IR Training Materials — Secure In Security

Secure In Security — IR Training Materials Cybersecurity & Information Security

Secure In Security

Incident Response
Planning & Execution

IR Cybersecurity Training Program · 2026

Introduction to Incident Response

What Is Incident Response?

Incident Response (IR) is the organized approach to addressing and managing the aftermath of a security breach or cyberattack. The primary goals of IR are to limit damage, reduce recovery time and cost, and preserve evidence for forensic investigation and legal proceedings. A well-executed incident response can be the difference between a contained, manageable event and a catastrophic organizational failure.

Critical Distinction

An ‘event’ is any observable occurrence in a system or network (e.g., a failed login, a file access). An ‘incident’ is an event — or a series of events — that actually or potentially jeopardizes the confidentiality, integrity, or availability of information assets or violates security policies. Not all events are incidents; all incidents begin as events. The judgment call between the two is one of the most important skills in incident response.

Why Incident Response Matters

Every organization with digital assets will experience a security incident. The question is not if — it is when and how well-prepared you are when it happens:

Without a Formal IR Program	With a Mature IR Program
Average breach lifecycle: 277 days (IBM 2024)	Measured and reduced detection-to-containment time
Average breach cost: $4.88 million (IBM 2024)	Organizations with IR teams save avg. $1.49M per incident
Uncontrolled attacker lateral movement	Rapid containment limits blast radius
Destroyed or contaminated forensic evidence	Chain-of-custody evidence preserved for prosecution
Regulatory violations from poor breach notification	Compliant, timely notifications reduce regulatory exposure
Repeated exploitation of same vulnerability	Lessons learned drive systemic improvement

Incident Response Frameworks

Two primary frameworks guide modern IR programs. Organizations typically adopt one as their primary structure and reference the other for supplementary guidance:

Framework	Phases	Best Used For
NIST SP 800-61 Rev 2	1. Preparation 2. Detection & Analysis 3. Containment, Eradication & Recovery 4. Post-Incident Activity	Federal agencies, regulated industries, organizations seeking alignment with NIST RMF
SANS / PICERL	1. Preparation 2. Identification 3. Containment 4. Eradication 5. Recovery 6. Lessons Learned	SOC teams, commercial enterprises, IR consultants — more granular operational guidance

Key IR Terminology

Term	Definition
IoC	Indicator of Compromise — Forensic artifact indicating a system may have been breached (malicious IP, hash of known malware, anomalous registry key)
IoA	Indicator of Attack — Behavioral evidence suggesting an active attack (lateral movement patterns, privilege escalation attempts)
Threat Actor	The individual, group, or nation-state responsible for a malicious cyber activity
TTPs	Tactics, Techniques & Procedures — Behavior patterns of threat actors; codified in MITRE ATT&CK
Attack Vector	The pathway used by an attacker to gain unauthorized access (phishing, unpatched vulnerability, stolen credentials)
Lateral Movement	Techniques used by attackers to progressively move through a network toward high-value targets after initial access
Dwell Time	The length of time an attacker has been present in an environment before detection — the primary metric IR aims to minimize
Chain of Custody	Documented record of who handled evidence, when, and how — essential for legal admissibility
MTTD	Mean Time to Detect — Average time from initial compromise to detection; measures monitoring effectiveness
MTTR	Mean Time to Respond — Average time from detection to initial containment action
Playbook	Pre-defined, step-by-step procedures for responding to a specific type of security incident
War Room	Physical or virtual command center where the IR team coordinates during an active incident

IR Program Structure

The Incident Response Team (IRT)

An effective IR program requires a formally constituted team with clearly defined roles, documented responsibilities, and regular training. The IRT is not solely an IT function — it must span the entire organization.

Role	Reporting To	Key Responsibilities
Incident Commander (IC)	CISO / Executive	Overall incident authority; final decisions on escalation, containment, and communications; activates the IRP
IR Lead (Technical)	Incident Commander	Technical investigation lead; coordinates all security engineering and forensics activities; owns containment and eradication
SOC Analyst / Triage	IR Lead	First responder; initial detection, triage, and escalation; monitors security tooling; preserves initial evidence
Forensics Analyst	IR Lead	Digital evidence collection and analysis; malware reverse engineering; timeline reconstruction
IT Operations Lead	Incident Commander	System isolation, backup validation, infrastructure recovery; network reconfiguration; coordinates with vendors
Legal Counsel	Incident Commander	Regulatory notification obligations; law enforcement liaison; attorney-client privilege considerations; contract review
Communications Lead	Incident Commander	Internal and external messaging; media statements; customer/partner notifications; social media monitoring
HR Representative	Incident Commander	Insider threat investigations; employee interviews; disciplinary actions; union/labor law compliance
Business Unit Liaisons	Incident Commander	Represent affected business units; validate business impact; authorize business-side recovery decisions
External IR Retainer	IR Lead / Legal	Specialized expertise (ransomware, nation-state, OT/ICS); independent investigation; legal defensibility

Best Practice

Retain an external IR firm before you need one. A pre-negotiated IR retainer agreement means no contract negotiation under fire, no onboarding delay, and — critically — the engagement is established under attorney-client privilege when counsel retains the firm, protecting communications from discovery in litigation.

