✅ First Response Checklist
First-response checklists for the most common incident types
🔓 Ransomware Attack (CRITICAL)
⚡ Critical actions (0-5 minutes)
IMMEDIATELY isolate infected systems from the network (pull the cable, disable the NIC or shut the switch port); do not power them off, since memory holds process state and possibly keys you will want later
Disconnect affected systems from shared folders and backup repositories; take backup infrastructure offline or read-only before the encryptor reaches it
Activate the Incident Response Team
🔍 Initial Assessment (5-15 minutes)
Identify the ransomware variant (appended extension, ransom note text, contact details)
Determine patient zero and the initial access vector
Assess the scale of the infection (number of workstations, servers and shares)
Check backup systems for encryption or deletion and confirm that at least one offline or immutable copy survives
🛡️ Containment (15-30 minutes)
Block C2 communication (IPs/domains) at the firewall, proxy and DNS
Disable affected user accounts
Reset passwords for compromised accounts, including service accounts the encryptor ran under
Create forensic images of critical systems (memory first, then disk) before rebuilding them
📊 Documentation
Screenshot ransom notes and encrypted files
Preserve malware samples (record hashes, store them in password-protected archives)
Document the timeline of events
Collect and preserve logs (EDR, domain controllers, VPN, backup servers) before retention rolls them over
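The assessment steps above, worked through in code. This Python script is an added example, not part of the original checklist: it runs over constructed (host, path, mtime) records of the kind you would export from the affected shares and EDR, groups encrypted files by the appended extension, lists ransom notes, and orders hosts by first encryption time as a patient-zero lead. The allowlist of normal file types and the ransom-note name hints are assumptions to adjust per environment.

```python
"""Ransomware triage over file metadata (added example, constructed data).

Takes (host, path, mtime) records gathered from the affected hosts and shares,
groups encrypted files by the appended extension, lists ransom notes, and ranks
hosts by earliest encryption time to point at patient zero.
"""
from collections import Counter
from datetime import datetime

# Constructed sample records: host, path, last-modified time (UTC). Not real data.
FILES = [
    ("WS-042", r"C:\Users\jdoe\Documents\q3-budget.xlsx.locked", "2024-05-02T08:14:03Z"),
    ("WS-042", r"C:\Users\jdoe\Documents\README-RECOVER.txt",   "2024-05-02T08:14:05Z"),
    ("WS-042", r"C:\Users\jdoe\Pictures\team.jpg.locked",        "2024-05-02T08:15:11Z"),
    ("FS-01",  r"D:\Shares\Finance\invoices-2024.pdf.locked",    "2024-05-02T08:31:40Z"),
    ("FS-01",  r"D:\Shares\Finance\README-RECOVER.txt",          "2024-05-02T08:31:41Z"),
    ("FS-01",  r"D:\Shares\HR\handbook.docx",                    "2024-04-29T17:02:00Z"),
    ("WS-017", r"C:\Users\asmith\Desktop\notes.txt.locked",      "2024-05-02T09:02:19Z"),
]

# Words ransom notes typically carry in their file name (assumed heuristic).
NOTE_HINTS = ("readme", "recover", "decrypt", "restore", "how_to", "how-to")
# File types that are normal in this environment (assumed); a further suffix
# appended after one of these is treated as an encryption extension.
KNOWN_EXTS = {"xlsx", "jpg", "pdf", "docx", "txt", "pptx", "csv"}

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def classify(path):
    """Return ("note" | "encrypted" | "clean", encryption_suffix_or_None)."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    parts = name.split(".")
    if parts[-1] in ("txt", "html", "hta") and any(h in name for h in NOTE_HINTS):
        return "note", None
    if len(parts) >= 3 and parts[-2] in KNOWN_EXTS and parts[-1] not in KNOWN_EXTS:
        return "encrypted", parts[-1]
    return "clean", None

def triage(files):
    ext_counts, per_host, first_seen, notes = Counter(), Counter(), {}, []
    for host, path, ts in files:
        kind, suffix = classify(path)
        if kind == "note":
            notes.append((host, path))
        elif kind == "encrypted":
            ext_counts[suffix] += 1
            per_host[host] += 1
            t = parse_ts(ts)
            if host not in first_seen or t < first_seen[host]:
                first_seen[host] = t
    # Earliest first-encryption time is the best initial guess at patient zero;
    # confirm it against EDR and authentication logs before acting on it.
    order = [h for h, _ in sorted(first_seen.items(), key=lambda kv: kv[1])]
    return {
        "extensions": dict(ext_counts),
        "ransom_notes": notes,
        "encrypted_per_host": dict(per_host),
        "patient_zero_candidate": order[0] if order else None,
        "spread_order": order,
    }

if __name__ == "__main__":
    from pprint import pprint
    pprint(triage(FILES))
```

Feed it the real export instead of FILES and the extension count doubles as the search term for the variant, while the spread order tells you which host's logs to pull first.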
🎣 Phishing / BEC (HIGH)
📧 Email Analysis (0-10 minutes)
Obtain a copy of the suspicious email with full headers (the original .eml/.msg, not a forwarded copy)
Analyze the sender, subject and the SPF/DKIM/DMARC results in Authentication-Results; compare header From with Return-Path and Reply-To
Extract URLs and attachments for analysis
Check the reputation of the sender domain and the URLs
🚨 Immediate Actions (10-20 minutes)
Block the sender on the email gateway
Quarantine/delete the emails from all mailboxes
Block the malicious URLs on the proxy/firewall
Reset passwords and revoke sessions for users who clicked or entered credentials
🔍 Investigation (20-30 minutes)
Search for similar emails across the organization (same sender, subject, URL or attachment hash)
Identify all affected users
Check for post-compromise activity (new mailbox rules, OAuth consents, MFA changes, sign-ins from new locations)
Sandbox analysis of the attachments
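The email analysis steps above as an added example, not code from the original page. It parses a constructed message with the Python standard library, reads SPF/DKIM/DMARC out of Authentication-Results, compares header From with Return-Path and Reply-To, applies a crude lookalike-domain check, and pulls out the URLs and attachment names you would block and sandbox. The `.test` domains, addresses and the lookalike heuristic are assumptions for illustration.

```python
"""Phishing/BEC email triage (added example, constructed message).

Parses a raw message with the standard library, reads SPF/DKIM/DMARC out of
Authentication-Results, compares header From with Return-Path and Reply-To,
applies a crude lookalike-domain check, and pulls URLs and attachment names
out for blocking and sandboxing.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample; domains under .test and the addresses are not real.
RAW_EMAIL = """\
Return-Path: <bounce@mail-example-invoices.test>
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=mail-example-invoices.test; dkim=none; dmarc=fail header.from=example-test.co
From: "Jane Doe CFO" <jane.doe@example-test.co>
Reply-To: jane.doe.cfo@mail-example-invoices.test
To: ap-team@example.test
Subject: URGENT: updated wire instructions
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please confirm the new beneficiary today: http://example-invoices.test/update?id=4471
--b1
Content-Type: application/pdf; name="Wire_Instructions.pdf"
Content-Disposition: attachment; filename="Wire_Instructions.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def auth_results(msg):
    """Return {"spf": ..., "dkim": ..., "dmarc": ...} from Authentication-Results."""
    hdr = msg.get("Authentication-Results", "")
    return {m.group(1): m.group(2) for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", hdr)}

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def lookalike(sender_domain, our_domain):
    """Crude impersonation check: our brand label inside a foreign domain (assumed heuristic)."""
    return sender_domain != our_domain and our_domain.split(".")[0] in sender_domain

def analyze(raw, our_domain):
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    auth = auth_results(msg)
    findings = []
    if auth.get("dmarc") == "fail":
        findings.append("DMARC failed for the header From domain")
    if auth.get("dkim", "none") in ("none", "fail"):
        findings.append("no valid DKIM signature")
    if domain_of(return_path) != domain_of(from_addr):
        findings.append("Return-Path domain differs from From domain")
    if reply_to and domain_of(reply_to) != domain_of(from_addr):
        findings.append("Reply-To redirects replies to another domain")
    if lookalike(domain_of(from_addr), our_domain):
        findings.append(f"sender domain {domain_of(from_addr)} looks like {our_domain}")
    urls, attachments = [], []
    for part in msg.walk():
        if part.get_filename():
            attachments.append(part.get_filename())      # sandbox these
        elif part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            urls.extend(URL_RE.findall(body))             # block these on the proxy
    return {"from": from_addr, "display_name": display, "return_path": return_path,
            "reply_to": reply_to, "auth": auth, "urls": urls,
            "attachments": attachments, "findings": findings}

if __name__ == "__main__":
    import json
    print(json.dumps(analyze(RAW_EMAIL, "example.test"), indent=2))
```

The `urls` and `attachments` lists are what goes to the proxy block list and the sandbox; the `findings` list is the justification you paste into the ticket.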
🚪 Account Compromise (HIGH)
🔒 Immediate Containment (0-5 minutes)
Disable the compromised account immediately
Revoke all active sessions and tokens (refresh tokens included; a password reset alone does not invalidate them)
Block source IPs if known
Check for privilege escalation (new group memberships, role assignments, admin consents)
📊 Activity Review (5-15 minutes)
Review authentication logs (successful and failed sign-ins, source IPs, MFA outcomes)
Check email activity (sent items, inbox rules, forwarding)
Review file access and downloads
Look for lateral movement attempts
🔄 Recovery Actions
Reset the password and enforce MFA
Review and remove unauthorized access
Check for backdoors (OAuth apps, mail rules, added MFA devices, app passwords)
Notify the user and provide guidance
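The activity review and backdoor check above, as an added example that is not part of the original page. It runs over constructed sign-in events and mailbox rules for one account and flags a success that follows a burst of failures from the same IP, a success from a country the account never used before, and inbox rules that forward externally or hide mail. The baseline country set, the internal domain and the thresholds are assumptions.

```python
"""Account-compromise activity review (added example, constructed data).

Flags: a sign-in success that follows a burst of failures from the same IP
(spray or brute force that landed), a success from a country outside the
account's baseline, and mailbox rules that forward externally or hide mail.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events for one user (not real logs). Times are UTC.
SIGNINS = [
    {"ts": "2024-05-03T06:58:00Z", "ip": "203.0.113.7",   "country": "NL", "result": "failure"},
    {"ts": "2024-05-03T06:58:20Z", "ip": "203.0.113.7",   "country": "NL", "result": "failure"},
    {"ts": "2024-05-03T06:58:40Z", "ip": "203.0.113.7",   "country": "NL", "result": "failure"},
    {"ts": "2024-05-03T06:59:05Z", "ip": "203.0.113.7",   "country": "NL", "result": "failure"},
    {"ts": "2024-05-03T06:59:30Z", "ip": "203.0.113.7",   "country": "NL", "result": "success"},
    {"ts": "2024-05-03T08:10:00Z", "ip": "198.51.100.20", "country": "US", "result": "success"},
]
# Countries the account signed in from during the 30 days before the incident (assumed).
BASELINE_COUNTRIES = {"US"}
# Constructed inbox rules as exported from the mailbox.
MAIL_RULES = [
    {"name": "Archive newsletters", "forward_to": None, "delete": False, "mark_read": False},
    {"name": ".", "forward_to": "j.doe.backup@mail.example.net", "delete": True, "mark_read": True},
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def review_signins(events, baseline_countries, fail_threshold=3, window=timedelta(minutes=10)):
    """Return (findings, ips_to_block)."""
    findings, block_ips = [], set()
    fails = defaultdict(list)               # ip -> timestamps of failures seen so far
    for ev in sorted(events, key=lambda e: e["ts"]):
        t, ip = parse_ts(ev["ts"]), ev["ip"]
        if ev["result"] == "failure":
            fails[ip].append(t)
            continue
        recent = [f for f in fails[ip] if t - f <= window]
        if len(recent) >= fail_threshold:
            findings.append(f"{ip}: success after {len(recent)} failures in {window} (brute force landed)")
            block_ips.add(ip)
        if ev["country"] not in baseline_countries:
            findings.append(f"{ip}: success from new country {ev['country']}")
            block_ips.add(ip)
    return findings, block_ips

def review_mail_rules(rules, internal_domain):
    """Flag rules that forward outside the org or hide messages (typical BEC persistence)."""
    suspicious = []
    for r in rules:
        reasons = []
        fwd = r.get("forward_to")
        if fwd and not fwd.lower().endswith("@" + internal_domain):
            reasons.append("forwards externally")
        if r.get("delete") or r.get("mark_read"):
            reasons.append("hides mail")
        if len(r["name"].strip(". ")) <= 1:
            reasons.append("blank or single-character rule name")
        if reasons:
            suspicious.append((r["name"], reasons))
    return suspicious

if __name__ == "__main__":
    findings, ips = review_signins(SIGNINS, BASELINE_COUNTRIES)
    print("\n".join(findings))
    print("block:", sorted(ips))
    print(review_mail_rules(MAIL_RULES, "example.test"))
```

Rules named with a single dot or a blank are a recurring BEC tell, which is why the name check is there alongside the forwarding and delete checks.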
🦠 Malware Detection (MEDIUM)
🖥️ Host Isolation (0-10 minutes)
Isolate the infected host from the network (EDR network containment where available)
Preserve volatile data (memory, network connections, running processes) before any reboot
Stop suspicious processes if it is safe to do so (after memory has been captured)
Collect malware samples for analysis
🔍 Malware Analysis
Submit samples to a sandbox (VirusTotal, Any.run); public submission discloses the file, so check its sensitivity first
Identify the malware family and its capabilities
Extract IOCs (hashes, IPs, domains)
Check persistence mechanisms (Run keys, scheduled tasks, services, WMI subscriptions)
🌐 Scope Assessment
Search for the IOCs across the environment
Check network connections for C2
Review lateral movement indicators
Update security controls with the IOCs
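The IOC extraction and scope-assessment steps above, as an added example that is not part of the original page. It pulls hashes, IPs and domains out of a constructed sandbox report, re-fangs `[.]`-style indicators, drops internal addresses and lookups every host makes anyway, and then sweeps constructed proxy log lines for hosts that touched any indicator. The internal ranges, the benign-domain list, the hashes and the log format are assumptions.

```python
"""IOC extraction and environment sweep (added example, constructed data).

Pulls hashes, IPs and domains out of a sandbox report, re-fangs defanged
indicators, drops internal addresses and known-benign lookups, then sweeps
proxy log lines for hosts that touched any of the indicators.
"""
import ipaddress
import re

# Constructed report text in the style of a sandbox summary; hashes are made up.
SANDBOX_REPORT = """
Sample: dropper.exe
SHA256: 3f786850e387550fdab836ed7e6dc881de23001b3b4b7b8a1b1b7f3d6b0a4f4c
MD5: b5c0f8e1a2d34f56a7890b1c2d3e4f50
Network: connects to 198.51.100[.]45:443 and updates[.]cdn-sync[.]test
DNS: resolves api[.]contoso-update[.]test, 10.0.0.5, time.windows.com
"""
# Constructed proxy log lines: "<ts> host=<name> dst=<fqdn> dst_ip=<ip> bytes=<n>"
PROXY_LOGS = [
    "2024-05-03T10:02:11Z host=WS-042 dst=updates.cdn-sync.test dst_ip=198.51.100.45 bytes=51200",
    "2024-05-03T10:02:13Z host=WS-042 dst=time.windows.com dst_ip=192.0.2.10 bytes=300",
    "2024-05-03T10:05:48Z host=FS-01 dst=api.contoso-update.test dst_ip=198.51.100.46 bytes=2048",
    "2024-05-03T10:06:00Z host=WS-017 dst=intranet.example.test dst_ip=10.0.0.5 bytes=9000",
]

# Assumptions for this environment: internal ranges and lookups every host makes.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
BENIGN_DOMAINS = {"time.windows.com"}

HASH_RE = re.compile(r"\b[a-fA-F0-9]{64}\b|\b[a-fA-F0-9]{40}\b|\b[a-fA-F0-9]{32}\b")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}\b")

def refang(text):
    """Undo the usual defanging so indicators match what appears in real logs."""
    return text.replace("[.]", ".").replace("hxxp", "http")

def extract_iocs(report):
    text = refang(report)
    hashes = {h.lower() for h in HASH_RE.findall(text)}
    ips = set()
    for ip in IP_RE.findall(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if not any(addr in net for net in INTERNAL_NETS):
            ips.add(ip)
    domains = set()
    for d in (m.lower() for m in DOMAIN_RE.findall(text)):
        if d in BENIGN_DOMAINS or d.rsplit(".", 1)[-1] in ("exe", "dll", "bin"):
            continue                      # file names also match the domain pattern
        domains.add(d)
    return {"hashes": hashes, "ips": ips, "domains": domains}

def sweep(log_lines, iocs):
    """Return {host: {matched indicators}} for lines whose dst or dst_ip is an IOC."""
    hits = {}
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        matched = {fields[k] for k in ("dst", "dst_ip")
                   if fields.get(k) in iocs["domains"] or fields.get(k) in iocs["ips"]}
        if matched:
            hits.setdefault(fields["host"], set()).update(matched)
    return hits

if __name__ == "__main__":
    iocs = extract_iocs(SANDBOX_REPORT)
    print(iocs)
    print(sweep(PROXY_LOGS, iocs))
```

Filtering internal addresses and routine lookups before the sweep matters more than it looks: one `10.0.0.5` or `time.windows.com` left in the list turns every host in the estate into a hit.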
💥 DDoS Attack (HIGH)
🚨 Initial Response (0-5 minutes)
Confirm DDoS vs a legitimate traffic spike (source diversity, request patterns, user agents)
Identify the attack type (volumetric, protocol, application-layer) and the targeted services
Activate DDoS protection if available
Notify the network team and the ISP
⚡ Mitigation (5-15 minutes)
Enable rate limiting on edge devices
Block source IPs if they are identifiable (effective against small botnets, not against spoofed or widely distributed traffic)
Implement geo-blocking if applicable
Scale resources if cloud-based
📊 Monitoring
Monitor bandwidth utilization
Track service availability
Capture traffic samples for analysis
Document attack patterns
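The "confirm DDoS vs legitimate spike" step above, as an added example that is not from the original page. A flash crowd looks like many distinct clients fetching many pages with ordinary browser user agents; an application-layer flood is usually concentrated: a few sources, one hot endpoint, repetitive user agents and a rate far above the normal peak. The script scores constructed access-log lines on those four signals and also says whether blocking by source IP is realistic or whether rate limiting is the only option. The baseline rate and thresholds are assumptions to tune per service.

```python
"""DDoS vs legitimate spike (added example, constructed traffic).

Scores access-log lines on four signals: peak request rate against the normal
peak, share of traffic from the top 10 sources, share hitting the hottest path,
and user-agent diversity. Thresholds are assumptions to tune per service.
"""
from collections import Counter

BASELINE_RPS = 40.0   # assumed normal peak requests/second for this service

# Constructed access-log lines of the form "<epoch> <src_ip> <path> <user_agent>".
def make_flood(n=2000, sources=8, per_second=400):
    return [f"{1714730000 + i // per_second} 203.0.113.{i % sources} /api/search?q=a Python-urllib/3.9"
            for i in range(n)]

def make_flash_crowd(n=600, clients=250, per_second=100):
    uas = ("Mozilla/5.0 (Windows NT 10.0)", "Mozilla/5.0 (Macintosh)", "Mozilla/5.0 (X11; Linux)")
    return [f"{1714730000 + i // per_second} 198.51.100.{i % clients} /news/{i % 60} {uas[i % 3]}"
            for i in range(n)]

def profile(lines):
    srcs, paths, uas, secs = Counter(), Counter(), Counter(), Counter()
    for line in lines:
        ts, ip, path, ua = line.split(" ", 3)
        srcs[ip] += 1
        paths[path] += 1
        uas[ua] += 1
        secs[ts] += 1
    n = len(lines)
    return {
        "requests": n,
        "unique_sources": len(srcs),
        "top10_source_share": sum(c for _, c in srcs.most_common(10)) / n,
        "top_path_share": paths.most_common(1)[0][1] / n,
        "unique_user_agents": len(uas),
        "peak_rps": max(secs.values()),
    }

def classify(p, baseline_rps=BASELINE_RPS):
    score = 0
    score += p["peak_rps"] > 5 * baseline_rps        # rate far above normal
    score += p["top10_source_share"] > 0.5           # few sources carry the load
    score += p["top_path_share"] > 0.6               # one endpoint hammered
    score += p["unique_user_agents"] <= 2            # scripted clients
    return {
        "verdict": "likely DDoS" if score >= 3 else "probable legitimate spike",
        "score": int(score),
        # With a handful of sources, blocking IPs is realistic; otherwise go straight
        # to rate limiting and upstream scrubbing, because a block list will not keep up.
        "block_by_ip_feasible": p["top10_source_share"] > 0.5,
    }

if __name__ == "__main__":
    for name, lines in (("flood", make_flood()), ("flash crowd", make_flash_crowd())):
        print(name, classify(profile(lines)))
```

Swap `make_flood()` for a slice of the real access log and the same profile is what you hand to the network team and the ISP.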
📊 Data Breach/Exfiltration (CRITICAL)
🔴 Immediate Actions (0-10 minutes)
Identify and contain the source of the breach
Block the data exfiltration channels (destination IPs/domains, cloud storage, DNS tunnels, removable media)
Preserve evidence for the investigation
Activate the legal and compliance teams
🔍 Scope Determination
Identify what data was accessed or stolen
Determine the affected individuals/records
Review the data classification (PII, PHI, PCI)
Reconstruct the timeline
📋 Compliance & Reporting
Document all findings thoroughly
Prepare breach notifications if required
Coordinate with PR on external communications
Report to authorities (GDPR: within 72 hours of becoming aware of the breach)
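The "identify the source" and "block the exfiltration channel" steps above, as an added example that is not part of the original page. Over constructed flow records it looks for the usual shape of bulk exfiltration: a host whose outbound volume is many times its own baseline, a flow that is upload-heavy (bytes out far above bytes in, the opposite of normal browsing), and a destination nobody else in the estate talks to. The baselines, the sanctioned bulk-upload destinations and the thresholds are assumptions.

```python
"""Spotting the exfiltration channel in flow data (added example, constructed data).

Three signals together: host outbound volume far above its baseline, an
upload-heavy flow, and a destination unique to that host. Sanctioned bulk
destinations (backup targets) are skipped so they do not drown the result.
"""
from collections import defaultdict

# Constructed flows from the incident window (not real data).
FLOWS = [
    {"host": "WS-042", "dst": "files.example-share.test", "bytes_out": 9_800_000_000, "bytes_in": 12_000_000},
    {"host": "WS-042", "dst": "www.example.test",         "bytes_out": 200_000,       "bytes_in": 5_000_000},
    {"host": "WS-017", "dst": "www.example.test",         "bytes_out": 150_000,       "bytes_in": 4_000_000},
    {"host": "WS-017", "dst": "cdn.example-share.test",   "bytes_out": 100_000,       "bytes_in": 60_000_000},
    {"host": "FS-01",  "dst": "backup.example.test",      "bytes_out": 40_000_000_000, "bytes_in": 1_000_000},
]
# Per-host normal daily outbound volume over the previous 30 days (assumed).
BASELINE_OUT = {"WS-042": 300_000_000, "WS-017": 250_000_000, "FS-01": 50_000_000_000}
# Destinations that legitimately receive bulk uploads (assumed allowlist).
SANCTIONED_BULK_DST = {"backup.example.test"}

def exfil_candidates(flows, baseline_out, sanctioned, volume_factor=5, ratio=10):
    """Return flows with at least two of the three exfiltration signals, largest first."""
    out_by_host = defaultdict(int)
    hosts_per_dst = defaultdict(set)
    for f in flows:
        out_by_host[f["host"]] += f["bytes_out"]
        hosts_per_dst[f["dst"]].add(f["host"])
    findings = []
    for f in flows:
        if f["dst"] in sanctioned:
            continue
        reasons = []
        base = baseline_out.get(f["host"], 0)
        if out_by_host[f["host"]] > volume_factor * base:
            reasons.append(f"host outbound {out_by_host[f['host']] / 1e9:.1f} GB vs baseline {base / 1e9:.1f} GB")
        if f["bytes_out"] > ratio * max(f["bytes_in"], 1):
            reasons.append("upload-heavy flow")
        if len(hosts_per_dst[f["dst"]]) == 1:
            reasons.append("destination unique to this host")
        if len(reasons) >= 2:
            findings.append({"host": f["host"], "dst": f["dst"],
                             "bytes_out": f["bytes_out"], "reasons": reasons})
    return sorted(findings, key=lambda x: -x["bytes_out"])

if __name__ == "__main__":
    for c in exfil_candidates(FLOWS, BASELINE_OUT, SANCTIONED_BULK_DST):
        print(c["host"], "->", c["dst"], c["reasons"])
```

The `dst` of each finding is the channel to block at the proxy/firewall, and the `bytes_out` figure is the first input to the scope estimate of how much may have left.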
⚡ Quick Reference & Commands
🔍 Process Investigation
tasklist /v | findstr suspicious.exe
wmic process where name="malware.exe" get processid,parentprocessid,commandline
Get-Process | Where-Object {$_.Name -like "*suspicious*"}
🌐 Network Connections
netstat -anob | findstr ESTABLISHED
Get-NetTCPConnection | Where-Object {$_.State -eq "Established"}
ss -tupn state established
(ss prints the state as ESTAB, so piping it to grep ESTABLISHED matches nothing; the state filter above avoids that)
👤 Account Activity
net user suspicious_user /domain
Get-ADUser -Identity username -Properties LastLogonDate,PasswordLastSet,LockedOut,MemberOf
wevtutil qe Security /q:"*[EventData[Data[@Name='TargetUserName']='username']]" /f:text /c:50
📋 Log Collection
wevtutil epl Security C:\temp\security.evtx
Get-WinEvent -FilterHashtable @{LogName='Security'; StartTime=(Get-Date).AddHours(-24)}
tar -czf logs.tar.gz /var/log/
🔒 Quick Containment
Disable-ADAccount -Identity "username"
netsh advfirewall firewall add rule name="Block_IP" dir=in action=block remoteip=x.x.x.x
Set-ADAccountPassword -Identity username -Reset
💾 Evidence Preservation
FTK Imager (or winpmem / DumpIt) for RAM capture; capture memory before the disk and before any reboot
volatility -f memory.dmp imageinfo   (Volatility 2 syntax; in Volatility 3 use: vol -f memory.dmp windows.info)
dd if=/dev/sda of=/mnt/evidence/disk.img bs=4M conv=noerror,sync status=progress && sha256sum /mnt/evidence/disk.img
(write the image to separate media, use a write blocker where possible, and record the hash in the chain-of-custody notes)
📞 When to escalate immediately
🔴 Critical Systems
Domain Controllers compromised
Critical data encryption/deletion
Financial systems affected
Customer data breach confirmed
🎯 Attack Indicators
Active lateral movement observed
Data exfiltration in progress
Privilege escalation successful
Multiple systems compromised
⚡ Business Impact
Service outage affecting customers
Regulatory compliance violation
Potential media/PR impact
Third-party systems affected