🚨 Incident Response Framework β€” NIST CSF, SANS PICERL, Detection Engineering & Post-Mortem

Panduan komprehensif incident response (IR) yang menyatukan kerangka kerja standar (NIST CSF, SANS PICERL, MITRE ATT&CK), detection engineering lifecycle, playbook execution, forensic acquisition, hingga post-mortem analysis. Nota ini adalah hub sentral yang mengikat semua SOP yang ada di vault ke dalam satu siklus IR yang terstruktur β€” dari preparation hingga lessons learned. Bisa digunakan sebagai acuan untuk SOC tim, blue team drills, dan maturity assessment.

Hubungan ke Vault

Nota ini adalah hub yang mengikat: arp-spoofing-mitigation (containment), forensic-imaging-analysis (acquisition), hpa-exorcism dan systemrescue-recovery (recovery), storage-refurbishing (eradication), endpoint-detection-playbook (triage), blueteam-detection-matrix dan blueteam-vs-enterprise-c2 (detection), malware-analysis-reverse-engineering-playbook (analysis), serta threat-modeling-deepdive dan comprehensive-threat-directory (threat intel). Setiap SOP di vault ini dipetakan ke fase IR tertentu.


Daftar Isi


Foundation

Incident Response β€” Mengapa Perlu Framework?

Tanpa framework, incident response cenderung reaktif, tidak konsisten, dan sulit diukur efektivitasnya. Framework memberikan:

ManfaatDeskripsi
StrukturFase jelas: apa yang dilakukan, kapan, oleh siapa
KonsistensiSetiap incident ditangani dengan proses yang sama
EfisiensiMengurangi waktu pengambilan keputusan (decision fatigue)
AkuntabilitasSetiap tindakan tercatat dan bisa diaudit
ImprovementPost-mortem β†’ feedback loop β†’ perbaikan berkelanjutan
ComplianceMemenuhi persyaratan regulasi (PCI DSS, ISO 27001, GDPR, PBI)

Dua Framework Utama

NIST SP 800-61 Rev. 2 β€” Computer Security Incident Handling Guide

FaseDeskripsiOutput
1. PreparationSiapkan tools, playbook, training, communication planIR plan, toolkit, contact list, SLAs
2. Detection & AnalysisDeteksi, verifikasi, triage, dan analisis awal incidentIncident ticket, severity score, preliminary scope
3. Containment, Eradication & RecoveryIsolasi, bersihkan, dan pulihkan sistemContainment plan, eradication log, recovery timeline
4. Post-Incident ActivityPost-mortem, lessons learned, reportIncident report, action items, updated playbook

SANS PICERL (6 Fase Praktis)

FaseNamaTujuan UtamaWaktu Target
PPreparationSiapkan tools, training, teamBerkelanjutan
IIdentificationDeteksi, triage, tentukan scope & severity<15 menit (severity), <1 jam (scope)
CContainmentIsolasi β€” stop the bleedingShort-term: <30 menit; Long-term: <4 jam
EEradicationHapus root cause, malware, backdoor1-24 jam tergantung severity
RRecoveryKembalikan operasi normal, validasi1-48 jam
LLessons LearnedPost-mortem, update playbook, training1-14 hari pasca-incident

Perbandingan: NIST lebih strategic (cocok untuk management dan compliance), PICERL lebih operational (cocok untuk SOC dan responder).

Severity Classification

LevelWarnaKriteriaContohResponse Time
SEV-1πŸ”΄ CriticalData breach, ransomware, system-wide outage, PII exfiltratedRansomware encrypting file servers<15 menit
SEV-2🟠 HighLateral movement detected, malware outbreak di segmen terbatasEmotet infection di 3 workstation<1 jam
SEV-3🟑 MediumSingle host compromise, phishing success tanpa lateralMalware downloaded (blocked by AV)<4 jam
SEV-4πŸ”΅ LowScanning, probe, phishing attempt gagalPort scan dari external IP<24 jam
SEV-5βšͺ InfoFalse positive, user reported suspicious emailPhishing email reported (no click)Next business day

IR Team Structure (RACI)

