & Report. 3. Assess & Decide. 4. Respond. 5. Lessons.

ENISA Good Practice

Aligned with NIST + ISO; EU CSIRT-flavoured.

NCSC Cyber Incident

UK / NCSC playbook; supplier breach focus.

US Federal Gov Cyber

Fed CIO; aligned with NIST.

Incident Response Pl ay

PCI-DSS 12.10

US DoD Cyber CONOPS

Defensive Cyberspace Operations.

Cyber Kill Chain (Lockheed Martin)#

Step

Notes

  1. Reconnaissance

Target research; OSINT.

  1. Weaponisation

Pair exploit + payload.

  1. Delivery

Email / web / USB.

  1. Exploitation

Trigger code execution.

  1. Installation

Implant persistence.

  1. Command & Control

Beacon to attacker infra.

  1. Actions on Objs

Steal / destroy / disrupt.

The Unified Kill Chain (Pols) extends this to 18 phases, folding in ATT&CK tactics; see MITRE ATT&CK.

Major retainer firms#

Firm

Notes

Mandiant (Google)

Industry-leading IR; APT/M-Trends; FLARE for malware; HX agent.

CrowdStrike Services

Falcon-based; OverWatch managed hunting.

Microsoft DART

Detection and Response Team; bundled with E5 / Premier.

Microsoft IR

Incident Response Service (paid retainer).

Palo Alto Unit 42

Crypsis-derived; integrated with Cortex.

SecureWorks

Dell’s IR; Counter Threat Unit.

IBM X-Force

Threat intel + IR.

Kroll

Forensic + IR + breach response (insurance-favored).

Stroz Friedberg (Aon)

IR; insurance.

Coveware

Ransomware negotiation specialist.

GroupSense

Ransomware negotiation.

GuidePoint Security

IR retainer.

NCC Group

UK; IR + offensive.

KPMG / EY / Deloitte

/ PwC Big-4 IR practices.

PwC IR (Bambenek)

Threat intel.

Booz Allen Hamilton

US gov IR.

Trustwave SpiderLabs

IR + research.

TrustedSec

IR + offensive (Kennedy).

DigitalGuardian DCRT

DLP + IR.

Volexity

Memory forensics / APT IR (Adair).

Recorded Future Insi

kt Group Threat intel.

ThreatConnect

Intel-driven IR.

Trellix Mandiant Adv .

Trellix-branded.

Sygnia

IL-origin; APT-focused.

Cyderes

IR + MSSP.

Optiv

IR retainer + advisory.

Arete Advisors

IR + ransomware negotiation.

Common playbooks#

Playbook

Key steps

Ransomware

Isolate. Preserve evidence. Identify variant (ID Ransomware, No More Ransom). Coordinate negotiation (Coveware / Arete). Notify counsel, insurance, LE (FBI / CISA / NCSC). Restore from backups. Forensics on initial access vector.

BEC

Reset compromised mailbox. Audit forwarding / inbox rules. Pull authentication logs. Notify counterparties + bank. File IC3 + SAR within 30 days; Wire fraud recall < 72 hr.

Insider threat

Preserve endpoint + cloud audit + USB / DLP logs. Engage HR + legal. Disable but preserve credentials.

DDoS

Activate mitigation (Cloudflare Magic Transit, AWS Shield Advanced). Capture flow data. Notify upstream / ISP.

Cloud account take

Rotate root + IAM keys. Audit CloudTrail / GCP Audit / Azure Activity. Snapshot + isolate. Defender for Cloud / GuardDuty.

Cred breach

Force password + MFA reset. Revoke active sessions / refresh tokens. Audit federation / SAML.

Supplier compromise

Contact supplier IR; identify shared infrastructure; short-term workarounds; legal escalation.

Web defacement

Isolate + restore; review CMS plugin; audit access logs.

Mass-malware

AV/EDR sweep; Sysinternals Autoruns; persistence checks.

Lost / stolen laptop

Remote-wipe (MDM); revoke certs / passkeys / VPN; legal / LE notification per jurisdiction.

