search

IR Playbook

Source: NIST SP 800-61 and https://gitlab.com/syntax-ir/playbooks

This repository contains all the Incident Response Playbooks and Workflows of Company's SOC.

Each folder contains a Playbook based on process on NIST - 800.61 r2arrow-up-right

LogoIRP-AccountCompromised · main · Public Incident Response Ressources / Public Playbooks · GitLabGitLabchevron-right
Account Compromise
LogoIRP-Critical · main · Public Incident Response Ressources / Public Playbooks · GitLabGitLabchevron-right
Crisis/Critical
LogoIRP-DataLoss · main · Public Incident Response Ressources / Public Playbooks · GitLabGitLabchevron-right
DataLoss
LogoIRP-Malware · main · Public Incident Response Ressources / Public Playbooks · GitLabGitLabchevron-right
Malware
LogoIRP-Phishing · main · Public Incident Response Ressources / Public Playbooks · GitLabGitLabchevron-right
Phising
LogoIRP-Ransom · main · Public Incident Response Ressources / Public Playbooks · GitLabGitLabchevron-right
Ransomware

hashtag
1. Preparation

This section should include the following information's

  • List of ALL Assets

    • Servers

    • Endpoints (+critical ones)

    • Networks

    • Applications

    • Employees

    • Security Products

  • Baselines

  • Communication Plan

  • Which Security Events

  • Thresholds

  • How to access Security Tools

    • How to provision access

  • Create Playbooks

  • Plan Exercises

    • Table Top

    • Hands On

hashtag
2. Detection and Analysis

This section should include the following information's

  • Gathering of Information

  • Analyzing the Data

  • Building Detections

  • Root Cause Analysis

  • Depth and Breath of the Attack

    • Admin Rights

    • Affected Systems

  • Techniques Used

  • Indicators of Compromise / Indicators of Attack

    • Tactics Techniques and Procedure's (TTP)

    • IP Address

    • Email Address

    • File Hash

    • Command Line

    • etc.

hashtag
3. Containment, Eradication, and Recovery

This section should include the following information's

  • Isolate Affected Systems

  • Patch Threat Entry Point

  • Predefine threshold

    • For Customers

    • For internal systems

    • For escalations

  • Preauthorized actions

    • Per customers

    • Per environment

      • Prod

      • QA

      • Internet Facing

  • How to Remove the Threat on All Affected Systems

  • Get Systems Operational

  • Rebuilt and Resume Service

hashtag
4. Post-Incident Activity

  • Lessons Learn

  • New Detection

  • New Hardening

  • New Patch Management

  • etc.

PreviousMerancang SOCNextBlue Team Opensource Online Tools

Last updated