IR Program Documentation Requirements

Document	Purpose	Review Frequency
Incident Response Plan (IRP)	Master document defining IR program scope, roles, communication flows, and lifecycle phases	Annually + post-major incident
Incident Response Playbooks	Scenario-specific step-by-step procedures for each incident type (ransomware, breach, DDoS, etc.)	Annually + post-exercise
Communication Templates	Pre-drafted internal and external notification messages for rapid deployment during incidents	Annually
Contact & Escalation Directory	All IR team members, external vendors, regulators, and law enforcement with contact details	Quarterly
Asset & Network Inventory	Current, accurate inventory of all systems, networks, and data repositories needed for scoping incidents	Continuously updated
Evidence Collection Procedures	Chain-of-custody forms, forensic acquisition procedures, and evidence storage protocols	Annually
After-Action Report Template	Standardized format for post-incident documentation and lessons-learned capture	Annually

Preparation Activities

Technical Preparation

Deploy and tune a SIEM with documented alert thresholds and escalation rules
Implement EDR on 100% of endpoints with automated isolation capability for confirmed threats
Enable comprehensive logging: authentication events, network flows, DNS queries, PowerShell execution, process creation
Configure centralized, tamper-proof log storage with minimum 12-month retention
Deploy network traffic capture capability at perimeter and critical internal segments
Establish and test out-of-band communication channels (separate from primary IT systems)
Maintain a forensic toolkit: pre-authorized collection tools, write-blockers, forensic storage media
Document and test backup and restore procedures quarterly

Operational Preparation

Conduct IR tabletop exercises at minimum semi-annually; full simulation annually
Train all IR team members on their specific roles and tools — certification encouraged (GCIH, GCFE, GCFA)
Establish relationships with FBI Cyber Division, CISA, and sector-specific ISACs before incidents occur
Test all IR playbooks through exercises — an untested playbook is an untested assumption
Establish war room protocols: primary location, virtual backup, equipment staging, access procedures

Classification & Triage

Incident Severity Levels

Accurate, rapid classification determines the appropriate response intensity and escalation path. Misclassification — in either direction — is costly: over-response wastes resources; under-response allows damage to compound.

Level	Severity	Criteria / Examples	Response Timeline	Escalation Path
SEV 1	CRITICAL	Active ransomware; confirmed data exfiltration; full system compromise; critical infrastructure attack; nation-state intrusion	Immediate — IR team engaged within 15 minutes; war room activated; 24/7 response	IC + CISO + CEO + Board notified within 1 hour; external IR firm activated; legal counsel engaged
SEV 2	HIGH	Confirmed malware on critical system; privileged account compromise; significant unauthorized data access; targeted phishing success	IR team engaged within 1 hour; extended hours response until contained	IC + CISO notified within 2 hours; legal and business unit leads engaged
SEV 3	MEDIUM	Suspicious activity under investigation; single non-critical system compromise; unauthorized access attempt (unconfirmed success)	SOC lead engaged within 4 hours; investigation initiated same day	Security manager notified; escalate to SEV 2 if scope expands
SEV 4	LOW	Policy violation; contained phishing attempt; failed brute-force with no success; informational security alert requiring documentation	Documented and tracked; remediation within 30 days per standard process	Ticketed in IT service management; security team notified

Triage Decision Framework

When an alert fires, the SOC analyst must rapidly assess several dimensions to determine the correct classification:

CONFIRMIs this a true positive? Check for corroborating evidence across multiple log sources before classifying
SCOPEHow many systems, users, or data types are potentially affected? Has lateral movement occurred?
TIMINGWhen did this start? Is the threat still active? Is real-time damage occurring?
IMPACTWhat business processes or data are at risk? Are regulated data types (PII, PHI, PCI) involved?
NOVELTYIs this a known attack pattern or an unknown technique? Novel activity warrants higher caution
CLASSIFYApply severity matrix; assign incident number; open formal incident ticket in tracking system
NOTIFYExecute escalation per severity level; do not delay notification to ‘gather more information’ first

Critical Rule

NEVER downgrade an incident’s severity without documented evidence and supervisor approval. It is always better to over-escalate a SEV 3 to a SEV 2 and stand down than to under-escalate a SEV 1 to a SEV 3 and miss the window for effective containment. Err on the side of severity.