RoleTanggung JawabSEV-1SEV-2SEV-3/4
Incident Commander (IC)Decision maker, coordinatorOn-call 24/7LeadLead
SME β€” NetworkNetwork containment, firewallOn-callAvailableAvailable
SME β€” EndpointHost forensics, EDROn-callLeadAvailable
SME β€” CloudCloud IR, IAM, CSPMOn-callAvailableConsult
Legal & ComplianceRegulatory obligation, data breach notificationOn-callConsultAvailable
CommunicationsInternal comms, PROn-callAvailableβ€”
ManagementResource allocation, business decisionsInformedInformedInformed

Technical Deep-Dive

Phase 1 β€” Preparation

IR Toolkit Minimum

☐ Endpoint:
  ☐ Live response: Velociraptor, CyLR (Collection) + EDR agent (CrowdStrike/Defender)
  ☐ Memory acquisition: winpmem, LiME (Linux Memory Extractor)
  ☐ Disk imaging: FTK Imager, dd, Guymager
  ☐ Triage: KAPE (Kroll Artifact Parser and Extractor), Chainsaw, Hayabusa
  ☐ Analysis: Volatility 3, FLOSS, CAPA
  ☐ Timeline: Plaso (log2timeline)

☐ Network:
  ☐ Packet capture: tcpdump, Wireshark, NetworkMiner
  ☐ Flow analysis: zeek (bro), nfdump
  ☐ DNS: dnscap, passive DNS tools
  ☐ Proxy: squid logs, mitmproxy

☐ Cloud:
  ☐ AWS: CloudTrail, GuardDuty, AWS Config
  ☐ Azure: Microsoft Sentinel, Azure Activity Log
  ☐ GCP: Cloud Audit Logs, Security Command Center

☐ SIEM & SOAR:
  ☐ SIEM: Wazuh (OSS), ELK Stack, Splunk, Sentinel
  ☐ SOAR: Shuffle (OSS), Splunk SOAR, Palo Alto XSOAR

☐ Communication:
  ☐ Secure chat: Signal, Slack (with war room)
  ☐ Ticketing: Jira, TheHive (OSS)
  ☐ Documentation: collaborative doc (Google Doc/Confluence dengan access control)

Playbook Template

Setiap playbook harus memiliki format standar:

---
title: "Playbook: Ransomware Response"
id: IR-PB-001
version: 1.2
last_updated: 2026-07-15
severity: SEV-1
phases:
  - identification
  - containment
  - eradication
  - recovery
dependencies:
  - EDR logs
  - Network flow logs
  - Backup system access
trigger: "EDR alert: Ransomware behavior detected"
steps:
  identification:
    - "0-5m: Verify alert β€” is it real or FP?"
    - "5-15m: Determine scope: host, user, encryption type"
    - "15-30m: Check if backup is also encrypted"
  containment:
    - "0-10m: Isolate host (network disconnect or EDR containment)"
    - "10-30m: Block C2 IOCs at firewall/proxy"
    - "30-60m: Disable affected AD accounts"
  eradication:
    - "Reimage affected hosts from known-good image"
    - "Rotate all credentials in scope"
    - "Remove persistence: scheduled tasks, services, registry run keys"
  recovery:
    - "Restore from clean backup (verify timestamp pre-encryption)"
    - "Deploy updated EDR signatures"
    - "Monitor for re-infection for 48 hours"
  lessons_learned:
    - "Root cause analysis: how did initial access occur?"
    - "Gap analysis: what detection/prevention failed?"
---

Phase 2 β€” Identification

Sumber Deteksi

SumberContoh AlertKecepatanFalse Positive Rate
EDRBehavioral detection, process injection, LSASS accessReal-timeMedium
SIEMCorrelation rule β€” multiple failed logon + successNear real-timeMedium-High
NetworkDNS sinkhole hit, C2 beacon patternReal-timeLow
CloudGuardDuty, IAM anomaly, S3 public accessReal-timeLow-Medium
User reportPhishing report, unusual behaviorManualMedium
3rd partyTakedown notice, threat intel feedHours-daysLow
Threat huntingHypothesis-driven searchProactiveVariable

Triage β€” Diamond Model

Setiap incident harus dipetakan ke Diamond Model untuk memahami konteks:

                Adversary
                   β–²
                  / \
                 /   \
                /     \
               /       \
          Infrastructure ◄─────── Capability
               \       /
                \     /
                 \   /
                  \ /
                   β–Ό
                Victim
Sisi DiamondPertanyaan Kunci
AdversarySiapa? Known group? Motivasi? TTPs?
CapabilityApa yang digunakan? Malware, exploit, phishing?
InfrastructureIP, domain, C2 server? Hosting provider?
VictimSiapa yang terkena dampak? Data apa yang terekspos?

