responding-to-security-incidents

# Responding To Security Incidents

## Overview

Guide the full NIST SP 800-61 incident response lifecycle: detection, containment, eradication, recovery, and post-incident analysis. Classify incidents by type (ransomware, data breach, DDoS, credential compromise, insider threat) and severity, then coordinate evidence preservation, threat containment, and root-cause investigation.

## Prerequisites

- System and application logs accessible in `${CLAUDE_SKILL_DIR}/logs/` (auth logs, web server logs, database access logs)
- Network traffic captures (PCAP) or SIEM alert exports available
- Incident response team contact information and escalation paths documented
- Backup systems operational and recovery procedures tested
- Write permissions for incident documentation in `${CLAUDE_SKILL_DIR}/incidents/`
- Forensic tools available: Volatility (memory), Autopsy/FTK Imager (disk), tcpdump/Wireshark (network)

## Instructions

1. **Classify the incident**: determine type (ransomware, data breach, DDoS, phishing, insider threat), assign severity (Critical/High/Medium/Low), and record initial detection timestamp and method.
2. **Scope affected systems**: identify all compromised hosts, user accounts, data stores, and network segments. Map the blast radius.
3. **Preserve evidence before any changes**: capture memory dumps (`volatility -f memdump.raw imageinfo`), create disk images, export running process lists (`ps auxf`), and snapshot network connection state (`ss -tulnp`).
4. **Collect log evidence**: gather authentication logs (successful and failed), application error logs, firewall/IDS alerts, DNS query logs, and proxy server logs. Store originals in `${CLAUDE_SKILL_DIR}/incidents/evidence/`.
5. **Contain the threat**: isolate affected systems from the network, disable compromised accounts, block malicious IPs at the firewall, and revoke compromised API keys or tokens.
6. **Investigate and reconstruct timeline**: identify initial access vector, map lateral movement, determine data exfiltration scope, locate persistence mechanisms (cron jobs, startup scripts, web shells), and document all IOCs (IPs, hashes, domains, file paths).
7. **Eradicate the threat**: remove malware and backdoors, patch exploited vulnerabilities, reset all potentially compromised credentials, and update firewall rules.
8. **Recover operations**: restore from verified clean backups, rebuild compromised systems from hardened images, validate system integrity, and monitor for reinfection with heightened alerting.
9. **Document the incident**: produce a comprehensive report at `${CLAUDE_SKILL_DIR}/incidents/incident-YYYYMMDD-HHMM.md` containing executive summary, detailed timeline, root cause analysis, IOC list, and lessons learned.
10. **Create remediation backlog**: list all follow-up actions (patch gaps, monitoring improvements, policy changes) with owners and deadlines.

See `${CLAUDE_SKILL_DIR}/references/implementation.md` for the seven-phase implementation workflow.

## Output

- **Incident Report**: `${CLAUDE_SKILL_DIR}/incidents/incident-YYYYMMDD-HHMM.md` with timeline, root cause, IOCs, and impact assessment
- **IOC List**: machine-readable indicators (IP addresses, file hashes, domains, YARA rules)
- **After-Action Review**: lessons learned, process gaps, and recommended improvements
- **Remediation Backlog**: prioritized follow-up tasks with owners and deadlines

## Error Handling

| Error | Cause | Solution |
|-------|-------|----------|
| Critical logs missing from `${CLAUDE_SKILL_DIR}/logs/` | Log rotation, deletion, or attacker tampering | Work with available data; note gaps; improve logging retention for future incidents |
| System state modified before evidence collection | First responder made changes before forensic capture | Document contamination; collect remaining evidence; prioritize network and SIEM logs |
| Attacker still has active access during investigation | Ongoing compromise detected | Prioritize containment over investigation; implement emergency network isolation |
| Permission denied accessing system memory | Insufficient forensic tool privileges | Escalate to obtain root/admin access; fall back to available log and network data |
| Backups encrypted or corrupted by ransomware | Attacker targeted backup infrastructure | Identify offline/air-gapped backups; assess rebuild-from-scratch feasibility |

## Examples

- "Credential stuffing detected. Use logs in `${CLAUDE_SKILL_DIR}/logs/` to triage the incident, scope affected accounts, and propose containment steps."
- "Create an incident response plan for a suspected data breach: list evidence to collect, containment actions, and notification requirements."
- "Investigate a web shell found at `/var/www/html/uploads/cmd.php`. Trace the initial access vector, identify persistence mechanisms, and produce an IOC list."

## Resources

- NIST SP 800-61r2 Computer Security Incident Handling Guide: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
- SANS Incident Handler's Handbook: https://www.sans.org/white-papers/33901/
- CISA Incident Response Guide: https://www.cisa.gov/incident-response
- Volatility Framework (memory forensics): https://www.volatilityfoundation.org/
- Autopsy (disk forensics): https://www.autopsy.com/
- `${CLAUDE_SKILL_DIR}/references/errors.md` -- full error handling reference
- `${CLAUDE_SKILL_DIR}/references/examples.md` -- additional usage examples
- https://intentsolutions.io