Phase 1: Preparation and Baseline Establishment

You cannot detect what you cannot see. Most enterprises fail because they lack a complete asset inventory. If you don't know every subdomain and IP address in your attack surface, you are blind. Start by enumerating your external-facing assets. Use the Subdomain Discovery tool to map your perimeter. This isn't a one-time task; automate it weekly.

Asset Inventory and Attack Surface Mapping

Run a continuous discovery process. Your inventory must include every server, container, and cloud function. The command below uses nmap to scan your declared IP ranges, but you should integrate this with your cloud provider's API for dynamic updates.

nmap -sV -O -iL ip_list.txt -oX asset_scan.xml

Baseline Network Traffic Analysis

Establish a baseline of normal traffic patterns. Without this, you are chasing ghosts. Deploy a passive tap or use SPAN ports on your core switches. Capture traffic with tcpdump and analyze it with Zeek (formerly Bro). Your baseline should include typical connection durations, packet sizes, and protocol distributions.

tcpdump -i eth0 -w baseline.pcap -s 0

Logging and Retention Policy

Centralize all logs. If a log exists only on the local filesystem, it might as well not exist. Configure your SIEM to ingest logs from all critical assets. Ensure you retain raw logs for at least 90 days. The following rsyslog configuration forwards all local logs to your SIEM's TCP port 514.


*.* @@siem.example.com:514

Phase 2: Detection Mechanisms and Alert Configuration

Detection is not about volume; it's about fidelity. Tuning your detection rules is the difference between actionable intelligence and alert fatigue. We focus on high-confidence indicators of compromise (IoCs).

SIEM Rule Tuning for High-Fidelity Alerts

Stop relying on generic rules. Write specific rules for your environment. For example, a rule to detect successful logins from impossible travel locations requires your SIEM to parse authentication logs and correlate geolocation data. In Splunk, this looks like:

index=auth sourcetype=linux_secure | iplocation client_ip | stats dc(country) as country_count by user | where country_count > 1

Endpoint Detection and Response (EDR) Deployment

EDR is non-negotiable. Deploy agents on all endpoints and servers. Configure your EDR to alert on process injection, credential dumping, and lateral movement attempts. The following PowerShell command checks for common EDR agent processes, ensuring they are running.

Get-Service -Name "CrowdStrike*", "CarbonBlack*", "SentinelOne*" | Where-Object {$_.Status -ne "Running"}

Network Traffic Analysis (NTA) Rules

NTA rules should focus on protocol anomalies. Detect DNS tunneling by monitoring for unusually long DNS queries or high entropy domain names. A simple Zeek script can flag this.

event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) {
if (|query| > 100) {
NOTICE([$note=DNS::Long_Query, $conn=c, $msg=msg]);
}
}

Phase 3: Initial Triage and Verification

When an alert fires, the clock starts. Your SOC analyst's first job is to verify the alert is not a false positive. This requires rapid access to context.

Alert Triage Workflow

The triage workflow must be documented and practiced. For a suspicious login alert, the analyst should immediately check the user's recent activity, the source IP's reputation, and the time of day. Use the RaSEC URL Analysis Tool to verify any malicious links in the alert details.

Contextual Data Enrichment

Raw alerts are useless. Enrich them with threat intelligence. Your SIEM should automatically query threat intelligence platforms (TIPs) for IP reputation, domain age, and malware associations. The following Python snippet uses a TIP API to enrich an IP address.

import requests

def enrich_ip(ip_address):
url = f"https://api.threatintel.com/ip/{ip_address}"
headers = {"Authorization": "Bearer YOUR_API_KEY"}
response = requests.get(url, headers=headers)
return response.json()


ip = "192.0.2.1"
print(enrich_ip(ip))

False Positive Reduction

Analyze false positives weekly. If a rule generates more than 10 false positives per day, it needs tuning. Document the tuning decision in your SIEM. For example, if a rule triggers on legitimate administrative activity, create an exception for the admin's IP range.

index=network sourcetype=firewall action=blocked src_ip=10.0.0.0/8 | where NOT src_ip="10.0.1.100"

Phase 4: Containment Strategies

Containment is about stopping the bleeding. The goal is to isolate the compromised asset without disrupting business operations. This requires pre-planned playbooks.