Disclosure / regulatory#

Regime

Notes

SEC Rule 4-Day

US public co.; material cyber incident → 8-K within 4 business days (effective Dec 2023).

HIPAA Breach Rule

PHI breach > 500 individuals → HHS within 60 days; press notification + state AG.

GDPR Art 33

Personal data breach → DPA within 72 hr.

NIS2 (EU)

24h early warning, 72h notification, 1-month report.

DORA

EU financial-services major incident reporting.

PIPEDA / OPC

Canada.

PIPL

China; CAC notification.

APPI

Japan.

LGPD

Brazil.

PCI-DSS

Compromised cardholder data → forensic investigation by PFI.

NYDFS 23 NYCRR 500

Cyber incident reporting for financial regulated entities.

TLPT under DORA

Threat-led penetration testing.

TSA Pipeline directiv es

US pipeline operators must report incidents.

CIRCIA (US)

Cyber Incident Reporting for Critical Infrastructure Act 2022; CISA reporting (rules in development).

Tooling#

Tool

Vendor

Notes

TheHive + Cortex

OSS

IR case management.

DFIR-IRIS

OSS

Incident response platform.

Velociraptor

OSS

Live forensics + remote acquisition.

GRR Rapid Response

Google

Live forensics fleet.

Volatility 3

OSS

Memory forensics.

Plaso / log2timeline

OSS

Super-timeline.

KAPE

OSS

Live triage + collection.

Eric Zimmerman tools

OSS

Win artifact parsers.

RegRipper

OSS

Registry parser.

SOF-ELK

OSS

SANS Elastic for IR.

MISP

OSS

Threat intel + IOC sharing.

OpenCTI

OSS

Threat intel platform.

Yeti

OSS

Threat intel platform.

Hayabusa

OSS

Sigma → Windows EVTX detection.

Chainsaw

OSS

EVTX hunt with Sigma.

Cobalt Strike (red)

Fortra

IR teams identify it constantly.

Mandiant Redline

Mandiant

Free triage tool.

Crowdstrike CrowdResponse

CrowdStrike

Free IR triage.

Velociraptor + offline

Mike Cohen

Air-gap-friendly.

Key data sources#

Source

Notes

Endpoint

EDR telemetry (CrowdStrike, SentinelOne, Defender, Cortex); Sysmon; Windows Event Log; Linux auditd; macOS unified log.

Network

Zeek / Suricata; flow (IPFIX); pcap; DNS query log; proxy.

Identity

AD audit (4624 / 4625 / 4768 / 4769 / 4776); Entra ID Sign-in / Audit; Okta System Log.

Email

SEG logs (Proofpoint, Mimecast, Defender for O365); mailbox audit; rule-changes.

Cloud audit

AWS CloudTrail; GCP Audit; Azure Activity; K8s audit.

SaaS

GitHub / GitLab / Slack / Jira audit logs.

DNS

Recursive resolver (Umbrella / DNSFilter) + authoritative.

Backup

Backup server access logs.

Physical

Badge swipes; CCTV; visitor logs.

Threat intel

IoC matches + actor TTPs (see CTI Sources).

Operator notes#

  • Preserve before you act, volatile evidence (memory, network state, ephemeral cloud) is destroyed by reboot; acquire first.

  • Chain of custody, log who touched what and when; use imaging hashes (SHA-256); store in tamper-evident archive.

  • Don’t tip the actor, avoid loud actions until containment plan is ready; many actors monitor their own C2 for IR activity.

  • Counsel-led IR for breaches with legal exposure; attorney-client privilege protects the IR report from later discovery.

  • Insurance carrier coordination is often a contractual requirement; involve cyber insurance early.

  • Ransomware payment is a US OFAC concern (sanctioned groups list); LE coordination is mandatory in many jurisdictions.

  • Communications, prepare statements for staff, customers, regulators, press; legal sign-off everything.

  • Post-incident review, separate from blame; document root cause, timeline, gaps, action items; track to closure.

  • Tabletop exercises, quarterly ; run cross-functional (security + IT + legal + comms + execs).

References#