
🚨 Security Incident Response Plan

📞 Contact Tree

Severity: CRITICAL
├─ Notify: CTO (immediate call)
├─ Assemble: Security team + Engineering lead
├─ Escalate: Legal team + PR team
└─ Timeline: < 1 hour

Severity: HIGH
├─ Notify: Engineering lead + Security lead
├─ Assemble: Core security team
└─ Timeline: < 4 hours

Severity: MEDIUM
├─ Notify: Security lead
├─ Assemble: Relevant team members
└─ Timeline: < 24 hours

Severity: LOW
├─ Notify: Via ticket system
├─ Assign: Team member
└─ Timeline: Next business day

🔴 Severity Classification

CRITICAL

  • Active data breach with confirmed exfiltration
  • Ransomware/malware in production
  • Certificate compromise (private key stolen)
  • Authentication system compromised
  • Remote code execution vulnerability actively exploited
  • Mass user account compromise

HIGH

  • Unpatched critical vulnerability (CVSS >= 9.0)
  • Unauthorized access to sensitive systems
  • Insider threat detected
  • DDoS attack impacting service
  • Source code leak
  • Single user account compromise with privileges

MEDIUM

  • Unpatched high vulnerability (CVSS 7.0-8.9)
  • Failed intrusion attempt (blocked)
  • Suspicious activity detected
  • Minor data exposure (non-sensitive)
  • Credential stuffing attempt
  • Malware detected but contained

LOW

  • Unpatched medium vulnerability (CVSS < 7.0)
  • Security misconfiguration
  • Policy violation
  • Security tool alert (false positive confirmed)
  • Expired certificate (non-production)
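
The contact tree and the severity table above are the decisions a responder has to make under time pressure, so it helps to have them encoded. The following is an added example, not code from the original plan: it maps indicator names (this example's own labels for the bullet points above) and a CVSS score to a severity, then derives who to page and when the containment window expires. The 09:00 UTC Monday-to-Friday business day used for LOW incidents is an assumption.

```python
"""Severity classification and contact-tree deadlines (added example, not part of the plan)."""
from datetime import datetime, timedelta, timezone

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW")  # ordered from most to least severe

# Indicator names are this example's labels for the Severity Classification bullets.
INDICATORS = {
    "CRITICAL": {"confirmed_exfiltration", "malware_in_production", "private_key_stolen",
                 "auth_system_compromised", "rce_actively_exploited", "mass_account_compromise"},
    "HIGH": {"unauthorized_access_sensitive", "insider_threat", "ddos_impacting_service",
             "source_code_leak", "privileged_account_compromise"},
    "MEDIUM": {"blocked_intrusion_attempt", "suspicious_activity", "minor_data_exposure",
               "credential_stuffing", "malware_contained"},
    "LOW": {"security_misconfiguration", "policy_violation", "confirmed_false_positive",
            "expired_cert_nonproduction"},
}

# Contact tree: who is paged and the containment timeline; None means "next business day".
CONTACT_TREE = {
    "CRITICAL": {"notify": ["CTO (immediate call)"],
                 "assemble": ["Security team", "Engineering lead"],
                 "escalate": ["Legal team", "PR team"],
                 "timeline": timedelta(hours=1)},
    "HIGH": {"notify": ["Engineering lead", "Security lead"],
             "assemble": ["Core security team"], "escalate": [],
             "timeline": timedelta(hours=4)},
    "MEDIUM": {"notify": ["Security lead"], "assemble": ["Relevant team members"],
               "escalate": [], "timeline": timedelta(hours=24)},
    "LOW": {"notify": ["Ticket system"], "assemble": ["Assigned team member"],
            "escalate": [], "timeline": None},
}

BUSINESS_DAY_START_HOUR = 9  # assumption: business day starts 09:00 UTC, Monday to Friday


def cvss_severity(score):
    """Map an unpatched vulnerability's CVSS score to the plan's severity bands."""
    if score >= 9.0:
        return "HIGH"
    if score >= 7.0:
        return "MEDIUM"
    return "LOW"


def classify(indicators, cvss=None):
    """Return the highest severity that any indicator (or the CVSS score) reaches."""
    unknown = set(indicators) - set().union(*INDICATORS.values())
    if unknown:
        raise ValueError(f"unknown indicators: {sorted(unknown)}")
    candidates = [sev for sev in SEVERITIES if INDICATORS[sev] & set(indicators)]
    if cvss is not None:
        candidates.append(cvss_severity(cvss))
    if not candidates:
        raise ValueError("no indicators given")
    return min(candidates, key=SEVERITIES.index)  # smallest index = most severe


def next_business_day_start(when):
    """First weekday at BUSINESS_DAY_START_HOUR on a day strictly after `when`."""
    candidate = when.replace(hour=BUSINESS_DAY_START_HOUR, minute=0, second=0, microsecond=0)
    candidate += timedelta(days=1)
    while candidate.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        candidate += timedelta(days=1)
    return candidate


def containment_deadline(severity, discovered_at):
    """When the contact-tree timeline for `severity` expires."""
    window = CONTACT_TREE[severity]["timeline"]
    if window is None:
        return next_business_day_start(discovered_at)
    return discovered_at + window


def triage(indicators, discovered_at, cvss=None):
    """Classify an incident and produce the page-out list plus the deadline."""
    severity = classify(indicators, cvss)
    tree = CONTACT_TREE[severity]
    return {"severity": severity, "notify": tree["notify"], "assemble": tree["assemble"],
            "escalate": tree["escalate"], "deadline": containment_deadline(severity, discovered_at)}


if __name__ == "__main__":
    found = datetime(2024, 1, 1, 10, 30, tzinfo=timezone.utc)  # constructed discovery time
    print(triage({"credential_stuffing"}, found, cvss=9.8))    # CVSS 9.8 lifts it to HIGH
    print(triage({"security_misconfiguration"}, found))        # LOW: next business day
```

Note that `classify` takes the most severe band any single indicator reaches, so a LOW misconfiguration discovered alongside confirmed exfiltration still pages the CTO; a CVSS score is folded in the same way rather than being treated separately.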

🔄 Response Steps

Phase 1: Contain (Hour 0)

Immediate Actions (within 15 minutes):
- [ ] Activate incident response team
- [ ] Start incident log (all actions timestamped)
- [ ] Preserve evidence (logs, memory dumps, network captures)
- [ ] Isolate affected systems (network segmentation)
- [ ] Take snapshots for forensics

Within 1 Hour:
- [ ] Identify scope of compromise
- [ ] Revoke compromised credentials
- [ ] Block attack vectors (firewall rules, WAF rules)
- [ ] Enable additional logging/monitoring
- [ ] Establish communication channel for team

# Isolate server: allow the internal forensics network first, then drop everything else.
# iptables matches rules in order, so an ACCEPT appended after a DROP would never fire,
# and a blanket INPUT DROP would also cut off the session doing the forensics.
sudo iptables -I INPUT 1 -s 10.0.0.0/8 -j ACCEPT    # Allow internal forensics access
sudo iptables -I OUTPUT 1 -d 10.0.0.0/8 -j ACCEPT
sudo iptables -A INPUT -j DROP
sudo iptables -A OUTPUT -j DROP

# Snapshot for forensics (copy-on-write LVM snapshot; the size must hold all
# changes made to the origin volume while the snapshot exists, 10G is a placeholder)
sudo lvcreate --snapshot --name root_snapshot --size 10G /dev/vg0/root

# Collect volatile data (processes and sockets survive the isolation above until they time out)
sudo mkdir -p /forensics
ps auxf > /forensics/processes.txt
ss -anp > /forensics/connections.txt      # netstat -anp on older systems
cat /proc/meminfo > /forensics/meminfo.txt

Phase 2: Assess (Hour 1-4)

Scope Assessment:
- [ ] What systems are affected?
- [ ] What data was accessed?
- [ ] How did attackers gain access?
- [ ] When did the breach occur? (timeline)
- [ ] Are attackers still present?
- [ ] What is the attack objective?

Data Impact Analysis:
- [ ] User data compromised? (Count, PII fields)
- [ ] Financial data compromised?
- [ ] Intellectual property accessed?
- [ ] Authentication tokens stolen?
- [ ] Customer audio files accessed?

Technical Analysis:

# Check for persistence mechanisms (cron, services and systemd timers)
crontab -l
cat /etc/crontab
ls -la /etc/cron.*
systemctl list-units --type=service
systemctl list-timers --all

# Check for backdoors (recently changed shared objects, listening and connected sockets)
find / -name "*.so" -mtime -7 2>/dev/null
lsof -i
ss -antp                 # netstat -antp on older systems

# Check for unusual processes (kernel threads are shown in brackets; hide them)
ps auxf | grep -vE '\[[^]]+\]$' | less

# Check file modifications
find /var/www -mtime -1 -ls
find /etc -mtime -1 -ls

# Check logs
zgrep -i "failed\|error\|alert" /var/log/syslog*
grep -i "invalid user" /var/log/auth.log
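
The `grep` over auth.log above tells you that invalid-user attempts exist; the next question is which sources were responsible and whether any of them eventually got in. The following is an added example, not code from the original plan: it parses sshd lines from auth.log per source IP, counts failures and guessed usernames, and flags a source that succeeded after repeated failures (an account to revoke and rotate) separately from one that was only blocked (the plan's MEDIUM "credential stuffing attempt"). The log lines are constructed sample data using documentation IP ranges, and the default failure threshold of 3 is an assumption.

```python
"""Triage of sshd auth.log lines for the Technical Analysis step (added example)."""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$")
FAILED_RE = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
INVALID_RE = re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")

# Constructed sample lines (TEST-NET documentation ranges); not real log data.
SAMPLE_AUTH_LOG = """\
Jan  1 10:28:01 web01 sshd[2201]: Invalid user admin from 203.0.113.7 port 51234
Jan  1 10:28:03 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan  1 10:28:05 web01 sshd[2203]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jan  1 10:28:06 web01 sshd[2205]: Invalid user oracle from 203.0.113.7 port 51238
Jan  1 10:28:06 web01 sshd[2205]: Failed password for invalid user oracle from 203.0.113.7 port 51238 ssh2
Jan  1 10:28:09 web01 sshd[2207]: Accepted password for deploy from 203.0.113.7 port 51240 ssh2
Jan  1 10:29:10 web01 sshd[2210]: Accepted publickey for alice from 10.0.0.5 port 40000 ssh2
Jan  1 10:31:44 web01 sshd[2215]: Failed password for root from 198.51.100.9 port 6000 ssh2
Jan  1 10:31:50 web01 sshd[2216]: Failed password for root from 198.51.100.9 port 6002 ssh2
"""


def summarize(lines):
    """Per-source-IP counts of failed logins, usernames tried and successful logins."""
    per_ip = defaultdict(lambda: {"failed": 0, "users_tried": set(), "accepted": [],
                                  "first_seen": None, "last_seen": None})
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not an sshd line; other daemons are out of scope here
        msg = m.group("msg")
        if (f := FAILED_RE.match(msg)):
            ip = f.group("ip")
            per_ip[ip]["failed"] += 1
            per_ip[ip]["users_tried"].add(f.group("user"))
        elif (i := INVALID_RE.match(msg)):
            ip = i.group("ip")
            per_ip[ip]["users_tried"].add(i.group("user"))
        elif (a := ACCEPTED_RE.match(msg)):
            ip = a.group("ip")
            per_ip[ip]["accepted"].append((a.group("user"), a.group("method")))
        else:
            continue
        entry = per_ip[ip]
        entry["first_seen"] = entry["first_seen"] or m.group("ts")
        entry["last_seen"] = m.group("ts")
    return dict(per_ip)


def findings(summary, failure_threshold=3):
    """Turn the per-IP summary into triage findings mapped to the plan's severity bands."""
    out = []
    for ip, s in sorted(summary.items()):
        if s["failed"] < failure_threshold:
            continue
        if s["accepted"]:
            who = ", ".join(user for user, _ in s["accepted"])
            out.append((ip, "HIGH", f"{s['failed']} failures then successful login as {who}: "
                                    "treat as account compromise, revoke sessions and rotate credentials"))
        else:
            out.append((ip, "MEDIUM", f"{s['failed']} failures across {len(s['users_tried'])} usernames, "
                                      "none succeeded: credential stuffing attempt (blocked)"))
    return out


if __name__ == "__main__":
    for ip, severity, why in findings(summarize(SAMPLE_AUTH_LOG.splitlines())):
        print(f"{severity:8} {ip:16} {why}")
```

In the sample, 203.0.113.7 fails three times and then logs in as `deploy`, which is the finding that changes the incident's severity; 198.51.100.9 stays below the threshold with the default setting and only appears when the threshold is lowered to 2.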

Notification Assessment:
- [ ] Legal notification required? (data breach laws)
- [ ] Regulatory notification required? (GDPR, CCPA)
- [ ] User notification required?
- [ ] Timeline for notifications (varies by jurisdiction)

Phase 3: Communicate (Hour 4-24)

Internal Stakeholders:
- [ ] Executive team briefing (facts, not speculation)
- [ ] Engineering team update (technical details)
- [ ] Customer support prep (FAQs, talking points)
- [ ] Legal team involvement
- [ ] PR team prepared

External Communication (if required):
- [ ] Affected users (email template below)
- [ ] Regulatory authorities (GDPR: 72 hours)
- [ ] Law enforcement (FBI, IC3)
- [ ] Security community (responsible disclosure)
- [ ] Press (if public interest)

Communication Principles:
- Transparency without speculation
- Facts only, no attribution until confirmed
- Timeline of events
- Actions taken
- User actions required
- Support contact information

Phase 4: Remediate (Day 1-7)

Short-term (24-48 hours):
- [ ] Patch vulnerability
- [ ] Reset all affected credentials
- [ ] Review and update access controls
- [ ] Deploy additional monitoring
- [ ] Emergency release (if needed)
- [ ] Verify containment

Medium-term (Week 1):
- [ ] Full system audit
- [ ] Review all code changes (backdoors?)
- [ ] Update security policies
- [ ] Additional security controls
- [ ] Third-party security assessment
- [ ] User re-authentication

Long-term (Week 2+):
- [ ] Architecture changes
- [ ] Process improvements
- [ ] Training for team
- [ ] Update incident response plan
- [ ] Implement preventive controls

# Emergency patching (run from the repository root; the build tree is ./build)
git pull
cmake -S . -B build -DSECURITY_HARDENING=ON
cmake --build build -j"$(nproc)"
(cd build && ctest)
sudo systemctl stop audioservice
sudo cp build/audioservice /usr/local/bin/
sudo systemctl start audioservice

# Rotate all secrets
./scripts/rotate_all_secrets.sh
./scripts/invalidate_all_sessions.sh

# Deploy new certificates
./scripts/deploy_new_certs.sh

Phase 5: Post-Mortem (Week 1-2)

Root Cause Analysis:
- [ ] How did the incident occur? (technical details)
- [ ] Why was it not detected earlier?
- [ ] Why did existing controls fail?
- [ ] Timeline of events (minute-by-minute)
- [ ] Cost of incident (time, money, reputation)

Lessons Learned:
- [ ] What went well?
- [ ] What went poorly?
- [ ] What would we do differently?
- [ ] What signals did we miss?

Action Items:
- [ ] Process improvements
- [ ] Technical improvements
- [ ] Training needs
- [ ] Tool acquisitions
- [ ] Policy updates

Report Distribution:
- Internal team (full details)
- Executive team (summary)
- Board (if significant)
- Regulatory (if required)
- Users (summary, if breach)

📋 Communication Templates

Internal Alert Template

Subject: SECURITY INCIDENT - [Severity Level] - [Brief Description]

Incident ID: INC-YYYY-MM-DD-001
Severity: [CRITICAL/HIGH/MEDIUM/LOW]
Status: [Investigating/Contained/Resolved]
Discovered: [Timestamp]
Reported by: [Name/System]

SUMMARY:
[Brief description of what happened]

IMPACT:
- Systems affected: [List]
- Data affected: [Type and approximate count]
- Service impact: [Outage/degradation/none]
- User impact: [Count/percentage]

CURRENT STATUS:
- Contained: [Yes/No]
- Root cause identified: [Yes/No/In progress]
- Attackers still present: [Yes/No/Unknown]

ACTIONS TAKEN:
1. [Action with timestamp]
2. [Action with timestamp]
3. [Action with timestamp]

NEXT STEPS:
1. [Action and owner]
2. [Action and owner]

ETA FOR RESOLUTION:
[Best estimate]

INCIDENT COMMANDER:
[Name and contact]

Next update in: [Time]

External User Notification (Data Breach)

Subject: Important Security Notice - [Company Name]

Dear [User],

We are writing to inform you of a security incident that may have affected your account.

WHAT HAPPENED:
On [Date], we discovered that an unauthorized party gained access to [system/database]. We immediately took action to secure our systems and began an investigation.

YOUR INFORMATION:
Based on our investigation, the following information may have been accessed:
- [Data field 1]
- [Data field 2]
- [Data field 3]

[NOT accessed: passwords (encrypted), payment information, etc.]

WHAT WE'RE DOING:
- We have secured the vulnerability
- We are working with cybersecurity experts
- We have notified law enforcement
- We are implementing additional security measures

WHAT YOU SHOULD DO:
1. Change your password immediately: [Link]
2. Enable two-factor authentication: [Link]
3. Monitor your account for unusual activity
4. Be alert for phishing emails (we will never ask for your password)
5. Consider credit monitoring if financial data affected

We take the security of your information seriously and sincerely apologize for this incident.

For more information, please visit: [URL]

If you have questions, contact us:
- Email: security@audiolab.com
- Phone: [Number] (Mon-Fri 9am-5pm)

[Company Name] Security Team

Regulatory Notification (GDPR)

Subject: Personal Data Breach Notification - [Company Name]

To: [Data Protection Authority]
From: [Data Protection Officer]
Date: [Within 72 hours of discovery]

1. DESCRIPTION OF BREACH:
   - Date/time discovered: [Timestamp]
   - Nature of breach: [Description]
   - Type of data: [Categories]

2. DATA SUBJECTS AFFECTED:
   - Approximate number: [Count]
   - Categories: [Users, employees, etc.]

3. LIKELY CONSEQUENCES:
   [Risk assessment of impact on data subjects]

4. MEASURES TAKEN:
   - Immediate: [Actions]
   - Preventive: [Future measures]

5. DATA PROTECTION OFFICER CONTACT:
   Name: [Name]
   Email: [Email]
   Phone: [Phone]

[Detailed report attached]

🛠️ Incident Response Tools

Evidence Collection

#!/bin/bash
# Quick evidence collection script (run as root)
set -u

INCIDENT_ID="INC-$(date +%Y%m%d-%H%M%S)"
EVIDENCE_DIR="/forensics/${INCIDENT_ID}"

mkdir -p "${EVIDENCE_DIR}"
cd "${EVIDENCE_DIR}" || exit 1

# Network capture (run for 5 minutes), started first so it overlaps the collection below
timeout 300 tcpdump -i any -w network_capture.pcap &
TCPDUMP_PID=$!

# System state
uname -a > system_info.txt
uptime > uptime.txt
ps auxf > processes.txt
lsof > open_files.txt 2>/dev/null
ss -anp > network_connections.txt       # netstat -anp on older systems

# User activity
w > logged_in_users.txt
last -100 > recent_logins.txt
lastb > failed_logins.txt 2>/dev/null

# File changes (last 7 days)
find / -mtime -7 -type f > recent_file_changes.txt 2>/dev/null

# Logs
cp -r /var/log ./logs/

# Memory dump via the LiME kernel module, if it has been built for this kernel.
# LiME is loaded with insmod and writes the dump to the given path; the module
# location is site-specific (placeholder default).
LIME_MODULE="${LIME_MODULE:-/opt/lime/lime.ko}"
if [ -f "${LIME_MODULE}" ]; then
    insmod "${LIME_MODULE}" "path=${EVIDENCE_DIR}/memory_dump.lime format=lime"
    rmmod lime
fi

# Wait for the packet capture to finish so the archive contains the whole pcap
wait "${TCPDUMP_PID}"

# Create archive and record its hash for chain of custody
cd ..
tar czf "${INCIDENT_ID}.tar.gz" "${INCIDENT_ID}"
sha256sum "${INCIDENT_ID}.tar.gz" > "${INCIDENT_ID}.tar.gz.sha256"

echo "Evidence collected: ${EVIDENCE_DIR}"
echo "Archive: ${INCIDENT_ID}.tar.gz"

Automated Response Actions

#!/usr/bin/env python3
# Automated incident response actions
#
# The calls into the identity provider, WAF, firewall and secrets store are
# site-specific and are left as marked steps. What this class does guarantee is
# that every action is timestamped and recorded, so the incident log can be
# rebuilt from `actions` afterwards.

import logging
import datetime


class IncidentResponse:
    def __init__(self, incident_id):
        self.incident_id = incident_id
        self.log = logging.getLogger(__name__)
        self.actions = []  # (UTC timestamp, action, target) audit trail

    def _record(self, action, target):
        timestamp = datetime.datetime.now(datetime.timezone.utc).isoformat()
        self.actions.append((timestamp, action, target))
        self.log.info("[%s] %s %s", self.incident_id, action, target)

    def isolate_user(self, user_id):
        """Disable user account and invalidate sessions"""
        # Disable account in the identity provider (site-specific call)
        # Invalidate all sessions for user_id (site-specific call)
        self._record("isolate_user", user_id)

    def block_ip(self, ip_address):
        """Add IP to firewall blocklist"""
        # Add to WAF blocklist (site-specific call)
        # Add to firewall blocklist (site-specific call)
        self._record("block_ip", ip_address)

    def rotate_credentials(self, service):
        """Rotate service credentials"""
        # Generate new credentials
        # Update service config
        # Invalidate old credentials
        self._record("rotate_credentials", service)

    def enable_enhanced_logging(self):
        """Enable detailed logging"""
        # Increase log level and enable audit logging on affected services
        self._record("enable_enhanced_logging", "all services")


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    ir = IncidentResponse("INC-2024-01-01-001")
    ir.enable_enhanced_logging()
    ir.block_ip("203.0.113.7")  # constructed example address
    print(ir.actions)

📊 Incident Tracking

Incident Log Template

| Timestamp | Action | Actor | Result | Notes |
|---|---|---|---|---|
| 2024-01-01 10:30 | Incident detected | SIEM | Alert | Unusual login pattern |
| 2024-01-01 10:35 | Team assembled | Security Lead | Success | Core team on call |
| 2024-01-01 10:40 | System isolated | DevOps | Success | Network segmented |
| 2024-01-01 10:50 | Evidence collected | Security Analyst | Success | Logs preserved |

Metrics to Track

  • Detection Time: Time from incident to detection
  • Response Time: Time from detection to containment
  • Resolution Time: Time from detection to full resolution
  • Cost: Financial impact
  • User Impact: Number of users affected
  • Data Impact: Volume of data compromised
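
The metrics above fall out of the incident log if its milestones are named consistently. The following is an added example, not code from the original plan: it parses a log in the template's column order, derives detection, response and resolution time from the "Incident detected", "System isolated" and "Incident resolved" milestones, computes the Phase 3 GDPR 72-hour regulator deadline from the detection time, and reports entries that are out of chronological order (a sign the log was back-filled and the timeline needs rechecking). The log text and the compromise time are constructed sample data, and the milestone wording is an assumption that must match how the team writes the log.

```python
"""Incident metrics from a timestamped incident log (added example, not part of the plan)."""
from datetime import datetime, timedelta

# Constructed log in the template's column order: Timestamp | Action | Actor | Result | Notes
SAMPLE_INCIDENT_LOG = """\
2024-01-01 10:30 | Incident detected | SIEM | Alert | Unusual login pattern
2024-01-01 10:35 | Team assembled | Security Lead | Success | Core team on call
2024-01-01 10:40 | System isolated | DevOps | Success | Network segmented
2024-01-01 10:50 | Evidence collected | Security Analyst | Success | Logs preserved
2024-01-03 16:00 | Incident resolved | Incident Commander | Success | Patched, credentials rotated
"""

TS_FORMAT = "%Y-%m-%d %H:%M"

# Milestone wording that anchors the metrics (assumption: the team logs these exact actions).
MILESTONES = {"detected": "Incident detected", "contained": "System isolated",
              "resolved": "Incident resolved"}
GDPR_NOTIFICATION_WINDOW = timedelta(hours=72)  # Phase 3: regulator notified within 72h


def parse_log(text):
    """Parse pipe-separated log lines into dicts; blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        fields = [f.strip() for f in raw.split("|", 4)]
        if len(fields) != 5:
            raise ValueError(f"malformed log line: {raw!r}")
        ts, action, actor, result, notes = fields
        entries.append({"timestamp": datetime.strptime(ts, TS_FORMAT), "action": action,
                        "actor": actor, "result": result, "notes": notes})
    return entries


def first_timestamp(entries, action):
    """Timestamp of the first entry whose action matches, or None."""
    for e in entries:
        if e["action"] == action:
            return e["timestamp"]
    return None


def out_of_order(entries):
    """Actions whose timestamp is earlier than the entry logged before them."""
    return [b["action"] for a, b in zip(entries, entries[1:]) if b["timestamp"] < a["timestamp"]]


def incident_metrics(entries, compromise_time=None):
    """Compute the plan's time metrics; durations are None until the milestone is logged."""
    detected = first_timestamp(entries, MILESTONES["detected"])
    if detected is None:
        raise ValueError("log has no detection entry")
    contained = first_timestamp(entries, MILESTONES["contained"])
    resolved = first_timestamp(entries, MILESTONES["resolved"])
    return {
        "detection_time": detected - compromise_time if compromise_time else None,
        "response_time": contained - detected if contained else None,
        "resolution_time": resolved - detected if resolved else None,
        "gdpr_notification_deadline": detected + GDPR_NOTIFICATION_WINDOW,
        "out_of_order": out_of_order(entries),
    }


if __name__ == "__main__":
    log = parse_log(SAMPLE_INCIDENT_LOG)
    # Constructed: forensics dated the first malicious login to 08:05 on the day of detection.
    for name, value in incident_metrics(log, compromise_time=datetime(2024, 1, 1, 8, 5)).items():
        print(f"{name:28} {value}")
```

Detection time needs the compromise time established in Phase 2, which is why it is passed in separately rather than read from the log; cost, user impact and data impact are inputs from the assessment rather than something the log can compute.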

🔒 Access to Incident Data

  • Incident Commander: Full access
  • Security Team: Full access
  • Engineering Lead: Read access
  • Executive Team: Summary access
  • External Parties: Approved access only

📅 Regular Drills

  • Quarterly: Tabletop exercise
  • Annually: Full simulation
  • After major changes: Process validation

Plan Version: 1.0
Last Updated: [Date]
Last Drill: [Date]
Next Review: [Date]
Owner: Security Team