π¨ Incident Response Framework β NIST CSF, SANS PICERL, Detection Engineering & Post-Mortem
Panduan komprehensif incident response (IR) yang menyatukan kerangka kerja standar (NIST CSF, SANS PICERL, MITRE ATT&CK), detection engineering lifecycle, playbook execution, forensic acquisition, hingga post-mortem analysis. Nota ini adalah hub sentral yang mengikat semua SOP yang ada di vault ke dalam satu siklus IR yang terstruktur β dari preparation hingga lessons learned. Bisa digunakan sebagai acuan untuk SOC tim, blue team drills, dan maturity assessment.
Hubungan ke Vault
Nota ini adalah hub yang mengikat: arp-spoofing-mitigation (containment), forensic-imaging-analysis (acquisition), hpa-exorcism dan systemrescue-recovery (recovery), storage-refurbishing (eradication), endpoint-detection-playbook (triage), blueteam-detection-matrix dan blueteam-vs-enterprise-c2 (detection), malware-analysis-reverse-engineering-playbook (analysis), serta threat-modeling-deepdive dan comprehensive-threat-directory (threat intel). Setiap SOP di vault ini dipetakan ke fase IR tertentu.
Daftar Isi
Foundation
Incident Response β Mengapa Perlu Framework?
Tanpa framework, incident response cenderung reaktif, tidak konsisten, dan sulit diukur efektivitasnya. Framework memberikan:
| Manfaat | Deskripsi |
|---|---|
| Struktur | Fase jelas: apa yang dilakukan, kapan, oleh siapa |
| Konsistensi | Setiap incident ditangani dengan proses yang sama |
| Efisiensi | Mengurangi waktu pengambilan keputusan (decision fatigue) |
| Akuntabilitas | Setiap tindakan tercatat dan bisa diaudit |
| Improvement | Post-mortem β feedback loop β perbaikan berkelanjutan |
| Compliance | Memenuhi persyaratan regulasi (PCI DSS, ISO 27001, GDPR, PBI) |
Dua Framework Utama
NIST SP 800-61 Rev. 2 β Computer Security Incident Handling Guide
| Fase | Deskripsi | Output |
|---|---|---|
| 1. Preparation | Siapkan tools, playbook, training, communication plan | IR plan, toolkit, contact list, SLAs |
| 2. Detection & Analysis | Deteksi, verifikasi, triage, dan analisis awal incident | Incident ticket, severity score, preliminary scope |
| 3. Containment, Eradication & Recovery | Isolasi, bersihkan, dan pulihkan sistem | Containment plan, eradication log, recovery timeline |
| 4. Post-Incident Activity | Post-mortem, lessons learned, report | Incident report, action items, updated playbook |
SANS PICERL (6 Fase Praktis)
| Fase | Nama | Tujuan Utama | Waktu Target |
|---|---|---|---|
| P | Preparation | Siapkan tools, training, team | Berkelanjutan |
| I | Identification | Deteksi, triage, tentukan scope & severity | <15 menit (severity), <1 jam (scope) |
| C | Containment | Isolasi β stop the bleeding | Short-term: <30 menit; Long-term: <4 jam |
| E | Eradication | Hapus root cause, malware, backdoor | 1-24 jam tergantung severity |
| R | Recovery | Kembalikan operasi normal, validasi | 1-48 jam |
| L | Lessons Learned | Post-mortem, update playbook, training | 1-14 hari pasca-incident |
Perbandingan: NIST lebih strategic (cocok untuk management dan compliance), PICERL lebih operational (cocok untuk SOC dan responder).
