Incident Response Runbook
Security incident response procedures and playbooks
Security incident response procedures for detecting, containing, and recovering from security incidents.
Incident Response Overview
Incident Response Lifecycle
- Preparation - Tools, training, procedures in place
- Detection & Analysis - Identify and assess incidents
- Containment - Stop the spread
- Eradication - Remove threat from environment
- Recovery - Restore systems to normal operation
- Lessons Learned - Post-incident review
Incident Severity Levels
Severity 1 - Critical
- Active data breach
- Ransomware encryption in progress
- Complete service outage
- Nation-state actor activity
Response: Immediate, 24/7, all hands on deck
Timeline: <15 minutes
Severity 2 - High
- Suspected data breach
- Malware detected on multiple systems
- Major service degradation
- Unauthorized access detected
Response: Urgent, senior team
Timeline: <1 hour
Severity 3 - Medium
- Single compromised account
- Malware on isolated system
- Security control failure
- Policy violation
Response: Standard business hours
Timeline: <4 hours
Severity 4 - Low
- Failed login attempts
- Suspicious email
- Non-critical policy violation
Response: Standard process
Timeline: <24 hours
Incident Response Team
Roles and Responsibilities
Incident Commander
- Overall incident coordination
- Decision-making authority
- Stakeholder communication
- Resource allocation
Security Lead
- Technical security analysis
- Forensics coordination
- Threat intelligence
- Remediation planning
IT Lead
- Systems administration
- Network management
- Access control
- System restoration
Communications Lead
- Internal communications
- External communications (if needed)
- Legal/PR coordination
- Customer notifications
Documentation Lead
- Incident timeline tracking
- Evidence collection
- Action item tracking
- Post-incident report
Detection and Analysis
Common Detection Sources
SIEM/Log Analysis:
- Multiple failed login attempts
- Unusual outbound traffic
- Privilege escalation
- Off-hours access
Antivirus/EDR Alerts:
- Malware detection
- Suspicious process execution
- File modification
- Registry changes
User Reports:
- Suspicious emails
- Unexpected system behavior
- Password reset requests
- Account lockouts
Network Monitoring:
- Unusual traffic patterns
- Data exfiltration
- Command and control (C2) traffic
- Port scanning
Initial Assessment Questions
What happened?
- What was detected?
- When did it occur?
- How was it discovered?
What is affected?
- Which systems/users/data?
- How many assets impacted?
- What is the scope?
What is the impact?
- Data confidentiality compromised?
- System availability affected?
- Data integrity in question?
Is it contained?
- Is it still spreading?
- Can we isolate it?
- Do we need to take systems offline?
Incident Response Playbooks
Playbook 1: Ransomware Attack
Indicators:
- Files being encrypted (.encrypted, .locked extensions)
- Ransom notes on desktops
- Crypto-locker processes running
- Mass file modifications
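The indicators above can be checked mechanically on a suspect file share or workstation image. The following is an added example, not part of the runbook: it walks a directory tree and reports files renamed with known ransomware extensions, ransom notes (matched on both a typical filename and note-like content, since a plain README.txt is common), and files whose content has the near-8-bit entropy of ciphertext regardless of extension. The extension and note-name lists beyond the two the runbook gives, and the thresholds, are assumptions; the sample tree is constructed in a temporary directory.

```python
import math
import os
import random
import tempfile
from collections import Counter
from pathlib import Path

# Extensions and ransom-note names: the two from the runbook plus a few commonly seen
# ones (assumption; extend the sets from the variant identified during analysis).
RANSOM_EXTENSIONS = {".encrypted", ".locked", ".crypt", ".enc"}
RANSOM_NOTE_NAMES = {"readme.txt", "how_to_decrypt.txt", "restore_files.txt", "decrypt_instructions.html"}
NOTE_KEYWORDS = (b"encrypted", b"decrypt", b"bitcoin")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: text sits around 4-5, encrypted data approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root: str, extension_threshold: int = 5, entropy_threshold: float = 7.5) -> dict:
    """Walk a directory tree and collect the playbook's ransomware indicators:
    renamed files, ransom notes, and file contents that look encrypted."""
    renamed, notes, high_entropy = [], [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                sample = path.read_bytes()[:4096]  # the first 4 KiB is enough for an entropy estimate
            except OSError:
                continue
            if path.suffix.lower() in RANSOM_EXTENSIONS:
                renamed.append(str(path))
            # A plain README.txt is common, so require note-like content as well as the name.
            if name.lower() in RANSOM_NOTE_NAMES and any(k in sample.lower() for k in NOTE_KEYWORDS):
                notes.append(str(path))
            if len(sample) >= 256 and shannon_entropy(sample) >= entropy_threshold:
                high_entropy.append(str(path))
    return {
        "renamed_files": renamed,
        "ransom_notes": notes,
        "high_entropy_files": high_entropy,
        "suspicious": len(renamed) >= extension_threshold or bool(notes),
    }


def build_sample_tree() -> str:
    """Constructed fixture: one plain document, six 'encrypted' files and a ransom note."""
    root = tempfile.mkdtemp(prefix="ir-ransomware-demo-")
    (Path(root) / "budget.xlsx").write_bytes(b"quarterly budget figures, plain text " * 20)
    rng = random.Random(42)  # deterministic stand-in for ciphertext
    for i in range(6):
        blob = bytes(rng.getrandbits(8) for _ in range(4096))
        (Path(root) / f"report{i}.docx.encrypted").write_bytes(blob)
    (Path(root) / "README.txt").write_text("Your files have been encrypted. Contact us to decrypt.")
    return root


if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    for key, value in result.items():
        print(f"{key}: {len(value) if isinstance(value, list) else value}")
```

Run it against a mounted image or a read-only share rather than the live infected host, so the scan itself does not alter access times on evidence.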
Immediate Actions (0-15 minutes):
```
# 1. ISOLATE AFFECTED SYSTEMS IMMEDIATELY
# Disconnect from network (DO NOT SHUT DOWN)
# Physical: Unplug network cable
# Virtual: Disable network adapter

# Windows
Disable-NetAdapter -Name "Ethernet" -Confirm:$false

# Linux
ip link set eth0 down

# 2. Identify affected systems
# Check SIEM/logs for similar activity
# Check backup systems (ensure they're not compromised)

# 3. Alert incident response team
# Send notification to IR team
# Escalate to management immediately
```

Containment (15-60 minutes):
```powershell
# 1. Prevent spread
# Block C2 domains/IPs at firewall
# Disable user accounts showing compromise
# Isolate network segments if needed

# Windows - Block outbound connections
# (198.51.100.0/24 is a placeholder; use the C2 addresses identified during analysis)
New-NetFirewallRule -DisplayName "Block Ransomware C2" `
    -Direction Outbound `
    -RemoteAddress 198.51.100.0/24 `
    -Action Block

# 2. Take snapshots/images before remediation
# VM: Create snapshot via hypervisor
# Physical: Image disk if possible
# Preserve evidence for forensics

# 3. Identify ransomware variant
# Submit sample to:
# - VirusTotal
# - Hybrid Analysis
# - ID Ransomware (id-ransomware.malwarehunterteam.com)
```

Eradication and Recovery:
```text
# DO NOT pay ransom (FBI recommendation)

# 1. Verify backups are clean
# Scan backup files for malware
# Verify backup integrity
# Test restoration of sample files

# 2. Wipe and rebuild affected systems
# Reinstall OS from known-good media
# Restore from clean backups
# Update and patch before reconnecting

# 3. Reset all credentials
# Force password reset for all users
# Rotate service account passwords
# Regenerate API keys

# 4. Enhance monitoring
# Increase log retention
# Monitor for reinfection
# Watch for lateral movement
```

Prevention Checklist:
- Backups tested and offline/immutable
- Email filtering and anti-phishing in place
- EDR/antivirus up to date
- Patch management current
- Network segmentation implemented
- Principle of least privilege enforced
- MFA enabled for all admin accounts
- User security awareness training
Playbook 2: Compromised User Account
Indicators:
- Login from unusual location
- Off-hours access
- Multiple failed login attempts followed by success
- Unusual email activity (sent/forwarded emails)
- Changes to inbox rules
- Password reset requests
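Three of these indicators (failed attempts followed by success, off-hours access, login from an unusual location) are also in the SIEM detection sources listed earlier and can be expressed as simple rules over sign-in events. The following is an added example, not part of the runbook: each rule runs over a constructed list of sign-in events shaped like exported sign-in log entries (user, time, result, ip, country). The failure count, the 15-minute window, the 22:00-06:00 off-hours window and the per-user country baseline are assumptions to tune for your environment; "ZZ" is a placeholder country code.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real log data); "ZZ" is a placeholder country code.
SIGNIN_EVENTS = [
    {"user": "alice", "time": "2024-11-02T09:01:00", "result": "success", "ip": "203.0.113.5",  "country": "US"},
    {"user": "bob",   "time": "2024-11-02T03:10:00", "result": "failure", "ip": "198.51.100.7", "country": "ZZ"},
    {"user": "bob",   "time": "2024-11-02T03:11:00", "result": "failure", "ip": "198.51.100.7", "country": "ZZ"},
    {"user": "bob",   "time": "2024-11-02T03:12:00", "result": "failure", "ip": "198.51.100.7", "country": "ZZ"},
    {"user": "bob",   "time": "2024-11-02T03:13:00", "result": "failure", "ip": "198.51.100.7", "country": "ZZ"},
    {"user": "bob",   "time": "2024-11-02T03:14:00", "result": "failure", "ip": "198.51.100.7", "country": "ZZ"},
    {"user": "bob",   "time": "2024-11-02T03:16:00", "result": "success", "ip": "198.51.100.7", "country": "ZZ"},
    {"user": "alice", "time": "2024-11-02T17:45:00", "result": "success", "ip": "203.0.113.5",  "country": "US"},
    {"user": "alice", "time": "2024-11-02T12:00:00", "result": "failure", "ip": "203.0.113.5",  "country": "US"},
]

# Constructed baseline: countries each user normally signs in from (assumption).
BASELINE_COUNTRIES = {"alice": {"US"}, "bob": {"US"}}


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_brute_force_success(events, max_failures=5, window=timedelta(minutes=15)):
    """Flag a successful sign-in preceded by max_failures or more failures for the same
    user inside `window` (the 'failed attempts followed by success' indicator)."""
    by_user = defaultdict(list)
    for event in sorted(events, key=_ts):
        by_user[event["user"]].append(event)
    alerts = []
    for user, user_events in by_user.items():
        for i, event in enumerate(user_events):
            if event["result"] != "success":
                continue
            recent_failures = [
                e for e in user_events[:i]
                if e["result"] == "failure" and _ts(event) - _ts(e) <= window
            ]
            if len(recent_failures) >= max_failures:
                alerts.append({"rule": "brute_force_then_success", "user": user,
                               "time": event["time"], "failures": len(recent_failures)})
    return alerts


def detect_off_hours(events, start_hour=22, end_hour=6):
    """Flag successful sign-ins inside the off-hours window (assumed 22:00-06:00)."""
    return [
        {"rule": "off_hours_access", "user": e["user"], "time": e["time"]}
        for e in events
        if e["result"] == "success" and (_ts(e).hour >= start_hour or _ts(e).hour < end_hour)
    ]


def detect_new_location(events, baseline):
    """Flag successful sign-ins from a country outside the user's baseline."""
    return [
        {"rule": "new_location", "user": e["user"], "time": e["time"], "country": e["country"]}
        for e in events
        if e["result"] == "success" and e["country"] not in baseline.get(e["user"], set())
    ]


def run_detections(events, baseline):
    """All three rules; a user hit by more than one rule is a strong candidate for this playbook."""
    return (detect_brute_force_success(events)
            + detect_off_hours(events)
            + detect_new_location(events, baseline))


if __name__ == "__main__":
    for alert in run_detections(SIGNIN_EVENTS, BASELINE_COUNTRIES):
        print(alert)
```

On the constructed data only bob trips the rules, and he trips all three, which is the profile that should move an analyst straight to the Immediate Actions below; alice's single typo followed by a normal sign-in hours later produces nothing.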
Immediate Actions:
```powershell
# Note: the AzureAD / AzureADPreview modules are being retired; the Microsoft Graph
# PowerShell equivalents are Update-MgUser -AccountEnabled:$false, Revoke-MgUserSignInSession
# and Get-MgAuditLogSignIn.

# 1. Disable the compromised account
# Active Directory
Disable-ADAccount -Identity username

# Azure AD
Set-AzureADUser -ObjectId user@company.com -AccountEnabled $false

# 2. Revoke all active sessions
# Azure AD
Revoke-AzureADUserAllRefreshToken -ObjectId user@company.com

# 3. Review recent activity
# Azure AD sign-in logs (AzureADPreview module)
Get-AzureADAuditSignInLogs -Filter "userPrincipalName eq 'user@company.com'" -Top 50

# Check email activity (Office 365)
Search-MailboxAuditLog -Identity user@company.com -StartDate (Get-Date).AddDays(-7) -ShowDetails
```

Investigation:
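Reviewing inbox rules by eye is slow when a mailbox has many of them, and attacker-created rules follow recognisable patterns: forwarding to an external domain, deleting or moving mail into folders the owner never opens (RSS Feeds, Deleted Items), suppressing messages whose subjects mention passwords or sign-in alerts, and names that are blank or a single punctuation mark. The following is an added example, not part of the runbook or of Exchange: it triages rule records shaped like the properties Get-InboxRule returns. The organisation domain, the folder and subject-word lists, and the sample rules are constructed assumptions.

```python
ORG_DOMAIN = "company.com"  # assumption: the organisation's own mail domain

# Folders attackers commonly point rules at so the owner never sees the mail (assumption).
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email",
                  "archive", "conversation history"}
# Subject words whose suppression suggests the attacker is covering tracks (assumption).
SUSPICIOUS_SUBJECT_WORDS = {"password", "invoice", "payment", "wire", "hacked",
                            "phishing", "security", "sign-in"}

# Constructed sample rules using the property names Get-InboxRule returns (not real mailbox data).
INBOX_RULES = [
    {"Name": "Newsletters", "Enabled": True, "SubjectContainsWords": ["newsletter"],
     "MoveToFolder": "Newsletters"},
    {"Name": ".", "Enabled": True, "ForwardTo": ["someone@external.example"], "MarkAsRead": True},
    {"Name": "Cleanup", "Enabled": True, "SubjectContainsWords": ["password", "hacked", "sign-in"],
     "MoveToFolder": "RSS Feeds", "MarkAsRead": True},
    {"Name": "Old forward", "Enabled": False, "RedirectTo": ["former@external.example"]},
]


def _external(addresses):
    return [a for a in addresses if "@" in a and a.rsplit("@", 1)[1].lower() != ORG_DOMAIN]


def triage_rule(rule: dict) -> list:
    """Return the reasons a single inbox rule looks attacker-created (empty list if none)."""
    reasons = []
    targets = ((rule.get("ForwardTo") or []) + (rule.get("ForwardAsAttachmentTo") or [])
               + (rule.get("RedirectTo") or []))
    external = _external(targets)
    if external:
        reasons.append("forwards or redirects to external address: " + ", ".join(external))
    folder = (rule.get("MoveToFolder") or "").lower()
    hides = bool(rule.get("DeleteMessage")) or folder in HIDING_FOLDERS
    if rule.get("DeleteMessage"):
        reasons.append("deletes messages")
    if folder in HIDING_FOLDERS:
        reasons.append(f"moves messages to {rule['MoveToFolder']}")
    words = {w.lower() for w in rule.get("SubjectContainsWords") or []} & SUSPICIOUS_SUBJECT_WORDS
    if words and (hides or rule.get("MarkAsRead")):
        reasons.append("suppresses messages about: " + ", ".join(sorted(words)))
    name = (rule.get("Name") or "").strip()
    if len(name) <= 2 and not name.isalnum():
        reasons.append("rule name is blank or punctuation only")
    return reasons


def triage_rules(rules) -> list:
    """(name, reasons) for every enabled rule that triggers at least one check."""
    flagged = []
    for rule in rules:
        if not rule.get("Enabled", True):
            continue
        reasons = triage_rule(rule)
        if reasons:
            flagged.append((rule.get("Name", ""), reasons))
    return flagged


if __name__ == "__main__":
    for name, reasons in triage_rules(INBOX_RULES):
        print(f"{name!r}: " + "; ".join(reasons))
```

To feed it real data, export the mailbox's rules with `Get-InboxRule -Mailbox user@company.com | ConvertTo-Json` and load the JSON into the `rules` list; disabled rules are skipped here but are still worth recording, since a rule the attacker disabled can be re-enabled later.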
```powershell
# 1. Check for malicious inbox rules
Get-InboxRule -Mailbox user@company.com
# Remove suspicious rules
Remove-InboxRule -Identity "Rule Name" -Mailbox user@company.com

# 2. Check for email forwarding
Get-Mailbox user@company.com | Select-Object ForwardingAddress, ForwardingSMTPAddress
# Remove forwarding
Set-Mailbox user@company.com -ForwardingAddress $null -ForwardingSMTPAddress $null

# 3. Review sent items
# Check for phishing emails sent from account
# Check for data exfiltration

# 4. Check for file access/downloads
# Review file server logs
# Check cloud storage activity (OneDrive, SharePoint)
```

Recovery:
```powershell
# 1. Reset password
# "TempP@ssw0rd!" is a placeholder; generate a unique random temporary password for each reset
Set-ADAccountPassword -Identity username -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "TempP@ssw0rd!" -Force)
Set-ADUser -Identity username -ChangePasswordAtLogon $true

# 2. Re-enable account (after verification)
Enable-ADAccount -Identity username

# 3. Notify user
# Inform user of compromise
# Provide new temporary password (out of band, not through the mailbox that was compromised)
# Require security awareness training

# 4. Monitor account for 30 days
# Watch for unusual activity
# Review login locations
# Check for re-compromise
```

Playbook 3: Malware Infection
Indicators:
- Antivirus/EDR alert
- Unusual process execution
- High CPU/network usage
- Pop-ups or unexpected behavior
- Files modified/encrypted
Immediate Actions:
```
# 1. Isolate the system
# Disconnect from network (preserve memory)
# Do NOT shut down (loses volatile data)

# 2. Identify the malware
# Check antivirus logs
# Review process list
# Check scheduled tasks/startup items

# Windows
Get-Process | Sort-Object CPU -Descending
Get-ScheduledTask | Where-Object {$_.State -eq "Ready"}
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Run

# Linux
ps aux --sort=-%cpu
crontab -l
cat /etc/cron*/*
```

Containment:
```
# 1. Kill malicious processes
# Windows
Stop-Process -Id PID -Force

# Linux
kill -9 PID

# 2. Block C2 communication
# Add firewall rules to block malicious IPs/domains

# 3. Preserve evidence
# Take memory dump
# Windows (using DumpIt or similar)
.\DumpIt.exe

# Linux
# Note: modern kernels restrict /dev/mem (CONFIG_STRICT_DEVMEM), so this dd command usually
# captures only the first megabyte or fails outright; a kernel-module acquisition tool such
# as LiME or AVML is the practical option for a full memory image.
dd if=/dev/mem of=/tmp/memory.dump bs=1M

# Capture running processes
# Windows
Get-Process | Export-Csv C:\temp\processes.csv

# Linux
ps aux > /tmp/processes.txt
```

Eradication:
```text
# 1. Run full antivirus scan
# Update definitions first
# Run in Safe Mode if possible

# 2. Remove persistence mechanisms
# Delete scheduled tasks
# Remove startup entries
# Check browser extensions
# Review Windows services

# 3. Wipe and rebuild if critical
# Backup user data (scan first)
# Reinstall OS
# Restore from clean backup
```

Playbook 4: Data Breach
Indicators:
- Large data download/upload
- Unauthorized database access
- Credentials found on dark web
- Customer data exposed
- Third-party breach notification
Immediate Actions:
```text
# 1. Contain the breach
# Identify the exposure point
# Stop ongoing exfiltration
# Revoke compromised credentials

# 2. Assess scope
# What data was exposed?
# How many records affected?
# Who is impacted (customers, employees)?
# What is the sensitivity of the data?

# 3. Preserve evidence
# Don't delete logs
# Take system snapshots
# Document timeline
# Secure forensic copies
```

Legal and Compliance:
```text
# 1. Notify legal team immediately
# Breach may have legal implications
# Attorney-client privilege for communications

# 2. Determine notification requirements
# GDPR: 72 hours to notify regulator
# HIPAA: 60 days to notify affected individuals
# State breach laws: Varies by state
# PCI-DSS: Notify card brands immediately

# 3. Prepare notifications
# Regulatory notifications
# Customer notifications
# Public disclosure (if required)
# Credit monitoring offers (if applicable)

# 4. Engage third parties
# Forensics firm
# Legal counsel
# PR firm
# Insurance provider (cyber insurance)
```

Investigation:
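The notification clocks above start at discovery, and the database queries below are usually the first thing run to scope what they apply to. The following is an added example, not part of the runbook: it computes the GDPR and HIPAA deadlines from a discovery time, and runs the same three investigation queries (unauthorized accounts in the audit log, bulk SELECTs, distinct affected records) against a constructed in-memory SQLite copy of the audit tables so the logic can be exercised offline. The table columns (ts, username, action, customer_id, rows_returned) and the sample rows are assumptions modelled on the runbook's SQL, not a real schema. It deliberately returns customer identifiers only, since scoping a notification does not require copying SSNs or card numbers into an investigation result set that then has to be protected as evidence.

```python
import sqlite3
from datetime import datetime, timedelta

# Notification clocks from the legal section above (GDPR: 72 hours to the regulator,
# HIPAA: 60 days to affected individuals). State breach laws and PCI-DSS contacts vary,
# so they are left for counsel to add.
NOTIFICATION_CLOCKS = {
    "GDPR regulator": timedelta(hours=72),
    "HIPAA individuals": timedelta(days=60),
}


def notification_deadlines(discovered_at_iso: str) -> dict:
    """Absolute deadline (ISO 8601) for each notification clock, counted from discovery."""
    discovered_at = datetime.fromisoformat(discovered_at_iso)
    return {name: (discovered_at + delta).isoformat() for name, delta in NOTIFICATION_CLOCKS.items()}


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory tables modelled on the runbook's audit_log, query_log and
    authorized_users (column names are assumptions, not a real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE authorized_users (username TEXT);
        CREATE TABLE audit_log (ts TEXT, username TEXT, action TEXT, customer_id INTEGER);
        CREATE TABLE query_log (ts TEXT, username TEXT, query TEXT, rows_returned INTEGER);
    """)
    conn.executemany("INSERT INTO authorized_users VALUES (?)", [("app_svc",), ("dba_jane",)])
    conn.executemany("INSERT INTO audit_log VALUES (?, ?, ?, ?)", [
        ("2024-10-20T08:00:00", "svc_backup_old", "read", 1004),  # before the investigation window
        ("2024-11-02T01:12:00", "app_svc", "read", 1001),
        ("2024-11-02T01:13:00", "svc_backup_old", "read", 1002),
        ("2024-11-02T01:13:30", "svc_backup_old", "read", 1003),
        ("2024-11-02T01:14:00", "svc_backup_old", "read", 1002),  # same record touched twice
    ])
    conn.executemany("INSERT INTO query_log VALUES (?, ?, ?, ?)", [
        ("2024-11-02T01:12:00", "app_svc", "SELECT name FROM customers WHERE customer_id = 1001", 1),
        ("2024-11-02T01:15:00", "svc_backup_old", "SELECT * FROM customers", 48213),
    ])
    return conn


def unauthorized_access(conn, since: str):
    """Audit entries after `since` by accounts that are not on the authorized list."""
    return conn.execute(
        "SELECT ts, username, customer_id FROM audit_log "
        "WHERE ts > ? AND username NOT IN (SELECT username FROM authorized_users) ORDER BY ts",
        (since,),
    ).fetchall()


def bulk_exports(conn, since: str, min_rows: int = 1000):
    """SELECT statements that returned more rows than any normal application query."""
    return conn.execute(
        "SELECT ts, username, rows_returned FROM query_log "
        "WHERE ts > ? AND query LIKE 'SELECT%' AND rows_returned > ? ORDER BY ts",
        (since, min_rows),
    ).fetchall()


def affected_customer_ids(conn, since: str) -> list:
    """Distinct records touched by unauthorized accounts; identifiers only."""
    rows = conn.execute(
        "SELECT DISTINCT customer_id FROM audit_log "
        "WHERE ts > ? AND username NOT IN (SELECT username FROM authorized_users) "
        "ORDER BY customer_id",
        (since,),
    ).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    conn = build_sample_db()
    print("unauthorized access:", unauthorized_access(conn, "2024-11-01"))
    print("bulk exports:", bulk_exports(conn, "2024-11-01"))
    print("affected customers:", affected_customer_ids(conn, "2024-11-01"))
    for name, due in notification_deadlines("2024-11-02T14:30:00").items():
        print(f"{name}: notify by {due}")
```

The `since` bound matters: the same queries without it pulled in the October entry from the retired backup account, which belongs to a different question (how long has this account been active?) than the one the notification clock depends on.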
```sql
-- Database breach investigation
-- Check access logs
SELECT * FROM audit_log
WHERE timestamp > '2024-11-01'
  AND user NOT IN (SELECT username FROM authorized_users);

-- Check for data export
SELECT * FROM query_log
WHERE query LIKE '%SELECT%'
  AND rows_returned > 1000;

-- Identify affected records
-- Note: pulling ssn and credit_card into the result set creates another copy of the
-- sensitive data that must then be protected as evidence; select customer_id alone
-- where identifiers are enough to scope the notification.
SELECT customer_id, ssn, credit_card
FROM customers
WHERE customer_id IN (SELECT DISTINCT customer_id FROM breach_access_log);
```

Recovery:
```text
# 1. Remediate vulnerability
# Patch systems
# Fix configuration errors
# Implement additional controls

# 2. Enhanced monitoring
# Increase log retention
# Deploy additional detection
# Monitor for misuse of breached data

# 3. Strengthen security
# Implement data encryption
# Enhance access controls
# Review security policies
# Mandatory security training
```

Playbook 5: DDoS Attack
Indicators:
- Service unavailable
- Extremely high traffic volume
- Network congestion
- Slow performance
Immediate Actions:
```bash
# 1. Confirm DDoS attack
# Check traffic patterns
netstat -an | grep SYN_RECV | wc -l
# Check bandwidth usage
iftop -i eth0
# Review firewall/IPS logs
tail -f /var/log/firewall.log | grep DROP

# 2. Identify attack type
# SYN flood
# UDP flood
# HTTP flood
# DNS amplification
```

Mitigation:
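It helps to understand what the rate-limiting step below actually does to a flood before deploying it, because the `rate` and `burst` numbers decide how much of the attack gets through and whether legitimate clients are hurt. The following is an added example, not part of the runbook or of nginx: a small per-source leaky-bucket limiter in the spirit of nginx's `limit_req` (each request adds one unit of excess, excess drains at `rate` per second, and a request is rejected once the excess would exceed `burst`), run over constructed traffic with one source sending 100 requests in a tenth of a second and one ordinary client at 5 requests per second. The bucket model is a simplification stated here as an assumption, not a description of nginx's code; the addresses are documentation ranges.

```python
class LeakyBucketLimiter:
    """Per-key leaky bucket in the style of nginx limit_req (simplified model; an
    assumption about the algorithm, not nginx's code). Each request adds one unit of
    'excess', excess drains at `rate` per second, and a request is rejected when the
    excess after adding it exceeds `burst`. The first request for a new key is free."""

    def __init__(self, rate: float, burst: int):
        self.rate = rate
        self.burst = burst
        self._state = {}  # key -> (excess, timestamp of last accepted request)

    def allow(self, key: str, now: float) -> bool:
        if key not in self._state:
            self._state[key] = (0.0, now)
            return True
        excess, last = self._state[key]
        excess = max(0.0, excess - (now - last) * self.rate + 1.0)
        if excess > self.burst:
            return False  # rejected; stored state is not advanced
        self._state[key] = (excess, now)
        return True


def simulate(requests, rate=10, burst=20):
    """Run (timestamp, client_ip) requests through the limiter; return per-IP counts.
    Defaults match the runbook's nginx setting of rate=10r/s burst=20."""
    limiter = LeakyBucketLimiter(rate, burst)
    stats = {}
    for ts, ip in requests:
        outcome = "accepted" if limiter.allow(ip, ts) else "rejected"
        stats.setdefault(ip, {"accepted": 0, "rejected": 0})[outcome] += 1
    return stats


def build_sample_traffic():
    """Constructed traffic: one source sending 100 requests in 0.1 s (HTTP-flood pattern)
    and one ordinary client at 5 requests/s for 10 s. Addresses are documentation ranges."""
    flood = [(i * 0.001, "198.51.100.23") for i in range(100)]
    normal = [(i * 0.2, "203.0.113.10") for i in range(50)]
    return sorted(flood + normal)


if __name__ == "__main__":
    for ip, counts in simulate(build_sample_traffic()).items():
        print(ip, counts)
```

With rate=10r/s and burst=20 the flooding source gets its first 21 requests in and the remaining 79 are refused, while the 5 r/s client is never touched; raising `burst` lets more of a flood through, lowering it below a legitimate client's natural burst (a page with many assets) starts producing false rejections, which is why the nginx rule keys on `$binary_remote_addr` rather than limiting globally.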
```nginx
# 1. Engage DDoS mitigation service
# Cloudflare
# AWS Shield
# Akamai Prolexic
# Radware

# 2. Implement rate limiting
# Limit connections per IP
# nginx: limit_req_zone belongs in the http {} context, limit_req in the server/location it protects
limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
limit_req zone=one burst=20;
```

```bash
# iptables
# A limit-match ACCEPT rule only takes effect when followed by a DROP for the same traffic;
# on its own, everything above the limit simply falls through to the chain's default policy.
# Note also that -m limit is a global rate, not per source; use -m hashlimit for per-source limits.
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

# 3. Block attack sources
# Null-route attacking IPs (198.51.100.0/24 is a placeholder range)
ip route add blackhole 198.51.100.0/24
# Firewall blocks
iptables -A INPUT -s 198.51.100.0/24 -j DROP

# 4. Communicate with ISP
# Request upstream filtering
# Provide attack details
# Request additional bandwidth if needed
```

Post-Incident Activities
Incident Report Template
```markdown
# Incident Report: [Incident ID]

**Incident Summary:**
- Date/Time: 2024-11-02 14:30 EST
- Severity: High (Sev 2)
- Incident Type: Ransomware Attack
- Status: Resolved
- Duration: 6 hours

**Incident Timeline:**
- 14:30 - Initial detection (user report)
- 14:35 - IR team activated
- 14:40 - Affected systems isolated
- 15:00 - Scope identified (5 workstations)
- 15:30 - Containment achieved
- 17:00 - Systems rebuilt from backup
- 18:30 - Systems back online
- 20:30 - Incident closed

**Root Cause:**
Phishing email with malicious attachment opened by user.
Lack of email filtering allowed attachment through.
User clicked on macro-enabled document.

**Impact Assessment:**
- Systems Affected: 5 workstations
- Users Impacted: 5 employees
- Data Loss: None (restored from backup)
- Downtime: 4 hours per workstation
- Estimated Cost: $10,000 (labor + recovery)

**Actions Taken:**
1. Isolated affected systems
2. Identified ransomware variant (Ryuk)
3. Blocked C2 domains at firewall
4. Rebuilt systems from clean images
5. Restored user data from backups
6. Reset user passwords
7. Enhanced email filtering

**Lessons Learned:**
- Email filtering insufficient
- User training needed
- Backup process worked well
- IR team response time good
- Need better EDR solution

**Recommendations:**
1. Implement advanced email filtering (Priority: High)
2. Deploy EDR solution (Priority: High)
3. Conduct phishing simulation training (Priority: Medium)
4. Review and update backup procedures (Priority: Medium)
5. Implement network segmentation (Priority: Low)

**Follow-up Actions:**
- [x] Systems restored and operational
- [x] Users can resume work
- [ ] Email filtering upgraded (Due: 2024-11-15)
- [ ] EDR solution deployed (Due: 2024-12-01)
- [ ] User training scheduled (Due: 2024-11-30)
- [ ] Security review completed (Due: 2024-12-15)
```

Lessons Learned Meeting
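"IR team response time good" in the report's lessons learned should be a measured statement: the timeline gives the times, and the severity table at the top of the runbook gives the target (Sev 2: under 1 hour). The following is an added example, not part of the runbook: it parses the report template's timeline lines, computes minutes from detection to team activation, to containment and to closure, and checks activation against the response target for the stated severity. The keyword matching on "activated", "containment" and "closed" and the midnight-crossing rule are assumptions; the timeline lines are the report template's own.

```python
import re
from datetime import datetime, timedelta

# Response targets from the runbook's severity table, in minutes.
SEVERITY_RESPONSE_MINUTES = {1: 15, 2: 60, 3: 4 * 60, 4: 24 * 60}

# Timeline from the incident report template above (a Sev 2 incident).
REPORT_TIMELINE = [
    "- 14:30 - Initial detection (user report)",
    "- 14:35 - IR team activated",
    "- 14:40 - Affected systems isolated",
    "- 15:00 - Scope identified (5 workstations)",
    "- 15:30 - Containment achieved",
    "- 17:00 - Systems rebuilt from backup",
    "- 18:30 - Systems back online",
    "- 20:30 - Incident closed",
]

TIMELINE_LINE = re.compile(r"^-\s*(\d{2}:\d{2})\s*-\s*(.+)$")


def parse_timeline(lines, day="2024-11-02"):
    """Turn '- HH:MM - description' lines into (datetime, description) pairs.
    A time earlier than the previous entry is taken to be the next day (midnight crossing)."""
    events, prev = [], None
    for line in lines:
        match = TIMELINE_LINE.match(line.strip())
        if not match:
            continue  # not a timeline entry (heading, blank line, note)
        when = datetime.fromisoformat(f"{day}T{match.group(1)}:00")
        if prev is not None and when < prev:
            when += timedelta(days=1)
        events.append((when, match.group(2).strip()))
        prev = when
    return events


def _first(events, keyword):
    """Timestamp of the first entry whose description mentions keyword, else None."""
    for when, description in events:
        if keyword in description.lower():
            return when
    return None


def timeline_metrics(events, severity: int) -> dict:
    """Minutes from detection (first entry) to team activation, containment and closure,
    and whether activation met the response target for the given severity."""
    detected = events[0][0]

    def minutes_until(when):
        return (when - detected).total_seconds() / 60 if when is not None else None

    response = minutes_until(_first(events, "activated"))
    return {
        "response_minutes": response,
        "containment_minutes": minutes_until(_first(events, "containment")),
        "total_minutes": minutes_until(_first(events, "closed")),
        "response_within_target": response is not None
        and response <= SEVERITY_RESPONSE_MINUTES[severity],
    }


if __name__ == "__main__":
    for key, value in timeline_metrics(parse_timeline(REPORT_TIMELINE), 2).items():
        print(f"{key}: {value}")
```

For the template's numbers this gives 5 minutes to activation, 60 to containment and 360 end to end, which supports the "response time good" finding and gives the meeting a figure to compare against the next incident rather than an impression.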
Attendees:
- IR team members
- Management
- IT staff
- Affected department leads
Discussion Topics:
- What went well?
- What could be improved?
- Were procedures followed?
- What was unexpected?
- What changes are needed?
Action Items:
- Document with owner and due date
- Track to completion
- Update IR procedures based on findings
Incident Response Tools
Essential IR Toolkit
Investigation:
- Wireshark - Packet capture and analysis
- Sysinternals Suite - Windows system utilities
- Volatility - Memory forensics
- Autopsy - Disk forensics
- KAPE - Evidence collection
Malware Analysis:
- VirusTotal - Multi-engine malware scanner
- Hybrid Analysis - Automated malware analysis
- REMnux - Malware analysis Linux distro
- IDA Pro/Ghidra - Reverse engineering
Network Analysis:
- Zeek (Bro) - Network security monitoring
- Suricata - IDS/IPS
- NetworkMiner - Network forensics
- tcpdump - Packet capture
Log Analysis:
- Splunk / ELK Stack - SIEM
- Graylog - Log management
- Chainsaw - Windows event log analysis
Communication:
- Secure chat (Signal, Wickr)
- Conference bridge
- War room (physical or virtual)
IR Preparation Checklist
Before an Incident
- IR plan documented and distributed
- IR team identified with contact info
- IR tools and access provisioned
- Runbooks created for common scenarios
- Communication templates prepared
- Legal/PR contacts identified
- Forensics retainer established
- Cyber insurance policy in place
- Backups tested and verified
- Monitoring and detection in place
- Network diagrams updated
- Asset inventory current
- Credentials documented (secure vault)
- IR training completed
- Tabletop exercises conducted
During an Incident
- Incident declared and severity assigned
- IR team activated
- War room established
- Timeline tracking initiated
- Evidence preservation started
- Management notified
- Containment actions taken
- Regular status updates provided
- Legal/compliance considerations addressed
- External parties engaged if needed
After an Incident
- Incident report completed
- Lessons learned session held
- IR procedures updated
- Follow-up actions tracked
- Security improvements implemented
- Team debriefed
- Knowledge base updated