IR Playbook

Source: NIST SP 800-61 and https://gitlab.com/syntax-ir/playbooks

This repository contains all the Incident Response Playbooks and Workflows of Company's SOC.

Each folder contains a Playbook based on process on NIST - 800.61 r2

1. Preparation

This section should include the following information's

List of ALL Assets
- Servers
- Endpoints (+critical ones)
- Networks
- Applications
- Employees
- Security Products
Baselines
Communication Plan
Which Security Events
Thresholds
How to access Security Tools
- How to provision access
Create Playbooks
Plan Exercises
- Table Top
- Hands On

2. Detection and Analysis

This section should include the following information's

Gathering of Information
Analyzing the Data
Building Detections
Root Cause Analysis
Depth and Breath of the Attack
- Admin Rights
- Affected Systems
Techniques Used
Indicators of Compromise / Indicators of Attack
- Tactics Techniques and Procedure's (TTP)
- IP Address
- Email Address
- File Hash
- Command Line
- etc.

3. Containment, Eradication, and Recovery

This section should include the following information's

Isolate Affected Systems
Patch Threat Entry Point
Predefine threshold
- For Customers
- For internal systems
- For escalations
Preauthorized actions
- Per customers
- Per environment
  - Prod
  - QA
  - Internet Facing
How to Remove the Threat on All Affected Systems
Get Systems Operational
Rebuilt and Resume Service

4. Post-Incident Activity

Lessons Learn
New Detection
New Hardening
New Patch Management
etc.

PreviousWindows Red Team Defense Evasion Techniques NextBlue Team Opensource Online Tools

Last updated 1 year ago