Severity Classification
| Level | Warna | Kriteria | Contoh | Response Time |
|---|---|---|---|---|
| SEV-1 | π΄ Critical | Data breach, ransomware, system-wide outage, PII exfiltrated | Ransomware encrypting file servers | <15 menit |
| SEV-2 | π High | Lateral movement detected, malware outbreak di segmen terbatas | Emotet infection di 3 workstation | <1 jam |
| SEV-3 | π‘ Medium | Single host compromise, phishing success tanpa lateral | Malware downloaded (blocked by AV) | <4 jam |
| SEV-4 | π΅ Low | Scanning, probe, phishing attempt gagal | Port scan dari external IP | <24 jam |
| SEV-5 | βͺ Info | False positive, user reported suspicious email | Phishing email reported (no click) | Next business day |
IR Team Structure (RACI)
| Role | Tanggung Jawab | SEV-1 | SEV-2 | SEV-3/4 |
|---|---|---|---|---|
| Incident Commander (IC) | Decision maker, coordinator | On-call 24/7 | Lead | Lead |
| SME β Network | Network containment, firewall | On-call | Available | Available |
| SME β Endpoint | Host forensics, EDR | On-call | Lead | Available |
| SME β Cloud | Cloud IR, IAM, CSPM | On-call | Available | Consult |
| Legal & Compliance | Regulatory obligation, data breach notification | On-call | Consult | Available |
| Communications | Internal comms, PR | On-call | Available | β |
| Management | Resource allocation, business decisions | Informed | Informed | Informed |
Technical Deep-Dive
Phase 1 β Preparation
IR Toolkit Minimum
β Endpoint:
β Live response: Velociraptor, CyLR (Collection) + EDR agent (CrowdStrike/Defender)
β Memory acquisition: winpmem, LiME (Linux Memory Extractor)
β Disk imaging: FTK Imager, dd, Guymager
β Triage: KAPE (Kroll Artifact Parser and Extractor), Chainsaw, Hayabusa
β Analysis: Volatility 3, FLOSS, CAPA
β Timeline: Plaso (log2timeline)
β Network:
β Packet capture: tcpdump, Wireshark, NetworkMiner
β Flow analysis: zeek (bro), nfdump
β DNS: dnscap, passive DNS tools
β Proxy: squid logs, mitmproxy
β Cloud:
β AWS: CloudTrail, GuardDuty, AWS Config
β Azure: Microsoft Sentinel, Azure Activity Log
β GCP: Cloud Audit Logs, Security Command Center
β SIEM & SOAR:
β SIEM: Wazuh (OSS), ELK Stack, Splunk, Sentinel
β SOAR: Shuffle (OSS), Splunk SOAR, Palo Alto XSOAR
β Communication:
β Secure chat: Signal, Slack (with war room)
β Ticketing: Jira, TheHive (OSS)
β Documentation: collaborative doc (Google Doc/Confluence dengan access control)
Playbook Template
Setiap playbook harus memiliki format standar:
---
title: "Playbook: Ransomware Response"
id: IR-PB-001
version: 1.2
last_updated: 2026-07-15
severity: SEV-1
phases:
- identification
- containment
- eradication
- recovery
dependencies:
- EDR logs
- Network flow logs
- Backup system access
trigger: "EDR alert: Ransomware behavior detected"
steps:
identification:
- "0-5m: Verify alert β is it real or FP?"
- "5-15m: Determine scope: host, user, encryption type"
- "15-30m: Check if backup is also encrypted"
containment:
- "0-10m: Isolate host (network disconnect or EDR containment)"
- "10-30m: Block C2 IOCs at firewall/proxy"
- "30-60m: Disable affected AD accounts"
eradication:
- "Reimage affected hosts from known-good image"
- "Rotate all credentials in scope"
- "Remove persistence: scheduled tasks, services, registry run keys"
recovery:
- "Restore from clean backup (verify timestamp pre-encryption)"
- "Deploy updated EDR signatures"
- "Monitor for re-infection for 48 hours"
lessons_learned:
- "Root cause analysis: how did initial access occur?"
- "Gap analysis: what detection/prevention failed?"
