Incident Response Playbook Built on NIST SP 800-61
You will author a complete incident response playbook with severity tiers, role assignments, and per-scenario runbooks mapped to MITRE ATT&CK. By the end you will have a tested process that turns alerts into coordinated response.
Learning Objectives
- Define severity tiers and response SLAs.
- Write runbooks for common scenarios mapped to ATT&CK.
- Validate the playbook with a tabletop exercise.
- Time: ~12 hours · Difficulty: Advanced · Prereqs: the IR procedures lab.
Architecture Overview
graph LR
Alert[Alert] --> Tri{Severity}
Tri -->|SEV1| Iso[Immediate isolation]
Tri -->|SEV3| Mon[Monitored analysis]
Iso --> Erad[Eradicate]
Erad --> Rec[Recover]
Rec --> PIR[Post-incident review]
Environment Setup
- A SIEM or log source for detections.
- A defined asset inventory and contact list.
- A chain-of-custody and comms template.
Step-by-Step Execution
01
Define severity tiers and SLAs
Severity drives the path: SEV1 contains first, SEV3 analyzes under monitoring.
# SEV1: active compromise -> isolate within 15 min; SEV3: suspicious -> analyze02
Write a scenario runbook (brute force, T1110)
nft add rule inet filter input ip saddr 203.0.113.45 drop # containment step03
Run a tabletop exercise
# exercise: simulated ransomware -> follow SEV1 runbook
detect 9m | contain 14m | review complete | gaps logged: 2
Progress So Far
graph LR
A[01 Severity + SLA] -->|done| B[02 Runbooks]
B -->|done| C[03 Tabletop]
style A fill:#1a4a1a,stroke:#00ff00,color:#fff
style B fill:#1a4a1a,stroke:#00ff00,color:#fff
style C fill:#1a4a1a,stroke:#00ff00,color:#fff
Testing & Validation
# tabletop pass criteria: detect <15m, containment documented, PIR completedRun the simulated scenario and confirm each phase meets its SLA and produces evidence. If so, the playbook is validated and ready.
Troubleshooting
- Unclear ownership: assign a named role per phase (lead, comms, scribe).
- Slow containment: pre-build isolation scripts so they are one command.
- No lessons captured: make the post-incident review mandatory.
Extension Ideas
- Automate containment with Python IR Automation.
- Feed detections from the SOC Pipeline.
- Map full coverage with ATT&CK.
Key Results
- Authored 4 severity-tiered runbooks mapped to ATT&CK.
- Validated the process with a tabletop (detect <15 min).
- Defined named roles for every response phase.
- Captured 2 improvement gaps for the next revision.