Incident Response
Incident response skill for the full lifecycle from initial triage through forensic collection, severity declaration, and escalation routing. This is NOT threat hunting (see threat-detection) or post-incident compliance mapping (see governance/compliance-mapping) — this is about classifying, triaging, and managing declared security incidents.
Overview
What This Skill Does
This skill provides the methodology and tooling for incident triage and response — classifying security events into typed incidents, scoring severity, filtering false positives, determining escalation paths, and initiating forensic evidence collection under chain-of-custody controls.
Distinction from Other Security Skills
| Skill | Focus | Approach |
|---|---|---|
| incident-response (this) | Active incidents | Reactive — classify, escalate, collect evidence |
| threat-detection | Pre-incident hunting | Proactive — find threats before alerts fire |
| cloud-security | Cloud posture assessment | Preventive — IAM, S3, network misconfiguration |
| red-team | Offensive simulation | Offensive — test detection and response capability |
Prerequisites
A security event must be ingested before triage. Events can come from SIEM alerts, EDR detections, threat intel feeds, or user reports. The triage tool accepts JSON event payloads; see the input schema below.
Incident Triage Tool
The tool classifies events, checks false positives, scores severity, determines escalation, and performs forensic pre-analysis.
incident_triage.py

```bash
# Classify an event from JSON file
python3 scripts/incident_triage.py --input event.json --classify --json

# Classify with false positive filtering enabled
python3 scripts/incident_triage.py --input event.json --classify --false-positive-check --json

# Force a severity level for tabletop exercises
python3 scripts/incident_triage.py --input event.json --severity sev1 --json

# Read event from stdin
echo '{"event_type": "ransomware", "host": "prod-db-01", "raw_payload": {}}' | \
    python3 scripts/incident_triage.py --classify --false-positive-check --json
```
Input Event Schema

```json
{
  "event_type": "ransomware",
  "host": "prod-db-01",
  "user": "svc_backup",
  "source_ip": "10.1.2.3",
  "timestamp": "2024-01-15T14:32:00Z",
  "raw_payload": {}
}
```

Exit Codes
| Code | Meaning | Required Response |
|---|---|---|
| 0 | SEV3/SEV4 or clean | Standard ticket-based handling |
| 1 | SEV2 — elevated | 1-hour bridge call, async coordination |
| 2 | SEV1 — critical | Immediate 15-minute war room, all-hands |
Incident Classification
Security events are classified into 14 incident types. Classification drives default severity, MITRE technique mapping, and response SLA.
Incident Taxonomy
| Incident Type | Default Severity | MITRE Technique | Response SLA |
|---|---|---|---|
| ransomware | SEV1 | T1486 | 15 minutes |
| data_exfiltration | SEV1 | T1048 | 15 minutes |
| apt_intrusion | SEV1 | T1566 | 15 minutes |
| supply_chain_compromise | SEV1 | T1195 | 15 minutes |
| domain_controller_breach | SEV1 | T1078.002 | 15 minutes |
| credential_compromise | SEV2 | T1110 | 1 hour |
| lateral_movement | SEV2 | T1021 | 1 hour |
| malware_infection | SEV2 | T1204 | 1 hour |
| insider_threat | SEV2 | T1078 | 1 hour |
| cloud_account_compromise | SEV2 | T1078.004 | 1 hour |
| unauthorized_access | SEV3 | T1190 | 4 hours |
| policy_violation | SEV3 | N/A | 4 hours |
| phishing_attempt | SEV4 | T1566.001 | 24 hours |
| security_alert | SEV4 | N/A | 24 hours |
SEV Escalation Triggers
Any of the following automatically re-declare a higher severity:
| Trigger | New Severity |
|---|---|
| Ransomware note found | SEV1 |
| Active exfiltration confirmed | SEV1 |
| CloudTrail or SIEM disabled | SEV1 |
| Domain controller access confirmed | SEV1 |
| Second system compromised | SEV1 |
| Exfiltration volume exceeds 1 GB | SEV2 minimum |
| C-suite account accessed | SEV2 minimum |
Severity Framework
SEV Level Matrix
| Level | Name | Criteria | Skills Invoked | Escalation Path |
|---|---|---|---|---|
| SEV1 | Critical | Confirmed ransomware; active PII/PHI exfiltration (>10K records); domain controller breach; defense evasion (CloudTrail disabled); supply chain compromise | All skills (parallel) | SOC Lead → CISO → CEO → Board Chair |
| SEV2 | High | Confirmed unauthorized access to sensitive systems; credential compromise with elevated privileges; lateral movement confirmed; ransomware indicators without confirmed execution | triage + containment + forensics | SOC Lead → CISO |
| SEV3 | Medium | Suspected unauthorized access (unconfirmed); malware detected and contained; single account compromise (no priv escalation) | triage + containment | SOC Lead → Security Manager |
| SEV4 | Low | Security alert with no confirmed impact; informational indicator; policy violation with no data risk | triage only | L3 Analyst queue |
False Positive Filtering
The triage tool applies five filters before escalating to prevent false positive inflation.
False Positive Filter Types
| Filter | Description | Example Pattern |
|---|---|---|
| CI/CD agent activity | Known build/deploy agents flagged as anomalies | jenkins, github-actions, circleci, gitlab-runner |
| Test environment tagging | Assets tagged as non-production | test-, staging-, dev-, sandbox- |
| Scheduled job patterns | Expected batch processes triggering alerts | cron, scheduled_task, batch_job, backup_ |
| Whitelisted identities | Explicitly approved service accounts | svc_monitoring, svc_backup, datadog-agent |
| Scanner activity | Known security scanners and vulnerability tools | nessus, qualys, rapid7, aws_inspector |
A confirmed false positive suppresses escalation and logs the suppression reason for audit purposes. Recurring false positives from the same source should be tuned out at the detection layer, not filtered repeatedly at triage. Identity and scheduled-job filters exist to cut SEV3/SEV4 noise, not to grant a free pass: the sample event above is a ransomware detection attributed to svc_backup, a whitelisted account, and a compromised backup service account is a realistic ransomware path, so a filter match must never suppress a default-SEV1 classification.
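The taxonomy, escalation triggers and filters above compose into a single decision function. The following is an added example written for this page, not the skill's own scripts/incident_triage.py: it encodes the page's tables directly and follows the page's exit-code contract. The raw_payload keys it inspects (ransom_note_found, exfil_confirmed, logging_disabled, dc_access_confirmed, hosts_compromised, exfil_bytes, c_suite_account, process) are assumed names, since the real tool's payload schema is not documented here; the rule that a filter match never suppresses a default-SEV1 type, a forced severity or a fired trigger is this example's design choice.

```python
"""Added example for this page, not the skill's scripts/incident_triage.py.
Implements the page's taxonomy, SEV escalation triggers, false-positive filters
and exit-code contract as one triage() function. The raw_payload keys it reads
(ransom_note_found, exfil_confirmed, logging_disabled, dc_access_confirmed,
hosts_compromised, exfil_bytes, c_suite_account, process) are assumed names."""
import json
import sys

# Incident taxonomy from the page: type -> (default severity, MITRE technique, response SLA)
TAXONOMY = {
    "ransomware": ("sev1", "T1486", "15 minutes"), "data_exfiltration": ("sev1", "T1048", "15 minutes"),
    "apt_intrusion": ("sev1", "T1566", "15 minutes"), "supply_chain_compromise": ("sev1", "T1195", "15 minutes"),
    "domain_controller_breach": ("sev1", "T1078.002", "15 minutes"),
    "credential_compromise": ("sev2", "T1110", "1 hour"), "lateral_movement": ("sev2", "T1021", "1 hour"),
    "malware_infection": ("sev2", "T1204", "1 hour"), "insider_threat": ("sev2", "T1078", "1 hour"),
    "cloud_account_compromise": ("sev2", "T1078.004", "1 hour"),
    "unauthorized_access": ("sev3", "T1190", "4 hours"), "policy_violation": ("sev3", None, "4 hours"),
    "phishing_attempt": ("sev4", "T1566.001", "24 hours"), "security_alert": ("sev4", None, "24 hours"),
}
SEV_RANK = {"sev1": 1, "sev2": 2, "sev3": 3, "sev4": 4}
EXIT_CODES = {"sev1": 2, "sev2": 1, "sev3": 0, "sev4": 0}        # page's exit-code table
ESCALATION_PATH = {
    "sev1": "SOC Lead -> CISO -> CEO -> Board Chair",
    "sev2": "SOC Lead -> CISO",
    "sev3": "SOC Lead -> Security Manager",
    "sev4": "L3 Analyst queue",
}
# False-positive filters from the page: name -> (field to inspect, substring patterns)
FP_FILTERS = {
    "ci_cd_agent": ("user", ("jenkins", "github-actions", "circleci", "gitlab-runner")),
    "test_environment": ("host", ("test-", "staging-", "dev-", "sandbox-")),
    "scheduled_job": ("process", ("cron", "scheduled_task", "batch_job", "backup_")),
    "whitelisted_identity": ("user", ("svc_monitoring", "svc_backup", "datadog-agent")),
    "scanner": ("user", ("nessus", "qualys", "rapid7", "aws_inspector")),
}
# SEV1 re-declaration triggers, keyed by the assumed boolean payload field
SEV1_TRIGGERS = {
    "ransom_note_found": "Ransomware note found",
    "exfil_confirmed": "Active exfiltration confirmed",
    "logging_disabled": "CloudTrail or SIEM disabled",
    "dc_access_confirmed": "Domain controller access confirmed",
}


def _more_severe(a, b):
    return a if SEV_RANK[a] <= SEV_RANK[b] else b


def apply_triggers(severity, payload):
    """Re-declare upward per the SEV Escalation Triggers table; never downgrade."""
    checks = [(payload.get(k), label, "sev1") for k, label in SEV1_TRIGGERS.items()] + [
        (payload.get("hosts_compromised", 0) >= 2, "Second system compromised", "sev1"),
        (payload.get("exfil_bytes", 0) > 1_000_000_000, "Exfiltration volume exceeds 1 GB", "sev2"),
        (payload.get("c_suite_account"), "C-suite account accessed", "sev2"),
    ]
    fired = [label for hit, label, _ in checks if hit]
    for hit, _, floor in checks:
        if hit:
            severity = _more_severe(severity, floor)      # floor is a minimum, not a ceiling
    return severity, fired


def false_positive_check(event):
    """Name of the first matching filter, or None; looks in the event, then raw_payload."""
    payload = event.get("raw_payload") or {}
    for name, (field, patterns) in FP_FILTERS.items():
        value = str(event.get(field) or payload.get(field) or "").lower()
        if value and any(p in value for p in patterns):
            return name
    return None


def triage(event, fp_check=False, force_severity=None):
    etype = event.get("event_type")
    if etype not in TAXONOMY:
        raise ValueError(f"unknown event_type: {etype!r}")
    if force_severity is not None and force_severity not in SEV_RANK:
        raise ValueError(f"unknown severity: {force_severity!r}")
    default_sev, technique, sla = TAXONOMY[etype]
    severity, triggers = apply_triggers(force_severity or default_sev, event.get("raw_payload") or {})
    fp_reason = false_positive_check(event) if fp_check else None
    # Design choice of this example: a filter match never suppresses a default-SEV1 type,
    # a forced severity, or an event with a fired trigger. The matched filter is still
    # reported so the analyst can see that a whitelist hit was overridden.
    suppressed = (fp_reason is not None and default_sev != "sev1"
                  and not triggers and force_severity is None)
    return {
        "event_type": etype,
        "mitre_technique": technique,
        "response_sla": sla,
        "severity": severity,
        "escalation_triggers": triggers,
        "false_positive_flag": suppressed,
        "false_positive_reason": fp_reason,
        "escalation_path": None if suppressed else ESCALATION_PATH[severity],
        "exit_code": 0 if suppressed else EXIT_CODES[severity],
    }


if __name__ == "__main__":
    # Same contract as the CLI: JSON event on stdin, verdict on stdout, exit code
    # 0 = SEV3/SEV4 or clean, 1 = SEV2, 2 = SEV1, so a pipeline can branch on $?.
    verdict = triage(json.load(sys.stdin), fp_check="--false-positive-check" in sys.argv)
    print(json.dumps(verdict, indent=2))
    sys.exit(verdict["exit_code"])
```

Feeding the page's sample ransomware event through this with the false-positive check enabled returns sev1 with exit code 2 and false_positive_reason set to whitelisted_identity but false_positive_flag false, which is the audit trail you want: the whitelist matched, and the triage still paged.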
Forensic Evidence Collection
Evidence collection follows the DFRWS six-phase framework and the principle of volatile-first acquisition.
DFRWS Six Phases
| Phase | Activity | Priority |
|---|---|---|
| Identification | Identify what evidence exists and where | Immediate |
| Preservation | Prevent modification — write-block, snapshot, legal hold | Immediate |
| Collection | Acquire evidence in order of volatility | Immediate |
| Examination | Technical analysis of collected evidence | Within 2 hours |
| Analysis | Interpret findings in investigative context | Within 4 hours |
| Presentation | Produce findings report with chain of custody | Before incident closure |
Volatile Evidence — Collect First
- Live memory (RAM dump) — lost on reboot
- Running processes and open network connections (ps, netstat)
- Logged-in users and active sessions
- System uptime and current time (for timeline anchoring)
- Environment variables and loaded kernel modules
Chain of Custody Requirements
Every evidence item must be recorded with:
- SHA-256 hash at acquisition time
- Acquisition timestamp in UTC with timezone offset
- Tool provenance (FTK Imager, Volatility, dd, AWS CloudTrail export)
- Investigator identity
- Transfer log (who had custody and when)
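As an added example of the custody record above (not the skill's tooling), the ledger below hashes each item at acquisition, stamps it in UTC with an explicit offset, records tool and investigator, and re-hashes on every hand-off so that a mismatch is caught at transfer time rather than during a regulatory review. It also sorts recorded items most-volatile-first so the collection order can be checked against the page's rule. The incident ID, hostnames, file contents and tool names in demo() are constructed for this example.

```python
"""Added example, not the skill's tooling: a chain-of-custody ledger with SHA-256 at
acquisition, UTC timestamps with offset, tool provenance, investigator identity and a
transfer log that re-verifies the hash on every hand-off. All data in demo() is constructed."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Most volatile first, following the page's volatile-first acquisition rule
VOLATILITY_ORDER = ["memory", "process_list", "network_connections", "sessions",
                    "uptime_clock", "env_kernel_modules", "disk_image", "logs"]


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so a multi-GB memory image never has to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def utc_now():
    """ISO-8601 UTC timestamp with an explicit +00:00 offset, as the page requires."""
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


class CustodyLedger:
    def __init__(self, incident_id):
        self.incident_id = incident_id
        self.items = []

    def acquire(self, path, kind, tool, investigator, source_host):
        """Record an item at acquisition; the hash taken here is the reference forever after."""
        item = {
            "evidence_id": f"{self.incident_id}-E{len(self.items) + 1:03d}",
            "kind": kind, "source_host": source_host, "path": str(path),
            "sha256": sha256_file(path), "acquired_at": utc_now(),
            "tool": tool, "investigator": investigator,
            "transfers": [{"from": None, "to": investigator, "at": utc_now(), "hash_ok": True}],
        }
        self.items.append(item)
        return item

    def transfer(self, evidence_id, to, hand_off_by):
        """Log a custody hand-off; re-hash and refuse if the item no longer matches."""
        item = next(i for i in self.items if i["evidence_id"] == evidence_id)
        current = sha256_file(item["path"])
        ok = current == item["sha256"]
        # The failed hand-off is logged too: the break in the chain is itself evidence.
        item["transfers"].append({"from": hand_off_by, "to": to, "at": utc_now(), "hash_ok": ok})
        if not ok:
            raise RuntimeError(f"{evidence_id}: hash mismatch on transfer to {to}")
        return item

    def collection_order(self):
        """Items sorted most-volatile-first: the order acquisition should have followed."""
        return sorted(self.items, key=lambda i: VOLATILITY_ORDER.index(i["kind"]))

    def export(self):
        return json.dumps({"incident_id": self.incident_id, "items": self.items}, indent=2)


def demo():
    """Constructed walkthrough: acquire two items, hand one off, then detect tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        mem = Path(tmp) / "prod-db-01.mem"
        mem.write_bytes(b"\x00" * 4096)                       # stand-in for a RAM image
        log = Path(tmp) / "auth.log"
        log.write_text("Jan 15 14:32:00 prod-db-01 sshd[4242]: Accepted password for svc_backup\n")
        ledger = CustodyLedger("INC-2024-0115")
        ledger.acquire(log, "logs", "rsync", "analyst.a", "prod-db-01")
        mem_item = ledger.acquire(mem, "memory", "dd", "analyst.a", "prod-db-01")
        ledger.transfer(mem_item["evidence_id"], to="forensics.lab", hand_off_by="analyst.a")
        mem.write_bytes(b"\x01" + b"\x00" * 4095)             # simulate post-acquisition tampering
        try:
            ledger.transfer(mem_item["evidence_id"], to="legal", hand_off_by="forensics.lab")
            tampering_detected = False
        except RuntimeError:
            tampering_detected = True
    return ledger, tampering_detected
```

The export is the artifact that accompanies the Presentation phase; the transfer list on each item is the transfer log the page asks for, with the failed hand-off preserved rather than silently dropped.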
Escalation Paths
By Severity
| Severity | Immediate Contact | Bridge Call | External Notification |
|---|---|---|---|
| SEV1 | SOC Lead + CISO (15 min) | Immediate war room | Legal + PR standby; regulatory notification per deadline table |
| SEV2 | SOC Lead (30 min async) | 1-hour bridge | Legal notification if PII involved |
| SEV3 | Security Manager (4 hours) | Async only | None unless scope expands |
| SEV4 | L3 Analyst queue (24 hours) | None | None |
By Incident Type
| Incident Type | Primary Escalation | Secondary |
|---|---|---|
| Ransomware / APT | CISO + CEO | Board if data at risk |
| PII/PHI breach | Legal + CISO | Regulatory body (per deadline table) |
| Cloud account compromise | Cloud security team | CISO |
| Insider threat | HR + Legal + CISO | Law enforcement if criminal |
| Supply chain | CISO + Vendor management | Board |
Regulatory Notification Obligations
The notification clock starts at discovery, which is the moment the incident is declared, not at investigation completion.
| Framework | Incident Type | Deadline | Penalty |
|---|---|---|---|
| GDPR (EU 2016/679) | Personal data breach | 72 hours after discovery | Up to 4% global revenue |
| PCI-DSS v4.0 | Cardholder data breach | 24 hours to acquirer | Card brand fines |
| HIPAA (45 CFR 164) | PHI breach (500 or more individuals) | 60 days after discovery | Up to $1.9M per violation category |
| NY DFS 23 NYCRR 500 | Cybersecurity event | 72 hours to DFS | Regulatory sanctions |
| SEC cyber disclosure rules (Form 8-K Item 1.05; 17 CFR 229.106) | Material cybersecurity incident | 4 business days after materiality determination | SEC enforcement |
| CCPA / CPRA | Breach of sensitive PI | Without unreasonable delay | AG enforcement; private right of action |
| NIS2 (EU 2022/2555) | Significant incident (essential services) | 24-hour early warning; 72-hour notification | National authority sanctions |
Operational rule: If scope is unclear at declaration, assume the most restrictive applicable deadline and confirm scope within the first response window.
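The operational rule can be made mechanical: compute each applicable deadline from the declaration time and take the earliest, and when scope is unclear, compute as if every framework applied. The following is an added example, not the contents of references/regulatory-deadlines.md; the scope keys (eu_personal_data, card_data, phi_individuals, ny_dfs_regulated, sec_material, materiality_determined_at, ca_residents, nis2_essential) and the Mon-Fri business-day calendar with no holidays are assumptions of this example.

```python
"""Added example, not from the page's references/regulatory-deadlines.md: derive concrete
notification deadlines from the declaration time and the known scope, earliest first.
Scope keys and the Mon-Fri, no-holiday business-day calendar are assumptions."""
from datetime import datetime, timedelta, timezone

FAR_FUTURE = datetime.max.replace(tzinfo=timezone.utc)   # sort key for "no fixed deadline"
ALL_FLAGS = ("eu_personal_data", "card_data", "ny_dfs_regulated",
             "sec_material", "ca_residents", "nis2_essential")


def add_business_days(start, days):
    """Advance `days` Mon-Fri business days (no holiday calendar; an assumption)."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days -= 1
    return current


def applicable_deadlines(declared_at, scope):
    """Return [(framework, deadline or None)] for the frameworks the scope triggers."""
    out = []
    if scope.get("eu_personal_data"):
        out.append(("GDPR Art. 33 supervisory authority", declared_at + timedelta(hours=72)))
    if scope.get("card_data"):
        out.append(("PCI-DSS acquirer", declared_at + timedelta(hours=24)))
    if scope.get("phi_individuals", 0) >= 500:          # 45 CFR 164.408: 500 or more individuals
        out.append(("HIPAA HHS/OCR", declared_at + timedelta(days=60)))
    if scope.get("ny_dfs_regulated"):
        out.append(("NY DFS", declared_at + timedelta(hours=72)))
    if scope.get("sec_material"):
        # This clock runs from the materiality determination, not from declaration
        start = scope.get("materiality_determined_at") or declared_at
        out.append(("SEC Form 8-K Item 1.05", add_business_days(start, 4)))
    if scope.get("ca_residents"):
        out.append(("CCPA/CPRA (without unreasonable delay)", None))
    if scope.get("nis2_essential"):
        out.append(("NIS2 early warning", declared_at + timedelta(hours=24)))
        out.append(("NIS2 incident notification", declared_at + timedelta(hours=72)))
    return sorted(out, key=lambda d: d[1] or FAR_FUTURE)


def notification_plan(declared_at, scope, scope_unclear=False):
    """Earliest applicable deadline first; unclear scope assumes every framework applies."""
    if scope_unclear:
        # Operational rule: unknown facts are assumed true; known facts keep their value
        scope = {**{k: True for k in ALL_FLAGS}, "phi_individuals": 500, **scope}
    deadlines = applicable_deadlines(declared_at, scope)
    timed = [(name, dl) for name, dl in deadlines if dl is not None]
    first = timed[0] if timed else None
    return {
        "declared_at": declared_at.isoformat(),
        "first_deadline": first[0] if first else None,
        "first_deadline_at": first[1].isoformat() if first else None,
        "hours_to_first": (first[1] - declared_at).total_seconds() / 3600 if first else None,
        "all": [(n, d.isoformat() if d else "without unreasonable delay") for n, d in deadlines],
    }


def demo():
    """Constructed scenario at the page's sample timestamp (a Monday)."""
    declared = datetime(2024, 1, 15, 14, 32, tzinfo=timezone.utc)
    known = notification_plan(declared, {"eu_personal_data": True, "sec_material": True})
    unclear = notification_plan(declared, {"eu_personal_data": True}, scope_unclear=True)
    return known, unclear
```

With only GDPR and SEC scope known, the first deadline is the 72-hour GDPR window; with scope unclear, the plan collapses to 24 hours (PCI acquirer and NIS2 early warning), which is the window the first response cycle has to confirm or rule out.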
Full deadline reference:
references/regulatory-deadlines.md

Workflows
Workflow 1: Quick Triage (15 Minutes)
For a single alert requiring classification before the escalation decision:

```bash
# 1. Classify the event with false positive filtering
python3 scripts/incident_triage.py --input alert.json \
    --classify --false-positive-check --json

# 2. Review severity, escalation_path, and false_positive_flag in the output
# 3. If severity = sev1 or sev2, page the SOC Lead immediately
# 4. If false_positive_flag = true, document and close
```

**Decision**: Exit code 2 = SEV1 war room now. Exit code 1 = SEV2: page the SOC Lead within 30 minutes and open the bridge call within 1 hour.

Workflow 2: Full Incident Response (SEV1)
T+0 Detection arrives (SIEM alert, EDR, user report)
T+5 Classify with incident_triage.py --classify --false-positive-check
T+10 If SEV1: page CISO, open war room, start regulatory clock
T+15 Initiate forensic collection (volatile evidence first)
T+15 Containment assessment (parallel with forensics)
T+30 Human approval gate for any containment action
T+45 Execute approved containment
T+60 Assess containment effectiveness, brief Legal if PII/PHI scope
T+4h Final forensic evidence package, dwell time estimate
T+8h Eradication and recovery plan
T+24h NIS2 early warning and PCI acquirer notification, if those frameworks apply (see deadline table)
T+72h Regulatory notification submission (if GDPR/NIS2 triggered)

```bash
# Full classification with forensic context
python3 scripts/incident_triage.py --input incident.json \
    --classify --false-positive-check --severity sev1 --json > incident_triage_output.json

# Forensic pre-analysis
python3 scripts/incident_triage.py --input incident.json --json | \
    jq '.forensic_findings, .chain_of_custody_steps'
```

Workflow 3: Tabletop Exercise Simulation
Simulate incidents at specific severity levels without real events:

```bash
# Simulate SEV1 ransomware incident
echo '{"event_type": "ransomware", "host": "prod-db-01", "user": "svc_backup"}' | \
    python3 scripts/incident_triage.py --classify --severity sev1 --json

# Simulate SEV2 credential compromise
echo '{"event_type": "credential_compromise", "user": "admin_user", "source_ip": "203.0.113.5"}' | \
    python3 scripts/incident_triage.py --classify --false-positive-check --json

# Verify escalation paths across incident types (extend the list to cover all 14)
for type in ransomware data_exfiltration credential_compromise lateral_movement; do
    echo "{\"event_type\": \"$type\"}" | python3 scripts/incident_triage.py --classify --json
done
```

---
- Starting the notification clock at investigation completion — Regulatory clocks (GDPR 72 hours, PCI 24 hours) start at discovery, not investigation completion. Declaring late exposes the organization to maximum penalties even if the incident itself was minor.
- Containing before collecting volatile evidence — Rebooting or isolating a system destroys RAM, running processes, and active connections. Forensic collection of volatile evidence must happen before or in parallel with containment, never after.
- Skipping false positive verification before escalation — Escalating every alert to SEV1 degrades SOC credibility and causes alert fatigue. Always run false positive filters before paging the CISO.
- Undocumented incident command decisions — Every decision made during a SEV1, including decisions made under uncertainty, must be logged in the evidence chain with timestamp and rationale. Undocumented decisions cannot be defended in regulatory investigations.
- Treating incident closure as investigation completion — Incidents are closed when eradication and recovery are complete, not when the investigation is done. The forensic report and regulatory submissions may continue after operational closure.
- Single-source classification — Classifying an incident from a single data source (one SIEM alert) without corroborating evidence frequently leads to misclassification. Collect at least two independent signals before declaring SEV1.
- Bypassing human approval gates for containment — Automated containment actions (network isolation, credential revocation) taken without human approval can cause production outages, destroy evidence, and create liability. Human approval is non-negotiable for all mutating containment actions.
Cross-References
| Skill | Relationship |
|---|---|
| threat-detection | Confirmed hunting findings escalate to incident-response for triage and classification |
| cloud-security | Cloud posture findings (IAM compromise, S3 exposure) may trigger incident classification |
| red-team | Red team findings validate detection coverage; confirmed gaps become hunting hypotheses |
| security-pen-testing | Pen test vulnerabilities exploited in the wild escalate to incident-response for active incident handling |