// Incident Response

Incident Response Playbook: Handling Security Incidents from Detection to Recovery

Introduction

Incident response (IR) is the structured process an organization follows when a security breach or attack is detected. Having a documented, practiced IR process dramatically reduces the impact of security incidents by enabling rapid, coordinated action. Without IR procedures, even a minor incident can spiral into a major breach due to confusion, missed evidence, or poor containment decisions.

This playbook documents the IR procedures used at PostEx, covering the complete lifecycle from initial detection through recovery and lessons learned. It follows the NIST SP 800-61r2 framework.

NIST IR Framework: 4 Phases

Phase 1: Preparation
  - Incident response plan documented
  - IR team identified with clear roles
  - Communication channels established
  - Tools and access pre-provisioned
  - Runbooks written for known incident types

Phase 2: Detection and Analysis
  - Identify and confirm the incident
  - Scope determination
  - Severity rating
  - Evidence preservation

Phase 3: Containment, Eradication, Recovery
  - Short-term containment (isolate affected systems)
  - Evidence collection before eradication
  - Eradication (remove malware, patch vulnerabilities)
  - Recovery (restore from clean backups, verify)

Phase 4: Post-Incident Activity
  - Lessons learned meeting
  - Incident report
  - Detection/control improvement

Incident Severity Classification

CRITICAL (P1): Active breach, data exfiltration in progress, ransomware
  Response SLA: Immediate escalation, all hands
  Examples: Ransomware encryption active, confirmed data exfil to C2

HIGH (P2): Confirmed compromise, no active exfil, lateral movement
  Response SLA: 1 hour response
  Examples: Compromised admin credentials, active lateral movement

MEDIUM (P3): Suspicious activity requiring investigation
  Response SLA: 4 hour response
  Examples: Anomalous login patterns, unusual process execution

LOW (P4): Policy violations, low-impact events
  Response SLA: 24 hour response
  Examples: Unauthorized software installation, BYOD policy violation

Incident Runbooks

Ransomware Response Runbook

RANSOMWARE RESPONSE RUNBOOK v1.2

Trigger: SIEM alert for ransomware indicators (file extension mass change, shadow copy deletion)
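The two trigger indicators named above can be expressed as a correlation rule. The following Python is an added example for this playbook, not PostEx's SIEM content: it treats a burst of files renamed to one new extension on a single host as the "mass extension change" indicator, and a process-creation command line matching known shadow-copy deletion patterns as the second. The event records, field names (type, host, ts, old_name, new_name, command_line, user), thresholds and window size are all assumptions; the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for this example; tune them against your own baseline.
RENAME_THRESHOLD = 50          # files changed to the same new extension on one host...
WINDOW = timedelta(minutes=2)  # ...within this sliding window

# Command-line fragments associated with Volume Shadow Copy deletion (ATT&CK T1490).
SHADOW_DELETE_PATTERNS = ("vssadmin delete shadows", "wmic shadowcopy delete")


def _ext(path):
    """Lower-cased extension of a Windows or POSIX path, '' if it has none."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def detect_mass_rename(events):
    """Return {host: (count, new_extension)} for every host on which at least
    RENAME_THRESHOLD files were renamed to the same new extension inside WINDOW.
    Rename events are dicts: type="rename", host, ts (datetime), old_name, new_name
    (field names are assumptions about the SIEM export)."""
    per_host = defaultdict(lambda: defaultdict(list))   # host -> new ext -> [ts]
    for e in events:
        if e.get("type") != "rename":
            continue
        new_ext = _ext(e["new_name"])
        if new_ext and new_ext != _ext(e["old_name"]):
            per_host[e["host"]][new_ext].append(e["ts"])
    hits = {}
    for host, by_ext in per_host.items():
        for ext, times in by_ext.items():
            times.sort()
            best = start = 0
            for end in range(len(times)):          # sliding window over timestamps
                while times[end] - times[start] > WINDOW:
                    start += 1
                best = max(best, end - start + 1)
            if best >= RENAME_THRESHOLD and best > hits.get(host, (0, ""))[0]:
                hits[host] = (best, ext)
    return hits


def detect_shadow_copy_deletion(events):
    """Return [(host, user, command_line)] for process-creation events (type="process")
    whose command line matches a shadow-copy deletion pattern."""
    found = []
    for e in events:
        if e.get("type") == "process":
            # normalise: lower-case, drop ".exe", collapse whitespace
            cmd = " ".join(e["command_line"].lower().replace(".exe", "").split())
            if any(p in cmd for p in SHADOW_DELETE_PATTERNS):
                found.append((e["host"], e["user"], e["command_line"]))
    return found


def triage(events):
    """Combine the two indicators as the runbook trigger does: each alone is worth a
    look; both on the same host is treated as the P1 ransomware trigger."""
    renames = detect_mass_rename(events)
    shadow_hosts = {h for h, _, _ in detect_shadow_copy_deletion(events)}
    return {
        "mass_rename_hosts": sorted(renames),
        "shadow_delete_hosts": sorted(shadow_hosts),
        "p1_hosts": sorted(set(renames) & shadow_hosts),
    }


def build_sample_events():
    """Constructed sample data (not real telemetry): 60 documents renamed to .locked on
    WS-017 within a minute plus a vssadmin call there; a few slow, benign renames on WS-004."""
    t0 = datetime(2024, 5, 1, 9, 0, 0)
    events = []
    for i in range(60):
        events.append({"type": "rename", "host": "WS-017", "ts": t0 + timedelta(seconds=i),
                       "old_name": f"C:\\Users\\a\\Docs\\file{i}.docx",
                       "new_name": f"C:\\Users\\a\\Docs\\file{i}.docx.locked"})
    events.append({"type": "process", "host": "WS-017", "user": "CORP\\a",
                   "ts": t0 + timedelta(seconds=70),
                   "command_line": "vssadmin.exe Delete Shadows /All /Quiet"})
    for i in range(5):
        events.append({"type": "rename", "host": "WS-004", "ts": t0 + timedelta(minutes=10 * i),
                       "old_name": f"C:\\tmp\\report{i}.tmp", "new_name": f"C:\\tmp\\report{i}.pdf"})
    return events


if __name__ == "__main__":
    print(triage(build_sample_events()))
```

The sliding window matters: a backup job or a bulk document conversion also renames many files, but spread over hours, so the window keeps the per-host count low for benign activity while a ransomware run trips it within seconds.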

Step 1: IMMEDIATE (0-5 minutes)
  - Isolate affected host: Remove from network (disable NIC, change VLAN to quarantine)
  - DO NOT power off - memory forensics may be needed
  - Alert IR team lead and CISO

Step 2: SCOPE (5-30 minutes)
  - Query SIEM for lateral movement from affected host
    index=windows_events EventCode=4624 src_ip=[AFFECTED_IP]
  - Check file server for encrypted files
  - Identify patient zero timeline
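The SIEM query in this step finds hosts the affected machine logged on to; scoping usually has to repeat it from each of those hosts in turn. The Python below is an added example for this playbook (not PostEx tooling) that generalises that step into a breadth-first walk over exported 4624 events, keeping only remote logon types, ignoring events from before the incident window, and producing the first-seen timeline for each reached host. The record field names (ts, computer, logon_type, src_ip, account), the host inventory and the sample events are constructed assumptions.

```python
from collections import deque
from datetime import datetime

# Logon types worth chasing for lateral movement: 3 = network (SMB, WinRM, service
# logons), 10 = RemoteInteractive (RDP). Interactive/local logons are ignored.
REMOTE_LOGON_TYPES = {3, 10}

# Constructed incident start used by the demo and tests (an assumption).
INCIDENT_START = datetime(2024, 5, 1, 9, 0)


def scope_lateral_movement(events, host_ips, patient_zero_ip, not_before):
    """Breadth-first walk over 4624 events starting from the affected host.

    events:    dicts with ts (datetime), computer (host that logged the event),
               logon_type (int), src_ip (str), account (str)
    host_ips:  {hostname: ip} inventory, used to turn a reached host into the
               next src_ip to search for (the Step 2 query, repeated per hop)
    Returns {hostname: {"first_seen", "accounts", "via"}} for every host reached
    directly or transitively at or after not_before.
    """
    ordered = sorted(events, key=lambda e: e["ts"])
    reached = {}
    queue = deque([patient_zero_ip])
    searched = {patient_zero_ip}
    while queue:
        src = queue.popleft()
        for e in ordered:
            if (e["logon_type"] not in REMOTE_LOGON_TYPES
                    or e["src_ip"] != src or e["ts"] < not_before):
                continue
            host = e["computer"]
            entry = reached.setdefault(host, {"first_seen": e["ts"], "accounts": set(), "via": src})
            if e["ts"] < entry["first_seen"]:       # keep the earliest arrival on this host
                entry["first_seen"], entry["via"] = e["ts"], src
            entry["accounts"].add(e["account"])
            next_ip = host_ips.get(host)
            if next_ip and next_ip not in searched:  # follow each hop only once
                searched.add(next_ip)
                queue.append(next_ip)
    return reached


def timeline(reached):
    """Chronological list of (first_seen, host, via) for the incident timeline."""
    return sorted((v["first_seen"], h, v["via"]) for h, v in reached.items())


# Constructed inventory (not a real network).
HOST_IPS = {"WS-017": "10.1.5.17", "FS-01": "10.1.2.10", "DC-01": "10.1.1.5", "WS-004": "10.1.5.4"}


def build_sample_events():
    """Constructed 4624 records: WS-017 (patient zero) reaches FS-01 over SMB and RDPs
    to WS-004, which then logs on to DC-01. A pre-incident logon, an unrelated
    monitoring logon and a local console logon are noise the walk must ignore."""
    def t(h, m):
        return datetime(2024, 5, 1, h, m)
    return [
        {"ts": t(8, 15), "computer": "FS-01",  "logon_type": 3,  "src_ip": "10.1.5.17", "account": "CORP\\a"},
        {"ts": t(9, 2),  "computer": "FS-01",  "logon_type": 3,  "src_ip": "10.1.5.17", "account": "CORP\\a"},
        {"ts": t(9, 5),  "computer": "WS-004", "logon_type": 10, "src_ip": "10.1.5.17", "account": "CORP\\svc_backup"},
        {"ts": t(9, 9),  "computer": "DC-01",  "logon_type": 3,  "src_ip": "10.1.5.4",  "account": "CORP\\svc_backup"},
        {"ts": t(9, 10), "computer": "DC-01",  "logon_type": 3,  "src_ip": "10.1.9.9",  "account": "CORP\\monitor"},
        {"ts": t(9, 12), "computer": "WS-004", "logon_type": 2,  "src_ip": "-",         "account": "CORP\\b"},
    ]


if __name__ == "__main__":
    hits = scope_lateral_movement(build_sample_events(), HOST_IPS, "10.1.5.17", INCIDENT_START)
    for when, host, via in timeline(hits):
        print(when, host, "reached from", via, "accounts:", sorted(hits[host]["accounts"]))
```

Every host the walk returns belongs on the Step 3 isolation list, and the accounts it collects (here the backup service account appearing on a workstation and then the domain controller) are the credentials to treat as compromised in Step 4.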

Step 3: CONTAIN (30-60 minutes)
  - Block C2 IPs/domains at firewall
  - Isolate all potentially affected systems
  - Preserve memory dump: winpmem -o memory.raw
  - Preserve disk image: FTK Imager or dd

Step 4: ERADICATE
  - Identify persistence mechanisms (scheduled tasks, registry, services)
  - Remove malware artifacts
  - Patch exploited vulnerability

Step 5: RECOVER
  - Restore from last known-good backup (verify integrity first)
  - Apply additional security controls
  - Monitor closely for 72 hours

Forensic Evidence Collection

# Windows Live Forensics (order of volatility - most volatile first)

# 1. Memory dump (most volatile)
winpmem_mini_x64.exe memory.raw

# 2. Running processes
tasklist /v > processes.txt
# wmic is deprecated on current Windows builds; Get-CimInstance Win32_Process in PowerShell returns the same fields
wmic process get ProcessId,Name,CommandLine,ParentProcessId > process_detail.txt

# 3. Network connections (-b, owning process, requires an elevated prompt)
netstat -anob > netstat.txt

# 4. Logged-in users
query user > users.txt

# 5. Scheduled tasks
schtasks /query /fo LIST /v > scheduled_tasks.txt

# 6. Services (state= all includes stopped services; plain "sc query" lists only running ones)
sc query type= service state= all > services.txt

# 7. Autorun entries (-accepteula avoids the interactive EULA prompt on first run)
autorunsc -accepteula -a * -ct -h > autoruns.txt

# 8. Event logs (export all)
wevtutil epl Security security.evtx
wevtutil epl System system.evtx
wevtutil epl Application application.evtx
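Once the commands above have run, the output files need to be hashed and inventoried before anything else touches them, or their integrity cannot be demonstrated later. The following Python is an added example for this playbook (not PostEx tooling): it builds a chain-of-custody manifest over the artifact names the commands write, records a missing file as missing rather than skipping it, and re-verifies the hashes on demand. The case id, collector identity and the sample artifact contents in the demo are constructed assumptions.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20   # hash in 1 MiB chunks so a multi-GB memory.raw never has to fit in RAM

# Artifact names written by the collection commands in this section.
COLLECTED_FILES = ["memory.raw", "processes.txt", "process_detail.txt", "netstat.txt", "users.txt",
                   "scheduled_tasks.txt", "services.txt", "autoruns.txt",
                   "security.evtx", "system.evtx", "application.evtx"]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir, case_id, collector, filenames=COLLECTED_FILES):
    """Hash every expected artifact. A file a command failed to produce is recorded
    as 'missing' rather than silently skipped, so the gap itself is documented."""
    manifest = {"case_id": case_id, "collector": collector,
                "created_utc": datetime.now(timezone.utc).isoformat(), "artifacts": []}
    for name in filenames:
        path = os.path.join(evidence_dir, name)
        if not os.path.isfile(path):
            manifest["artifacts"].append({"file": name, "status": "missing"})
            continue
        manifest["artifacts"].append({"file": name, "status": "collected",
                                      "size": os.path.getsize(path), "sha256": sha256_file(path)})
    return manifest


def write_manifest(evidence_dir, manifest):
    """Persist the manifest beside the evidence (keep a second copy off the host)."""
    path = os.path.join(evidence_dir, "manifest.json")
    with open(path, "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2)
    return path


def verify_manifest(evidence_dir, manifest):
    """Re-hash each collected artifact; return the names whose hash no longer matches
    (an empty list means the evidence is intact)."""
    return [a["file"] for a in manifest["artifacts"]
            if a["status"] == "collected"
            and sha256_file(os.path.join(evidence_dir, a["file"])) != a["sha256"]]


def demo():
    """Constructed demo (sample files, not real evidence): write two artifacts, build
    and verify the manifest, then append to one file and show verification catches it."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "processes.txt"), "w") as f:
            f.write("Image Name  PID\nexplorer.exe 1234\n")
        with open(os.path.join(d, "netstat.txt"), "w") as f:
            f.write("TCP 10.1.5.17:49712 203.0.113.7:443 ESTABLISHED 4412\n")
        m = build_manifest(d, "IR-2024-0001", "analyst@example.invalid",
                           ["processes.txt", "netstat.txt", "memory.raw"])
        write_manifest(d, m)
        intact = verify_manifest(d, m)
        with open(os.path.join(d, "netstat.txt"), "a") as f:
            f.write("tampered\n")
        tampered = verify_manifest(d, m)
    return m, intact, tampered


if __name__ == "__main__":
    manifest, intact, tampered = demo()
    print(json.dumps(manifest, indent=2))
    print("mismatches before tamper:", intact, "after:", tampered)
```

Run it immediately after collection, on the collection workstation rather than the compromised host, and store the manifest (or at least its hashes) somewhere the incident cannot reach, such as the case ticket; the same hashes go into the incident report produced in Phase 4.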

Communication During Incidents

Clear communication prevents chaos during high-stress incidents. Our communication structure:

  • Technical channel - Secure Slack/Teams channel for IR team. Technical detail, IOCs, timeline updates.
  • Management channel - Plain-English status updates every 30 minutes to CISO and relevant stakeholders
  • Legal/Compliance - Immediate notification if personal data may be involved (GDPR 72-hour notification clock)
  • External parties - Customer notification only after scope is confirmed and approved by legal