Initial Triage Checklist (15 Menit)

☐ Verifikasi alert: cek log mentah, bukan sekedar alert summary
☐ Tentukan SEV level (1-5 berdasarkan dampak bisnis)
☐ Screenshot: timeline event, indicators, affected hosts
☐ Assign Incident Commander
☐ Notify stakeholders (sesuai RACI matrix)
☐ Create war room (secure chat + document)
☐ Open ticket with incident timeline
☐ Jika SEV-1: paging tree β€” semua on-call

Phase 3 β€” Containment

Containment Strategies per Skenario

SkenarioShort-Term ContainmentLong-Term Containment
Ransomware (single host)Network isolation + EDR kill processReimage host from known-good image
Ransomware (network-wide)Disable AD accounts + block SMB outbound + firewall blockRestore from backup + rotate all credentials
C2 BeaconNetwork block C2 IP/domain at firewallForensik host β†’ remove persistence β†’ reimage
Data exfiltration (in progress)Block outbound traffic to unknown IPs + revoke IAM keysIAM audit + S3 bucket policy lockdown
Phishing credential theftForce password reset + revoke session tokensMFA enrollment for all affected + investigation
Insider threatSuspend AD account + revoke access + preserve evidenceHR + Legal involved, forensic imaging
DDoSBlackhole routing + scrubbing centerWAF + rate limiting + CDN failover
Supply chain compromiseDisconnect affected vendor integrationsVendor risk assessment + alternative vendor

Containment Commands β€” Quick Reference

Linux:

# Kill process
kill -9 $(pgrep -f malicious_process)
 
# Network isolation (iptables)
iptables -A INPUT -s 0.0.0.0/0 -j DROP
iptables -A OUTPUT -d 0.0.0.0/0 -j DROP
 
# Remove SSH key persistence
rm -rf ~/.ssh/authorized_keys

Windows:

# Kill process
Stop-Process -Name "malicious" -Force
 
# Network isolation (Windows Firewall)
New-NetFirewallRule -Direction Outbound -RemoteAddress 0.0.0.0/0 -Block -Profile Any
 
# Disable AD account
Disable-ADAccount -Identity "compromised_user"

Chain of Custody

Setiap evidence yang dikumpulkan harus memiliki chain of custody:

FieldIsi
Evidence IDE-001
DescriptionMemory dump host CORP-WKS-045
SourceIP 10.0.45.22, hostname CORP-WKS-045
Acquired byJ. Analyst (SOC Lead)
Date/Time2026-07-15 14:30 UTC
Methodwinpmem_x64.exe mem.dmp
Hash (MD5)a1b2c3d4e5f6…
Hash (SHA256)f9e8d7c6b5a4…
LocationNAS://cases/IR-2026-007/evidence/
Transfer logFile copied via rsync to NAS at 14:35 UTC
Handover toA. Forensics Analyst (15:00 UTC, signed)

Phase 4 β€” Eradication

Eradication berarti menghilangkan root cause dari lingkungan β€” bukan hanya mengembalikan sistem ke state operational.

Root CauseEradication Action
Malware dropperReimage host, clean all shared drives
Weak credentialForce password reset + enable MFA
Unpatched vulnerabilityApply patch + verify other hosts same vulnerability
MisconfigurationFix config + IaC policy update + CSPM rule
PhishingBlock sender domain + training + email security rule
InsiderRevoke access + HR action + forensic preservation
Supply chainRemove vendor integration + incident report to vendor

Phase 5 β€” Recovery

Recovery adalah mengembalikan operasi dengan aman β€” bukan sekedar restore:

Recovery Checklist:
☐ Restore from clean backup (validated timestamp pre-compromise)
☐ Verify integrity: scan with updated signatures
☐ Network monitoring: enable extra logging on recovered hosts
☐ User access: restore with MFA + least privilege
☐ Validation: run security scan (SAST/DAST/SCA)
☐ Monitoring: enhanced monitoring for 48-72 hours post-recovery
☐ Stakeholder comms: status update "operasi normal kembali"
☐ Business verification: confirm key metrics (transactions, uptime, latency)

Phase 6 β€” Lessons Learned (Post-Mortem)

Post-mortem harus dilakukan dalam 1-14 hari setelah incident β€” semakin cepat semakin baik, detail masih segar.

