Objective

Hands-on practice with incident response procedures and techniques.

Tools & Technologies

  • NIST IR Framework
  • Splunk
  • AlienVault

Key Commands

journalctl --since='1 hour ago'
last -n 50
ss -tunp
netstat -an | grep ESTABLISHED

Lab Steps

01
IR Lifecycle

Understand the NIST phases: Preparation, Detection, Containment, Eradication, Recovery.

02
Initial Triage

Quickly assess scope and severity of a suspected incident.

03
Containment

Isolate affected systems while preserving evidence.

04
Documentation

Record timeline, actions taken, and findings for the incident report.
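As an added example (not part of the lab page), the script below ties steps 02 through 04 together: it runs the Key Commands listed above as a triage snapshot, stamps each artifact with a UTC time, and records a SHA-256 digest per artifact so that later tampering or accidental modification can be detected. The case-directory layout, the manifest format, and the function names are this example's own assumptions, and it assumes a POSIX sh with date -u and sha256sum (or shasum).

```shell
# Added triage collector (example, not from the lab page). Assumed: POSIX sh,
# date -u, sha256sum or shasum. Manifest layout and function names are ours.
sha256_of() {
    # Hex digest of a file, using whichever hashing tool the host provides.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}
# collect_artifact CASEDIR LABEL COMMAND... : run COMMAND, save its output to
# CASEDIR/LABEL.txt, append "<UTC stamp>|<label>|<exit>|<sha256>|<command>" to
# the manifest. A tool missing on the host is documented, not fatal.
collect_artifact() {
    casedir=$1; label=$2; shift 2
    outfile="$casedir/$label.txt"
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    status=0
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >"$outfile" 2>&1 || status=$?
    else
        printf 'tool not available on this host: %s\n' "$1" >"$outfile"
        status=127
    fi
    # Command text is the last field, so an embedded "|" cannot break parsing.
    printf '%s|%s|%s|%s|%s\n' "$stamp" "$label" "$status" \
        "$(sha256_of "$outfile")" "$*" >>"$casedir/manifest.txt"
}
# run_triage CASEDIR: take the four snapshots from the Key Commands, most
# volatile first (live sockets before login history), and print the count.
run_triage() {
    casedir=$1
    mkdir -p "$casedir"
    collect_artifact "$casedir" sockets ss -tunp
    collect_artifact "$casedir" established sh -c 'netstat -an | grep ESTABLISHED'
    collect_artifact "$casedir" journal journalctl --since='1 hour ago'
    collect_artifact "$casedir" logins last -n 50
    wc -l <"$casedir/manifest.txt" | tr -d ' '
}
# verify_manifest CASEDIR: recompute every digest; return 1 on the first
# artifact whose content no longer matches what was recorded at collection.
verify_manifest() {
    casedir=$1
    while IFS='|' read -r stamp label status digest cmd; do
        [ "$(sha256_of "$casedir/$label.txt")" = "$digest" ] || return 1
    done <"$casedir/manifest.txt"
}
```

Run `run_triage /path/to/case-0001` as early as possible during triage and keep the manifest with the case notes; `verify_manifest` on the same directory is the check to repeat whenever evidence changes hands.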

Challenges Encountered

  • Acting too quickly without documentation loses forensic evidence
  • Containment that destroys evidence hampers root cause analysis

Key Takeaways

  • Time-stamped notes are critical — write everything down as you go
  • Chain of custody must be maintained for legal proceedings