Incident Response Playbook: Responding to Cyber Attacks

Introduction to Incident Response in 2026

Stop treating incident response as a theoretical exercise. In 2026, the kill chain compresses from initial access to encryption or exfiltration in under 18 minutes on average. The "how to respond to a cyber attack" question isn't academic anymore; it's a race against automated malware that pivots faster than human analysts can type. I've watched SOCs fail because they relied on static playbooks while attackers used AI-generated polymorphic payloads. The reality is brutal: if you're not instrumenting your environment for real-time telemetry, you're already compromised. Forget the "assume breach" mantra; assume you're already in the blast radius.

The core problem isn't detection—it's response velocity. Traditional IR cycles take days; modern APTs operate in hours. You need a playbook that's executable, not a PDF. This means integrating toolchains, automating containment, and having pre-staged forensic scripts. I've seen Fortune 500 IR teams spend 48 hours arguing over containment strategy while ransomware encrypted 70% of their backups. The shift in 2026 is toward autonomous response: systems that isolate endpoints without human approval. But that requires trust in your telemetry, which most organizations lack. We'll dissect the mechanics, from memory forensics to protocol-level containment, and provide configs you can deploy today. No fluff, just the raw steps to stay alive.

Preparation: Building Your IR Playbook

Asset Inventory and Mapping

You can't respond to what you don't know exists. Start with comprehensive asset mapping using subdomain discovery to identify shadow IT and forgotten web properties. Run this command to enumerate subdomains passively: subfinder -d yourdomain.com -silent | httpx -status-code -threads 50. Log every IP, service, and dependency. In one engagement, we found a forgotten Jenkins instance exposed to the internet that was the entry point for a supply chain attack. Map your attack surface weekly; automate it with cron jobs. Without this, your playbook is blind.

Next, classify assets by criticality. Use a simple matrix: crown jewels (databases, AD controllers), business-critical (ERP systems), and non-essential (test servers). Tag them in your SIEM with custom fields. For web apps, integrate file upload security checks into your CI/CD pipeline to prevent initial access vectors. This isn't about compliance; it's about knowing where to focus containment efforts when the alert fires at 2 AM.

Playbook Development and Automation

Build playbooks as code, not documents. Use YAML or JSON to define response actions, then execute them via SOAR platforms. Here's a snippet for automated endpoint isolation on detection of suspicious process execution:

playbook: ransomware_containment
triggers:
- event: process_creation
condition: parent_image: "powershell.exe" AND command_line: "Invoke-WebRequest"
actions:
- action: isolate_endpoint
target: "{{host_ip}}"
command: "netsh advfirewall set allprofiles state on && netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound"
- action: snapshot_memory
target: "{{host_ip}}"
command: "winpmem_mini_x64.exe memory.raw"

Test these playbooks quarterly with red team exercises. I've seen teams write perfect playbooks that fail because they didn't account for network segmentation. Integrate platform features for seamless toolchain execution. Opinion: Manual playbooks are obsolete; if you're not automating containment, you're volunteering for breach notification fines.

Toolchain Integration and Telemetry

Your IR stack must include EDR, SIEM, and network taps. Deploy Sysmon with this config to capture process creation and network connections:

powershell


<Image condition="end with">.exe

Forward logs to your SIEM with this rsyslog config: *.* @siem.internal:514. For web apps, use URL discovery to monitor endpoint anomalies. In 2026, telemetry without context is noise; enrich with threat intel feeds. I once audited a SOC that had 10TB of logs but no correlation rules—waste of storage.

Detection: Identifying Cyber Attacks

Anomaly Detection and Baseline Establishment

Detection starts with baselines. Use your SIEM to establish normal behavior for user logins, process executions, and data flows. For example, query Splunk for baseline process creation: index=windows EventCode=4688 | stats count by Image. Deviations trigger alerts. In one case, we detected a lateral movement attempt because a service account started executing mimikatz.exe—an anomaly against its baseline.

Integrate JavaScript reconnaissance for web app detection. Analyze client-side scripts for obfuscation: grep -r "eval(" /var/www/html/. If you find encoded payloads, it's likely a supply chain injection. Opinion: Signature-based detection is dead; behavioral analytics with machine learning models catch 90% of novel attacks, but only if you train them on clean data.

Endpoint and Network Monitoring

Deploy EDR agents with this PowerShell command for silent installation: Invoke-WebRequest -Uri https://edr-agent.internal/install.ps1 -OutFile install.ps1; .\install.ps1 -quiet. Monitor for C2 beacons using network flows. Run tcpdump -i eth0 -w capture.pcap and analyze with Wireshark for DNS exfiltration patterns.

