Objective

Prepare for security incidents by building playbooks, assembling an IR toolkit, and establishing baseline documentation.

Tools & Technologies

  • NIST SP 800-61
  • playbooks
  • Splunk
  • IR toolkit
  • evidence handling

Key Commands

splunk search 'index=main | stats count by host'
lynis audit system
aide --init
journalctl --since '24 hours ago' > baseline.log

Architecture Overview

flowchart LR
  subgraph "NIST IR Lifecycle"
    PREP[1. Preparation] --> DETECT[2. Detection\n& Analysis]
    DETECT --> CONTAIN[3. Containment\nEradication]
    CONTAIN --> RECOVER[4. Recovery]
    RECOVER --> LESSONS[5. Post-Incident\nActivity]
    LESSONS --> PREP
  end
  style PREP fill:#1a1a2e,stroke:#00d4ff,color:#e0e0e0
  style DETECT fill:#1a1a2e,stroke:#ffd700,color:#ffd700
  style CONTAIN fill:#1a1a2e,stroke:#ff4444,color:#ff4444

Step-by-Step Process

01
Build an IR Toolkit

Assemble tools needed during incident response.

# Essential IR tools
sudo apt install -y \
  tcpdump wireshark-common \
  volatility3 binwalk \
  sleuthkit autopsy \
  lynis aide

# Initialise the AIDE integrity database (needs root; the binary is aide, not aid)
sudo aide --init

# Create baseline hashes of system binaries. SHA-256 rather than MD5: MD5
# collisions are practical, so an MD5 baseline cannot prove a binary was not
# replaced with a crafted twin. Store the result outside the host's normal paths.
sudo mkdir -p /secure
sha256sum /bin/* /usr/bin/* | sudo tee /secure/baseline_hashes.txt > /dev/null

02
Write Playbooks

Document response procedures for common incident types.

# Playbook structure for each incident type:
# 1. Detection criteria (what triggers this playbook)
# 2. Initial triage steps
# 3. Containment actions
# 4. Evidence collection commands
# 5. Communication template
# 6. Recovery steps
# 7. Lessons learned questions

03
Establish Baselines

Know what 'normal' looks like to identify anomalies.

# Network baseline (root is needed for ss to show the owning process)
sudo ss -tunp > /secure/baseline_ports_$(date +%Y%m%d)

# Process baseline
ps auxf > /secure/baseline_procs_$(date +%Y%m%d)

# User accounts
getent passwd > /secure/baseline_users

# Scheduled tasks: the invoking user's crontab plus the system cron sources
crontab -l > /secure/baseline_cron 2>/dev/null
cat /etc/crontab /etc/cron.d/* >> /secure/baseline_cron 2>/dev/null
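Capturing a baseline is only half of step 03; the value comes from comparing a later snapshot against it. The script below is an added example and not part of the lab. It covers the step 01 hash baseline (using SHA-256, which is assumed here in place of the lab's MD5 because MD5 collisions are practical) and the step 03 snapshots, normalising each capture (sorted, no PIDs or CPU columns, listening sockets only, all cron sources) so that a diff reports real drift rather than churn. It assumes a Linux host with GNU coreutils, procps and iproute2; the /secure default and the function names are the author's assumptions.

```shell
#!/bin/sh
# Added example (not part of the lab): snapshot the step 01 and step 03
# baselines and compare a later snapshot against them. Assumes a Linux host
# with GNU coreutils, procps and iproute2; /secure is an assumed default path.
set -u
export LC_ALL=C          # comm and sort must agree on collation order

# Step 01, hardened: SHA-256 instead of MD5. MD5 collisions are practical,
# so an MD5 baseline cannot prove a binary was not swapped for a crafted twin.
# Usage: hash_baseline <output file> <dir>...  (use /usr/bin, not the /bin symlink)
hash_baseline() {
    _out="$1"; shift
    find "$@" -type f -exec sha256sum {} + | sort -k 2 > "$_out"
}

# Re-hash every file listed in the baseline; prints "<path>: FAILED" for any
# mismatch and returns non-zero, which is the cue to open the matching playbook.
verify_hashes() {
    sha256sum --check --quiet "$1"
}

# Step 03: capture the four baselines, normalised so a later diff is signal,
# not noise (sorted, no PIDs, no CPU columns, no ephemeral client ports).
capture_baseline() {
    _dir="$1"
    mkdir -p "$_dir"
    ss -tunlp 2>/dev/null | sort > "$_dir/ports"             # listeners only
    ps -eo user,comm --no-headers | sort -u > "$_dir/procs"  # who runs what
    getent passwd | sort > "$_dir/users"
    { cat /etc/crontab /etc/cron.d/* 2>/dev/null; crontab -l 2>/dev/null; } \
        | grep -v '^#' | sort -u > "$_dir/cron"              # all cron sources
}

# Compare one baseline file with a current snapshot of the same thing.
# Prints "+ entry" for new entries and "- entry" for vanished ones.
# Returns 0 when identical, 1 when there is drift to investigate.
diff_baseline() {
    _base=$(mktemp); _cur=$(mktemp)
    sort -u "$1" > "$_base"; sort -u "$2" > "$_cur"
    _added=$(comm -13 "$_base" "$_cur")
    _removed=$(comm -23 "$_base" "$_cur")
    rm -f "$_base" "$_cur"
    [ -n "$_added" ]   && printf '%s\n' "$_added"   | sed 's/^/+ /'
    [ -n "$_removed" ] && printf '%s\n' "$_removed" | sed 's/^/- /'
    [ -z "$_added" ] && [ -z "$_removed" ]
}

# Minimal CLI; with no arguments the functions are only defined.
# Examples: ./baseline.sh hash /secure/baseline_hashes.txt /usr/bin
#           ./baseline.sh capture /secure/baseline_20240101
#           ./baseline.sh compare /secure/baseline_20240101/users /tmp/now/users
case "${1:-}" in
    hash)    hash_baseline "${2:-/secure/baseline_hashes.txt}" "${3:-/usr/bin}" ;;
    verify)  verify_hashes "${2:-/secure/baseline_hashes.txt}" ;;
    capture) capture_baseline "${2:-/secure/baseline_$(date +%Y%m%d)}" ;;
    compare) diff_baseline "$2" "$3" ;;
esac
```

Run `capture` on the known-good host and keep that directory write-protected; during triage, capture again into a scratch directory and run `compare` per file. A `+` line in users or cron, or a `FAILED` from `verify`, is exactly the kind of detection criterion a playbook's first section should name.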

Challenges & Solutions

  • Playbooks stored only on a compromised system may be inaccessible during an incident; keep offline or out-of-band copies
  • Baselines must be taken on a known-good system, or they will enshrine the attacker's changes as 'normal'

Key Takeaways

  • The best time to prepare is before an incident occurs
  • Write-protect baseline files to prevent attacker tampering