Incident Categorization by Type

Incident Category	Common Indicators	Primary IR Concern
Ransomware / Destructive Malware	Encrypted files; ransom note; disabled backups; C2 traffic; mass file renaming	Speed of containment; backup integrity; negotiation decision; regulatory notification
Data Breach / Exfiltration	Large outbound data transfers; access to sensitive repos; unauthorized API calls; dark web alerts	Scope of exposed data; breach notification obligations; legal hold requirements; PR management
Business Email Compromise (BEC)	Impersonated executive emails; fraudulent wire requests; forwarding rules; OAuth grants	Financial transaction reversal; compromised mailbox forensics; vendor/partner notification
Account Takeover / Credential Theft	Impossible travel logins; MFA fatigue attacks; password spray patterns; new device enrollment	Compromised account scope; privilege escalation assessment; password reset cascade
Denial of Service (DDoS)	Traffic volume anomalies; service unavailability; amplification patterns; botnet signatures	Traffic filtering; upstream ISP engagement; failover activation; customer communication
Insider Threat	Unusual data access patterns; after-hours activity; mass downloads before resignation; policy violations	Evidence preservation; HR/legal coordination; access revocation timing; disciplinary process
Supply Chain / Third-Party Compromise	Unexpected software behavior; vendor breach notification; malicious update mechanism; unusual outbound connections	Scope of vendor access; isolation of affected integrations; vendor coordination; regulatory assessment
Advanced Persistent Threat (APT)	Long dwell time; living-off-the-land techniques; targeted spear phishing; C2 over legitimate services	Full environment re-assessment; threat hunt; possible full rebuild; law enforcement engagement

Executing the IR Lifecycle

Phase 1 — Detection & Analysis

Detection is the transition from ‘something happened’ to ‘we know what happened.’ Effective detection requires both technical tooling and skilled human analysis to distinguish true threats from noise.

Detection Sources

Detection Source	Description & Key Signals
SIEM Correlation Rules	Automated detection of known attack patterns from aggregated logs — primary detection mechanism for most organizations
EDR / XDR Alerts	Behavioral endpoint detection; process injection, credential dumping, suspicious script execution, lateral movement
Threat Intelligence Feeds	IoC matching against known malicious IPs, domains, file hashes; TTPs matching against active threat groups
User & Entity Behavior Analytics (UEBA)	Statistical anomaly detection for insider threats; impossible travel; unusual access patterns; data staging
Vulnerability Scanner Findings	Newly discovered critical vulnerabilities in production systems — potential pre-breach exposure requiring emergency patching
Third-Party Notification	Law enforcement, CISA, sector ISAC, or breach monitoring services alerting to organizational compromise
User / Employee Reports	Staff reporting suspicious emails, unexpected system behavior, or observed unauthorized activity
Dark Web Monitoring	Discovery of organizational credentials, data, or attack planning materials on dark web markets or forums

Analysis Procedures

Collect and preserve initial evidence: SIEM alerts, EDR telemetry, relevant log extracts, system memory if malware active
Identify affected systems: hostnames, IPs, users, services — build an initial scope inventory
Establish attack timeline: When did the first IoC appear? What preceded it? What happened immediately after?
Identify attack vector: How did the attacker gain initial access? (phishing, exploit, stolen credentials, supply chain)
Assess lateral movement: Which other systems has the attacker touched? Use authentication logs, network flows, EDR telemetry
Determine attacker objectives: Are they exfiltrating data? Deploying ransomware? Establishing persistence?
Produce a written scope summary before proceeding to containment — undocumented scope leads to incomplete containment

Phase 2 — Containment

Containment stops the bleeding. The goal is to prevent the attacker from doing additional damage while preserving the ability to investigate what has already occurred. Containment decisions involve real business tradeoffs — isolating a system stops the attacker but may also stop the business.

Containment Strategy Selection

Strategy	When to Use	Key Actions
Short-Term Containment	Immediate threat; active attack in progress; risk of further spread imminent	Network isolation of affected systems (VLAN, firewall ACL, EDR kill switch); disable compromised accounts; block malicious IPs/domains at perimeter
System Isolation	Specific systems confirmed compromised; infection scope defined	Remove system from network segment; maintain power if forensic imaging needed; do NOT reboot unless required
Long-Term Containment	Immediate risk reduced; investigation ongoing; business continuity required	Rebuild systems to temporary clean baseline; enhanced monitoring on remaining environment; maintain attacker visibility where safe
Deception / Honeypot	APT suspected; attacker likely has persistent access; need to observe TTPs	Allow limited attacker activity in monitored sandbox environment to gather intelligence — only with legal counsel approval

Do Not Power Off

Unless the system contains active ransomware encryption with no forensic alternative, do NOT power off a compromised system. Volatile memory (RAM) contains critical forensic artifacts: running processes, network connections, encryption keys, malware execution context. Capture memory FIRST before any other action. Powering off destroys this evidence permanently.

Containment Checklist

Document the time and method of every containment action — this becomes your incident timeline
Isolate affected systems at the network level — prefer firewall/ACL changes over physical cable removal
Capture volatile memory (RAM) from critical systems before any shutdown or reboot
Disable or reset all compromised or potentially compromised credentials — not just the obviously affected accounts
Block identified IoCs (IPs, domains, file hashes) at all perimeter and internal security controls
Revoke any OAuth tokens, API keys, or service account credentials associated with the incident
Verify that backup systems are isolated and unaffected before relying on them for recovery
Notify business stakeholders of systems taken offline — set expectations for estimated downtime

Phase 3 — Eradication

Eradication removes the threat from the environment. This phase must be thorough — returning to operations while any remnant of the attacker remains will result in re-compromise, often within hours.