---Phase 2 β Identification
Sumber Deteksi
| Sumber | Contoh Alert | Kecepatan | False Positive Rate |
|---|---|---|---|
| EDR | Behavioral detection, process injection, LSASS access | Real-time | Medium |
| SIEM | Correlation rule β multiple failed logon + success | Near real-time | Medium-High |
| Network | DNS sinkhole hit, C2 beacon pattern | Real-time | Low |
| Cloud | GuardDuty, IAM anomaly, S3 public access | Real-time | Low-Medium |
| User report | Phishing report, unusual behavior | Manual | Medium |
| 3rd party | Takedown notice, threat intel feed | Hours-days | Low |
| Threat hunting | Hypothesis-driven search | Proactive | Variable |
Triage β Diamond Model
Setiap incident harus dipetakan ke Diamond Model untuk memahami konteks:
Adversary
β²
/ \
/ \
/ \
/ \
Infrastructure ββββββββ Capability
\ /
\ /
\ /
\ /
βΌ
Victim
| Sisi Diamond | Pertanyaan Kunci |
|---|---|
| Adversary | Siapa? Known group? Motivasi? TTPs? |
| Capability | Apa yang digunakan? Malware, exploit, phishing? |
| Infrastructure | IP, domain, C2 server? Hosting provider? |
| Victim | Siapa yang terkena dampak? Data apa yang terekspos? |
Initial Triage Checklist (15 Menit)
β Verifikasi alert: cek log mentah, bukan sekedar alert summary
β Tentukan SEV level (1-5 berdasarkan dampak bisnis)
β Screenshot: timeline event, indicators, affected hosts
β Assign Incident Commander
β Notify stakeholders (sesuai RACI matrix)
β Create war room (secure chat + document)
β Open ticket with incident timeline
β Jika SEV-1: paging tree β semua on-call
Phase 3 β Containment
Containment Strategies per Skenario
| Skenario | Short-Term Containment | Long-Term Containment |
|---|---|---|
| Ransomware (single host) | Network isolation + EDR kill process | Reimage host from known-good image |
| Ransomware (network-wide) | Disable AD accounts + block SMB outbound + firewall block | Restore from backup + rotate all credentials |
| C2 Beacon | Network block C2 IP/domain at firewall | Forensik host β remove persistence β reimage |
| Data exfiltration (in progress) | Block outbound traffic to unknown IPs + revoke IAM keys | IAM audit + S3 bucket policy lockdown |
| Phishing credential theft | Force password reset + revoke session tokens | MFA enrollment for all affected + investigation |
| Insider threat | Suspend AD account + revoke access + preserve evidence | HR + Legal involved, forensic imaging |
| DDoS | Blackhole routing + scrubbing center | WAF + rate limiting + CDN failover |
| Supply chain compromise | Disconnect affected vendor integrations | Vendor risk assessment + alternative vendor |
Containment Commands β Quick Reference
Linux:
# Kill process
kill -9 $(pgrep -f malicious_process)
# Network isolation (iptables)
iptables -A INPUT -s 0.0.0.0/0 -j DROP
iptables -A OUTPUT -d 0.0.0.0/0 -j DROP
# Remove SSH key persistence
rm -rf ~/.ssh/authorized_keysWindows:
# Kill process
Stop-Process -Name "malicious" -Force
# Network isolation (Windows Firewall)
New-NetFirewallRule -Direction Outbound -RemoteAddress 0.0.0.0/0 -Block -Profile Any
# Disable AD account
Disable-ADAccount -Identity "compromised_user"Chain of Custody
Setiap evidence yang dikumpulkan harus memiliki chain of custody:
| Field | Isi |
|---|---|
| Evidence ID | E-001 |
| Description | Memory dump host CORP-WKS-045 |
| Source | IP 10.0.45.22, hostname CORP-WKS-045 |
| Acquired by | J. Analyst (SOC Lead) |
| Date/Time | 2026-07-15 14:30 UTC |
| Method | winpmem_x64.exe mem.dmp |
| Hash (MD5) | a1b2c3d4e5f6β¦ |
| Hash (SHA256) | f9e8d7c6b5a4β¦ |
| Location | NAS://cases/IR-2026-007/evidence/ |
| Transfer log | File copied via rsync to NAS at 14:35 UTC |
| Handover to | A. Forensics Analyst (15:00 UTC, signed) |
Phase 4 β Eradication
Eradication berarti menghilangkan root cause dari lingkungan β bukan hanya mengembalikan sistem ke state operational.
