Incident Response Plan (IRP)

100% cybersecurity doesn't exist. Sooner or later, defenses will fall. The Incident Response Plan (IRP) defines exactly what to do when that happens to minimize impact, expel the attacker, and recover operations. We use the industry-standard SANS Institute (PICERL) framework.

The 6 Phases of Incident Response (PICERL)

1. Preparation

90% of incident response success relies on this phase. You cannot defend what you don't know exists.

• Asset Inventory: What servers and data do we have?
• Centralized Logging (SIEM): Configure log retention. If attacked without logs, you are blind.
• Playbooks: Step-by-step guides for specific threats (e.g., Ransomware Playbook).

2. Identification (Detection)

The moment alarms trigger (EDR alerts, SIEM rules, or users reporting anomalies).

# Common alert triage:
- Impossible travel logins.
- Base64 encoded PowerShell execution.
- Midnight outbound traffic spikes (Exfiltration).

3. Containment

Stop the bleeding. GOLDEN RULE: Do not power off the infected machine! Powering it off destroys RAM memory where malware hides keys and active processes.

• Short-term containment: Isolate the server from the network (unplug cable, apply strict VLAN/Firewall rules) to stop lateral movement, but keep it powered on for forensics (DFIR).
• Long-term containment: Change compromised admin passwords, revoke session tokens.

4. Eradication

Remove the root cause and backdoors left by the attacker.

# Typical eradication tasks:
- Delete persistence mechanisms (Cron jobs, Run registry keys).
- Remove unauthorized user accounts.
- Patch the exploited vulnerability.

5. Recovery

Carefully return systems to production.

• Restore from clean offline backups.
• Intensively monitor the network for 48 hours to ensure the attacker is truly gone.

6. Lessons Learned

Write a post-mortem report: What happened? Why? What did we do right/wrong? How do we prevent it next month?