Eradication Activities by Incident Type

Incident Type	Eradication Requirements
Ransomware	Identify and remove all ransomware binaries, persistence mechanisms, and C2 infrastructure; reset ALL domain credentials including service accounts; patch exploited vulnerability before restoration; validate backup integrity before restoration
Data Breach	Identify and close all exfiltration channels; revoke all unauthorized access; remove unauthorized persistence; patch vulnerability; audit all access logs for the scope period
Account Takeover	Reset account credentials; revoke all active sessions and tokens; remove unauthorized forwarding rules, OAuth grants, and device enrollments; enable phishing-resistant MFA
Malware (non-ransomware)	Identify all malware components (dropper, loader, payload, persistence, C2 beacon); remove ALL components; patch exploited vulnerability; verify no other systems infected
Insider Threat	Revoke all system access; preserve evidence for HR/legal proceedings; identify all data exfiltrated or systems accessed; implement data loss prevention controls

Eradication Rule

Never proceed to recovery until you can answer YES to all three questions: (1) Have all attack entry points been identified and closed? (2) Have all attacker tools, backdoors, and persistence mechanisms been removed and verified? (3) Have all compromised credentials been reset — including service accounts and application credentials, not just user accounts?

Phase 4 — Recovery

Recovery restores systems and services to normal operation in a controlled, validated manner. Rushed recovery that reintroduces compromised systems is the most common cause of re-infection.

Recovery Sequencing Principles

Restore from known-good, verified clean backups only — never restore from a backup that was online during the incident window without verification
Restore in dependency order: identity systems first (Active Directory, IAM), then network services, then critical business applications
Deploy enhanced monitoring on all restored systems for minimum 30 days post-recovery
Validate each system before connecting to production network — confirm no residual malware, unauthorized accounts, or configuration changes
Phased reconnection: restore to isolated segment, validate, then connect to production
Obtain business stakeholder sign-off before declaring a system ‘recovered’
Document every recovery action with timestamp, system name, and technician

Post-Recovery Hardening — Before Going Live

Apply all outstanding patches and security updates to restored systems
Enforce MFA on all accounts that will interact with restored systems
Enable enhanced audit logging and forward to SIEM
Reset all service account and application credentials associated with restored systems
Review and remove all unnecessary services, ports, and accounts from restored systems
Confirm backup agent is operational and first backup successfully completed

Scenario-Specific IR Playbooks

Playbooks are pre-defined, step-by-step response procedures for specific incident types. They remove ambiguity during high-stress incidents, ensure nothing is missed, and accelerate response time. Each playbook should be printed or accessible offline in case primary systems are unavailable.

Playbook: Ransomware Attack

Scenario Trigger

Multiple endpoints reporting file encryption activity OR ransom note discovered OR EDR/SIEM alerting on mass file renaming, Volume Shadow Copy deletion, or known ransomware binary execution.

Immediate Actions (0–15 Minutes)

Activate IR team and Incident Commander — declare SEV 1
Identify affected systems using EDR console — determine scope of active encryption
ISOLATE: Disconnect all confirmed and suspected affected systems from the network (firewall ACL, EDR isolation, VLAN change) — do NOT power off
STOP THE SPREAD: Block all outbound C2 communication at perimeter; identify and block malicious domains/IPs
ALERT: Notify CISO, CEO, and Legal within 15 minutes of SEV 1 declaration
PRESERVE EVIDENCE: Capture volatile memory from affected systems before any further action
ASSESS BACKUP STATUS: Immediately verify whether backup infrastructure is online and affected — take offline if unaffected

Short-Term Response (15 Minutes – 4 Hours)

Determine ransomware family: check ransom note, file extension, ID Ransomware database — determines decryptor availability
Assess full scope: identify all affected systems, determine attacker’s entry point, assess how long they had access before encryption began
Identify and reset ALL potentially compromised credentials — assume domain-wide credential compromise in ransomware events
Engage external IR firm and notify cyber insurance provider (required within 24 hours for most policies)
Legal counsel: assess regulatory breach notification obligations based on data types present on affected systems
Begin documentation of encrypted vs. clean systems for recovery planning
Decision point: Is there a known decryptor? If yes, do NOT pay ransom — focus on clean restoration. If no decryptor, consult legal before any ransom discussion

Ransom Payment Decision

Ransom payment does not guarantee decryption — only ~65% of organizations who pay receive working decryptors. Payment may violate OFAC sanctions if attackers are designated entities. Always consult legal counsel before any payment discussion. Focus instead on clean backup restoration, which is faster, cheaper, and more reliable when backups are properly maintained.

