mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-13 19:05:17 +03:00
4.6 KiB
4.6 KiB
Incident Triage with IR Playbooks - Detailed Workflow
Triage Decision Tree
Alert Received
|
v
Is alert from trusted/tuned detection rule?
|-- No --> Check rule logic, verify data source --> Potential false positive
|-- Yes --> Continue
|
v
Does alert match known false positive pattern?
|-- Yes --> Document, close as false positive, tune rule
|-- No --> Continue
|
v
Can indicator be enriched with external threat intel?
|-- Yes --> Enrich with VT, AbuseIPDB, OTX --> Add context
|-- No --> Continue with available data
|
v
What is the incident type?
|-- Malware --> Malware playbook
|-- Phishing --> Phishing playbook
|-- Unauthorized Access --> Access compromise playbook
|-- Data Exfiltration --> Data breach playbook
|-- Ransomware --> Ransomware playbook
|-- DoS/DDoS --> Availability playbook
|-- Insider Threat --> Insider playbook
|
v
Assign severity based on:
- Asset criticality x Threat level x Data sensitivity
|
v
Route to appropriate team with playbook
Severity Assignment Matrix
Impact Score (1-4)
| Score | Asset Criticality | Examples |
|---|---|---|
| 4 | Critical | Domain controllers, production databases, financial systems |
| 3 | High | Email servers, web applications, file servers |
| 2 | Medium | Development systems, internal tools |
| 1 | Low | Test systems, non-production workstations |
Urgency Score (1-4)
| Score | Threat Status | Indicators |
|---|---|---|
| 4 | Active exploitation | Ongoing attack, real-time data loss |
| 3 | Confirmed compromise | Evidence of breach, but not active |
| 2 | Attempted attack | Blocked attack, no evidence of success |
| 1 | Reconnaissance | Scanning, probing, no exploitation attempt |
Final Severity = Impact x Urgency
| Score Range | Severity | Response Time | Escalation |
|---|---|---|---|
| 12-16 | P1 Critical | Immediate (15 min) | CISO + IR Lead + Senior Analysts |
| 8-11 | P2 High | 30 minutes | IR Lead + Available Analysts |
| 4-7 | P3 Medium | 2 hours | Next available analyst |
| 1-3 | P4 Low | 24 hours (business hours) | Queued for analyst review |
Playbook Selection Guide
By Alert Source
| Alert Source | Likely Playbook | Key Triage Actions |
|---|---|---|
| EDR - Malware detection | Malware IR | Check quarantine status, verify family |
| Email gateway - Phishing | Phishing IR | Extract IOCs, check delivery scope |
| SIEM - Authentication anomaly | Account Compromise | Verify account, check lateral movement |
| IDS/IPS - Exploit attempt | Vulnerability Exploitation | Verify patch status, check success |
| DLP - Data transfer | Data Exfiltration | Classify data, verify authorization |
| Cloud - Impossible travel | Cloud Account Compromise | Verify user, check API calls |
By MITRE ATT&CK Tactic
| Tactic | Playbook | Priority |
|---|---|---|
| Initial Access (TA0001) | Perimeter Breach | P1-P2 |
| Execution (TA0002) | Malware/Code Execution | P1-P2 |
| Persistence (TA0003) | Backdoor/Implant | P2 |
| Privilege Escalation (TA0004) | Privilege Escalation | P1 |
| Defense Evasion (TA0005) | Security Tool Bypass | P2 |
| Credential Access (TA0006) | Credential Theft | P1-P2 |
| Discovery (TA0007) | Reconnaissance | P3 |
| Lateral Movement (TA0008) | Lateral Movement | P1 |
| Collection (TA0009) | Data Staging | P2 |
| Exfiltration (TA0010) | Data Breach | P1 |
| Impact (TA0040) | Ransomware/Destruction | P1 |
IOC Enrichment Workflow
Step 1: Automated Enrichment
- Submit IPs to VirusTotal, AbuseIPDB, Shodan
- Submit file hashes to VirusTotal, MalwareBazaar, Hybrid Analysis
- Submit domains to URLScan.io, VirusTotal, PassiveTotal
- Check against internal IOC database and watchlists
Step 2: Context Addition
- Look up asset in CMDB for criticality and owner
- Check user in HR system for role and access level
- Verify network zone and data classification
- Cross-reference with recent threat intelligence reports
Step 3: Correlation
- Search SIEM for related alerts in past 72 hours
- Check if same IOCs appeared in other incidents
- Correlate with ongoing threat campaigns
- Verify if alert is part of a larger attack chain
Triage Documentation Requirements
- Alert details (source, time, raw data)
- Enrichment results (reputation scores, intelligence hits)
- Classification decision (incident type, severity, justification)
- Selected playbook and version
- Assigned team/analyst
- Initial timeline of observed events
- Known affected assets and accounts