
13 May 2026 · 15 min read · Senthil Kumar

# Incident Response Playbook: Moving from Chaos to Coordination

A breach is detected at 3 AM. Your SIEM alerts on an unusual admin login from a foreign IP. Now what?

Without a playbook, chaos ensues. Engineers spin up forensic copies of compromised systems. The network team isolates the attacker. Legal contacts lawyers. Finance calculates exposure. Everyone communicates via Slack simultaneously. Critical evidence is overwritten. The attacker covers their tracks.

With a playbook, coordination replaces panic. The incident commander activates. Roles are clear. Evidence is preserved. Containment happens in minutes, not hours. Investigation is methodical. Recovery is planned. Lessons are learned and documented.

An incident response playbook is the difference between a 10-hour breach and a 3-day breach, and between $500K in damages and $5M.

## The Incident Response Lifecycle

All incidents follow a pattern. Your playbook operationalizes each phase.

### Phase 1: Detection & Alert

Someone detects something suspicious:

- SIEM alert (unusual login, data exfiltration pattern)
- User report (phishing email, system slowdown)
- Third party (ISP notification of botnet traffic, law enforcement tip)
- External discovery (security researcher, public breach database)

**Playbook actions:**

- Log incident in ticketing system (immutable record, timeline)
- Notify on-call incident commander
- Assemble incident response team (determine severity first)
- Preserve evidence (don't reboot suspected systems; document baseline)

**Key metric:** Time from detection to incident commander notification. Goal: <15 minutes.

### Phase 2: Assessment & Triage

The incident commander investigates:

- What happened? (What's the suspicious activity?)
- When? (When did it start? Is it ongoing?)
- Where? (Which systems, users, data affected?)
- Severity? (Are critical systems compromised? Is data being exfiltrated?)

**Playbook actions:**

- Gather initial evidence (logs, alerts, user reports)
- Interview alert originator (What triggered the alert? Is it suspicious or a false positive?)
- Determine severity (Critical = active breach + data theft; High = contained compromise; Medium = isolated incident; Low = single event, no spread risk)
- Activate appropriate response level (Critical = full team + CEO notification; High = core team; Medium = delegated; Low = handled by ticket)

**Key metric:** Time from detection to severity assessment. Goal: <1 hour.

### Phase 3: Containment

Stop the attacker. Prevent spread. Preserve evidence.

**Playbook actions by type:**

**Account compromise:**

- Reset password immediately
- Revoke active sessions
- Force re-login with MFA
- Check where else the credential was used
- Review account access history (what did the attacker access?)

**Malware infection:**

- Isolate endpoint from network (unplug network, revoke VPN)
- Preserve filesystem (forensic copy before cleanup)
- Kill suspicious processes
- Block detected malware signatures network-wide
- Scan similar systems (same OS, same user accounts)

**Data exfiltration:**

- Block outbound connections to destination IP
- Revoke cloud storage access tokens
- Identify all data accessed
- Preserve access logs for forensic analysis
- Check whether other systems connected to the same destination

**Web application compromise:**

- Take app offline (or swap to backup instance)
- Preserve database state
- Revoke administrative accounts
- Block attacker's IP network-wide
- Identify attack vector (vulnerability, credential, supply chain?)

**Key metric:** Time from detection to containment. Goal: Critical = <1 hour; High = <4 hours.

### Phase 4: Investigation & Evidence Collection

Now the forensic work. Preserve chain of custody. Understand the attack chain.

**Playbook actions:**

- Forensic imaging of affected systems (disk, memory, logs)
- Log analysis (construct timeline: who accessed what, when, from where?)
- Artifact analysis (malware, config files, communication patterns)
- Threat hunting (check for lateral movement, persistence)
- Third-party forensics (if breach is severe, engage external firm)
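A forensic image is only evidence if the record shows who held it and that it was not altered. The following is an added example, not code from the article or from Sentos: a minimal chain-of-custody record that hashes an artifact at collection and re-hashes it at every hand-off, so alteration in transit is surfaced in the record rather than hidden. A temporary file is a constructed stand-in for a disk image, and the function names, analyst and host names are assumptions.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk_size=1024 * 1024):
    """Hash in chunks so a multi-gigabyte disk or memory image never has to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def open_custody(artifact_path, collector, source_host, note):
    """First custody entry: who collected what, from which system, when, and its hash at collection."""
    return {"artifact": os.path.basename(artifact_path), "sha256": sha256_file(artifact_path),
            "size_bytes": os.path.getsize(artifact_path), "collected_by": collector,
            "source_host": source_host, "collected_at": datetime.now(timezone.utc).isoformat(),
            "note": note, "transfers": []}

def transfer_custody(record, from_person, to_person, artifact_path):
    """Log a hand-off and re-hash the artifact. A mismatch against the collection hash is recorded
    in the entry and returned as False; it must be visible in the record, never silently fixed."""
    current = sha256_file(artifact_path)
    event = {"from": from_person, "to": to_person, "sha256": current,
             "at": datetime.now(timezone.utc).isoformat(),
             "intact": current == record["sha256"]}
    record["transfers"].append(event)
    return event["intact"]

def demo():
    """Constructed sample: a small temporary file stands in for a forensic image."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".img") as f:
        f.write(b"constructed sample image contents")
        path = f.name
    record = open_custody(path, "analyst-a", "web-01", "disk image taken after containment")
    first_ok = transfer_custody(record, "analyst-a", "external-forensics", path)
    with open(path, "ab") as f:            # simulate alteration of the image in transit
        f.write(b"X")
    second_ok = transfer_custody(record, "external-forensics", "legal", path)
    os.unlink(path)
    return first_ok, second_ok, record

if __name__ == "__main__":
    first_ok, second_ok, record = demo()
    print(record["sha256"], "hand-off 1 intact:", first_ok, "hand-off 2 intact:", second_ok)
```

In practice the record is written to a separate, append-only store and signed; the hash of the original image is what an external lab or court compares against.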

**Key evidence to preserve:**

- System access logs (login/logout times, IPs, MFA use)
- File access logs (what data accessed? Modification times?)
- Network logs (outbound connections, DNS queries, port usage)
- Application logs (database access, API usage)
- Malware samples (for analysis by security team or external lab)
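The log analysis step ("who accessed what, when, from where") and the account-compromise containment step ("check where else the credential was used") are the same task: following a compromised credential forward through system access logs. The block below is an added example, not the article's or Sentos' tooling. It parses a constructed set of login events in an assumed `host= user= src= result=` format, sorts them into a timeline, and conservatively treats every successful login that uses an attacker-held account or comes from an attacker-reached host as attacker activity, yielding the accounts to reset, the hosts to image, and the access window. Hostnames, usernames and 203.0.113.45 (a documentation-range address) are constructed.

```python
import re
from datetime import datetime

# Constructed sample authentication events, not real logs. 203.0.113.45 is a documentation
# (TEST-NET-3) address standing in for the foreign IP that raised the alert.
SAMPLE_LOG = """\
2026-05-13T06:02:11Z host=vpn-gw user=admin src=203.0.113.45 result=success
2026-05-13T06:05:40Z host=jump-01 user=admin src=vpn-gw result=success
2026-05-13T06:31:02Z host=db-02 user=svc_backup src=jump-01 result=success
2026-05-13T07:10:55Z host=file-01 user=j.doe src=ws-17 result=success
2026-05-13T08:44:19Z host=db-02 user=svc_backup src=jump-01 result=failure
2026-05-13T08:50:30Z host=app-03 user=deploy src=db-02 result=success
2026-05-13T09:02:11Z host=vpn-gw user=admin src=203.0.113.45 result=success
"""
LINE_RE = re.compile(r"(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                     r"src=(?P<src>\S+) result=(?P<result>\S+)")

def parse(log_text):
    """Parse the assumed key=value format into dicts and sort by time; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def trace_credential(events, compromised_user, attacker_src):
    """Conservative attribution: a successful login using an account the attacker has touched, or from
    a host the attacker has reached, is attacker activity until proven otherwise. Taint flows forward only."""
    accounts, sources, attributed = {compromised_user}, {attacker_src}, []
    for e in events:
        if e["result"] != "success":
            continue
        if e["user"] in accounts or e["src"] in sources:
            accounts.add(e["user"])   # another credential the attacker now holds: reset it
            sources.add(e["host"])    # another host the attacker reached: image and examine it
            attributed.append(e)
    window = (attributed[-1]["ts"] - attributed[0]["ts"]).total_seconds() if attributed else 0
    return {
        "timeline": [f"{e['ts']:%H:%M} {e['user']}@{e['host']} from {e['src']}" for e in attributed],
        "accounts_to_reset": sorted(accounts),
        "hosts_to_examine": sorted(sources - {attacker_src}),
        "lateral_moves": sum(1 for e in attributed if e["src"] != attacker_src),
        "access_window_seconds": window,
    }

def analyze_sample():
    return trace_credential(parse(SAMPLE_LOG), "admin", "203.0.113.45")
```

On the constructed sample the trace attributes five logins, flags two further accounts (svc_backup, deploy) for reset, and measures a three-hour access window; the j.doe login and the failed attempt are left out of the attacker timeline.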

**Key metric:** Time from containment to root cause identified. Goal: Critical = <24 hours; High = <5 days.

### Phase 5: Eradication

Remove the attacker from the environment. Close the entry point.

**Playbook actions:**

- Patch vulnerability (if known CVE was exploited)
- Remove malware (wipe/reimage compromised endpoints)
- Revoke compromised credentials (and reissue new ones)
- Remove persistence mechanisms (scheduled tasks, registry keys, backdoors)
- Disable attacker account (if human-driven)
- Block command-and-control infrastructure (IP blocking, DNS sinkholing)

**Key metric:** Verify eradication. Goal: Rescan all systems post-remediation; confirm no re-infection.

### Phase 6: Recovery

Restore systems and data. Verify integrity.

**Playbook actions:**

- Restore systems from clean backups (if available)
- Monitor for re-infection (EDR alerts, network monitoring)
- Gradually restore user access
- Verify application functionality (run test suite)
- Monitor performance (ensure attacker didn't degrade performance, hide exfiltration)

**Key metric:** Time from eradication to full recovery. Goal: Critical = 24 hours; High = 5 days.

### Phase 7: Post-Incident Review

Learn to prevent recurrence.

**Playbook actions:**

- Document timeline (every step, every decision)
- Identify root cause (how did the attacker get in?)
- Identify gaps (what alarms didn't fire? What evidence did we miss?)
- Determine improvements:
  - Detection: What SIEM rule could catch this earlier next time?
  - Prevention: What patch, config, or control would prevent recurrence?
  - Response: What slowed us down? How do we respond faster?
- Update playbook (lessons learned → procedural changes)
- Communicate findings (to relevant teams, executives, board if breach was severe)

**Key metric:** Time from incident close to post-incident review. Goal: <2 weeks. Include > 5 participants.

## Incident Response Playbook Template

Here's a minimal template to get started:

```markdown
# Incident Response Playbook

## Critical Contacts

- Incident Commander: On-call rotation (Slack #oncall)
- Security Lead: [name, phone, email]
- Network Team Lead: [name, phone, email]
- Database Team Lead: [name, phone, email]
- Legal: [name, phone, email]
- CEO/Board: [name, phone, email] - notify only for critical severity

## Severity Levels

**CRITICAL:** Active breach + data exfiltration + critical systems compromised

- Timeline: <1 hour to containment, <24 hours to eradication
- Notification: Full team + CEO + legal + board

**HIGH:** Active compromise, contained to specific system

- Timeline: <4 hours to containment, <5 days to eradication
- Notification: Core team + CISO

**MEDIUM:** Single event, limited spread risk

- Timeline: <1 day to containment
- Notification: Team lead + security

**LOW:** Single event, no spread risk

- Timeline: No formal response, resolve per ticket
- Notification: Security team awareness

## Phase 1: Detection & Alert

- [ ] Create incident ticket (include alert/report, timestamp, reporter)
- [ ] Notify incident commander
- [ ] Preserve evidence (don't restart suspected systems)
- [ ] Document initial observations

## Phase 2: Assessment

- [ ] Interview alert originator
- [ ] Gather logs from relevant systems
- [ ] Determine what, when, where, severity
- [ ] Activate incident team per severity level

## Phase 3: Containment

- [ ] [Account compromise] Reset password, revoke sessions, audit access
- [ ] [Malware] Isolate endpoint, preserve forensics, scan network
- [ ] [Exfiltration] Block destination IP, audit data access
- [ ] [Application breach] Take app offline, revoke accounts, block attacker IP

## Phase 4: Investigation

- [ ] Forensic imaging (disk, memory, logs)
- [ ] Log timeline analysis
- [ ] Artifact analysis (malware, configs)
- [ ] Threat hunting for lateral movement
- [ ] Engage external forensics if critical

## Phase 5: Eradication

- [ ] Patch vulnerability
- [ ] Remove malware/reimage systems
- [ ] Revoke compromised credentials
- [ ] Remove persistence mechanisms
- [ ] Block C2 infrastructure
- [ ] Rescan to confirm eradication

## Phase 6: Recovery

- [ ] Restore from clean backups
- [ ] Monitor for re-infection
- [ ] Restore user access progressively
- [ ] Verify application functionality
- [ ] Performance baseline check

## Phase 7: Post-Incident Review

- [ ] Schedule post-mortem (within 2 weeks)
- [ ] Document timeline
- [ ] Identify root cause
- [ ] Identify detection/prevention/response gaps
- [ ] Propose improvements
- [ ] Update playbook
- [ ] Executive communication (if required)

## Evidence Preservation Checklist

- [ ] System logs (syslog, Windows event logs, application logs)
- [ ] Network logs (firewall, IDS, DNS, proxy)
- [ ] Endpoint logs (EDR, antivirus, file system)
- [ ] Cloud access logs (IAM, S3 access, database audit logs)
- [ ] Memory dump (if malware suspected)
- [ ] Filesystem snapshot (forensic image, chain of custody)

## Key Contacts & Escalation

[Fill in for your organization]
```

## Real-World Response Scenarios

### Scenario 1: 3 AM Ransomware Detection

- 3:15 AM: SIEM alerts on bulk file encryption
- 3:20 AM: Incident commander notified; severity = CRITICAL
- 3:25 AM: Endpoint isolated; network team blocks destination IP
- 3:30 AM: Database team checks backup integrity (available, recent, clean)
- 4:00 AM: Malware analysis identifies ransomware variant; signature deployed
- 8:00 AM: Eradication complete; systems restored from backup
- No data loss; business recovered same day

**Without playbook:** System rebooted (destroying evidence), backup overwritten, attacker persists, 1 week recovery, ransom paid.

### Scenario 2: Compromised Admin Credential

- 9:00 AM: Admin account used from foreign IP
- 9:05 AM: Incident commander notified; severity = HIGH
- 9:10 AM: Credential revoked; active sessions terminated
- 9:15 AM: Threat hunt for lateral movement (check where else credential used)
- 9:30 AM: Found 2 lateral moves; those accounts also reset
- 10:00 AM: Log analysis shows 3-hour window of attacker access; audit what was accessed
- 11:00 AM: Patch identified vulnerability; applied to all systems
- 2:00 PM: Post-incident review started; controls to prevent recurrence documented

**Without playbook:** Admin manually reviews security logs (days), attackers still in network, lateral movement escalates.
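Each phase above carries a "Key metric" goal, and the post-incident review has to say which were met. The block below is an added example, not from the article or from Sentos: it encodes the Critical and High goals stated on this page and measures an incident's recorded milestones against them, reporting a milestone that was never logged as unmeasured rather than quietly as met. The first input follows the Scenario 1 timestamps; the second is a constructed High-severity incident; the milestone names and the date are assumptions.

```python
from datetime import datetime

# Goals from the playbook's "Key metric" lines, in minutes, by severity. The page states no
# Medium/Low goals beyond the template's containment timelines, so only these two are encoded.
GOALS = {
    "CRITICAL": {"detect->notify": 15, "detect->assess": 60, "detect->contain": 60,
                 "contain->root_cause": 24 * 60, "eradicate->recover": 24 * 60},
    "HIGH":     {"detect->notify": 15, "detect->assess": 60, "detect->contain": 4 * 60,
                 "contain->root_cause": 5 * 24 * 60, "eradicate->recover": 5 * 24 * 60},
}
# Which two recorded milestones each metric spans (milestone names are assumed).
SPANS = {"detect->notify": ("detected", "notified"), "detect->assess": ("detected", "assessed"),
         "detect->contain": ("detected", "contained"),
         "contain->root_cause": ("contained", "root_cause"),
         "eradicate->recover": ("eradicated", "recovered")}

def evaluate(severity, milestones):
    """milestones maps milestone name -> ISO-8601 timestamp. Each goal is treated as an upper bound;
    a metric whose milestones were never recorded is reported as unmeasured, not as met."""
    times = {name: datetime.fromisoformat(ts) for name, ts in milestones.items()}
    report = {}
    for metric, goal in GOALS[severity.upper()].items():
        start, end = SPANS[metric]
        if start in times and end in times:
            minutes = (times[end] - times[start]).total_seconds() / 60
            report[metric] = {"minutes": minutes, "goal": goal, "met": minutes <= goal}
        else:
            report[metric] = {"minutes": None, "goal": goal, "met": None}
    return report

def missed(report):
    """Metrics to raise in the post-incident review: goals missed plus anything never measured."""
    return sorted(m for m, r in report.items() if r["met"] is not True)

# Constructed input following the article's Scenario 1 timeline (ransomware, CRITICAL).
SCENARIO_1 = {"detected": "2026-05-13T03:15", "notified": "2026-05-13T03:20",
              "assessed": "2026-05-13T03:20", "contained": "2026-05-13T03:25",
              "root_cause": "2026-05-13T04:00", "eradicated": "2026-05-13T08:00",
              "recovered": "2026-05-13T08:00"}
# Constructed HIGH incident: containment overran its 4-hour goal and recovery was never logged.
SLOW_INCIDENT = {"detected": "2026-05-13T09:00", "notified": "2026-05-13T09:05",
                 "assessed": "2026-05-13T09:40", "contained": "2026-05-13T14:00",
                 "root_cause": "2026-05-14T10:00", "eradicated": "2026-05-14T12:00"}

if __name__ == "__main__":
    print("scenario 1, to review:", missed(evaluate("CRITICAL", SCENARIO_1)))
    print("slow incident, to review:", missed(evaluate("HIGH", SLOW_INCIDENT)))
```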

## Playbook Maintenance

Your playbook becomes obsolete if not maintained:

- **Annual review**: Update contact info, verify escalation procedures still valid
- **Post-incident**: Update with lessons learned
- **After major changes**: New system deployed, new team member, new compliance requirement
- **Tabletop exercise**: Simulate incident quarterly; run through playbook; identify gaps

## Integration with Managed Incident Response

Incident response execution requires speed and expertise:

- Detection (SIEM monitoring, alert triage)
- Containment (network isolation, credential revocation)
- Investigation (forensics, log analysis, threat hunting)
- Communication (with CEO, legal, board, customers)

Sentos' managed incident response service:

- Monitors 24/7 for suspicious activity
- Activates playbook immediately when incident detected
- Executes containment and investigation
- Communicates with your team and leadership
- Conducts post-incident review and playbook updates

## The Bottom Line

An incident is not a question of _if_, but _when_. The organizations that respond fastest and most systematically minimize damage.

Build your playbook now—before the 3 AM alert. Test it quarterly. Update it regularly. And when a breach happens, you'll respond in minutes, not days.

Senthil Kumar

Founder & CEO

Founder & CEO of Sentos Technologies. Passionate about AI-powered IT solutions and helping mid-market enterprises advance beyond.
