Incident Response#
Reference of incident response frameworks, the standard phase-models, retainer / firm landscape, common playbooks, and the regulatory disclosure regimes the operator runs into during major incidents.
For SIEM / SOAR see SIEM & SOAR. For EDR see EDR & XDR. For digital forensics see Digital Forensics. For threat actors see Hacker Groups.
Phase models#
Model |
Phases |
|---|---|
NIST SP 800-61r2 |
|
SANS PICERL |
|
ISO/IEC 27035 |
|
ENISA Good Practice |
Aligned with NIST + ISO; EU CSIRT-flavoured. |
NCSC Cyber Incident |
UK / NCSC playbook; supplier breach focus. |
US Federal Gov Cyber |
Fed CIO; aligned with NIST. |
Incident Response Pl ay |
PCI-DSS 12.10 |
US DoD Cyber CONOPS |
Defensive Cyberspace Operations. |
Cyber Kill Chain (Lockheed Martin)#
Step |
Notes |
|---|---|
|
Target research; OSINT. |
|
Pair exploit + payload. |
|
Email / web / USB. |
|
Trigger code execution. |
|
Implant persistence. |
|
Beacon to attacker infra. |
|
Steal / destroy / disrupt. |
The Unified Kill Chain (Pols) extends this to 18 phases, folding in ATT&CK tactics; see MITRE ATT&CK.
Major retainer firms#
Firm |
Notes |
|---|---|
Mandiant (Google) |
Industry-leading IR; APT/M-Trends; FLARE for malware; HX agent. |
CrowdStrike Services |
Falcon-based; OverWatch managed hunting. |
Microsoft DART |
Detection and Response Team; bundled with E5 / Premier. |
Microsoft IR |
Incident Response Service (paid retainer). |
Palo Alto Unit 42 |
Crypsis-derived; integrated with Cortex. |
SecureWorks |
Dell’s IR; Counter Threat Unit. |
IBM X-Force |
Threat intel + IR. |
Kroll |
Forensic + IR + breach response (insurance-favored). |
Stroz Friedberg (Aon) |
IR; insurance. |
Coveware |
Ransomware negotiation specialist. |
GroupSense |
Ransomware negotiation. |
GuidePoint Security |
IR retainer. |
NCC Group |
UK; IR + offensive. |
KPMG / EY / Deloitte |
/ PwC Big-4 IR practices. |
PwC IR (Bambenek) |
Threat intel. |
Booz Allen Hamilton |
US gov IR. |
Trustwave SpiderLabs |
IR + research. |
TrustedSec |
IR + offensive (Kennedy). |
DigitalGuardian DCRT |
DLP + IR. |
Volexity |
Memory forensics / APT IR (Adair). |
Recorded Future Insi |
kt Group Threat intel. |
ThreatConnect |
Intel-driven IR. |
Trellix Mandiant Adv . |
Trellix-branded. |
Sygnia |
IL-origin; APT-focused. |
Cyderes |
IR + MSSP. |
Optiv |
IR retainer + advisory. |
Arete Advisors |
IR + ransomware negotiation. |
Common playbooks#
Playbook |
Key steps |
|---|---|
Ransomware |
Isolate. Preserve evidence. Identify variant (ID Ransomware, No More Ransom). Coordinate negotiation (Coveware / Arete). Notify counsel, insurance, LE (FBI / CISA / NCSC). Restore from backups. Forensics on initial access vector. |
BEC |
Reset compromised mailbox. Audit forwarding / inbox rules. Pull authentication logs. Notify counterparties + bank. File IC3 + SAR within 30 days; Wire fraud recall < 72 hr. |
Insider threat |
Preserve endpoint + cloud audit + USB / DLP logs. Engage HR + legal. Disable but preserve credentials. |
DDoS |
Activate mitigation (Cloudflare Magic Transit, AWS Shield Advanced). Capture flow data. Notify upstream / ISP. |
Cloud account take |
Rotate root + IAM keys. Audit CloudTrail / GCP Audit / Azure Activity. Snapshot + isolate. Defender for Cloud / GuardDuty. |
Cred breach |
Force password + MFA reset. Revoke active sessions / refresh tokens. Audit federation / SAML. |
Supplier compromise |
Contact supplier IR; identify shared infrastructure; short-term workarounds; legal escalation. |
Web defacement |
Isolate + restore; review CMS plugin; audit access logs. |
Mass-malware |
AV/EDR sweep; Sysinternals Autoruns; persistence checks. |
Lost / stolen laptop |
Remote-wipe (MDM); revoke certs / passkeys / VPN; legal / LE notification per jurisdiction. |
