Steps
- Declare the incident and assign severity based on scope and data sensitivity
- Assemble the response team and open a secure communication channel
- Preserve volatile evidence: memory dumps, running processes, active network connections
- Capture and secure logs from affected systems, firewalls, and identity providers
- Isolate affected systems from the network to prevent lateral movement
- Identify the root cause and full scope of compromise across accounts and systems
- Contain the threat by revoking compromised credentials, blocking IoCs, and resetting sessions
- Eradicate attacker persistence: remove malware, backdoors, scheduled tasks, and unauthorized accounts
- Restore affected systems from known-clean backups and apply missing patches or configuration fixes
- Verify that recovery is complete and no attacker access paths remain
- Document the incident timeline, actions taken, and evidence collected in the case management system
- Conduct a post-incident review and update detection rules, playbooks, and controls based on findings
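The steps above have an ordering that matters: volatile evidence must be captured before isolation (isolation kills the active connections you wanted to record), eradication cannot be declared while persistence is still present, and every action needs a timestamped entry for the final timeline. The following Python script is an added example, not part of this playbook, that models a case record enforcing those gates: the severity matrix, phase names, actor names and the sample artefacts are all constructed assumptions.

```python
import hashlib
from datetime import datetime, timezone

# Constructed severity matrix (assumption): scope rank + data rank -> severity.
SCOPE_RANK = {"single_host": 1, "multiple_hosts": 2, "domain_wide": 3}
DATA_RANK = {"public": 1, "internal": 2, "regulated": 3}

# Playbook phases in the order they must be completed.
PHASES = ["declared", "evidence_preserved", "isolated", "contained",
          "eradicated", "restored", "verified", "documented"]


def assign_severity(scope: str, data_sensitivity: str) -> str:
    """Severity from scope and data sensitivity (first step of the playbook)."""
    score = SCOPE_RANK[scope] + DATA_RANK[data_sensitivity]
    return {2: "low", 3: "medium", 4: "high"}.get(score, "critical")


class IncidentCase:
    def __init__(self, case_id: str, scope: str, data_sensitivity: str) -> None:
        self.case_id = case_id
        self.severity = assign_severity(scope, data_sensitivity)
        self.phase = "declared"
        self.timeline = []        # (UTC timestamp, actor, event) for the report
        self.evidence = {}        # artefact name -> chain-of-custody record
        self.containment = []     # credentials revoked, IoCs blocked, sessions reset
        self.persistence = set()  # attacker artefacts found but not yet removed
        self._log("system", f"declared {case_id}, severity={self.severity}")

    def _log(self, actor: str, event: str) -> None:
        self.timeline.append((datetime.now(timezone.utc).isoformat(), actor, event))

    def preserve_evidence(self, name: str, data: bytes, host: str, collector: str) -> str:
        """Hash each artefact at capture so later tampering is detectable."""
        digest = hashlib.sha256(data).hexdigest()
        self.evidence[name] = {"host": host, "sha256": digest,
                               "size": len(data), "collector": collector}
        self._log(collector, f"preserved {name} from {host} sha256={digest[:16]}")
        return digest

    def verify_evidence(self, name: str, data: bytes) -> bool:
        """Chain-of-custody check: does the artefact still match its capture hash?"""
        return self.evidence[name]["sha256"] == hashlib.sha256(data).hexdigest()

    def contain(self, action: str, actor: str) -> None:
        self.containment.append(action)
        self._log(actor, f"containment: {action}")

    def record_persistence(self, artefact: str) -> None:
        self.persistence.add(artefact)
        self._log("analyst", f"persistence found: {artefact}")

    def remove_persistence(self, artefact: str, actor: str) -> None:
        self.persistence.discard(artefact)
        self._log(actor, f"eradicated: {artefact}")

    def advance(self, phase: str, actor: str) -> None:
        """Enter the next phase, refusing when the playbook's preconditions are unmet."""
        if self.phase == PHASES[-1]:
            raise ValueError("case already in its final phase")
        expected = PHASES[PHASES.index(self.phase) + 1]
        if phase != expected:
            raise ValueError(f"{phase!r} out of order, expected {expected!r}")
        if phase == "evidence_preserved" and not self.evidence:
            raise ValueError("capture volatile evidence before isolating")
        if phase == "contained" and not self.containment:
            raise ValueError("no containment actions recorded")
        if phase == "eradicated" and self.persistence:
            raise ValueError(f"persistence still present: {sorted(self.persistence)}")
        self.phase = phase
        self._log(actor, f"phase -> {phase}")


# Constructed sample artefact standing in for a captured connection table.
SAMPLE_CONNECTIONS = b"tcp 10.0.0.5:49211 -> 203.0.113.7:443 ESTABLISHED\n"


def run_playbook() -> IncidentCase:
    """Walk one constructed incident through every phase, in playbook order."""
    case = IncidentCase("IR-EXAMPLE-001", "multiple_hosts", "regulated")
    case.preserve_evidence("connections", SAMPLE_CONNECTIONS, "host-a", "responder1")
    case.preserve_evidence("memdump", b"<memory image bytes>", "host-a", "responder1")
    case.advance("evidence_preserved", "responder1")
    case.advance("isolated", "responder1")
    case.record_persistence("scheduled task 'updater'")
    case.contain("revoked credential svc-backup", "iam-admin")
    case.contain("blocked 203.0.113.7 at egress firewall", "netops")
    case.advance("contained", "lead")
    case.remove_persistence("scheduled task 'updater'", "responder2")
    case.advance("eradicated", "lead")
    case.advance("restored", "responder2")
    case.advance("verified", "lead")
    case.advance("documented", "lead")
    return case


def isolation_before_evidence_is_refused() -> bool:
    """The gate that protects volatile evidence: isolating first is rejected."""
    case = IncidentCase("IR-EXAMPLE-002", "single_host", "internal")
    try:
        case.advance("isolated", "responder1")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for ts, actor, event in run_playbook().timeline:
        print(ts, actor, event)
```

Running the script prints the timeline that the documentation step asks for; `verify_evidence` recomputes an artefact's hash against the value recorded at capture, which is the check a reviewer performs before trusting a memory dump or log bundle that has changed hands.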
When to use
Activate this playbook whenever there is confirmed or high-confidence evidence of unauthorized access, data exfiltration, malware execution, or system compromise.