Post-Mortem Template

# Post-Mortem Incident IR-2026-007
 
## Metadata
 
- **Incident ID:** IR-2026-007
- **Severity:** SEV-1 (Critical)
- **Date:** 2026-07-15
- **Duration:** 3h 24m (14:30 - 17:54 UTC)
- **Report Author:** J. Analyst
- **Response Team:** 5 persons (IC, Endpoint, Network, Cloud, Legal)
 
## Timeline
 
| Time (UTC) | Event                                                    |
| ---------- | -------------------------------------------------------- |
| 14:30      | EDR alert: Ransomware behavior detected on CORP-WKS-045  |
| 14:32      | IC assigned, severity upgraded to SEV-1                  |
| 14:35      | Host network-isolated                                    |
| 14:40      | Block C2 IP at firewall                                  |
| 14:50      | Memory + disk imaging started                            |
| 15:10      | IC determines: single host, no lateral movement detected |
| 15:30      | EDR scans all endpoints β€” 0 additional detections        |
| 16:00      | Containment confirmed successful                         |
| 16:30      | Forensic analysis: initial access via phishing email     |
| 17:00      | Host reimaged from known-good ISO                        |
| 17:30      | User credentials rotated + MFA enforced                  |
| 17:54      | Recovery verified β€” host back in production              |
 
## Root Cause Analysis
 
### Teknis
 
- **Initial Access:** Spear-phishing email dengan malicious Excel macro
- **Execution:** PowerShell download cradle β†’ .NET assembly loaded in memory (fileless)
- **Persistence:** Scheduled task "OneDrive Sync" setiap 30 menit
- **Impact:** Single host encrypted (files di %USERPROFILE%), tidak ada network share terenkripsi
 
### Process
 
- Email security rule tidak menangkap phishing karena sender domain legitimate (compromised vendor account)
- User tidak melaporkan email (trained? no β€” user belum training phishing dalam 6 bulan)
 
## Action Items
 
| ID    | Action                                                        | Owner          | Due Date   | Status         |
| ----- | ------------------------------------------------------------- | -------------- | ---------- | -------------- |
| AI-01 | Update email security rule: block macro from external senders | Email Sec Team | 2026-07-20 | βœ… Done        |
| AI-02 | Mandatory phishing training untuk semua user                  | HR + IT Sec    | 2026-08-01 | 🟑 In Progress |
| AI-03 | Deploy ASR rule: block Office child process creation          | Endpoint Team  | 2026-07-18 | βœ… Done        |
| AI-04 | Update ransomware playbook (IR-PB-001)                        | IR Lead        | 2026-07-25 | πŸ”΄ Not Started |
 
## Metrics
 
| Metric                                  | Value                                |
| --------------------------------------- | ------------------------------------ |
| Time to detection (from initial access) | 24 minutes                           |
| Time to containment                     | 20 minutes                           |
| Time to eradication                     | 1h 30m                               |
| Time to recovery                        | 3h 24m                               |
| Business impact                         | None (single host, no customer data) |
| False positives                         | 0 (alert was accurate)               |

IR Metrics Penting

MetricTargetRumus
MTTD (Mean Time to Detect)<30 menit untuk SEV-1Total waktu deteksi / jumlah incident
MTTC (Mean Time to Contain)<1 jam untuk SEV-1Total waktu containment / jumlah incident
MTTE (Mean Time to Eradicate)<4 jam untuk SEV-1Total waktu eradication / jumlah incident
MTTR (Mean Time to Recover)<8 jam untuk SEV-1Total waktu recovery / jumlah incident
False Positive Rate<30% dari all alertsTotal FP / total alerts
Post-mortem completion100% untuk SEV-1/2 dalam 7 hariRata-rata hari penyelesaian

Advanced

Detection Engineering Lifecycle

Detection engineering adalah proses sistematis untuk menulis, menguji, dan memelihara detection rules:

Cycle:
1. Threat Intel (CVE, report, TTPs) atau Post-Mortem Gap
       β”‚
       β–Ό
2. Hypothesis β€” "Bagaimana attacker akan beroperasi di env kita?"
       β”‚
       β–Ό
3. Data Source Mapping β€” logs apa yang punya info relevan?
       β”‚
       β–Ό
4. Rule Authoring β€” Sigma, YARA, KQL, Splunk SPL
       β”‚
       β–Ό
5. Testing β€” Historical data + live simulation (Atomic Red Team, Stratus)
       β”‚
       β–Ό
6. Tuning β€” Baseline untuk mengurangi FP, adjust threshold
       β”‚
       β–Ό
7. Deployment β€” Deploy ke SIEM, EDR, atau WAF
       β”‚
       β–Ό
8. Monitoring β€” Alert performance monitoring + periodic review
       β”‚
       β–Ό
9. Feedback β€” Post-mortem findings β†’ adjust detection gaps

Sigma Rule β€” Detection as Code

Sigma adalah format universal untuk detection rules (bisa di-export ke Splunk, QRadar, Elastic, ArcSight, dll):

title: Suspicious PowerShell Download Cradle
id: 7c8d9e0f-1a2b-3c4d-5e6f-7a8b9c0d1e2f
status: experimental
description: Mendeteksi pola download PowerShell dari URL β€” sering digunakan oleh post-exploitation tools
references:
  - https://thedfirreport.com/2024/07/powershell-cradle/
tags:
  - attack.t1059.001 # PowerShell
  - attack.t1105 # Ingress Tool Transfer
logsource:
  product: windows
  category: ps_script
  definition: "Requires PowerShell Script Block Logging (EnableScriptBlockLogging)"
detection:
  selection_download:
    ScriptBlockText|contains:
      - "System.Net.WebClient"
      - "Invoke-WebRequest"
      - "Invoke-RestMethod"
      - "Start-BitsTransfer"
  selection_bypass:
    ScriptBlockText|contains:
      - "Bypass"
      - "-ExecutionPolicy"
      - "EncodedCommand"
  selection_obfuscation:
    ScriptBlockText|contains:
      - "[System.Text.Encoding]::UTF8.GetString"
      - "[System.Convert]::FromBase64String"
      - "-join"
  condition: (selection_download and selection_bypass) or (selection_download and selection_obfuscation)
level: high
falsepositives:
  - "Admin menggunakan PowerShell untuk legitimate download (rare)"
  - "Software update scripts"

Atomic Red Team β€” Simulation Testing

Atomic Red Team (Red Canary) adalah library test case yang memetakan langsung ke MITRE ATT&CK:

# Install
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1');
Install-AtomicRedTeam -getAtomics
 
# Run single test
Invoke-AtomicTest T1059.001 -TestName "Powershell Download Cradle" -GetPrereqs
 
# Run against entire technique
Invoke-AtomicTest T1059.001
 
# Run with cleanup
Invoke-AtomicTest T1059.001 -Cleanup

Pro tip: Schedule Atomic Red Team di test environment secara otomatis setiap minggu untuk memvalidasi bahwa detection rules Anda masih berfungsi.

Purple Team Framework

Purple Team bukan peran β€” ini aktivitas kolaborasi antara Red (attack) dan Blue (defense):

Purple Team Exercise Cycle:
1. Select TTP dari MITRE ATT&CK (prioritas: yang belum terdeteksi atau incident gap)
2. Red Team execute attack technique
3. Blue Team observe: apakah detection rule triggered?
   β”Œβ”€ Yes β†’ dokumentasikan sebagai "detected"
   └─ No  β†’ identifikasi gap:
           β”œβ”€ Log source tidak tersedia?
           β”œβ”€ Log source ada tapi rule tidak tertulis?
           └─ Rule ada tapi threshold tidak cocok?
4. Create/update detection rule
5. Test ulang dengan teknik yang sama
6. Dokumentasikan dan masukkan ke knowledge base

Maturity Model β€” IR Capability Assessment

LevelNamaKarakteristik
Level 0Ad-hocTidak ada playbook, incident ditangani β€œby heroes”, dokumentasi minim
Level 1InitialAda IR policy dasar, satu dua orang tahu prosedur, tools tidak terintegrasi
Level 2DefinedIR policy tertulis, playbook untuk SEV-1/2, basic SIEM + EDR
Level 3ManagedMetrics dikumpulkan (MTTD, MTTR), purple team exercise berkala, SOAR untuk SEV-3/4
Level 4OptimizingDetection engineering lifecycle berjalan, threat intel feed integrated, automated IR untuk SEV-3/4, join ISAC/FS-ISAC

Assessment: Gunakan checklist NIST CSF untuk self-assessment tiap kuartal.