Disclosure / regulatory#
Regime |
Notes |
|---|---|
SEC Rule 4-Day |
US public co.; material cyber incident → 8-K within 4 business days (effective Dec 2023). |
HIPAA Breach Rule |
PHI breach > 500 individuals → HHS within 60 days; press notification + state AG. |
GDPR Art 33 |
Personal data breach → DPA within 72 hr. |
NIS2 (EU) |
24h early warning, 72h notification, 1-month report. |
DORA |
EU financial-services major incident reporting. |
PIPEDA / OPC |
Canada. |
PIPL |
China; CAC notification. |
APPI |
Japan. |
LGPD |
Brazil. |
PCI-DSS |
Compromised cardholder data → forensic investigation by PFI. |
NYDFS 23 NYCRR 500 |
Cyber incident reporting for financial regulated entities. |
TLPT under DORA |
Threat-led penetration testing. |
TSA Pipeline directiv es |
US pipeline operators must report incidents. |
CIRCIA (US) |
Cyber Incident Reporting for Critical Infrastructure Act 2022; CISA reporting (rules in development). |
Tooling#
Tool |
Vendor |
Notes |
|---|---|---|
TheHive + Cortex |
OSS |
IR case management. |
DFIR-IRIS |
OSS |
Incident response platform. |
Velociraptor |
OSS |
Live forensics + remote acquisition. |
GRR Rapid Response |
Live forensics fleet. |
|
Volatility 3 |
OSS |
Memory forensics. |
Plaso / log2timeline |
OSS |
Super-timeline. |
KAPE |
OSS |
Live triage + collection. |
Eric Zimmerman tools |
OSS |
Win artifact parsers. |
RegRipper |
OSS |
Registry parser. |
SOF-ELK |
OSS |
SANS Elastic for IR. |
MISP |
OSS |
Threat intel + IOC sharing. |
OpenCTI |
OSS |
Threat intel platform. |
Yeti |
OSS |
Threat intel platform. |
Hayabusa |
OSS |
Sigma → Windows EVTX detection. |
Chainsaw |
OSS |
EVTX hunt with Sigma. |
Cobalt Strike (red) |
Fortra |
IR teams identify it constantly. |
Mandiant Redline |
Mandiant |
Free triage tool. |
Crowdstrike CrowdResponse |
CrowdStrike |
Free IR triage. |
Velociraptor + offline |
Mike Cohen |
Air-gap-friendly. |
Key data sources#
Source |
Notes |
|---|---|
Endpoint |
EDR telemetry (CrowdStrike, SentinelOne, Defender, Cortex); Sysmon; Windows Event Log; Linux auditd; macOS unified log. |
Network |
Zeek / Suricata; flow (IPFIX); pcap; DNS query log; proxy. |
Identity |
AD audit (4624 / 4625 / 4768 / 4769 / 4776); Entra ID Sign-in / Audit; Okta System Log. |
SEG logs (Proofpoint, Mimecast, Defender for O365); mailbox audit; rule-changes. |
|
Cloud audit |
AWS CloudTrail; GCP Audit; Azure Activity; K8s audit. |
SaaS |
GitHub / GitLab / Slack / Jira audit logs. |
DNS |
Recursive resolver (Umbrella / DNSFilter) + authoritative. |
Backup |
Backup server access logs. |
Physical |
Badge swipes; CCTV; visitor logs. |
Threat intel |
IoC matches + actor TTPs (see CTI Sources). |
Operator notes#
Preserve before you act, volatile evidence (memory, network state, ephemeral cloud) is destroyed by reboot; acquire first.
Chain of custody, log who touched what and when; use imaging hashes (SHA-256); store in tamper-evident archive.
Don’t tip the actor, avoid loud actions until containment plan is ready; many actors monitor their own C2 for IR activity.
Counsel-led IR for breaches with legal exposure; attorney-client privilege protects the IR report from later discovery.
Insurance carrier coordination is often a contractual requirement; involve cyber insurance early.
Ransomware payment is a US OFAC concern (sanctioned groups list); LE coordination is mandatory in many jurisdictions.
Communications, prepare statements for staff, customers, regulators, press; legal sign-off everything.
Post-incident review, separate from blame; document root cause, timeline, gaps, action items; track to closure.
Tabletop exercises, quarterly ; run cross-functional (security + IT + legal + comms + execs).