Incident Response Playbooks

Extended playbooks for common security incidents. Each follows 5 phases: Contain, Assess, Remediate, Prevent, Document. Use with 007 incident or when responding to any security event.

---

Playbook 1: Data Breach

Severity: CRITICAL Response Time: Immediate (< 15 minutes to begin containment)

Phase 1: Contain

• Identify the source of the breach (compromised credential, vulnerability, insider)
• Revoke compromised credentials immediately (API keys, tokens, passwords)
• Isolate affected systems from the network
• Block the attacker's IP/access path if identifiable
• Preserve forensic evidence (do NOT wipe or restart affected systems yet)

Phase 2: Assess

• Determine what data was exposed (PII, financial, credentials, business data)
• Determine scope: how many users/records affected
• Identify the attack timeline (when it started, when it was detected)
• Review access logs to trace the attacker's actions
• Assess if data was exfiltrated or only accessed

Phase 3: Remediate

• Patch the vulnerability that was exploited
• Force password reset for all affected users
• Rotate all potentially compromised secrets (API keys, DB passwords, certificates)
• Clean malware/backdoors if installed
• Restore from clean backups if data was tampered with

Phase 4: Prevent

• Implement missing access controls identified during the breach
• Add monitoring for the attack pattern used
• Enable encryption at rest for exposed data stores
• Implement DLP (Data Loss Prevention) rules
• Review and restrict access permissions (least privilege)

Phase 5: Document

• Complete incident timeline with timestamps
• Root cause analysis (RCA)
• List of all affected systems and data
• Actions taken and by whom
• Regulatory notifications (LGPD: 72 hours, GDPR: 72 hours)
• User notification if PII was exposed
• Lessons learned and process improvements

Communication Template

Copy
SUBJECT: [CRITICAL] Security Incident - Data Breach Detected

STATUS: Active incident as of {timestamp}
SEVERITY: CRITICAL
INCIDENT ID: INC-{YYYY}-{NNN}

SUMMARY:
A data breach affecting {scope} has been detected. The breach involves
{type of data} from {source system}.

CURRENT ACTIONS:
- Compromised access has been revoked
- Affected systems are isolated
- Investigation is in progress

AFFECTED DATA:
- Type: {PII / financial / credentials / business}
- Records: {approximate count}
- Users: {approximate count}

NEXT STEPS:
- Complete forensic analysis by {ETA}
- Regulatory notification by {deadline}
- User communication by {deadline}

CONTACT: {incident commander} at {contact info}

---

Playbook 2: DDoS / DoS

Severity: HIGH Response Time: < 5 minutes to begin mitigation

Phase 1: Contain

• Confirm it is an attack (not a legitimate traffic spike)
• Activate CDN/WAF DDoS protection (Cloudflare Under Attack Mode, AWS Shield, etc.)
• Enable rate limiting emergency mode (aggressive thresholds)
• Block obvious attack source IPs/ranges at the edge
• Scale infrastructure if possible (auto-scaling groups)
• Enable geo-blocking if attack originates from specific regions

Phase 2: Assess

• Identify attack type (volumetric, protocol, application layer)
• Identify attack source patterns (IP ranges, user agents, request patterns)
• Measure impact on service availability and user experience
• Check if DDoS is a distraction for another attack (data breach, etc.)
• Review resource utilization (CPU, memory, bandwidth, connections)

Phase 3: Remediate

• Implement targeted blocking rules based on attack patterns
• Optimize application to handle increased load (caching, static responses)
• Contact ISP/hosting provider for upstream filtering if needed
• Move critical services behind additional protection layers
• Gradually relax emergency protections as attack subsides

Phase 4: Prevent

• Implement permanent rate limiting with appropriate thresholds
• Deploy CDN with DDoS protection for all public endpoints
• Set up auto-scaling with cost limits
• Create runbooks for common DDoS patterns
• Implement challenge-based protection (CAPTCHA) for sensitive endpoints

Phase 5: Document

• Attack timeline, peak traffic volume, duration
• Attack type and source characteristics
• Service impact (downtime, degraded performance, affected users)
• Mitigation actions and effectiveness
• Cost impact (infrastructure, lost revenue)
• Recommendations for improved resilience

---

Playbook 3: Ransomware

Severity: CRITICAL Response Time: Immediate (< 10 minutes to isolate)

