Advanced Defense (Blue Team)

Incident Detection and Response (IR)

Incident Response (IR) is the structured process for identifying, containing, and eliminating threats before they cause irreversible damage. A well-defined plan reduces MTTR and operational losses.

NIST SP 800-61 lifecycle

Preparation ──► Detection & Analysis ──► Containment ──► Eradication ──► Recovery ──► Lessons learned
      ▲                                                                                      │
      └──────────────────────────────────────────────────────────────────────────────────────┘

1. Preparation

  • Runbooks documented per incident type (ransomware, DDoS, insider threat).
  • Up-to-date contacts: IT, legal, communications, external CERT.
  • Pre-authorized access to backups and snapshots.
  • Tools ready: EDR, packet capture, forensic imaging.

2. Detection and analysis

Alert sources: SIEM, EDR, SOAR, user report.

Initial triage (severity classification):
  P1 — Critical: sensitive data exfiltrated, active ransomware, core system compromised
  P2 — High:     confirmed unauthorized access, contained malware
  P3 — Medium:   blocked intrusion attempt, internal scan
  P4 — Low:      false positive, informational event
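The classification above is easy to apply by hand to one alert; the failure mode in practice is a queue of alerts from several sources where the severity of a host has to be derived from all of them. The following is an added example, not code from the original page: it parses constructed key=value alert lines (the field names, categories and status values are assumptions of the example, not any SIEM's real schema), applies the P1-P4 rules, and orders a per-host triage queue. An alert that matches no rule is surfaced as UNCLASSIFIED near the top rather than silently treated as informational, because an unknown category being dropped to P4 is the error a triage script must not make.

```python
import re

# Constructed sample alert lines in a simple key=value format; not real SIEM/EDR output.
SAMPLE_ALERTS = """\
ts=2024-05-01T08:12:03Z src=edr host=fin-ws-07 category=ransomware status=active
ts=2024-05-01T08:13:40Z src=siem host=web-01 category=port_scan status=blocked
ts=2024-05-01T08:14:02Z src=edr host=hr-ws-03 category=malware status=contained
ts=2024-05-01T08:15:11Z src=siem host=web-01 category=unauthorized_access status=confirmed
ts=2024-05-01T08:16:59Z src=siem host=vpn-gw category=login_failure status=false_positive
ts=2024-05-01T08:17:30Z src=user host=fin-ws-07 category=data_exfiltration status=active
"""

# Severity rules mirroring the P1-P4 table; the first matching rule wins.
# The category/status vocabulary is an assumption of this example.
SEVERITY_RULES = [
    ("P4", lambda a: a["status"] == "false_positive"),
    ("P1", lambda a: a["category"] in {"data_exfiltration", "ransomware", "core_compromise"}
                     and a["status"] == "active"),
    ("P2", lambda a: a["category"] == "unauthorized_access" and a["status"] == "confirmed"),
    ("P2", lambda a: a["category"] == "malware" and a["status"] == "contained"),
    ("P3", lambda a: a["category"] in {"intrusion_attempt", "port_scan"}
                     and a["status"] == "blocked"),
]

# Queue order: P1 first; an alert no rule recognises is placed right after P1
# for analyst review instead of being treated as informational.
ORDER = ["P1", "UNCLASSIFIED", "P2", "P3", "P4"]

KV = re.compile(r"(\w+)=(\S+)")
REQUIRED = {"ts", "host", "category", "status"}

def parse_alert(line):
    """Parse one key=value alert line; reject lines missing triage-relevant fields."""
    fields = dict(KV.findall(line))
    missing = REQUIRED - fields.keys()
    if missing:
        raise ValueError(f"alert missing {sorted(missing)}: {line!r}")
    return fields

def classify(alert):
    """Return the P-level for a single alert, or UNCLASSIFIED when no rule applies."""
    for severity, matches in SEVERITY_RULES:
        if matches(alert):
            return severity
    return "UNCLASSIFIED"

def triage_queue(text):
    """Group alerts by host, keep each host's highest severity, and order the queue."""
    per_host = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        alert = parse_alert(line)
        severity = classify(alert)
        entry = per_host.setdefault(alert["host"],
                                    {"host": alert["host"], "severity": severity,
                                     "alerts": 0, "categories": set()})
        entry["alerts"] += 1
        entry["categories"].add(alert["category"])
        if ORDER.index(severity) < ORDER.index(entry["severity"]):
            entry["severity"] = severity
    return sorted(per_host.values(), key=lambda e: ORDER.index(e["severity"]))

if __name__ == "__main__":
    for e in triage_queue(SAMPLE_ALERTS):
        print(f'{e["severity"]:<13}{e["host"]:<12}alerts={e["alerts"]} {sorted(e["categories"])}')
```

On the sample, fin-ws-07 heads the queue at P1 with two alerts, web-01 is raised from P3 to P2 by its second alert, and vpn-gw lands at P4. Replacing SAMPLE_ALERTS with your own export and SEVERITY_RULES with your organisation's definitions is the intended way to use it.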

3. Containment

Short-term containment — stop the immediate bleeding:

# Isolate compromised host (example in internal environment)
# Via EDR: trigger network isolation in console
# Via firewall: block IP in affected segment
# Run on the gateway/firewall: -I inserts at the top of the FORWARD chain,
# so the DROP takes precedence over existing ACCEPT rules, and both
# directions are cut. On the compromised host itself the INPUT/OUTPUT
# chains apply instead of FORWARD.
iptables -I FORWARD -s 192.168.1.77 -j DROP   # traffic from the host
iptables -I FORWARD -d 192.168.1.77 -j DROP   # traffic to the host

Long-term containment — maintain operations while investigating:

  • Segment the isolated host into its own VLAN.
  • Reset compromised credentials immediately.
  • Preserve evidence before any changes (take snapshot/image).
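Two of the bullets above, reset credentials and preserve evidence before any change, are where a hurried containment usually goes wrong: the isolation command is typed against the wrong address, or it lands on a host the response itself depends on, and nothing records who did what when. The following is an added example, not code from the page, wrapping the page's two iptables rules in a small runbook helper. The protected-host addresses and the evidence-record fields are constructed for the example; by default it only records and returns the commands (dry-run), and applies them with subprocess only when execute=True is passed on the gateway.

```python
import ipaddress
import subprocess
from datetime import datetime, timezone

# Hypothetical allow-list of infrastructure an automated containment action must never
# isolate (the gateway enforcing the rules, the backup/evidence server). Addresses are constructed.
PROTECTED_HOSTS = {ipaddress.ip_address("192.168.1.1"), ipaddress.ip_address("192.168.1.10")}

def check_target(target):
    """Return None if target may be isolated by this runbook, else a human-readable reason."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return f"not an IP address: {target!r}"
    if ip in PROTECTED_HOSTS:
        return f"protected infrastructure: {ip}; isolate only with change approval"
    if not ip.is_private:
        return f"not an internal address: {ip}; this runbook only isolates internal hosts"
    return None

def isolation_rules(ip):
    """FORWARD-chain rules (argv form) dropping traffic from and to the host, as on the page."""
    return [["iptables", "-I", "FORWARD", "-s", str(ip), "-j", "DROP"],
            ["iptables", "-I", "FORWARD", "-d", str(ip), "-j", "DROP"]]

def isolate_host(target, operator, ticket, evidence_log, execute=False):
    """Record the containment action, then optionally apply it. Returns the evidence record."""
    reason = check_target(target)
    if reason:
        raise ValueError(reason)
    rules = isolation_rules(ipaddress.ip_address(target))
    record = {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "action": "network_isolation",
        "target": target,
        "operator": operator,
        "ticket": ticket,
        "commands": [" ".join(r) for r in rules],
        "executed": execute,
    }
    evidence_log.append(record)   # written before any change, so the incident timeline survives
    if execute:                   # dry-run by default; execute=True requires root on the gateway
        for rule in rules:
            subprocess.run(rule, check=True)
    return record

if __name__ == "__main__":
    log = []
    rec = isolate_host("192.168.1.77", operator="analyst1", ticket="IR-EXAMPLE-001", evidence_log=log)
    print("\n".join(rec["commands"]))
    print(log)
```

The evidence_log list stands in for whatever append-only store the team uses (ticket system, SIEM case, a file on the evidence server); the point is that the record exists before the rule does, so the post-mortem timeline does not depend on anyone's memory.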

4. Eradication

  • Identify initial vector: phishing, exploit, leaked credential.
  • Remove artifacts: malware, scheduled tasks, backdoors, attacker-created users.
  • Patch exploited vulnerability or remove exposed service.

Eradication checklist:
  [ ] Malware removed and confirmed via EDR
  [ ] Persistence mechanisms deleted (registry, cron, services)
  [ ] Credentials rotated
  [ ] Patch applied
  [ ] Logs preserved for forensics

5. Recovery

  • Restore from trusted backup (verify integrity with hash).
  • Monitor recovered asset for 72h with enhanced rules.
  • Validate service integrity before returning to production.
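"Verify integrity with hash" is the step that decides whether recovery reintroduces the compromise, so it deserves more than a visual comparison of two digests. The following is an added example, not code from the page: it reads a sha256sum-style manifest, hashes the backup in chunks (so a multi-gigabyte image does not need to fit in memory), compares with a constant-time comparison, and refuses to restore a file that has no manifest entry. The demo fixture (file names, payload) is constructed for the example; the manifest text it builds stands in for one recorded at backup time and kept where the intruder could not reach it.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1024 * 1024

def sha256_file(path):
    """SHA-256 of a file, streamed in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_manifest(text):
    """Parse 'digest  filename' lines (sha256sum format) into {filename: digest}."""
    manifest = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        manifest[name] = digest.lower()
    return manifest

def verify_backup(path, manifest):
    """Return (ok, reason). Only a listed file whose digest matches may be restored."""
    expected = manifest.get(os.path.basename(path))
    if expected is None:
        return False, "no manifest entry; refusing to restore an unlisted file"
    actual = sha256_file(path)
    if not hmac.compare_digest(actual, expected):
        return False, f"hash mismatch: expected {expected[:12]}..., got {actual[:12]}..."
    return True, "ok"

def demo():
    """Constructed fixture: an intact backup, the same file after tampering, and an unlisted file."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "db-2024-05-01.tar")
        with open(good, "wb") as f:
            f.write(b"backup payload " * 1000)
        # The manifest is produced at backup time, before any compromise; here we build it inline.
        manifest = parse_manifest(f"{sha256_file(good)}  db-2024-05-01.tar\n")
        results = {"intact": verify_backup(good, manifest)[0]}
        with open(good, "ab") as f:        # simulate the backup being altered afterwards
            f.write(b"x")
        results["tampered"] = verify_backup(good, manifest)[0]
        unlisted = os.path.join(d, "unlisted.tar")
        open(unlisted, "wb").close()
        results["unlisted"] = verify_backup(unlisted, manifest)[0]
        return results

if __name__ == "__main__":
    print(demo())
```

The manifest must come from somewhere the attacker could not write to (offline media, WORM storage, a separate account); if both the backup and its manifest sit on the same compromised share, a matching hash proves nothing.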

6. Lessons learned (Post-Mortem)

Meeting within 5 days of closure:

  • Complete incident timeline.
  • What worked, what failed.
  • Corrective actions with owner and deadline.
  • Update runbook with what was learned.

Support tools

Phase           Tools
Detection       Elastic SIEM, Wazuh, Splunk
Containment     EDR (CrowdStrike, SentinelOne), Firewall API
Forensics       Volatility, Autopsy, FTK
Orchestration   TheHive, XSOAR, Shuffle