Mapping SOP di Vault ke Fase IR

SOP / NoteFase IRTujuan
arp-spoofing-mitigationC β€” ContainmentIsolasi serangan ARP spoofing di jaringan lokal
forensic-imaging-analysisI β€” IdentificationAkuisisi bit-stream untuk analisis forensik
hpa-exorcismE β€” EradicationBersihkan HPA/DCO dari media penyimpanan
systemrescue-recoveryR β€” RecoveryRecovery OS dari SystemRescue live CD
storage-refurbishingE β€” Eradication (then R β€” Recovery)Wipe & recondition storage media
laptop-qc-procurementP β€” PreparationStandardisasi hardware sebelum deploy (reduce supply chain risk)
printer-maintenance-resetR β€” RecoveryReset printer (low-severity but operational IT)
quartz-setup-windowsP β€” PreparationSetup Quartz engine untuk monitoring
endpoint-detection-playbookI β€” IdentificationTriage endpoint β€” RAM dump, Volatility, persistence
blueteam-detection-matrixI β€” IdentificationDetection rules dan C2 detection matrix
blueteam-vs-enterprise-c2I β€” IdentificationDeteksi C2 enterprise-grade
malware-analysis-reverse-engineering-playbookA β€” Analysis (cross-phase)Analisis malware: triage, static, dynamic, memory, RE
threat-modeling-deepdiveP β€” PreparationIdentifikasi ancaman preventif sebelum incident
comprehensive-threat-directoryP β€” PreparationThreat intel knowledge base

Detection Engineering β€” KQL Query Examples

Failed Logon Spike (Potential Password Spray)

// Azure Sentinel / Microsoft 365 Defender
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType == "50057" // User account is disabled
    or ResultType == "50053" // Account locked
    or ResultType == "50126" // Invalid username or password
| summarize FailedAttempts = count() by UserPrincipalName, IPAddress
| where FailedAttempts > 10
| join kind=inner (
    SigninLogs
    | where ResultType == "0" // Success
    | summarize SuccessfulLogon = count() by UserPrincipalName
) on UserPrincipalName
| project UserPrincipalName, IPAddress, FailedAttempts, SuccessfulLogon
| order by FailedAttempts desc

Suspicious Outbound DNS Query (DGA)

// Zeek DNS logs
dns
| where query_type == "A"
| where timestamp > ago(1h)
| extend domain_length = strlen(query)
| where domain_length >= 8 and domain_length <= 20
| extend entropy =
    countof(query, @'[a-z]') * 0.4 +
    countof(query, @'[0-9]') * 0.6
| where entropy > 0.6
| summarize count() by query
| top 10 by count_ desc

Case Studies

Studi KasusFase IRTemuan KunciAction Items
Ransomware LockBit (Skenario Single Host)I β†’ C β†’ E β†’ R1. Detection: EDR alert process injection β†’ svchost.exe unusual child. 2. Containment: 20 menit β€” network isolate. 3. Eradication: reimage from ISO. 4. Recovery: restore user profile from backup. 5. Post-mortem: initial access via Excel macro.1. Block Office child process. 2. User phishing training. 3. Enhance email security rule.
Data Exfiltration via Cloud (2023)I β†’ C β†’ E β†’ R1. Detection: Cloud DLP alert β€” 10GB data upload ke non-corporate cloud storage. 2. Containment: revoke IAM keys + disable user account. 3. Eradication: remove unauthorized IAM user + cross-account role. 4. Recovery: enable CloudTrail + GuardDuty. 5. Post-mortem: compromised contractor credentials β€” no MFA.1. MFA enforce ALL external users. 2. SCP untuk restrict data exfil. 3. DLP policy: block upload >100MB.
APT29 (Nobelium) Supply Chain (2020)Full PICERL, multi-month1. Detection: threat intel β€” SolarWinds Orion signature. 2. Containment: disconnect Orion from network. 3. Eradication: reimage all affected servers + rotate golden SAML key. 4. Recovery: months-long remediation. 5. Lessons: zero-trust, federated identity monitoring, SBOM.1. SLSA 3+ build pipeline. 2. Federated identity anomaly detection. 3. Supply chain vendor SLA.
Insider Threat β€” IP TheftI β†’ C β†’ L1. Detection: VPN session from unusual location + bulk download dari code repository. 2. Containment: suspend AD account, revoke VPN certificate. 3. Eradication: not applicable (data already exfiltrated). 4. Recovery: not applicable. 5. Lessons: DLP data classification maturity.1. Data classification + DLP. 2. UEBA untuk user behavior. 3. Just-in-Time access untuk sensitive repo.
Web App Compromise (SQL Injection)I β†’ C β†’ E β†’ R1. Detection: WAF alert β€” SQL injection pattern. 2. Containment: WAF block rule + temporary application takedown. 3. Eradication: SAST menemukan query concatenation. 4. Recovery: deploy fix + verify via DAST. 5. Lessons: no parameterized query in CI gate.1. SAST pipeline block. 2. WAF managed SQL injection rule. 3. DAST in staging.