For web attacks, use SSTI payload generator to test detection rules. Inject a test payload: {{7*7}} and verify your WAF logs the attempt. I've seen teams miss server-side template injection because their logs didn't capture request bodies. Network monitoring must include TLS decryption; without it, you're blind to encrypted C2.

Threat Hunting and Proactive Searches

Hunt actively, don't wait for alerts. Use KQL in Azure Sentinel for hunts like: SecurityEvent | where EventID == 4624 | where LogonType == 10 | summarize count by Account. For privilege escalation, integrate privilege escalation pathfinder to map potential paths. Run it against your AD dump: python privesc.py --ad-data ad_dump.json.

In 2026, ransomware trends 2026 show increased use of double extortion—encrypt and threaten data leak. Hunt for data staging: find / -name "*.zip" -mtime -1 2>/dev/null. I once led a hunt that uncovered a APT group using RDP over SSH tunnels; they'd been in for months. Proactive hunts reduce dwell time by 70%.

Initial Response: Triage and Containment

Triage: Prioritizing Alerts

Triage isn't about volume; it's about impact. Use this command to filter SIEM alerts by severity: jq '.alerts[] | select(.severity > 7)' alerts.json. Prioritize based on asset criticality from your inventory. For web incidents, use AI security chat for rapid analysis—log in to query: "Analyze this log for C2 indicators: [paste log]". It accelerates triage by 50%.

In one ransomware case, we triaged 500 alerts in 10 minutes by focusing on encryption processes. Don't chase false positives; validate with this PowerShell snippet: Get-Process | Where-Object {$_.Path -like "*ransom*"} | Select-Object Name, CPU.

Containment Strategies

Contain immediately: isolate the host, block IPs, and revoke sessions. For network containment, use this iptables rule: iptables -A INPUT -s -j DROP. For endpoints, deploy this via EDR: Invoke-Command -ComputerName -ScriptBlock { netsh advfirewall set allprofiles state on }.

Use out-of-band helper for evidence collection without alerting the attacker. Example: python oob_helper.py --collect-logs --target --output forensics.zip. Opinion: Containment should be aggressive—better to over-isolate than let lateral spread. I've seen teams hesitate, costing them the entire subnet.

Evidence Preservation

Preserve volatile data first. Use Volatility for memory analysis: vol.py -f memory.raw --profile=Win10x64 pslist. Capture network state: netstat -anob > netstat.txt. For disk forensics, image with dd if=/dev/sda of=evidence.img bs=4M. Store in a secure, air-gapped location. In 2026, cloud IR requires snapshotting VMs: aws ec2 create-snapshot --volume-id vol-12345.

Eradication: Removing Threats

Root Cause Analysis

Eradication starts with finding the root cause. Use SAST analyzer for code review if the breach originated from a web app. Scan your repo: semgrep --config=auto /path/to/code. For memory dumps, analyze with Volatility: vol.py -f memory.raw --profile=Win10x64 malfind.

I once traced a breach to a compromised CI/CD pipeline; the root cause was a malicious dependency. Run npm audit or pip check routinely. Opinion: Most eradication fails because teams patch symptoms, not causes. If you don't fix the initial vector, attackers return.

Threat Removal and Patching

Remove malware with EDR isolation and AV scans. For persistent threats, delete scheduled tasks: schtasks /delete /tn "MaliciousTask" /f. Patch vulnerabilities using this Ansible playbook:

- hosts: all
tasks:
- name: Apply security patches
apt:
update_cache: yes
upgrade: dist

For web apps, test with DOM XSS analyzer post-eradication: python dom_xss.py --url https://app.internal. In ransomware cases, ensure backups are clean before restoration.

Validation and Hardening

Validate eradication with red team tests. Use payload generator to simulate re-infection: python payload_forge.py --type ransomware --test. Harden systems: disable unnecessary services, enforce least privilege. For JWTs, use JWT token analyzer to check for weak secrets.

Recovery: Restoring Operations

Backup Restoration and Validation

Restore from immutable backups. Use this command to verify backup integrity: sha256sum backup.tar.gz. For cloud backups, test restoration in an isolated environment: aws s3 cp s3://bucket/backup.tar.gz . && tar -xzf backup.tar.gz. In 2026, ransomware trends 2026 include targeting backups; use air-gapped or WORM storage.

Integrate DAST scanner during recovery to scan restored apps: zap-cli quick-scan --self-contained --start-options "-config api.key=12345" https://restored-app.internal. I've seen recovery fail because backups contained the malware—always scan first.