Recovery Sequence

Identify last known-good backup predating attacker’s first presence (not just encryption event)
Restore identity infrastructure (AD, DNS, DHCP) from clean backup to isolated network segment — validate
Restore critical business systems sequentially — validate each before network reconnection
Apply all patches; enforce MFA; reset all service accounts before production reconnection
Conduct full threat hunt to verify no persistence mechanisms remain before declaring environment clean

Playbook: Data Breach / Unauthorized Exfiltration

Scenario Trigger

DLP alert on mass data transfer; SIEM alert on anomalous outbound volume; dark web notification of organizational data for sale; third-party notification of credential/data exposure; employee report of unauthorized access to sensitive repositories.

Immediate Actions

Classify: What type of data was involved? (PII, PHI, financial records, IP, credentials) — drives notification obligations
Scope: How much data? From which systems? Over what time period? Is exfiltration ongoing?
STOP exfiltration: Block identified exfiltration channels at firewall/proxy (upload sites, email, cloud storage, FTP)
Preserve evidence: Capture logs covering the exfiltration window; do not delete or overwrite
Identify source account: Was this an insider, compromised account, or external attacker using stolen credentials?
Notify Legal immediately — regulatory clock starts at the point of discovery, not confirmed breach

Notification Obligations — Quick Reference

Regulation	Trigger	Deadline	Required Content
GDPR (EU/UK)	PII of EU/UK residents	72 hours to supervisory authority; undue delay to individuals	Nature of breach; categories/volume of data; likely consequences; measures taken
HIPAA	Unsecured PHI	60 days to HHS OCR; 60 days to individuals; immediate media if >500 in state	Description; types of PHI; who accessed/acquired; what done to mitigate; steps individuals should take
PCI DSS	Cardholder data	Immediately to payment brand and acquirer	Affected card ranges; timeframe; forensic investigation initiation
State Breach Laws (all 50 US states)	PII of state residents	30–90 days (varies); FL/CO = 30 days; CA/NY = 30 days	Varies — consult legal; generally: nature, types of info, steps taken, contact information
SEC (public companies)	Material cybersecurity incident	4 business days of materiality determination	Nature, scope, timing, material impact; filed on Form 8-K Item 1.05

Playbook: Business Email Compromise (BEC)

Scenario Trigger

Finance team reports unusual wire transfer request from executive; employee reports receiving CEO email from suspicious domain; forwarding rules discovered on executive mailboxes; OAuth application granted broad email permissions.

Immediate Actions

If wire transfer requested but not yet executed: IMMEDIATELY contact financial institution to block or reverse — this window is typically 24–48 hours
If wire already executed: Contact FBI IC3 and your financial institution’s fraud team within hours — recovery probability drops sharply after 72 hours
Identify compromised mailbox(es): audit login history, forwarding rules, OAuth grants, mobile device enrollments
Revoke all active sessions and tokens for the compromised account; reset password; enforce phishing-resistant MFA
Audit 90 days of email activity from the compromised account for additional malicious activity
Search all mailboxes for similar attack patterns — BEC attackers commonly compromise multiple accounts
Identify and notify all recipients of fraudulent emails — internal and external

Digital Forensics in Incident Response

Forensic Principles

Digital forensics in incident response serves dual purposes: understanding the attack to support remediation, and preserving evidence for potential legal proceedings. Every evidence handling decision must be made with both goals in mind from the moment an incident is declared.

Principle	Application in Incident Response
Order of Volatility	Collect most volatile evidence first: RAM → running processes/network connections → temporary files → disk → remote logs → backups
Chain of Custody	Document every person who handles evidence: who, what, when, where, why — any gap destroys admissibility
Minimize Contamination	Work from forensic images, never originals; use write-blockers; document every tool used and action taken
Preserve Authenticity	Use cryptographic hashing (SHA-256) to verify evidence integrity at collection and at every subsequent handling
Document Everything	If it wasn’t documented, it didn’t happen — contemporaneous notes are required; retrospective reconstruction is inadmissible

Evidence Collection — Order of Volatility

Evidence must be collected in order from most volatile (lost on shutdown) to least volatile (survives long-term). This order is non-negotiable — deviating from it permanently destroys evidence that may be critical:

Order	Evidence Type	Collection Method	Why It Matters
1	RAM / Volatile Memory	Magnet RAM Capture, WinPmem, LiME (Linux)	Contains: running malware, decryption keys, active connections, credentials in memory — lost on shutdown
2	Running Processes & Network Connections	tasklist, netstat, ps, ss — capture before isolation	Reveals: malicious processes, active C2 connections, listening services, injected code
3	Temporary Files & Swap Space	Copy %TEMP%, pagefile.sys, /tmp before shutdown	May contain: malware staging files, recovered fragments of volatile memory
4	Disk Image	FTK Imager, dd, dcfldd with write-blocker	Complete bit-for-bit copy of storage media; basis for all subsequent analysis
5	System & Application Logs	Collect locally cached logs before they age out (Windows Event Logs, syslog, application logs)	Attack timeline evidence; often partially overwritten — collect immediately
6	Centralized Logs (SIEM)	Query and export relevant log data with timestamps preserved	Survives system compromise; authoritative record for correlation and timeline
7	Backup & Archived Data	Identify backup snapshots covering the incident window; preserve before overwrite cycles	Allows historical comparison; may contain pre-compromise baseline

