IR Playbook
Source: NIST SP 800-61 and https://gitlab.com/syntax-ir/playbooks
This repository contains all the Incident Response Playbooks and Workflows of the company's SOC.
Each folder contains a Playbook based on the incident response process in NIST SP 800-61 r2.
1. Preparation
   This section should include the following information:
   List of ALL Assets
      Servers
      Endpoints (with the critical ones flagged)
      Networks
      Applications
      Employees
      Security Products
   Baselines
   Communication Plan
      Which Security Events
      Thresholds
   How to Access Security Tools
   How to Provision Access
   Create Playbooks
   Plan Exercises
      Tabletop
      Hands-On
2. Detection and Analysis
   This section should include the following information:
   Gathering of Information
   Analyzing the Data
   Building Detections
   Root Cause Analysis
   Depth and Breadth of the Attack
      Admin Rights
      Affected Systems
      Techniques Used
   Indicators of Compromise / Indicators of Attack
      Tactics, Techniques and Procedures (TTPs)
      IP Address
      Email Address
      File Hash
      Command Line
      etc.
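As an added example (not part of the original repository), a small Python helper that validates and groups the indicator kinds listed above (IP address, email address, file hash, command line) so the IoC/IoA list in a playbook is recorded consistently; the regexes, heuristics and sample values are this example's own assumptions, not a standard.

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Regexes and heuristics below are assumptions for this example, not a standard.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}
EXE_SUFFIXES = (".exe", ".ps1", ".bat", ".cmd", ".sh")

@dataclass
class Indicator:
    kind: str   # ip_address | email_address | file_hash | command_line | unknown
    value: str  # normalized value, ready for the playbook's IoC list
    note: str = ""

def classify_ioc(raw: str) -> Indicator:
    """Validate one raw indicator and tag it with one of the IoC kinds."""
    value = raw.strip()
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        ip = None
    if ip is not None:
        # Non-global (private/reserved) addresses point at internal hosts:
        # scoping data for "Affected Systems", not something to block at the edge.
        note = "" if ip.is_global else "non-global address: internal scope"
        return Indicator("ip_address", str(ip), note)
    if EMAIL_RE.match(value):
        return Indicator("email_address", value.lower())
    if re.fullmatch(r"[0-9a-fA-F]+", value) and len(value) in HASH_ALGOS:
        return Indicator("file_hash", value.lower(), HASH_ALGOS[len(value)])
    tokens = value.split()
    if len(tokens) > 1 and (tokens[0].lower().endswith(EXE_SUFFIXES)
                            or "/" in tokens[0] or "\\" in tokens[0]):
        return Indicator("command_line", value)
    return Indicator("unknown", value, "does not match a known IoC kind")

def build_ioc_table(raws):
    """Group validated indicators by kind; unknowns are kept for analyst triage."""
    table = defaultdict(list)
    for raw in raws:
        ind = classify_ioc(raw)
        table[ind.kind].append(ind)
    return dict(table)

# Constructed sample indicators: one per kind in the outline, plus an internal host and a non-indicator.
SAMPLE_IOCS = ["203.0.113.45", "10.0.0.5", "Billing@Example.net",
               "d41d8cd98f00b204e9800998ecf8427e", "cmd.exe /c whoami", "not an indicator"]
```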
3. Containment, Eradication, and Recovery
   This section should include the following information:
   Isolate Affected Systems
   Patch the Threat's Entry Point
   Predefined Thresholds
      For Customers
      For Internal Systems
      For Escalations
   Preauthorized Actions
      Per Customer
      Per Environment
         Prod
         QA
         Internet Facing
   How to Remove the Threat on All Affected Systems
   Get Systems Operational
   Rebuild and Resume Service
4. Post-Incident Activity
   Lessons Learned
      New Detections
      New Hardening
      New Patch Management
      etc.