# Incident Response Playbook
A field-tested incident response framework that transforms chaotic security incidents into structured, repeatable processes. This playbook covers the full IR lifecycle — from detection through containment, eradication, recovery, and post-mortem — with specific procedures for ransomware, phishing, insider threats, DDoS, and data breaches. Includes communication templates, forensic evidence checklists, severity classification matrices, and executive briefing formats that work under real pressure.
## Key Features
- Attack-Specific Runbooks — Step-by-step procedures for ransomware, phishing/BEC, SQL injection, credential stuffing, insider threat, DDoS, and supply chain compromise.
- Severity Classification Matrix — Four-tier system (SEV-1 through SEV-4) with escalation triggers, SLAs, and staffing.
- Communication Templates — Pre-drafted messages for executives, legal, customers, regulators, and media.
- Forensic Evidence Checklist — Chain-of-custody procedures, volatile data collection order, and log preservation.
- Post-Mortem Framework — Blameless retrospective template with 5 Whys and action item tracking.
- Automated Triage Scripts — Python scripts for IOC collection and network connection analysis.
## Quick Start

```bash
# Extract the playbook
unzip incident-response-playbook.zip
cd incident-response-playbook/

# Run the initial triage script on a potentially compromised host
python3 scripts/triage_collector.py --host 10.0.1.50 --output triage_report.json

# Generate a blank incident ticket
python3 scripts/incident_ticket.py --severity SEV-2 --type ransomware --lead "YOUR_NAME"
```
## Triage Collector Script

```python
import subprocess
import json
import time
import socket
import logging
from pathlib import Path
from typing import Any

logger = logging.getLogger(__name__)


class TriageCollector:
    """Collect volatile forensic data from a target system."""

    # Order of volatility: network state and process lists change fastest, so they
    # are captured first. collect_all() skips any entry without a matching
    # _collect_<name> method, so the last two are placeholders in this excerpt.
    COLLECTION_ORDER = ["network_connections", "running_processes", "logged_in_users", "scheduled_tasks"]

    def __init__(self, output_dir: str = "./triage_output"):
        self.output_dir = Path(output_dir)
        self.output_dir.mkdir(parents=True, exist_ok=True)
        self.hostname = socket.gethostname()
        # Local time; use time.gmtime() here if you need UTC timestamps on evidence.
        self.collection_time = time.strftime("%Y%m%d_%H%M%S")

    def collect_all(self) -> dict[str, Any]:
        """Collect all volatile data in forensic priority order."""
        results: dict[str, Any] = {"hostname": self.hostname, "collection_time": self.collection_time, "artifacts": {}}
        for artifact in self.COLLECTION_ORDER:
            collector = getattr(self, f"_collect_{artifact}", None)
            if collector:
                try:
                    results["artifacts"][artifact] = collector()
                except Exception as e:
                    # Record the failure and keep going; partial triage data is still useful.
                    logger.warning("collector %s failed: %s", artifact, e)
                    results["artifacts"][artifact] = {"error": str(e)}
        output_file = self.output_dir / f"triage_{self.hostname}_{self.collection_time}.json"
        output_file.write_text(json.dumps(results, indent=2))
        return results

    def _collect_network_connections(self) -> list[str]:
        # ss -tunap: TCP and UDP sockets, numeric addresses, all states, owning process
        result = subprocess.run(["ss", "-tunap"], capture_output=True, text=True, timeout=30)
        return result.stdout.strip().splitlines()

    def _collect_running_processes(self) -> list[str]:
        # ps auxww: every process with full, unwrapped command lines
        result = subprocess.run(["ps", "auxww"], capture_output=True, text=True, timeout=30)
        return result.stdout.strip().splitlines()
```
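The raw `ss -tunap` lines the collector stores are only useful once parsed. The block below is an added example, not one of the playbook's scripts: it parses that output into records and lists established sessions whose peer lies outside a set of internal address ranges, which is the first thing to review on a suspected compromised host. The internal ranges, the sample output and the function names are this example's own assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Address ranges treated as "internal" in this example (assumption: a 10/8 corporate
# network plus loopback). Adjust to your own address plan.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.0/8", "::1/128")]

# Matches the process part of an ss -p column, e.g. users:(("sshd",pid=1234,fd=4))
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


@dataclass
class Connection:
    proto: str
    state: str
    local_addr: str
    local_port: str
    peer_addr: str
    peer_port: str
    process: Optional[str]
    pid: Optional[int]


def _split_endpoint(endpoint: str) -> tuple[str, str]:
    """Split 'addr:port' on the last colon; handles '[::1]:323' and '0.0.0.0:*'."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), port


def parse_ss_output(lines: list[str]) -> list[Connection]:
    """Parse the lines that `ss -tunap` prints into Connection records."""
    conns: list[Connection] = []
    for line in lines:
        parts = line.split(None, 6)          # at most 7 columns; the Process column may contain spaces
        if len(parts) < 6 or parts[0] == "Netid":
            continue                         # header or malformed line
        proto, state, _recv_q, _send_q, local, peer = parts[:6]
        match = PROC_RE.search(parts[6]) if len(parts) > 6 else None
        local_addr, local_port = _split_endpoint(local)
        peer_addr, peer_port = _split_endpoint(peer)
        conns.append(Connection(
            proto, state, local_addr, local_port, peer_addr, peer_port,
            match.group(1) if match else None,
            int(match.group(2)) if match else None,
        ))
    return conns


def is_internal(addr: str) -> bool:
    """True if addr falls inside INTERNAL_NETWORKS; non-addresses such as '*' count as internal."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True
    return any(ip in net for net in INTERNAL_NETWORKS)


def external_established(conns: list[Connection]) -> list[Connection]:
    """Established sessions whose peer is outside the internal ranges."""
    return [c for c in conns if c.state == "ESTAB" and not is_internal(c.peer_addr)]


# Constructed sample in the format `ss -tunap` produces (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
tcp   ESTAB  0      0      10.0.1.50:22        10.0.1.7:51234     users:(("sshd",pid=1234,fd=4))
tcp   ESTAB  0      0      10.0.1.50:49152     203.0.113.9:4444   users:(("bash",pid=2345,fd=3))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=900,fd=3))
udp   UNCONN 0      0      [::1]:323           [::]:*
tcp   ESTAB  0      0      10.0.1.50:443       10.0.1.9:60001     users:(("nginx",pid=777,fd=12))
""".splitlines()

if __name__ == "__main__":
    for c in external_established(parse_ss_output(SAMPLE_SS_OUTPUT)):
        print(f"[review] {c.proto} {c.local_addr}:{c.local_port} -> {c.peer_addr}:{c.peer_port} "
              f"process={c.process} pid={c.pid}")
```

On the constructed sample only the `bash` session to 203.0.113.9:4444 is reported; the SSH and nginx sessions stay inside 10/8 and the listeners have no peer. Feed it the `network_connections` list from a triage JSON file to run it over real collector output.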
## Architecture / How It Works

```
┌──────────────────────────────────────────────────────────┐
│                    INCIDENT LIFECYCLE                    │
│                                                          │
│  Detection ──► Triage ──► Containment ──► Eradication    │
│      │           │             │               │         │
│      ▼           ▼             ▼               ▼         │
│  Alert Rules Severity      Isolation      Root Cause     │
│  SIEM/IDS     Matrix       Playbooks      Analysis       │
│                                                          │
│  Recovery ──► Post-Mortem ──► Improvement                │
│      │             │               │                     │
│      ▼             ▼               ▼                     │
│  Restoration    5-Whys          Backlog                  │
│  Validation    Timeline         Updates                  │
└──────────────────────────────────────────────────────────┘
```
## Usage Examples

### Severity Classification

```yaml
severity_matrix:
  SEV-1:
    description: "Critical — active data exfiltration or ransomware spreading"
    response_time: "15 minutes"
    war_room: true
    executive_notification: true
    examples: ["Active ransomware", "Confirmed PII breach", "Attack-caused outage"]
  SEV-2:
    description: "High — confirmed compromise, contained but not eradicated"
    response_time: "1 hour"
    war_room: true
    examples: ["Compromised admin creds", "Contained malware", "Successful phishing"]
  SEV-3:
    description: "Medium — suspicious activity requiring investigation"
    response_time: "4 hours"
    war_room: false
    examples: ["Unusual outbound traffic", "Brute-force attempts"]
  SEV-4:
    description: "Low — policy violation or security hygiene issue"
    response_time: "Next business day"
    examples: ["Expired SSL cert", "Unauthorized software"]
```
### Executive Communication Template

```python
from string import Template

EXECUTIVE_BRIEF = Template("""
SECURITY INCIDENT BRIEFING — $severity
Incident ID: $incident_id | Status: $status | Time: $timestamp
WHAT HAPPENED: $what_happened
IMPACT: Systems: $systems_affected | Data at risk: $data_at_risk
CURRENT ACTIONS: $current_actions
NEXT UPDATE: $next_update_time | Commander: $incident_commander
""")
```
## Configuration

| Parameter | Default | Description |
|---|---|---|
| escalation.sev1_notify | ["ciso", "cto", "legal"] | Who gets SEV-1 alerts |
| escalation.sev2_notify | ["security_lead"] | Who gets SEV-2 alerts |
| triage.auto_isolate_sev1 | true | Auto-quarantine on SEV-1 |
| forensics.preserve_days | 90 | Days to retain forensic evidence |
| postmortem.deadline_days | 5 | Days after resolution to complete retrospective |
| communication.legal_review | true | Require legal sign-off on external comms |
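The severity matrix and the escalation settings are meant to be used together: the tier fixes the response deadline and war-room decision, the configuration fixes who is paged. The block below is an added example, not code shipped with the playbook. It classifies an incident from observed conditions drawn from the matrix's example lists, computes the response deadline from response_time, and looks up the notify list from the escalation.*_notify defaults. The observation tag names, the reading of "Next business day" as 24 hours, and the function names are this example's own assumptions.

```python
from datetime import datetime, timedelta, timezone
from typing import Any, Optional

# Tiers transcribed from the playbook's severity_matrix. response_time is turned into a
# timedelta; "Next business day" (SEV-4) is approximated as 24 hours here (assumption).
SEVERITY_MATRIX: dict[str, dict[str, Any]] = {
    "SEV-1": {"response": timedelta(minutes=15), "war_room": True, "executive_notification": True},
    "SEV-2": {"response": timedelta(hours=1), "war_room": True, "executive_notification": False},
    "SEV-3": {"response": timedelta(hours=4), "war_room": False, "executive_notification": False},
    "SEV-4": {"response": timedelta(hours=24), "war_room": False, "executive_notification": False},
}

# Observation tags derived from the matrix's "examples" lists; the tag names are this
# example's own convention, not something the playbook defines.
TIER_TRIGGERS = {
    "SEV-1": {"active_ransomware", "confirmed_pii_breach", "attack_caused_outage"},
    "SEV-2": {"compromised_admin_creds", "contained_malware", "successful_phishing"},
    "SEV-3": {"unusual_outbound_traffic", "brute_force_attempts"},
    "SEV-4": {"expired_cert", "unauthorized_software"},
}

# Defaults copied from the Configuration table.
CONFIG: dict[str, Any] = {
    "escalation.sev1_notify": ["ciso", "cto", "legal"],
    "escalation.sev2_notify": ["security_lead"],
    "triage.auto_isolate_sev1": True,
    "forensics.preserve_days": 90,
    "postmortem.deadline_days": 5,
    "communication.legal_review": True,
}


def classify(observations: set[str]) -> Optional[str]:
    """Return the most severe tier any observation triggers (None if nothing matches)."""
    for tier in ("SEV-1", "SEV-2", "SEV-3", "SEV-4"):   # most to least severe
        if observations & TIER_TRIGGERS[tier]:
            return tier
    return None


def notify_list(severity: str, config: dict[str, Any] = CONFIG) -> list[str]:
    """Look up escalation.<sevN>_notify; tiers without an entry page nobody automatically."""
    key = f"escalation.{severity.lower().replace('-', '')}_notify"
    return list(config.get(key, []))


def plan_response(severity: str, detected_at: datetime, now: datetime,
                  config: dict[str, Any] = CONFIG) -> dict[str, Any]:
    """Compute deadline, SLA status and escalation actions for one incident."""
    tier = SEVERITY_MATRIX[severity]
    respond_by = detected_at + tier["response"]
    return {
        "severity": severity,
        "respond_by": respond_by,
        "sla_breached": now > respond_by,
        "minutes_remaining": (respond_by - now).total_seconds() / 60,
        "war_room": tier["war_room"],
        "executive_notification": tier["executive_notification"],
        "notify": notify_list(severity, config),
        "auto_isolate": severity == "SEV-1" and bool(config.get("triage.auto_isolate_sev1")),
        "legal_review_required": bool(config.get("communication.legal_review")),
        "postmortem_due_days": config.get("postmortem.deadline_days"),
    }


if __name__ == "__main__":
    detected = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)   # constructed timestamp
    sev = classify({"brute_force_attempts", "compromised_admin_creds"})
    plan = plan_response(sev, detected, detected + timedelta(minutes=75))
    for key, value in plan.items():
        print(f"{key:>24}: {value}")
```

Note that `classify` takes the highest tier that matches, so brute-force attempts alone are SEV-3 but the same incident becomes SEV-2 as soon as compromised admin credentials are confirmed; re-run it whenever new findings arrive so the deadline and notify list move with the incident.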
## Best Practices
- Practice before you need it — Run tabletop exercises quarterly. An untested playbook is just a document.
- Collect volatile data first — Memory, network connections, running processes. Disk can wait; RAM cannot.
- Preserve the chain of custody — Hash all evidence files immediately. Document who touched what and when.
- Communicate early, update often — Silence during an incident breeds panic. Even "no new information" is an update.
- Never blame in post-mortems — Focus on system failures and process gaps, not individual mistakes.
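The chain-of-custody practice above (hash immediately, document who touched what and when) as working code, added here as an example rather than taken from the playbook. Each handling step is appended to a JSON-lines log with the file's SHA-256, size, handler and UTC timestamp, and a verify step recomputes the hash against the one recorded at collection time, which is the check behind the "Forensic hashes don't match" troubleshooting entry. File names, handler names and the log layout are this example's own assumptions.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Any


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_custody(evidence: Path, handler: str, action: str, log_path: Path, note: str = "") -> dict[str, Any]:
    """Append one chain-of-custody entry (who, when, what, hash) as a JSON line."""
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "evidence": str(evidence),
        "size_bytes": os.path.getsize(evidence),
        "sha256": sha256_file(evidence),
        "handler": handler,
        "action": action,
        "note": note,
    }
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def custody_chain(evidence: Path, log_path: Path) -> list[dict[str, Any]]:
    """All log entries for one evidence file, in the order they were written."""
    if not log_path.exists():
        return []
    with open(log_path, encoding="utf-8") as fh:
        entries = [json.loads(line) for line in fh if line.strip()]
    return [e for e in entries if e["evidence"] == str(evidence)]


def verify_evidence(evidence: Path, log_path: Path) -> dict[str, Any]:
    """Recompute the hash and compare it with the hash recorded at collection time."""
    chain = custody_chain(evidence, log_path)
    if not chain:
        return {"ok": False, "reason": "no custody record", "entries": 0}
    expected = chain[0]["sha256"]          # first entry = hash taken at collection
    actual = sha256_file(evidence)
    return {"ok": expected == actual, "expected": expected, "actual": actual, "entries": len(chain)}


def demo() -> dict[str, Any]:
    """Collect a constructed artifact, hand it over, then modify it and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp) / "triage_host01.json"
        log_path = Path(tmp) / "custody.jsonl"
        evidence.write_text('{"hostname": "host01", "artifacts": {}}\n')   # constructed evidence file
        record_custody(evidence, "analyst_a", "collected", log_path, "initial triage export")
        record_custody(evidence, "analyst_b", "received", log_path, "handed over for analysis")
        before = verify_evidence(evidence, log_path)
        with open(evidence, "a", encoding="utf-8") as fh:   # simulated post-collection modification
            fh.write("edited after collection\n")
        after = verify_evidence(evidence, log_path)
        return {"before": before, "after": after}


if __name__ == "__main__":
    result = demo()
    print("after collection:", "OK" if result["before"]["ok"] else "MISMATCH")
    print("after modification:", "OK" if result["after"]["ok"] else "MISMATCH")
```

Because every handover re-hashes the file, the log itself shows at which step a mismatch first appeared, which is exactly the question the troubleshooting table's "re-collect from original source" fix depends on.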
## Troubleshooting
| Problem | Cause | Fix |
|---|---|---|
| Triage script hangs on remote host | SSH timeout or firewall blocking | Use --timeout 30 flag; verify network path to target |
| Forensic hashes don't match | Evidence file was modified after collection | Re-collect from original source; use write-blockers for disk images |
| Stakeholders not receiving alerts | Notification config points to wrong channel | Verify escalation.*_notify entries match your alerting system IDs |
| Post-mortem action items never completed | No owner or deadline assigned | Use the built-in tracker with assignee and due date fields |
This is 1 of 9 resources in the Security Engineer Pro toolkit. Get the complete [Incident Response Playbook] with all files, templates, and documentation for $39.
Or grab the entire Security Engineer Pro bundle (9 products) for $119 — save 30%.