Chain of Custody Procedures

Label all evidence media with: case number, item number, description, date/time collected, collector name
Calculate and document SHA-256 hash of all digital evidence at time of collection
Complete chain of custody form for each item: date, time, person transferring, person receiving, purpose
Store physical evidence in locked, access-controlled evidence room with access log
Store digital evidence on dedicated, isolated forensic systems — never on production infrastructure
Verify hash integrity each time evidence is accessed — document any discrepancy immediately
Maintain evidence until legal counsel advises it is safe to destroy — typically minimum 7 years for litigation hold

Forensic Tools Reference

Tool Category	Common Tools	Primary Use Case
Memory Forensics	Volatility 3, Magnet RAM Capture, WinPmem	Analyze captured RAM for malware artifacts, injected code, credentials, network connections
Disk Forensics	Autopsy, FTK Imager, X-Ways Forensics	Disk imaging, deleted file recovery, timeline analysis, artifact extraction
Network Forensics	Wireshark, Zeek, NetworkMiner, Moloch	Packet analysis, protocol dissection, C2 traffic identification, data exfiltration evidence
Log Analysis	Splunk, Elastic SIEM, Chainsaw, LogParser	Log correlation, timeline construction, IoC hunting across large log datasets
Malware Analysis	Cuckoo Sandbox, Any.run, IDA Pro, Ghidra	Dynamic and static malware analysis; capability identification; IoC extraction
Endpoint Investigation	Velociraptor, CrowdStrike Falcon, CarbonBlack	Rapid enterprise-wide artifact collection; threat hunting; remote forensics at scale
Timeline Analysis	Plaso / log2timeline, SIFT Workstation	Super-timeline construction correlating artifacts across multiple evidence sources

Communications Management

Incident communications are a critical and often underestimated component of incident response. Poor communications can turn a contained technical incident into a PR crisis, a regulatory violation, or a legal liability. Every communication during an active incident must be deliberate, accurate, and authorized.

Communications Principles

Designate a single Communications Lead — no one else speaks to external parties during an incident
All external communications must be reviewed by Legal Counsel before release
Assume all electronic communications may be discoverable — use measured, factual language; avoid speculation
Internal communications should operate on a need-to-know basis until scope is determined
Use out-of-band communication channels when primary systems may be compromised (personal phone, secure messaging app)
Never communicate incident details over potentially compromised channels (corporate email, Slack, Teams)
Document all communications: who said what, to whom, when — this becomes your communications timeline

Stakeholder Communication Matrix

Stakeholder	Trigger for Notification	Timeline	Communication Owner
CISO / C-Suite	SEV 1 or SEV 2 incident	Within 1–2 hours	Incident Commander
Board / Audit Committee	SEV 1 incident; material breach	Within 24–48 hours	CISO / CEO
Legal Counsel	Any incident with regulatory or litigation potential	Immediately on SEV 1–2	Incident Commander
Cyber Insurance Provider	Any suspected or confirmed breach	Within 24 hours (policy requirement)	Legal / Risk Officer
Affected Employees	Internal systems compromised; credentials exposed; required actions	Within hours of scope determination	HR / Comms Lead
Customers / Partners	Their data potentially exposed; service disruption	Per contractual and legal obligations	Comms Lead + Legal
Regulatory Bodies	Regulated data involved (PII, PHI, PCI, financial)	Per regulation (72h GDPR; 60d HIPAA; 4d SEC)	Legal Counsel
Law Enforcement (FBI/CISA)	Criminal activity; ransomware; nation-state	As soon as practicable	Legal Counsel + Exec
Media / Press	Public impact; media inquiries	Only when legally required or strategically necessary	Communications Lead (approved statement only)

Communication Templates

Internal Initial Notification (SEV 1)

Subject: Security Incident Alert — SEV 1 — [Date/Time]

DISTRIBUTION: [IC, CISO, CEO, Legal, IT Lead, Comms Lead]

INCIDENT SUMMARY: At approximately [TIME] on [DATE], [brief factual description of what was detected]. This has been classified as a SEV 1 incident.

CURRENT STATUS: [Containment actions taken / investigation underway / systems isolated]. The IR team is actively responding.

IMMEDIATE ACTIONS REQUIRED: [Any required immediate actions for recipients — e.g., ‘Do not use corporate email. Use [alternate channel] for all communications until further notice.’]

DO NOT DISCUSS THIS INCIDENT outside this distribution list until further guidance is issued by the Communications Lead.

Next update: Within [X] hours. Contact: [Incident Commander name and out-of-band contact number]

External Customer Notification (Data Breach)

Subject: Important Security Notice Regarding Your Account

Dear [Customer Name],

We are writing to inform you of a security incident that may have affected information associated with your account. We take the protection of your information seriously and want to provide you with accurate information about what happened and the steps we are taking.

