incident-response


Incident Response


Handle security incidents effectively with structured response procedures.

When to Use This Skill


Use this skill when:
  • Responding to an active security incident (breach, malware, unauthorized access)
  • Building incident response playbooks and runbooks
  • Conducting IR tabletop exercises and drills
  • Setting up evidence collection and forensic capabilities
  • Establishing communication protocols for security events
  • Performing post-incident reviews and process improvements

Prerequisites


  • IR team roster with on-call rotation and escalation paths
  • Secure communication channel (separate from production systems)
  • Forensic workstation with analysis tools installed
  • Evidence storage with chain-of-custody controls
  • Legal counsel contact information
  • Pre-authorized incident response actions documented

Incident Response Phases


```yaml
phases:
  1_preparation:
    - IR team roster and 24/7 contact info
    - Tools and privileged access ready
    - Playbooks documented and tested
    - Evidence collection kit prepared
    - Communication templates drafted

  2_detection:
    - Alert triage and validation
    - Initial assessment and scoping
    - Severity classification
    - Incident ticket creation

  3_containment:
    - Short-term containment (stop bleeding)
    - Evidence preservation (before changes)
    - System isolation (network/host level)
    - Credential rotation if needed

  4_eradication:
    - Root cause analysis
    - Remove threat actor access
    - Patch exploited vulnerabilities
    - Clean compromised systems

  5_recovery:
    - System restoration from clean backups
    - Enhanced monitoring deployment
    - Phased return to production
    - Business continuity verification

  6_lessons_learned:
    - Post-incident review (within 72 hours)
    - Timeline reconstruction
    - Documentation update
    - Process and detection improvements
```

Severity Classification


| Level | Impact | Response Time | Examples |
|---|---|---|---|
| Critical (P1) | Active data breach, full outage, ransomware | Immediate (< 15 min) | Data exfiltration in progress, ransomware spreading |
| High (P2) | Service degraded, potential breach | < 1 hour | Unauthorized admin access, malware detected |
| Medium (P3) | Limited impact, contained | < 4 hours | Phishing compromise (single user), policy violation |
| Low (P4) | Minimal impact | Next business day | Failed brute force, blocked scanning activity |

Evidence Collection Scripts


Linux Evidence Collection


```bash
#!/bin/bash
# linux-evidence-collect.sh - Collect forensic evidence from a Linux host
# Run with sudo. Preserves evidence with timestamps and hashes.
#
# Caveats: this is live-response triage, not a forensic image. Every command
# runs on the suspect host, so ps/ss/lsof may be subverted by a rootkit;
# cross-check against an offline disk image. Write EVIDENCE_DIR to external
# media or a mounted share where possible so the collection does not overwrite
# unallocated space on the suspect disk. Capture memory first (memory-capture.sh):
# everything below perturbs volatile state.
set -euo pipefail

EVIDENCE_DIR="/evidence/$(hostname)-$(date +%Y%m%d-%H%M%S)"
mkdir -p "$EVIDENCE_DIR"
LOGFILE="$EVIDENCE_DIR/collection.log"

log() { echo "[$(date -u +%Y-%m-%dT%H:%M:%SZ)] $*" | tee -a "$LOGFILE"; }

log "Starting evidence collection on $(hostname)"
log "Collector: $(whoami)"
log "System time: $(date -u)"

# System information
log "Collecting system information..."
uname -a > "$EVIDENCE_DIR/uname.txt"
cat /etc/os-release > "$EVIDENCE_DIR/os-release.txt"
uptime > "$EVIDENCE_DIR/uptime.txt"
date -u > "$EVIDENCE_DIR/system-time.txt"

# Running processes (full command line)
log "Collecting process list..."
ps auxwwf > "$EVIDENCE_DIR/processes.txt"
ps -eo pid,ppid,user,args --sort=-pcpu > "$EVIDENCE_DIR/processes-by-cpu.txt"

# Network connections
log "Collecting network state..."
ss -tulnp > "$EVIDENCE_DIR/listening-ports.txt"
ss -anp > "$EVIDENCE_DIR/all-connections.txt"
ip addr show > "$EVIDENCE_DIR/ip-addresses.txt"
ip route show > "$EVIDENCE_DIR/routes.txt"
iptables -L -n -v > "$EVIDENCE_DIR/iptables.txt" 2>&1 || true
cat /etc/resolv.conf > "$EVIDENCE_DIR/dns-config.txt"

# User activity
log "Collecting user activity..."
last -a > "$EVIDENCE_DIR/login-history.txt"
lastb > "$EVIDENCE_DIR/failed-logins.txt" 2>&1 || true
who > "$EVIDENCE_DIR/currently-logged-in.txt"
w > "$EVIDENCE_DIR/user-activity.txt"
cat /etc/passwd > "$EVIDENCE_DIR/passwd.txt"
# /etc/shadow holds password hashes: the evidence store must be access-controlled
cat /etc/shadow > "$EVIDENCE_DIR/shadow.txt" 2>/dev/null || true
cat /etc/group > "$EVIDENCE_DIR/group.txt"

# Scheduled tasks: header before each user's crontab; users without one are skipped
log "Collecting scheduled tasks..."
for user in $(cut -f1 -d: /etc/passwd); do
    if out=$(crontab -u "$user" -l 2>/dev/null); then
        { echo "--- $user ---"; echo "$out"; } >> "$EVIDENCE_DIR/crontabs.txt"
    fi
done
ls -la /etc/cron.* > "$EVIDENCE_DIR/cron-dirs.txt" 2>&1 || true

# File system state (find exits non-zero on unreadable paths; do not abort on that)
log "Collecting filesystem state..."
find /tmp /var/tmp /dev/shm -type f -ls > "$EVIDENCE_DIR/temp-files.txt" 2>/dev/null || true
find / -xdev -name "*.sh" -mtime -7 -ls > "$EVIDENCE_DIR/recent-scripts.txt" 2>/dev/null || true
find / -xdev -perm -4000 -type f -ls > "$EVIDENCE_DIR/suid-files.txt" 2>/dev/null || true
find /home /root -name ".*history" -ls > "$EVIDENCE_DIR/history-files.txt" 2>/dev/null || true

# Loaded kernel modules
log "Collecting kernel modules..."
lsmod > "$EVIDENCE_DIR/kernel-modules.txt"

# Open files
log "Collecting open files..."
lsof -n > "$EVIDENCE_DIR/open-files.txt" 2>/dev/null || true

# Systemd services and timers (timers are a common persistence mechanism)
log "Collecting service state..."
systemctl list-units --type=service --all > "$EVIDENCE_DIR/services.txt"
systemctl list-timers --all > "$EVIDENCE_DIR/timers.txt"

# Log preservation (tar returns 1 if a log changes while being read; keep going)
log "Preserving system logs..."
tar czf "$EVIDENCE_DIR/var-log.tar.gz" /var/log/ 2>/dev/null || true

# Docker containers (if present)
if command -v docker &>/dev/null; then
    log "Collecting Docker state..."
    docker ps -a > "$EVIDENCE_DIR/docker-containers.txt" 2>&1 || true
    docker images > "$EVIDENCE_DIR/docker-images.txt" 2>&1 || true
    docker network ls > "$EVIDENCE_DIR/docker-networks.txt" 2>&1 || true
fi

# Kubernetes (if kubectl available)
if command -v kubectl &>/dev/null; then
    log "Collecting Kubernetes state..."
    kubectl get pods --all-namespaces > "$EVIDENCE_DIR/k8s-pods.txt" 2>/dev/null || true
    kubectl get events --all-namespaces --sort-by=.lastTimestamp > "$EVIDENCE_DIR/k8s-events.txt" 2>/dev/null || true
fi

# Hash all evidence files LAST, after the final log line, so collection.log is
# covered by the manifest too. Paths are relative so "sha256sum -c" works after
# the directory is copied to the evidence store; the manifest excludes itself.
log "Evidence collection complete: $EVIDENCE_DIR"
( cd "$EVIDENCE_DIR" && find . -type f ! -name checksums.sha256 -exec sha256sum {} \; > checksums.sha256 )
echo "Total files collected: $(find "$EVIDENCE_DIR" -type f | wc -l)"
echo "Manifest: $EVIDENCE_DIR/checksums.sha256 (verify with: cd $EVIDENCE_DIR && sha256sum -c checksums.sha256)"
```

Memory Acquisition


```bash
#!/bin/bash
# memory-capture.sh - Capture volatile memory for forensic analysis
# Run as root, BEFORE any other collection or containment on the host: memory is
# the most volatile evidence and every later command perturbs it.
set -uo pipefail

EVIDENCE_DIR="/evidence/memory-$(hostname)-$(date +%Y%m%d-%H%M%S)"
mkdir -p "$EVIDENCE_DIR"

# Using LiME (Linux Memory Extractor). The module must be built for the exact
# running kernel, so build it ahead of time and stage it in the IR kit; never
# install a compiler on the suspect host. LiME can also stream to the forensic
# workstation (path=tcp:PORT) so nothing is written to the suspect disk.
LIME_KO="/lib/modules/$(uname -r)/extra/lime.ko"
if [ -f "$LIME_KO" ]; then
    insmod "$LIME_KO" "path=$EVIDENCE_DIR/memory.lime format=lime"
    rmmod lime
    echo "Memory captured with LiME: $EVIDENCE_DIR/memory.lime"
else
    # Alternative: /proc/kcore (partial, but always available). It is an ELF
    # view of kernel virtual memory, not a physical RAM image, and its reported
    # size can be enormous, so a plain cp may fill the disk or fail; a userland
    # acquisition tool that understands the kcore layout (e.g. AVML) is preferable.
    echo "No LiME module for $(uname -r); falling back to /proc/kcore"
    cp /proc/kcore "$EVIDENCE_DIR/kcore" 2>/dev/null || echo "kcore copy incomplete"
fi

# Capture /proc/meminfo for context (MemTotal lets you sanity-check the dump size)
cat /proc/meminfo > "$EVIDENCE_DIR/meminfo.txt"
# Kernel version is needed to build the symbol table/profile for memory analysis
uname -a > "$EVIDENCE_DIR/uname.txt"

# Hash the memory dump and context files (the manifest excludes itself)
( cd "$EVIDENCE_DIR" && find . -type f ! -name checksums.sha256 -exec sha256sum {} \; > checksums.sha256 )
echo "Memory evidence and checksums in $EVIDENCE_DIR"
```

AWS Evidence Collection


```bash
#!/bin/bash
# aws-evidence-collect.sh - Collect evidence from compromised AWS resources
# Run from the forensic workstation with an IR role that has ec2:Describe*,
# ec2:CreateSnapshot, ec2:CreateTags, ec2:ModifyInstanceAttribute,
# ec2:CreateSecurityGroup, ec2:RevokeSecurityGroupEgress, cloudtrail:LookupEvents
# and write access to the evidence bucket. Never run it from the suspect instance.
set -euo pipefail

INCIDENT_ID="${1:?Usage: $0 <incident-id> <instance-id>}"
INSTANCE_ID="${2:?Usage: $0 <incident-id> <instance-id>}"
AWS_ACCOUNT_ID="${AWS_ACCOUNT_ID:-$(aws sts get-caller-identity --query Account --output text)}"
EVIDENCE_BUCKET="s3://incident-evidence-${AWS_ACCOUNT_ID}"
EVIDENCE_PREFIX="${INCIDENT_ID}/$(date +%Y%m%d-%H%M%S)"
WORKDIR="$(mktemp -d)"

echo "=== AWS Evidence Collection ==="
echo "Incident: $INCIDENT_ID"
echo "Instance: $INSTANCE_ID"

# Protect the instance from termination (by the attacker or by autoscaling) while it is evidence
aws ec2 modify-instance-attribute --instance-id "$INSTANCE_ID" --disable-api-termination

# Snapshot EBS volumes
echo "Creating EBS snapshots..."
VOLUMES=$(aws ec2 describe-volumes \
    --filters "Name=attachment.instance-id,Values=${INSTANCE_ID}" \
    --query 'Volumes[].VolumeId' --output text)
for vol in $VOLUMES; do
    SNAP_ID=$(aws ec2 create-snapshot \
        --volume-id "$vol" \
        --description "IR Evidence - ${INCIDENT_ID} - ${vol}" \
        --tag-specifications "ResourceType=snapshot,Tags=[{Key=IncidentId,Value=${INCIDENT_ID}},{Key=Purpose,Value=forensic-evidence}]" \
        --query 'SnapshotId' --output text)
    echo "  Snapshot created: $SNAP_ID for volume $vol"
done

# Capture instance metadata
echo "Capturing instance metadata..."
aws ec2 describe-instances --instance-ids "$INSTANCE_ID" \
    > "${WORKDIR}/instance-describe.json"
aws s3 cp "${WORKDIR}/instance-describe.json" \
    "${EVIDENCE_BUCKET}/${EVIDENCE_PREFIX}/instance-describe.json"

# Capture security group rules
SG_IDS=$(aws ec2 describe-instances --instance-ids "$INSTANCE_ID" \
    --query 'Reservations[].Instances[].SecurityGroups[].GroupId' --output text)
for sg in $SG_IDS; do
    aws ec2 describe-security-group-rules --filters "Name=group-id,Values=${sg}" \
        > "${WORKDIR}/sg-${sg}.json"
    aws s3 cp "${WORKDIR}/sg-${sg}.json" \
        "${EVIDENCE_BUCKET}/${EVIDENCE_PREFIX}/sg-${sg}.json"
done

# Collect CloudTrail events for the instance. lookup-events only returns the
# last 90 days of management events; for data events or older history, query
# the trail's S3 bucket or CloudTrail Lake.
echo "Collecting CloudTrail events..."
aws cloudtrail lookup-events \
    --lookup-attributes "AttributeKey=ResourceName,AttributeValue=${INSTANCE_ID}" \
    --start-time "$(date -d '7 days ago' -u +%Y-%m-%dT%H:%M:%SZ)" \
    > "${WORKDIR}/cloudtrail.json"
aws s3 cp "${WORKDIR}/cloudtrail.json" \
    "${EVIDENCE_BUCKET}/${EVIDENCE_PREFIX}/cloudtrail.json"

# Collect VPC flow log configuration for the primary ENI. This records WHERE the
# flow logs are delivered (CloudWatch Logs or S3); pull the flow records from there.
echo "Collecting VPC flow log configuration..."
ENI_ID=$(aws ec2 describe-instances --instance-ids "$INSTANCE_ID" \
    --query 'Reservations[].Instances[].NetworkInterfaces[0].NetworkInterfaceId' --output text)
aws ec2 describe-flow-logs --filter "Name=resource-id,Values=${ENI_ID}" \
    > "${WORKDIR}/flow-logs-config.json"
aws s3 cp "${WORKDIR}/flow-logs-config.json" \
    "${EVIDENCE_BUCKET}/${EVIDENCE_PREFIX}/flow-logs-config.json"

# Isolate the instance (move to quarantine security group)
echo "Isolating instance..."
VPC_ID=$(aws ec2 describe-instances --instance-ids "$INSTANCE_ID" \
    --query 'Reservations[].Instances[].VpcId' --output text)
QUARANTINE_SG=$(aws ec2 create-security-group \
    --group-name "quarantine-${INCIDENT_ID}" \
    --description "Quarantine SG for incident ${INCIDENT_ID}" \
    --vpc-id "$VPC_ID" \
    --query 'GroupId' --output text)

# A new security group has no inbound rules but DOES carry a default allow-all
# egress rule. Remove it so the quarantine group denies traffic in both
# directions; add a narrow egress rule to the evidence endpoint only if live
# collection from inside the instance is still needed.
aws ec2 revoke-security-group-egress --group-id "$QUARANTINE_SG" \
    --ip-permissions '[{"IpProtocol":"-1","IpRanges":[{"CidrIp":"0.0.0.0/0"}]}]'

aws ec2 modify-instance-attribute \
    --instance-id "$INSTANCE_ID" \
    --groups "$QUARANTINE_SG"

echo "Instance isolated with quarantine SG: $QUARANTINE_SG"
echo "Evidence stored at: ${EVIDENCE_BUCKET}/${EVIDENCE_PREFIX}/"
# Do not rely on the SG change alone to end sessions already established, and
# remember the instance role's temporary credentials keep working from anywhere
# until revoked: confirm isolation in the flow logs and revoke the role's sessions.
rm -rf "$WORKDIR"
```

Forensics Commands Reference


```bash
# --- Disk forensics ---

# Create forensic image of a disk. Image a write-blocked device or a snapshot,
# not the live mounted root: a dd of a mounted filesystem is inconsistent.
# conv=noerror,sync continues past unreadable sectors (zero-filled) instead of
# truncating the image.
dd if=/dev/sda of=/evidence/disk.img bs=4M conv=noerror,sync status=progress
sha256sum /evidence/disk.img > /evidence/disk.img.sha256

# Mount forensic image read-only. noload stops ext3/ext4 from replaying the
# journal on mount (which would modify the image). For a whole-disk image,
# attach it with "losetup -r -P" and mount the partition device instead.
mount -o ro,loop,noexec,noload /evidence/disk.img /mnt/forensic

# Find recently modified files, ordered by modification time. find -ls output
# cannot be sorted by date (month names), so print the timestamp explicitly.
find /mnt/forensic -type f -mtime -3 -printf '%TY-%Tm-%Td %TH:%TM:%TS %u %s %p\n' | sort

# Find files by owner modified after a reference time
# (create it first: touch -d "2025-01-15 00:00" /tmp/reference-time)
find /mnt/forensic -user www-data -type f -newer /tmp/reference-time -ls

# --- Log analysis ---
# On journald-only hosts auth.log may not exist; use "journalctl -u ssh" instead.

# Search auth logs for brute force: failed logins per source IP. Print the
# token after "from" rather than a fixed column, because "invalid user" lines
# shift the IP to a different field.
grep "Failed password" /var/log/auth.log \
  | awk '{for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1)}' \
  | sort | uniq -c | sort -rn | head -20

# Search for privilege escalation (sudo/su events, minus routine session opens)
grep -E "(sudo|su)\[" /var/log/auth.log | grep -v "session opened"

# Search web logs for attack patterns (escape the dots: an unescaped "../" matches any three characters)
grep -iE "(union.*select|<script|\.\./|%00)" /var/log/nginx/access.log

# Timeline analysis with find: everything modified in a one-day window, in time order
find / -xdev -newermt "2025-01-15 00:00" ! -newermt "2025-01-16 00:00" \
  -printf '%TY-%Tm-%Td %TH:%TM:%TS %p\n' 2>/dev/null | sort

# --- Network forensics ---

# Capture network traffic (-s 0 keeps full packets; stop after 100k packets)
tcpdump -i eth0 -s 0 -w /evidence/capture.pcap -c 100000

# Analyze pcap for suspicious connections (common reverse-shell ports: a first pass, not a rule)
tcpdump -r /evidence/capture.pcap -nn 'dst port 4444 or dst port 8888 or dst port 1337'

# Check for DNS tunneling: many distinct subdomains under one parent domain.
# The query name is the token after the record type ("A? host.example.com.");
# count unique names per parent domain.
tcpdump -r /evidence/capture.pcap -nn 'udp port 53' 2>/dev/null \
  | grep -oE '[A-Z]+\? [^ ]+' | awk '{print $2}' | sort -u \
  | awk -F. 'NF >= 3 {print $(NF-2)"."$(NF-1)}' | sort | uniq -c | sort -rn | head -20

# --- Malware analysis ---

# Check file for known malware hashes. Submit the HASH, not the file, to
# VirusTotal (https://www.virustotal.com): uploading the sample leaks it.
sha256sum suspicious_file

# Strings analysis
strings suspicious_file | grep -iE "(http|ftp|ssh|password|key|token)"

# Check for packed/obfuscated binaries: a stripped ELF with very few strings,
# or the UPX marker, suggests a packer
file suspicious_file
readelf -h suspicious_file 2>/dev/null
strings suspicious_file | grep -q 'UPX!' && echo "UPX packed"
```
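The one-liners above count failures per IP; what you actually want to know during triage is whether any of those sources eventually got in, which is the "brute force success" trigger of the compromised-credentials playbook. The following is an added example (not code from the original page) that implements that check as an awk pass over OpenSSH `auth.log` lines, keeping the order of events so a success that preceded the failures is not flagged. The sample log lines are constructed for the example (TEST-NET addresses) and the default threshold of five failures is an assumption.

```bash
#!/bin/bash
# brute-force-success.sh - flag source IPs accepted only after repeated failures.
# Added example, not part of the original skill. Assumes OpenSSH "Failed
# password" / "Accepted password" messages in syslog format and GNU awk.
# Usage: brute_force_success [threshold] < /var/log/auth.log

# Prints "IP user failures" once per flagged IP. Failures are counted per
# source IP regardless of user name because password sprays rotate user names.
# Order matters: an IP is flagged only when a password login succeeds AFTER the
# failures reach the threshold.
brute_force_success() {
    local thr="${1:-5}"
    awk -v thr="$thr" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i+1)]++
        }
        /sshd\[[0-9]+\]: Accepted (password|keyboard-interactive)/ {
            user = "?"; ip = "?"
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = $(i+1)
                if ($i == "from") ip   = $(i+1)
            }
            if (fails[ip] >= thr && !(ip in flagged)) {
                flagged[ip] = 1
                printf "%s %s %d\n", ip, user, fails[ip]
            }
        }'
}

# Constructed sample: six failures then a success from 203.0.113.45; a key login
# and a single failure followed by a success from 198.51.100.7 (below threshold).
SAMPLE_LOG='Jan 15 03:12:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Jan 15 03:12:03 web01 sshd[2213]: Failed password for root from 203.0.113.45 port 51030 ssh2
Jan 15 03:12:05 web01 sshd[2215]: Failed password for invalid user oracle from 203.0.113.45 port 51041 ssh2
Jan 15 03:12:08 web01 sshd[2217]: Failed password for deploy from 203.0.113.45 port 51055 ssh2
Jan 15 03:12:10 web01 sshd[2219]: Failed password for deploy from 203.0.113.45 port 51061 ssh2
Jan 15 03:12:12 web01 sshd[2221]: Failed password for deploy from 203.0.113.45 port 51070 ssh2
Jan 15 03:14:10 web01 sshd[2230]: Accepted password for deploy from 203.0.113.45 port 51100 ssh2
Jan 15 03:15:00 web01 sshd[2240]: Accepted publickey for alice from 198.51.100.7 port 40012 ssh2
Jan 15 03:16:00 web01 sshd[2250]: Failed password for bob from 198.51.100.7 port 40020 ssh2
Jan 15 03:16:02 web01 sshd[2251]: Accepted password for bob from 198.51.100.7 port 40022 ssh2'

# Run the detector over the constructed sample with an optional threshold
demo() { printf '%s\n' "$SAMPLE_LOG" | brute_force_success "$@"; }

if [ "${1:-}" = demo ]; then demo; fi
```

On the sample this prints `203.0.113.45 deploy 6`: the `deploy` account is the one to treat as compromised, and the IP is the one to block. Public-key logins are deliberately ignored, since a key login after password failures is the normal pattern for a scanned but correctly configured host.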

Communication Templates


Initial Notification (Internal)


```markdown
# Security Incident Notification

Incident ID: INC-YYYY-NNNN
Severity: [Critical/High/Medium/Low]
Status: Active - Investigating
Time Detected: YYYY-MM-DD HH:MM UTC
Reported By: [Name/System]

## Summary
[1-2 sentence description of what was detected]

## Impact Assessment
- Systems affected: [list]
- Data at risk: [type and scope]
- Users impacted: [count/scope]
- Business impact: [description]

## Current Actions
- Evidence preservation in progress
- Containment measures being applied
- IR team assembled

## Next Update
Expected at: YYYY-MM-DD HH:MM UTC

## Incident Commander
[Name] - [Contact info]
```

Stakeholder Update


```markdown
# Incident Update - INC-YYYY-NNNN

Update #: N
Time: YYYY-MM-DD HH:MM UTC
Severity: [unchanged/upgraded/downgraded]
Status: [Investigating/Contained/Eradicating/Recovering/Resolved]

## Progress Since Last Update
- [Bullet points of actions taken]

## Current Understanding
- Root cause: [Known/Under investigation]
- Scope: [Expanded/Unchanged/Reduced]
- Threat actor: [If applicable]

## Active Containment Measures
- [List of measures in place]

## Next Steps
- [Planned actions with ETA]

## Decisions Needed
- [If any decisions required from leadership]
```

External Breach Notification (if required)


```markdown
# Notice of Data Security Incident

Dear [Customer/Partner],

We are writing to inform you of a security incident that we detected on [date]. Upon discovery, we immediately activated our incident response procedures [and engaged external cybersecurity experts, if applicable].

## What Happened
[Brief, factual description]

## What Information Was Involved
[Types of data affected]

## What We Are Doing
[Remediation steps taken and planned]

## What You Can Do
[Recommended actions for affected parties]

## Contact Information
For questions, please contact: [dedicated contact/hotline]

[Company Name]
[Date]
```

Every statement in an external notice must be verified against the investigation record before sending, and the text reviewed by legal counsel: the notice may be quoted by regulators and in litigation, and statutory notification deadlines vary by jurisdiction.

IR Playbook: Compromised Credentials


```yaml
playbook: compromised-credentials
trigger: "Alert indicating credential theft, brute force success, or credential dump"

steps:
  1_validate:
    - Confirm the alert is not a false positive
    - Identify which credentials are compromised
    - Determine scope (single user, service account, API key)

  2_contain:
    - Disable compromised accounts immediately
    - Revoke active sessions and tokens
    - Rotate API keys and service account credentials
    - Block source IP if identified
    # Illustrative commands; USER, AKIAXXXX, ARN and NAMESPACE are placeholders
    commands:
      # Forces a new console password at the next sign-in
      - "aws iam update-login-profile --user-name USER --password-reset-required"
      # Prefer deactivating first (update-access-key --status Inactive): it is
      # reversible if a production dependency on the key surfaces; delete once
      # rotation is confirmed. Past CloudTrail events keep the key ID either way.
      - "aws iam delete-access-key --user-name USER --access-key-id AKIAXXXX"
      # Only for an MFA device the attacker registered; never strip the legitimate user's MFA
      - "aws iam deactivate-mfa-device --user-name USER --serial-number ARN"
      # Removes the Secret object, but workloads that already loaded it keep the
      # value until restarted, and anything that read it from the API still has
      # it: rotate the underlying credential as well
      - "kubectl delete secret compromised-secret -n NAMESPACE"

  3_investigate:
    - Review CloudTrail/audit logs for the compromised identity
    - Identify all actions taken with compromised credentials
    - Check for persistence (new keys, roles, backdoors)
    - Determine initial compromise vector (phishing, leak, breach)

  4_eradicate:
    - Remove any backdoors or persistence mechanisms
    - Rotate all credentials that may have been exposed
    - Update access policies to enforce MFA
    - Patch credential storage if vault/secret manager was compromised

  5_recover:
    - Issue new credentials with MFA enforced
    - Restore access with least-privilege review
    - Monitor new credentials for abnormal usage

  6_improve:
    - Add detection for initial compromise vector
    - Review credential management policies
    - Update security awareness training if phishing was involved
```
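The playbook's "Revoke active sessions and tokens" step has no command for the hardest case: temporary STS credentials obtained by assuming a role. Those cannot be invalidated individually; the standard technique is to attach an explicit Deny to the role that applies to every token issued before a cut-off time, using the `aws:TokenIssueTime` condition key, which is what the IAM console's "Revoke active sessions" button does. The following is an added example (not from the original page) that generates that policy in pure shell and, in a second function, applies it with the AWS CLI. The validation of the cut-off format and the policy name `AWSRevokeOlderSessions` (the name the console uses) are assumptions of this example; applying the policy requires `iam:PutRolePolicy`.

```bash
#!/bin/bash
# revoke-role-sessions.sh - deny all STS sessions of a role issued before a cut-off.
# Added example, not part of the original skill. Policy generation needs only
# bash; revoke_role_sessions additionally needs the AWS CLI and iam:PutRolePolicy.
# Usage: ./revoke-role-sessions.sh <role-name> [cut-off, default: now]

# Emit the deny policy JSON for tokens issued before the UTC ISO-8601 time in $1.
revoke_policy_json() {
    local cutoff="$1"
    # Reject anything not shaped like 2025-01-15T10:30:00Z: a malformed cut-off
    # would produce a policy that IAM rejects, or worse, one that denies nothing.
    case "$cutoff" in
        [0-9][0-9][0-9][0-9]-[0-1][0-9]-[0-3][0-9]T[0-2][0-9]:[0-5][0-9]:[0-5][0-9]Z) ;;
        *) echo "revoke_policy_json: cut-off must be UTC ISO-8601 (YYYY-MM-DDTHH:MM:SSZ), got '$cutoff'" >&2
           return 1 ;;
    esac
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "DateLessThan": { "aws:TokenIssueTime": "$cutoff" }
      }
    }
  ]
}
EOF
}

# Attach the policy inline to ROLE. Sessions issued before the cut-off are denied
# immediately; sessions assumed after it are unaffected, so this must be paired
# with rotating or denying the long-term credential the attacker used to assume
# the role, otherwise they simply assume it again.
revoke_role_sessions() {
    local role="$1" cutoff="${2:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}"
    local doc
    doc=$(revoke_policy_json "$cutoff") || return 1
    aws iam put-role-policy --role-name "$role" \
        --policy-name AWSRevokeOlderSessions --policy-document "$doc"
    echo "Sessions of role $role issued before $cutoff are now denied"
}

if [ -n "${1:-}" ]; then revoke_role_sessions "$@"; fi
```

The same policy shape works for an IAM user via `put-user-policy`. Remove the inline policy once every legitimate consumer has re-assumed the role, and record the cut-off time in the incident timeline: it is the boundary between "attacker could act" and "attacker could not" when reading CloudTrail later.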

Troubleshooting


| Problem | Cause | Solution |
|---|---|---|
| Evidence collection script fails | Insufficient permissions | Run with sudo/root; pre-authorize IR accounts |
| Cannot access compromised system | System encrypted by ransomware | Use offline disk imaging; restore from backups |
| Logs are missing or tampered | Attacker cleared logs | Check centralized log aggregator; restore from log backups |
| Cannot determine incident scope | Insufficient logging | Enable CloudTrail, VPC flow logs, audit logging for future |
| Stakeholders demanding immediate answers | Pressure to resolve quickly | Follow IR process; provide regular updates; avoid speculation |
| False positive triggered full IR | Detection rules too sensitive | Tune alerting thresholds; add validation step before escalation |
| Evidence integrity questioned | No chain of custody | Hash all evidence immediately; document who accessed what and when |

Best Practices


  • Pre-define and practice playbooks with tabletop exercises quarterly
  • Maintain separate, secure communication channels for IR (not email or Slack on corporate infra)
  • Always preserve evidence before making changes to compromised systems
  • Establish chain of custody for all collected evidence
  • Engage legal counsel early in any potential data breach
  • Conduct blameless post-incident reviews within 72 hours
  • Update detection rules and playbooks based on lessons learned
  • Pre-authorize common IR actions so responders can act without delay
  • Keep an IR "go bag" with tools, credentials, and documentation ready
  • Test backup restoration procedures regularly (not just backup creation)

Related Skills


  • audit-logging - Log analysis
  • alerting-oncall - Alert management
  • security-automation - Automated response workflows
  • threat-modeling - Proactive threat identification