You will author a complete incident response playbook with severity tiers, role assignments, and per-scenario runbooks mapped to MITRE ATT&CK. By the end you will have a tested process that turns alerts into coordinated response.

Learning Objectives

  • Define severity tiers and response SLAs.
  • Write runbooks for common scenarios mapped to ATT&CK.
  • Validate the playbook with a tabletop exercise.
  • Time: ~12 hours · Difficulty: Advanced · Prereqs: the IR procedures lab.

Architecture Overview

Environment Setup

  • A SIEM or log source for detections.
  • A defined asset inventory and contact list.
  • A chain-of-custody and comms template.

Step-by-Step Execution

01
Define severity tiers and SLAs

Severity drives the path: SEV1 contains first, SEV3 analyzes under monitoring.

# SEV1: active compromise -> isolate within 15 min; SEV3: suspicious -> analyze
02
Write a scenario runbook (brute force, T1110)
nft add rule inet filter input ip saddr 203.0.113.45 drop # containment step
03
Run a tabletop exercise
# exercise: simulated ransomware -> follow SEV1 runbook
detect 9m | contain 14m | review complete | gaps logged: 2

Progress So Far

Testing & Validation

# tabletop pass criteria: detect <15m, containment documented, PIR completed

Run the simulated scenario and confirm each phase meets its SLA and produces evidence. If so, the playbook is validated and ready.

Troubleshooting
  • Unclear ownership: assign a named role per phase (lead, comms, scribe).
  • Slow containment: pre-build isolation scripts so they are one command.
  • No lessons captured: make the post-incident review mandatory.

Extension Ideas

Key Results

  • Authored 4 severity-tiered runbooks mapped to ATT&CK.
  • Validated the process with a tabletop (detect <15 min).
  • Defined named roles for every response phase.
  • Captured 2 improvement gaps for the next revision.