Phase 1: Contain

• IMMEDIATELY disconnect affected systems from network (pull cable, disable WiFi)
• Do NOT power off systems (preserves forensic evidence in memory)
• Identify patient zero (first infected system)
• Block lateral movement (disable SMB, RDP between segments)
• Isolate backup systems to prevent encryption
• Alert all employees to disconnect suspicious systems

Phase 2: Assess

• Identify the ransomware variant (check ransom note, file extensions)
• Determine scope: which systems and data are encrypted
• Check if backups are intact and uncompromised
• Assess if data was exfiltrated before encryption (double extortion)
• Check for decryption tools (NoMoreRansom.org)
• Determine entry point (phishing email, RDP brute force, vulnerable software)

Phase 3: Remediate

• If clean backups exist: wipe and restore from backup
• If no backups: evaluate decryption options (public tools, negotiation as last resort)
• Patch the vulnerability that was exploited
• Remove all persistence mechanisms (scheduled tasks, registry keys, services)
• Scan all systems for remaining malware before reconnecting
• Change ALL passwords (domain admin first, then all users)

Phase 4: Prevent

• Implement network segmentation
• Deploy EDR (Endpoint Detection and Response) on all systems
• Disable SMB v1, restrict RDP access
• Implement 3-2-1 backup strategy (3 copies, 2 media types, 1 offsite)
• Air-gapped or immutable backup storage
• Regular backup restoration tests
• Employee phishing awareness training

Phase 5: Document

• Complete attack timeline
• Entry point and propagation method
• Data impact (encrypted, exfiltrated, lost)
• Recovery method and time to recovery
• Financial impact (ransom demand, downtime cost, recovery cost)
• Law enforcement report (recommended)

---

Playbook 4: Supply Chain Compromise

Severity: CRITICAL Response Time: < 30 minutes to assess, < 2 hours to contain

Phase 1: Contain

• Identify the compromised dependency/package/vendor
• Pin to last known good version immediately
• Block outbound connections from affected systems to unknown IPs
• Audit all systems using the compromised component
• Halt all deployments until assessment is complete
• Check if compromised code was executed in production

Phase 2: Assess

• Determine what the malicious code does (data exfiltration, backdoor, crypto-miner)
• Identify affected versions and timeline of compromise
• Check package manager advisories (npm, PyPI, Maven security advisories)
• Review build logs for when compromised version was first introduced
• Scan all artifacts built with the compromised dependency
• Check if secrets/credentials were exposed to the malicious code

Phase 3: Remediate

• Update to patched version or remove dependency
• Rotate all secrets that could have been accessed
• Rebuild and redeploy all affected services from clean sources
• Scan all systems for backdoors or persistence mechanisms
• Audit build pipeline for additional compromises

Phase 4: Prevent

• Implement dependency pinning with lock files
• Enable integrity checking (checksums, signatures)
• Set up automated vulnerability scanning (Dependabot, Snyk, pip-audit)
• Use private package registries with approved packages
• Implement SBOM (Software Bill of Materials)
• Code review for dependency updates
• Monitor for typosquatting attacks on your dependencies

Phase 5: Document

• Compromised component, versions, and timeline
• Impact assessment (systems affected, data exposed)
• Detection method (how was it discovered)
• Remediation actions and verification
• Supply chain security improvements implemented

---

Playbook 5: Insider Threat

Severity: HIGH to CRITICAL Response Time: < 1 hour (balance speed with discretion)

Phase 1: Contain

• Do NOT alert the suspected insider yet
• Engage HR and legal before technical actions
• Increase monitoring on the suspected account (audit logging)
• Restrict access to most sensitive systems without raising suspicion
• Preserve all evidence (logs, emails, file access records)
• Secure backup copies of evidence

Phase 2: Assess

• Review access logs for unusual patterns (off-hours access, bulk downloads)
• Check for unauthorized data transfers (USB, email, cloud storage)
• Review code changes for backdoors or unauthorized modifications
• Assess what data/systems the insider has access to
• Determine if the threat is malicious or negligent
• Involve digital forensics if warranted

Phase 3: Remediate

• Coordinate with HR/legal for appropriate action
• Revoke all access immediately when action is taken
• Change shared credentials the insider had access to
• Review and revoke any API keys/tokens created by the insider
• Audit code changes made by the insider in the last N months
• Check for scheduled tasks, cron jobs, or time bombs