WHAT HAPPENED: [Factual, plain-language description of the incident. No technical jargon. Approved by legal.]

WHAT INFORMATION WAS INVOLVED: [Specific data types — only what is confirmed affected. Do not speculate.]

WHAT WE ARE DOING: [Actions taken to address the incident and prevent future occurrences.]

WHAT YOU CAN DO: [Specific recommended actions for affected individuals — password reset, credit monitoring, etc.]

If you have questions, please contact our dedicated response line at [phone/email]. We sincerely apologize for any concern this may cause.

[Authorized Signatory Title] │ [Organization Name]

Post-Incident Activities

After-Action Review and Report (AAR)

The After-Action Review is one of the highest-value activities in incident response — and the one most frequently skipped under the pressure of returning to normal operations. A rigorous AAR is how organizations improve; without it, the same incidents recur.

AAR Requirements

Conduct within 72 hours of incident closure — while details are fresh in participants’ memories
Mandatory attendees: all IR team members who participated; optional: affected business unit leaders
Facilitated by the IR Program Owner or a neutral facilitator — not the Incident Commander (to avoid defensiveness)
Blameless culture: the goal is systemic improvement, not individual accountability (separate HR proceedings handle that)
Produce a written AAR report within 7 days; distribute to CISO and relevant stakeholders
All improvement actions from the AAR must be entered into the organization’s tracking system with owners and deadlines
Update the IR Plan, affected playbooks, and detection rules within 30 days of the AAR

AAR Discussion Framework — Five Key Questions

Question	What to Address
What did we intend to happen?	What did the IR plan and playbooks call for? What were our assumed capabilities and response timelines?
What actually happened?	Factual timeline of the incident and response. Where did actual events diverge from expectations?
Why were there differences?	Root cause analysis of gaps: missing tools, unclear procedures, communication failures, skill deficits, documentation inaccuracies
What went well?	Effective practices to codify and replicate. What prevented worse outcomes? What tools or procedures worked as expected?
What do we improve?	Specific, assigned, time-bound actions to address identified gaps. What plan/playbook updates are needed?

IR Metrics & Key Performance Indicators

IR program effectiveness must be measured quantitatively. The following KPIs should be tracked, trended, and reported to leadership quarterly:

KPI	Measurement	Target	Trend
Mean Time to Detect (MTTD)	Avg. hours from initial compromise to detection	< 24 hours	Decreasing ↓
Mean Time to Respond (MTTR) — Initial Containment	Avg. hours from detection to first containment action	< 4h SEV 1; < 24h SEV 2	Decreasing ↓
Mean Time to Recover (MTTK)	Avg. days from incident declaration to systems restored	SEV 1: < 7 days; SEV 2: < 3 days	Decreasing ↓
False Positive Rate	% of alerts investigated that are not true incidents	< 20%	Decreasing ↓
Incidents Detected Internally	% detected by internal controls vs. external notification	≥ 85% internally	Increasing ↑
Playbook Coverage Rate	% of incident types with a tested, current playbook	100% of high-frequency types	Increasing ↑
Regulatory Notification Compliance	% of breach notifications meeting statutory deadlines	100%	Stable at 100%
AAR Action Item Closure Rate	% of AAR improvement actions closed within target date	≥ 90% on-time	Increasing ↑

Threat Intelligence Integration

Extract all IoCs from the incident: IPs, domains, file hashes, registry keys, email subjects, URLs — publish to SIEM and threat intel platform
Document attacker TTPs in MITRE ATT&CK format and update detection rules to alert on those specific techniques
Share anonymized indicators with sector ISACs and trusted peer organizations — the security community is a collective defense
Update threat models and risk register to reflect any newly discovered attack vectors or threat actor capabilities
Review and update all relevant playbooks to incorporate lessons learned about attacker behavior

Quick Reference — IR Key Terms

Term	Definition
Incident	An event that jeopardizes the confidentiality, integrity, or availability of information assets or violates security policy
IoC	Indicator of Compromise — forensic artifact suggesting a system has been breached (malicious IP, file hash, registry key)
IoA	Indicator of Attack — behavioral evidence of an active or in-progress attack (lateral movement, privilege escalation)
TTPs	Tactics, Techniques & Procedures — how threat actors operate; codified in MITRE ATT&CK framework
Dwell Time	Time between initial compromise and detection — primary metric IR aims to minimize
MTTD	Mean Time to Detect — average time from compromise to detection
MTTR	Mean Time to Respond — average time from detection to initial containment
Chain of Custody	Documented record of all evidence handlers; required for legal admissibility
Order of Volatility	Evidence collection sequence: RAM → processes → temp files → disk → logs → backups
Containment	Actions to prevent further damage while preserving forensic evidence
Eradication	Complete removal of the threat: malware, persistence, backdoors, and closed attack vectors
Playbook	Pre-defined step-by-step response procedures for a specific incident type
War Room	Physical or virtual command center for IR team coordination during active incidents
BEC	Business Email Compromise — social engineering attack impersonating executives to authorize fraudulent transfers
Lateral Movement	Attacker techniques to progress through a network from initial access to high-value targets
NIST SP 800-61	NIST Computer Security Incident Handling Guide — primary federal IR standard (4 phases)
SANS PICERL	SANS IR lifecycle: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned
AAR	After-Action Review — post-incident structured analysis to drive continuous improvement

Master Incident Response Checklist

This checklist covers the full IR lifecycle. Each phase should be checked off in sequence. All actions require a timestamp and responsible party documented in the incident tracking system.

