Incident Response Procedures Built on the NIST SP 800-61 Lifecycle
I built documented incident response playbooks around the four-phase NIST SP 800-61 lifecycle and drove triage from Splunk correlation searches. Codifying the workflow brought mean time to detect below 15 minutes for high-fidelity alert classes.
Objective & Context
Ad-hoc response loses time and evidence. This lab turns the NIST SP 800-61 phases – Preparation, Detection & Analysis, Containment/Eradication/Recovery, and Post-Incident – into repeatable runbooks with explicit decision points and evidence-handling rules.
- T1078 Valid Accounts – anomalous logon correlation as a primary detection.
- T1486 Data Encrypted for Impact – ransomware playbook with isolation-first containment.
Environment & Prerequisites
- Splunk with endpoint and auth log sources onboarded.
- An asset inventory and defined severity matrix (SEV1–SEV4).
- A chain-of-custody template and out-of-band comms plan.
Methodology
Why severity drives the path
Each playbook branches on severity: SEV1 (active compromise) triggers immediate isolation, while SEV3 follows monitored analysis. This prevents over-reacting to noise and under-reacting to real intrusions.
Step-by-Step Execution
1. Detection: a Splunk correlation search
index=auth action=failure | stats count by src_ip | where count > 202. Triage: enrich and classify severity
splunk search "src_ip=203.0.113.45" -maxout 100 | lookup threat_intel ip3. Containment: isolate the host
nft add rule inet filter output ip daddr != 192.168.10.0/24 drop # [PRIVILEGED][SEV1] host 192.168.20.15 isolated; case IR-2026-0142 opened
Validation & Testing
Run a tabletop using a simulated brute-force-then-lateral-movement scenario and time each phase. Pass criteria: detection under 15 minutes, containment decision documented, and a complete post-incident report with lessons learned.
Advanced: Troubleshooting
- Alert fatigue: tune thresholds and add risk-based scoring before escalating.
- Evidence gaps: capture volatile data before isolation where SEV permits.
- Slow triage: pre-build lookups for threat intel and asset ownership.
Key Results
- Reduced mean time to detect (MTTD) to under 15 minutes for priority alert classes.
- Documented 4 severity-branched playbooks covering 12 common incident types.
- Achieved 100% chain-of-custody completion across tabletop exercises.
- Cut average triage time by roughly 50% with pre-built enrichment lookups.