Building effective incident response capabilities
An Incident Response Plan (IRP) is a documented set of procedures that guides an organization's response to security incidents. It defines roles, responsibilities, communication channels, and step-by-step procedures for handling incidents from detection through recovery.
A complete IRP contains at least these elements:

- Definitions of incident types and severity levels, so that categorization is consistent.
- Who does what during an incident: CSIRT, management, legal, communications.
- Communication procedures: internal notifications, external reporting requirements, stakeholder updates.
- Step-by-step playbooks for common incident types (malware, phishing, data breach).
Every IRP must define severity levels so analysts triage consistently. Here is a standard 4-tier model:
| Severity | Definition | Response Time | Example |
|---|---|---|---|
| SEV-1 Critical | Active breach, data exfiltration, ransomware, critical system compromise | Immediate (15 min) | Ransomware encrypting file shares, active C2 on domain controller |
| SEV-2 High | Confirmed compromise, potential data exposure, malware with persistence | 1 hour | Emotet infection with C2 callback, stolen credentials in use |
| SEV-3 Medium | Suspicious activity requiring investigation, potential policy violation | 4 hours | Unusual login from foreign IP, DLP alert on large file transfer |
| SEV-4 Low | Informational, minor policy violation, false positive investigation | Next business day | Blocked phishing email, port scan from known scanner |
A Computer Security Incident Response Team (CSIRT) has defined roles that activate during incidents:

- Owns the incident. Makes escalation decisions, coordinates resources, and communicates with management. Usually a senior security engineer or SOC manager.
- Directs the technical investigation. Assigns analysis tasks, reviews findings, and determines root cause. Usually the most experienced analyst available.
- Manages all internal and external communications. Drafts status updates, coordinates with legal/PR, and handles regulatory notifications (GDPR 72-hour rule, HIPAA breach notification).
- Records every action, decision, and timeline entry. These notes become the official incident record and may be subpoenaed. Accuracy is non-negotiable.
This topic extends the Incident Response Simulator from Shield House, adding detailed IRP elements and SOC integration.
The IRP is organized around the four phases of the NIST incident response lifecycle:

1. Preparation: establish incident response capability before incidents occur.
2. Detection and Analysis: identify that an incident has occurred and understand its scope.
3. Containment, Eradication, and Recovery: stop the incident, remove the threat, and restore operations.
4. Post-Incident Activity: learn from the incident to improve future response.

Containment comes in two forms. Short-term containment covers immediate actions such as network isolation. Long-term containment covers temporary fixes that keep systems usable while permanent solutions are developed. Choose between them based on business impact versus security risk.
| IR Phase | SOC Responsibility | Key Actions |
|---|---|---|
| Preparation | Alert tuning, playbook feedback | Report false positives, suggest rule improvements |
| Detection | First line of detection | Monitor SIEM, triage alerts, identify incidents |
| Analysis | Initial investigation | Gather context, correlate events, determine scope |
| Containment | Execute containment actions | Isolate hosts, disable accounts (per playbook) |
| Post-Incident | Provide incident data | Export logs, document observations, attend lessons learned |
| Severity | Definition | Escalate To | Timeline |
|---|---|---|---|
| Critical (P1) | Active breach, data exfiltration, ransomware | CSIRT Lead, CISO, Legal | Immediate |
| High (P2) | Confirmed malware, compromised credentials | Tier 2, SOC Manager | Within 15 min |
| Medium (P3) | Suspicious activity, potential compromise | Tier 2 | Within 1 hour |
| Low (P4) | Policy violation, anomaly investigation | SOC Manager (next shift) | Within 24 hours |
Know Your Escalation Path: Before your first incident, memorize whom to call for each severity level. During a critical incident you won't have time to look it up. Most IRPs include an on-call rotation; save those numbers!
Every incident record should capture the following:

- Timeline: chronological record of events, alerts, and response actions, with timestamps.
- Affected assets: systems, accounts, and data involved in the incident.
- Indicators of compromise: IPs, domains, hashes, file names, and registry keys associated with the incident.
- Actions taken: every response action documented with who, what, and when.
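The 4-tier severity model and the incident record elements above, combined into a small worked example. This is added illustration code, not part of the Shield House simulator or this page's own material; `IncidentRecord`, `RESPONSE_TARGET_MIN`, the sample incident data, and the 24-hour stand-in for "next business day" are all assumptions made here.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Response-time targets from the 4-tier model above, in minutes. SEV-4's
# "next business day" is approximated here as 24 hours (an assumption).
RESPONSE_TARGET_MIN = {"SEV-1": 15, "SEV-2": 60, "SEV-3": 240, "SEV-4": 1440}


@dataclass
class IncidentRecord:
    """Minimal incident record: severity, affected assets, IOCs, timeline."""
    incident_id: str
    severity: str
    detected_at: datetime
    affected_assets: set = field(default_factory=set)
    iocs: set = field(default_factory=set)
    timeline: list = field(default_factory=list)  # (when, who, action) tuples

    def __post_init__(self):
        if self.severity not in RESPONSE_TARGET_MIN:
            raise ValueError(f"unknown severity {self.severity!r}")
        if self.detected_at.tzinfo is None:
            raise ValueError("use timezone-aware timestamps for the record")

    def response_deadline(self):
        """Latest acceptable first-response time for this severity."""
        return self.detected_at + timedelta(minutes=RESPONSE_TARGET_MIN[self.severity])

    def log_action(self, when, who, action):
        """Append-only scribe entry (who/what/when); out-of-order entries are rejected."""
        if when.tzinfo is None:
            raise ValueError("use timezone-aware timestamps for the record")
        if self.timeline and when < self.timeline[-1][0]:
            raise ValueError("timeline must stay chronological; append, never rewrite")
        self.timeline.append((when, who, action))

    def first_response_met(self):
        """True if the first logged action landed on or before the deadline."""
        return bool(self.timeline) and self.timeline[0][0] <= self.response_deadline()


def build_sample_incident():
    # Constructed sample: a SEV-1 ransomware case with a 10-minute first response.
    t0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    inc = IncidentRecord("INC-0001", "SEV-1", t0, {"fileserver01"}, {"evil.example"})
    inc.log_action(t0 + timedelta(minutes=10), "analyst.a",
                   "isolated fileserver01 (short-term containment)")
    inc.log_action(t0 + timedelta(minutes=25), "ic.b", "notified CISO and Legal")
    return inc
```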
Test your understanding of IRP elements. Score 80% or higher to pass.
1. What are the four phases of the NIST incident response lifecycle?
2. What is the purpose of the Preparation phase?
3. A critical (P1) incident is detected. Who should be notified?
4. What activities occur during the Post-Incident phase?
5. What is "short-term containment" in incident response?