✓	Action	Owner
Detection & Analysis
☐	Alert received and initial triage completed — true positive confirmed	SOC Analyst
☐	Incident severity classified (SEV 1–4) using classification matrix	SOC Lead
☐	Incident ticket opened in tracking system with initial details	SOC Analyst
☐	Incident Commander notified and activated	SOC Lead
☐	Affected systems, users, and data identified — initial scope documented	IR Lead
☐	Attack vector and timeline established	IR Lead / Forensics
☐	Out-of-band communications channel established	IC / Comms Lead
Containment
☐	Volatile memory (RAM) captured before any system changes	Forensics
☐	Affected systems isolated from network (document method and time)	IT / IR Lead
☐	Malicious IPs, domains, and file hashes blocked at all perimeter controls	IT / IR Lead
☐	Compromised credentials disabled / reset	IT / IAM Team
☐	Backup systems verified unaffected and taken offline for protection	IT Lead
☐	Business stakeholders notified of system outages — ETR communicated	IC / Comms Lead
Notifications
☐	CISO and executive leadership notified per severity matrix	IC
☐	Legal Counsel engaged	IC
☐	Cyber insurance provider notified (within 24 hours)	Legal / Risk
☐	Regulatory notification assessment completed by Legal	Legal Counsel
☐	Law enforcement notification decision made (document rationale)	Legal / CISO
Eradication
☐	All malware, backdoors, and persistence mechanisms identified and removed	IR Lead / Forensics
☐	Root vulnerability patched or mitigated on all affected systems	IT Security
☐	ALL credentials reset — including service accounts and application credentials	IT / IAM Team
☐	Threat hunt completed — no residual attacker presence confirmed	IR Lead
Recovery
☐	Backup integrity verified — restoration source confirmed clean	IT Lead
☐	Systems restored in dependency order — identity first, then critical apps	IT Lead
☐	Each restored system validated before network reconnection	IR Lead / IT
☐	Enhanced monitoring deployed on all restored systems	IT Security / SOC
☐	Business stakeholders sign off on each restored system	Business Unit Leads
☐	Incident officially closed and documented in tracking system	IC
Post-Incident
☐	After-Action Review conducted within 72 hours of closure	IR Program Owner
☐	AAR report written and distributed within 7 days	IR Program Owner
☐	Improvement actions entered into tracking system with owners and deadlines	IR Program Owner
☐	IR Plan and relevant playbooks updated within 30 days	IR Program Owner
☐	IoCs extracted and operationalized in SIEM and threat intel platform	SOC / Threat Intel

Emergency Contact Directory Template

Maintain this directory in both encrypted digital form and printed hard copy. Review and update quarterly. Hard copy must be stored in a location accessible if primary systems are offline.

Role / Organization	Name	Primary Phone	Alternate Phone
Incident Commander
CISO
CEO / Executive Sponsor
Legal Counsel (Internal)
External Legal Counsel (IR)
External IR Firm (Retainer)
Cyber Insurance — Incident Hotline
IT Operations Lead
Communications Lead
HR Lead
FBI Cyber Division — 24/7	N/A	1-855-292-3937	tips.fbi.gov
CISA 24/7 Hotline	N/A	1-888-282-0870	report@cisa.dhs.gov
US-CERT (Infrastructure)	N/A	1-888-282-0870	soc@us-cert.gov
IC3 (Internet Crime)	N/A	N/A	ic3.gov

Recommended Resources & Training

NIST SP 800-61 Rev 2 — Computer Security Incident Handling Guide (free at csrc.nist.gov)
SANS ICS515 — ICS Active Defense and Incident Response (for operational technology environments)
CISA Ransomware Response Checklist — cisa.gov/stopransomware
MITRE ATT&CK Framework — attack.mitre.org (adversary TTPs knowledge base)
GIAC Certified Incident Handler (GCIH) — recommended certification for IR team members
GIAC Certified Forensic Analyst (GCFA) — recommended for forensics team members
Magnet Forensics Free Tools — magnetforensics.com/free-tools
Volatility Foundation — volatilityfoundation.org (open-source memory forensics framework)
ID Ransomware — id-ransomware.malwarehunterteam.com (identify ransomware family from ransom note)
Mandiant / Google Threat Intelligence — mandiant.com (threat actor profiles and IR guidance)