Incident response framework based on NIST SP 800-61, laid out below as six phases: preparation, detection, containment, eradication, recovery and lessons learned.
| Phase | Key Actions |
|---|---|
| 1. Preparation | CSIRT team, SIEM, runbooks, backups |
| 2. Detection | Triage: `ps`, `netstat`, `last`, find recently modified files |
| 3. Containment | Isolate system, block attacker IP, capture evidence |
| 4. Eradication | Remove malware, patch CVE, delete unauthorized accounts |
| 5. Recovery | Restore clean backup, monitor intensively |
| 6. Lessons Learned | Post-mortem report within 2 weeks |
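The triage and evidence-capture actions from the Detection and Containment rows, as an added example that is not part of NIST SP 800-61 or the original page: a POSIX shell helper that saves process, socket and login listings, lists recently modified files, and hashes every capture so the evidence can be verified later. It assumes a Linux/Unix host with `sha256sum` (or `shasum`) available, and prefers `ss` over `netstat` where present; tools that are missing are recorded rather than aborting the collection.

```shell
#!/bin/sh
# Added triage helper (not from NIST SP 800-61). Assumes POSIX sh, coreutils
# and sha256sum or shasum; ps/ss/netstat/last are used only if installed.
set -u

# Run one tool if present, saving stdout+stderr to $out; note it if missing.
run_capture() {
    cmd=$1; out=$2; shift 2
    if command -v "$cmd" >/dev/null 2>&1; then
        "$cmd" "$@" >"$out" 2>&1 || true
    else
        printf 'tool not available: %s\n' "$cmd" >"$out"
    fi
}

# Print regular files under $1 modified within the last $2 minutes,
# staying on one filesystem and skipping pseudo-filesystems.
find_recent_files() {
    find "$1" -xdev \( -path /proc -o -path /sys -o -path /dev \) -prune -o \
         -type f -mmin "-$2" -print 2>/dev/null || true
}

# Collect volatile state first (processes, sockets, logins), then recent
# file changes, then hash the captures into a manifest.
# Usage: collect_triage EVIDENCE_DIR MINUTES [SEARCH_ROOT]
collect_triage() {
    evd=$1; mins=$2; root=${3:-/}
    mkdir -p "$evd" || return 1
    date -u '+%Y-%m-%dT%H:%M:%SZ' >"$evd/collected_at.txt"
    run_capture ps "$evd/ps.txt" -eo pid,ppid,user,lstart,cmd
    if command -v ss >/dev/null 2>&1; then
        run_capture ss "$evd/sockets.txt" -tulpn
    else
        run_capture netstat "$evd/sockets.txt" -tulpn
    fi
    run_capture last "$evd/logins.txt" -F
    find_recent_files "$root" "$mins" >"$evd/recent_files.txt" || true
    # Hash every capture; the manifest is what you compare against later.
    (cd "$evd" && { sha256sum ./*.txt 2>/dev/null || shasum -a 256 ./*.txt; }) \
        >"$evd/manifest.sha256" || true
    return 0
}
```

Run it as root early in containment, before the system is rebooted or cleaned, and copy the evidence directory off the host together with its manifest.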