Service Restoration and Monitoring

Bring services online gradually. Monitor with this Prometheus config:

scrape_configs:
- job_name: 'restored_services'
static_configs:
- targets: ['restored-host:9100']

Use HTTP headers checker to validate web app security post-recovery: curl -I https://app.internal | grep -i "X-Frame-Options". Opinion: Recovery isn't done until you've verified no backdoors. Test with full penetration post-restoration.

Post-Recovery Testing

Conduct load testing and security scans. For web apps, use DOM XSS analyzer again. Ensure all logs are retained for 90 days. In one recovery, we found a dormant backdoor during testing—caught it before it reactivated.

Ransomware-Specific Response

Initial Detection and Containment

Ransomware in 2026 uses AI to evade detection. Detect via file entropy analysis: python -c "import math; data=open('suspicious.exe','rb').read(); print(math.sqrt(sum((x-sum(data)/len(data))**2 for x in data)/len(data)))". If entropy > 7.5, it's likely encrypted. Contain by isolating the network segment: ip link set eth0 down.

Use payload generator to test your defenses: python payload_forge.py --type ransomware --simulate. Opinion: Paying ransoms is idiocy; it funds more attacks. I've negotiated with groups—they always demand more.

Decryption and Data Recovery

Never pay; use tools like Emsisoft Decryptor. For custom ransomware, reverse engineer with IDA Pro: idaq64.exe ransomware.exe. Preserve encrypted files for future decryption. In one case, we cracked the encryption by analyzing the key generation algorithm.

Prevention of Re-Infection

Harden against double extortion. Monitor for data exfiltration with DLP rules: index=network dest_ip!=internal | where bytes_out > 1000000. Integrate threat intel on ransomware groups. Post-incident, rotate all credentials and keys.

Insider Threat Detection and Prevention

Behavioral Analytics

Insiders are harder to detect; they have legitimate access. Use UEBA to baseline user behavior: index=auth | stats avg(logon_duration) by user. Flag anomalies like off-hours access. Integrate JWT token analyzer to detect token misuse: python jwt_analyzer.py --token --secret .

In one case, a disgruntled employee exfiltrated data via USB; we caught it with USB device logging. Opinion: MFA doesn't stop insiders; it just adds a step. Monitor data flows, not just logins.

Access Controls and Monitoring

Implement zero-trust: segment networks, enforce just-in-time access. Use this Kubernetes config for pod isolation:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress

For web apps, audit with file upload security to prevent insider uploads of malicious files. Run regular access reviews: aws iam generate-credential-report.

Investigation and Response

When an insider is suspected, preserve evidence without alerting them. Use out-of-band helper for covert collection. Interview discreetly; legal counsel involved early. I've terminated insiders based on log evidence alone—no confession needed.

Communication and Reporting

Internal Communication

During an incident, use a dedicated Slack channel with this webhook config: curl -X POST -H 'Content-type: application/json' --data '{"text":"Containment achieved"}' https://hooks.slack.com/services/.... Keep updates concise: "Triage complete, 3 hosts isolated." Avoid jargon; executives need facts.

External Reporting

For breaches, notify regulators within 72 hours. Use this template for reports: {"incident_id": "IR-2026-001", "affected_systems": ["host1", "host2"], "containment_status": "complete"}. Link to security blog for public disclosure examples. Opinion: Transparency builds trust; hiding breaches erodes it.

Stakeholder Updates

Tailor messages: technical for engineers, business impact for C-suite. Use documentation for playbook references. In one incident, clear communication prevented a stock drop.

Post-Incident Analysis and Lessons Learned

Root Cause and Timeline Reconstruction

Reconstruct the timeline with logs: jq '.events[] | select(.timestamp > "2026-01-01")' audit.log. Use Volatility for memory timeline: vol.py -f memory.raw --profile=Win10x64 timeliner. Identify gaps: Did detection fail? Was containment delayed?

Lessons Learned and Playbook Updates

Update playbooks based on findings. If ransomware evaded detection, add entropy checks. For insider threats, enhance monitoring. Run a tabletop exercise: python tabletop.py --scenario ransomware. Opinion: Most post-incident reports are shelfware; make them actionable with code changes.

Metrics and Improvement

Track MTTD (Mean Time to Detect) and MTTR (Mean Time to Respond). Aim for <1 hour detection, <4 hours containment. Use pricing plans to justify tool investments. In 2026, continuous improvement is non-negotiable; stagnation equals compromise.