Network Segmentation and Isolation

Isolate the compromised host at the network level. If the host is virtual, snapshot it first for forensics. Then, apply a firewall rule to block all inbound and outbound traffic except for your management network. Use iptables on Linux hosts or Windows Firewall with Advanced Security.

iptables -A INPUT -s  -j DROP
iptables -A OUTPUT -d  -j DROP

Account and Credential Revocation

Immediately revoke all sessions and reset passwords for compromised accounts. If the attacker has dumped credentials, assume they have access to all services using those credentials. Use a privileged access management (PAM) solution to rotate keys and secrets.


Revoke-AzureADUserAllRefreshToken -ObjectId "user@example.com"

Containment Playbook Execution

Your containment playbook should be a checklist, not a paragraph. For a ransomware outbreak, the playbook might include: 1) Disconnect the affected VLAN, 2) Disable the compromised account, 3) Notify the incident response team. Execute it methodically.

Phase 5: Eradication and Remediation

Eradication is the process of removing the attacker's presence from your environment. This is not just about deleting malware; it's about closing the entry point.

Root Cause Analysis

Identify the initial access vector. Was it a phishing email, a vulnerable web application, or a misconfigured cloud storage bucket? Use forensic artifacts to trace the attack back to its origin. The following command extracts the creation time of files in a directory, which can help identify the malware's drop time.

ls -lt /path/to/suspicious/dir | head -n 20

Malware Removal and System Hardening

Remove the malware and patch the vulnerability. If the malware is a fileless attack, you may need to re-image the system. For file-based malware, use your EDR's removal tool. After removal, harden the system by applying CIS benchmarks.


systemctl disable telnet.service
systemctl disable ftp.service

Credential Rotation and Secret Management

Rotate all credentials that may have been exposed. This includes service accounts, API keys, and database passwords. Use a secrets management tool like HashiCorp Vault to automate this process.

vault write auth/approle/role/secret-role secret_id_ttl=24h token_num_uses=10

Phase 6: Ransomware-Specific Response

Ransomware attacks require a specialized response due to the encryption of data and the extortion demand. The primary goal is to restore operations without paying the ransom.

Ransomware Identification and Isolation

Identify the ransomware strain using file extensions, ransom notes, or hash values. Isolate the infected systems immediately to prevent spread. Use your EDR to query for files with suspicious extensions across the network.

Get-ChildItem -Path \\network_share -Recurse -Include *.encrypted, *.locked -ErrorAction SilentlyContinue

Backup Integrity and Recovery

Verify the integrity of your backups before restoration. Use the Payload Forge tool to test your backup restoration process in a sandbox environment. Ensure backups are immutable and stored offline.


rsync -avz /backup/path /test/restore/path

Negotiation and Legal Considerations

Do not negotiate with attackers without consulting legal counsel. The decision to pay should involve the CISO, legal team, and executive leadership. Document all communications with the attacker.

Phase 7: Threat Intelligence Integration

Threat intelligence is not a feed; it's a process. Integrate threat intelligence into your detection and response workflows to stay ahead of attackers.

TIP Integration with SIEM

Integrate your Threat Intelligence Platform (TIP) with your SIEM to automatically block known malicious IPs and domains. Use STIX/TAXII feeds to ingest intelligence. The following configuration in your SIEM (e.g., Splunk) sets up a lookup for malicious IPs.


[Malicious IP Blocklist]
search = | inputlookup malicious_ips.csv | eval action="block"

Automated IoC Hunting

Automate the hunting for IoCs across your environment. Use your SIEM to search for known malicious hashes, IPs, and domains. The following Python script queries your SIEM for a specific hash.

import splunklib.client as client

service = client.connect(host='siem.example.com', port=8089, username='admin', password='password')
search_query = 'index=endpoint file_hash="malicious_hash"'
job = service.jobs.create(search_query)

Share anonymized threat intelligence with industry peers and ISACs. This collective defense approach improves everyone's security posture. Use platforms like MISP to share IoCs.

Phase 8: Forensic Analysis and Evidence Collection

Forensic analysis is critical for understanding the attack and supporting legal action. Evidence must be collected in a forensically sound manner.