Phase 4: Prevent

• Implement Data Loss Prevention (DLP) tools
• Enforce least-privilege access across the organization
• Regular access reviews (quarterly minimum)
• Implement user behavior analytics (UBA)
• Offboarding checklist with comprehensive access revocation
• Background checks for roles with sensitive access

Phase 5: Document

• Complete timeline of insider actions
• Data/systems accessed or compromised
• Evidence collected and chain of custody
• HR/legal actions taken
• Access control improvements implemented

---

Playbook 6: Credential Stuffing

Severity: HIGH Response Time: < 30 minutes to begin mitigation

Phase 1: Contain

• Detect the attack (spike in failed logins, multiple accounts from same IPs)
• Enable aggressive rate limiting on login endpoints
• Block attacking IP ranges at WAF/CDN level
• Enable CAPTCHA on login forms
• Temporarily lock accounts with multiple failed attempts

Phase 2: Assess

• Determine how many accounts were successfully compromised
• Identify the source of credential lists (check haveibeenpwned.com)
• Review compromised accounts for unauthorized actions
• Check if attackers accessed sensitive data or made changes
• Assess financial impact (fraudulent transactions, data access)

Phase 3: Remediate

• Force password reset on all compromised accounts
• Notify affected users with guidance to use unique passwords
• Reverse any unauthorized actions (transactions, settings changes)
• Block known compromised credential pairs
• Invalidate all active sessions for affected accounts

Phase 4: Prevent

• Implement MFA (multi-factor authentication), push to all users
• Deploy credential stuffing detection (rate + pattern analysis)
• Check passwords against breach databases on registration/change
• Implement progressive delays on failed login attempts
• Device fingerprinting and anomaly detection
• Bot detection on authentication endpoints

Phase 5: Document

• Attack timeline, volume, and success rate
• Number of compromised accounts and impact
• Source IP analysis
• Detection method and time to detection
• User communications sent
• Authentication security improvements

---

Playbook 7: API Abuse

Severity: MEDIUM to HIGH Response Time: < 1 hour

Phase 1: Contain

• Identify the abusive client (API key, IP, user account)
• Rate limit or throttle the abusive client specifically
• If data scraping: block the client and return generic errors
• If financial abuse: freeze the account pending review
• Preserve request logs for analysis

Phase 2: Assess

• Determine the type of abuse (scraping, brute force, fraud, free tier abuse)
• Quantify the impact (cost, data exposed, service degradation)
• Review if the abuse exploited a legitimate API or a vulnerability
• Check ToS violations
• Determine if automated (bot) or manual

Phase 3: Remediate

• Revoke the abusive client's API keys
• Block abusive patterns (specific endpoints, request signatures)
• If vulnerability-based: patch the vulnerability
• If scraping: implement anti-bot measures
• If fraud: reverse fraudulent transactions, report to legal

Phase 4: Prevent

• Implement per-client rate limiting with appropriate tiers
• Add request cost tracking (weighted rate limiting for expensive endpoints)
• Deploy bot detection (fingerprinting, behavior analysis)
• Implement API usage quotas and billing
• Add anomaly detection on API usage patterns
• Review API design for abuse vectors (pagination, filtering, bulk endpoints)

Phase 5: Document

• Abuse type, method, and timeline
• Impact (financial, data, service)
• Client identification and evidence
• Actions taken (blocking, revocation)
• API security improvements implemented

---

General Communication Template

Use this template for any incident type:

Copy
SUBJECT: [{SEVERITY}] Security Incident - {Brief Description}

STATUS: {Active / Contained / Resolved}
SEVERITY: {CRITICAL / HIGH / MEDIUM / LOW}
INCIDENT ID: INC-{YYYY}-{NNN}
DETECTED: {timestamp}
INCIDENT COMMANDER: {name}

SUMMARY:
{2-3 sentences describing what happened, what is affected, and current status.}

IMPACT:
- Systems: {affected systems}
- Data: {type of data affected, approximate scope}
- Users: {number of affected users}
- Business: {business impact description}

CURRENT STATUS:
- Phase: {Contain / Assess / Remediate / Prevent / Document}
- Actions completed: {list}
- Actions in progress: {list}

NEXT UPDATE: {timestamp for next status update}
CONTACT: {incident commander contact}

---

Severity Classification Reference