Anggi's Notes
IR Playbook

Source: NIST SP 800-61 and https://gitlab.com/syntax-ir/playbooks


Last updated 1 year ago


This repository contains all the Incident Response Playbooks and Workflows of Company's SOC.

Each folder contains a Playbook structured around the following process:

1. Preparation

This section should include the following information:

  • List of ALL Assets

    • Servers

    • Endpoints (+critical ones)

    • Networks

    • Applications

    • Employees

    • Security Products

  • Baselines

  • Communication Plan

  • Which Security Events

  • Thresholds

  • How to access Security Tools

    • How to provision access

  • Create Playbooks

  • Plan Exercises

    • Table Top

    • Hands On

2. Detection and Analysis

This section should include the following information:

  • Gathering of Information

  • Analyzing the Data

  • Building Detections

  • Root Cause Analysis

  • Depth and Breadth of the Attack

    • Admin Rights

    • Affected Systems

  • Techniques Used

  • Indicators of Compromise / Indicators of Attack

    • Tactics, Techniques and Procedures (TTPs)

    • IP Address

    • Email Address

    • File Hash

    • Command Line

    • etc.
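As an added illustration of the Detection and Analysis items above (not part of the original page or the syntax-ir playbooks), the script below matches a typed IoC set (IP address, email address, file hash, command line) against log lines and summarises the depth and breadth of the attack as affected systems and admin involvement. The IoC values, the log format and the log lines are all constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed IoC set for a hypothetical incident (placeholder values, not real indicators).
IOCS = {
    "ip": {"198.51.100.23"},                          # TEST-NET-2 address
    "email": {"invoice@example.net"},                 # placeholder sender
    "file_hash": {"d41d8cd98f00b204e9800998ecf8427e"},  # MD5 of an empty file
    "command_line": {"updater.exe --silent"},        # command fragment to look for
}

# Constructed log lines in a simple key=value format (host, user, admin flag, observed fields).
SAMPLE_LOGS = [
    "host=ws-042 user=alice admin=0 dst_ip=198.51.100.23 proto=tcp",
    "host=ws-042 user=alice admin=0 cmd='updater.exe --silent --from placeholder'",
    "host=mail-gw user=system admin=1 sender=invoice@example.net subject=Invoice",
    "host=srv-db01 user=root admin=1 hash=d41d8cd98f00b204e9800998ecf8427e",
    "host=ws-077 user=bob admin=0 dst_ip=203.0.113.9 proto=tcp",
]

KV = re.compile(r"(\w+)=('[^']*'|\S+)")
# Which log field is checked against which IoC type.
FIELD_TO_IOC = {"dst_ip": "ip", "sender": "email", "hash": "file_hash", "cmd": "command_line"}

@dataclass
class Scope:
    affected_systems: set = field(default_factory=set)
    admin_involved: bool = False
    hits: list = field(default_factory=list)  # (host, ioc_type, ioc)

def parse_line(line):
    return {k: v.strip("'") for k, v in KV.findall(line)}

def match_iocs(fields):
    """Yield (ioc_type, ioc) for each field of a parsed line that matches an indicator."""
    for fname, ioc_type in FIELD_TO_IOC.items():
        val = fields.get(fname)
        if val is None:
            continue
        for ioc in IOCS[ioc_type]:
            # Atomic indicators need an exact match; command lines match on a fragment.
            if val == ioc or (ioc_type == "command_line" and ioc in val):
                yield ioc_type, ioc

def triage(lines):
    """Build the depth/breadth summary: affected hosts, admin involvement, raw hits."""
    scope = Scope()
    for line in lines:
        f = parse_line(line)
        for ioc_type, ioc in match_iocs(f):
            scope.hits.append((f["host"], ioc_type, ioc))
            scope.affected_systems.add(f["host"])
            if f.get("admin") == "1":
                scope.admin_involved = True
    return scope
```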

3. Containment, Eradication, and Recovery

This section should include the following information:

  • Isolate Affected Systems

  • Patch Threat Entry Point

  • Predefine threshold

    • For Customers

    • For internal systems

    • For escalations

  • Preauthorized actions

    • Per customers

    • Per environment

      • Prod

      • QA

      • Internet Facing

  • How to Remove the Threat on All Affected Systems

  • Get Systems Operational

  • Rebuild and Resume Service

4. Post-Incident Activity

  • Lessons Learned

  • New Detection

  • New Hardening

  • New Patch Management

  • etc.

NIST SP 800-61 r2

Public playbooks from the syntax-ir GitLab project (Public Incident Response Ressources / Public Playbooks):

  • IRP-Ransom: Ransomware
  • IRP-AccountCompromised: Account Compromise
  • IRP-Phishing: Phishing
  • IRP-Critical: Crisis/Critical
  • IRP-DataLoss: Data Loss
  • IRP-Malware: Malware