Volatile Data Collection

Collect volatile data first, as it is lost on reboot. This includes RAM, running processes, and network connections. Use tools like volatility for memory analysis and netstat for network connections.


dd if=/dev/mem of=/forensics/memory.dump bs=1M

Disk Imaging and Chain of Custody

Create a bit-for-bit image of the compromised disk. Use dd or dcfldd for this. Maintain a chain of custody log for all evidence.

dd if=/dev/sda of=/forensics/disk_image.img bs=4M conv=noerror,sync

Log Analysis and Timeline Reconstruction

Reconstruct the attack timeline by correlating logs from multiple sources. Use tools like log2timeline or plaso to automate this process.

plaso -o timeline.plaso -w /forensics/disk_image.img

Phase 9: Post-Incident Review and Reporting

The post-incident review is where you learn from your mistakes. This is not a blame game; it's a process improvement exercise.

Lessons Learned Session

Conduct a lessons learned session within 48 hours of incident resolution. Involve all stakeholders, including IT, security, legal, and executive leadership. Document what went well and what did not.

Incident Report Generation

Generate a detailed incident report for executive leadership and regulators. The report should include the timeline, impact, root cause, and remediation steps. Use the following template structure.


- **Date**: [Date]
- **Affected Systems**: [List]
- **Root Cause**: [Description]
- **Remediation**: [Actions Taken]

Process Improvement and Playbook Updates

Update your incident response playbooks based on the lessons learned. If a step was missed during containment, add it to the checklist. If a tool was ineffective, replace it.

Phase 10: Advanced Detection Techniques

Basic detection rules are insufficient against advanced threats. You need advanced techniques to detect stealthy attacks.

Behavioral Analytics and UEBA

User and Entity Behavior Analytics (UEBA) detects anomalies in user behavior. Deploy UEBA to identify insider threats and compromised accounts. The following query in your SIEM detects a user accessing sensitive data outside business hours.

index=access_logs user=* | where hour > 18 OR hour < 6 | stats count by user, resource

Deception Technology

Deploy decoys and honeypots to lure attackers. This gives you early warning and intelligence on their tactics. Use the Privilege Escalation Pathfinder to identify attack paths that lead to high-value assets.

Machine Learning for Anomaly Detection

Use machine learning models to detect anomalies in network traffic or user behavior. Train models on your baseline data to identify deviations. The following Python code uses scikit-learn to detect outliers in network traffic.

from sklearn.ensemble import IsolationForest
import numpy as np


X = np.array([[1500], [1500], [1500], [1500], [5000]])
clf = IsolationForest().fit(X)
print(clf.predict(X))

Phase 11: Automation and Orchestration

Automation reduces response time and human error. Orchestrate your tools to work together seamlessly.

SOAR Playbooks for Incident Response

Security Orchestration, Automation, and Response (SOAR) platforms can automate containment and eradication. Create playbooks for common incidents like phishing or ransomware. Use the AI Security Chat to automate incident analysis (requires login).

Automated Evidence Collection

Automate the collection of forensic evidence. When an alert fires, your SOAR playbook should automatically capture a memory dump and disk image.


ssh user@compromised_host "dd if=/dev/mem of=/tmp/memory.dump bs=1M"

Integration with Threat Intelligence Platforms

Automate the ingestion of IoCs from TIPs into your SIEM and EDR. This ensures that new threats are blocked immediately.

Phase 12: Compliance and Legal Considerations

Compliance and legal requirements dictate how you handle data breaches. Failure to comply can result in fines and legal action.

Regulatory Reporting Requirements

Know your reporting obligations. For example, GDPR requires notification within 72 hours of discovering a breach. Document your response timeline to prove compliance.

Data Privacy and Protection

Ensure that forensic analysis does not violate data privacy laws. Anonymize personal data in logs and reports. Use encryption for stored forensic data.

Legal Hold and eDiscovery

Place a legal hold on all evidence related to the incident. This prevents deletion of logs or files that may be needed for litigation. Use your SIEM's retention policies to enforce this.

For more details on incident response, visit our Security Blog and Documentation.

Data Breach Detection & Response: Step-by-Step Protocol