Koneksi ke Vault


Referensi

  1. NIST. SP 800-61 Rev. 2: Computer Security Incident Handling Guide. 2012. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
  2. NIST. SP 800-86: Guide to Integrating Forensic Techniques into Incident Response. 2006. https://csrc.nist.gov/publications/detail/sp/800-86/final
  3. SANS Institute. Incident Handling Steps (PICERL). https://www.sans.org/white-papers/incident-handlers-handbook/
  4. FIRST. PSIRT Services Framework. https://www.first.org/standards/frameworks/psirts/psirt_services_framework_v1.1
  5. MITRE ATT&CK. Enterprise Matrix. https://attack.mitre.org/
  6. MITRE ATT&CK. Detection, Response, and Recovery Framework. https://attack.mitre.org/resources/getting-started/
  7. NIST. CSF 2.0: Cybersecurity Framework. 2024. https://www.nist.gov/cyberframework
  8. SANS. SEC504: Hacker Techniques, Exploits & Incident Handling. https://www.sans.org/cyber-security-courses/hacker-techniques-incident-handling/
  9. The DFIR Report. Real Intrusion Incidents. https://thedfirreport.com/
  10. Red Canary. Atomic Red Team. https://atomicredteam.io/
  11. Sigma HQ. Sigma Detection Rules. https://github.com/SigmaHQ/sigma
  12. Elastic. Security Detection Rules. https://github.com/elastic/detection-rules
  13. Splunk. Security Essentials. https://www.splunk.com/en_us/software/splunk-security-essentials.html
  14. CrowdStrike. Incident Response Services. https://www.crowdstrike.com/services/incident-response/
  15. Mandiant. Incident Response Services. https://www.mandiant.com/services/incident-response
  16. Velocidex. Velociraptor β€” Endpoint Visibility. https://docs.velociraptor.app/
  17. KAPE (Kroll). Kroll Artifact Parser and Extractor. https://www.kroll.com/en/services/cyber-risk/incident-response-forensics/kape
  18. Plaso (log2timeline). Plaso Documentation. https://plaso.readthedocs.io/en/latest/
  19. TheHive Project. TheHive β€” IR Platform. https://thehive-project.org/
  20. Shuffle. Shuffle SOAR. https://shuffler.io/
  21. CISA. Incident Response Training. https://www.cisa.gov/incident-response
  22. Verizon. 2024 Data Breach Investigations Report. https://www.verizon.com/business/resources/reports/dbir/
  23. OWASP. Incident Response Guide. https://owasp.org/www-project-incident-response-guide/
  24. ENISA. Incident Response in the EU. https://www.enisa.europa.eu/topics/incident-response
  25. FIRST. CVSS v4.0 Calculator. https://www.first.org/cvss/calculator/4.0

Bottom Line

Incident Response bukan tentang tool canggih β€” ini tentang proses yang terstruktur, dilatih, dan terus diperbaiki. Kunci IR yang efektif: (1) Preparation adalah fase termahal jika diabaikan β€” playbook harus ditulis, dilatih, dan diuji dengan simulasi (tabletop atau Atomic Red Team). (2) Containment adalah fase paling penting β€” stop the bleeding sebelum mencari root cause. (3) Post-mortem adalah investasi β€” tanpa lessons learned, Anda hanya mengulang incident yang sama setiap 6 bulan. (4) Semua SOP di vault ini terikat ke satu siklus IR β€” masing-masing punya tempat dan waktunya dalam fase PICERL. Gunakan framework ini sebagai β€œmap” untuk menavigasi incident β€” dari preparation hingga recovery β€” dan jadikan post-mortem sebagai alat untuk mendorong perbaikan organisasi secara kontinu.