Incident Response
Overview
Incident response (IR) is the structured process for detecting, containing, and recovering from security incidents. This section follows the SANS PICERL incident response lifecycle: preparation, identification, containment, eradication, recovery, and lessons learned. Two common incident types — ransomware and phishing — are covered with dedicated playbooks.
Topics
- IR Preparation — building an IR program, team structure, playbooks, communication plans, and tooling
- Identification — detecting incidents, initial triage, scoping, and evidence preservation
- Containment — short-term and long-term containment strategies for hosts, accounts, and networks
- Eradication — removing threat actor access, cleaning persistence, and verifying elimination
- Recovery — restoring systems, validating integrity, monitoring for reinfection, and lessons learned
- Ransomware Response — ransomware-specific playbook covering detection, containment, decryption, and recovery
- Phishing Incident Response — phishing-specific playbook covering email analysis, credential reset, and user notification
SANS PICERL Incident Response Lifecycle
┌─────────────┐    ┌────────────────┐    ┌──────────────┐    ┌──────────────┐
│ Preparation │───>│ Identification │───>│ Containment  │───>│ Eradication  │
└─────────────┘    └────────────────┘    └──────────────┘    └──────────────┘
                                                                    │
┌─────────────────┐    ┌──────────────┐                             │
│ Lessons Learned │<───│   Recovery   │<────────────────────────────┘
└─────────────────┘    └──────────────┘