| Root Cause | Eradication Action |
|---|---|
| Malware dropper | Reimage host, clean all shared drives |
| Weak credential | Force password reset + enable MFA |
| Unpatched vulnerability | Apply patch + verify other hosts same vulnerability |
| Misconfiguration | Fix config + IaC policy update + CSPM rule |
| Phishing | Block sender domain + training + email security rule |
| Insider | Revoke access + HR action + forensic preservation |
| Supply chain | Remove vendor integration + incident report to vendor |
Phase 5 β Recovery
Recovery adalah mengembalikan operasi dengan aman β bukan sekedar restore:
Recovery Checklist:
β Restore from clean backup (validated timestamp pre-compromise)
β Verify integrity: scan with updated signatures
β Network monitoring: enable extra logging on recovered hosts
β User access: restore with MFA + least privilege
β Validation: run security scan (SAST/DAST/SCA)
β Monitoring: enhanced monitoring for 48-72 hours post-recovery
β Stakeholder comms: status update "operasi normal kembali"
β Business verification: confirm key metrics (transactions, uptime, latency)
Phase 6 β Lessons Learned (Post-Mortem)
Post-mortem harus dilakukan dalam 1-14 hari setelah incident β semakin cepat semakin baik, detail masih segar.
Post-Mortem Template
# Post-Mortem Incident IR-2026-007
## Metadata
- **Incident ID:** IR-2026-007
- **Severity:** SEV-1 (Critical)
- **Date:** 2026-07-15
- **Duration:** 3h 24m (14:30 - 17:54 UTC)
- **Report Author:** J. Analyst
- **Response Team:** 5 persons (IC, Endpoint, Network, Cloud, Legal)
## Timeline
| Time (UTC) | Event |
| ---------- | -------------------------------------------------------- |
| 14:30 | EDR alert: Ransomware behavior detected on CORP-WKS-045 |
| 14:32 | IC assigned, severity upgraded to SEV-1 |
| 14:35 | Host network-isolated |
| 14:40 | Block C2 IP at firewall |
| 14:50 | Memory + disk imaging started |
| 15:10 | IC determines: single host, no lateral movement detected |
| 15:30 | EDR scans all endpoints β 0 additional detections |
| 16:00 | Containment confirmed successful |
| 16:30 | Forensic analysis: initial access via phishing email |
| 17:00 | Host reimaged from known-good ISO |
| 17:30 | User credentials rotated + MFA enforced |
| 17:54 | Recovery verified β host back in production |
## Root Cause Analysis
### Teknis
- **Initial Access:** Spear-phishing email dengan malicious Excel macro
- **Execution:** PowerShell download cradle β .NET assembly loaded in memory (fileless)
- **Persistence:** Scheduled task "OneDrive Sync" setiap 30 menit
- **Impact:** Single host encrypted (files di %USERPROFILE%), tidak ada network share terenkripsi
### Process
- Email security rule tidak menangkap phishing karena sender domain legitimate (compromised vendor account)
- User tidak melaporkan email (trained? no β user belum training phishing dalam 6 bulan)
## Action Items
| ID | Action | Owner | Due Date | Status |
| ----- | ------------------------------------------------------------- | -------------- | ---------- | -------------- |
| AI-01 | Update email security rule: block macro from external senders | Email Sec Team | 2026-07-20 | β
Done |
| AI-02 | Mandatory phishing training untuk semua user | HR + IT Sec | 2026-08-01 | π‘ In Progress |
| AI-03 | Deploy ASR rule: block Office child process creation | Endpoint Team | 2026-07-18 | β
Done |
| AI-04 | Update ransomware playbook (IR-PB-001) | IR Lead | 2026-07-25 | π΄ Not Started |
## Metrics
| Metric | Value |
| --------------------------------------- | ------------------------------------ |
| Time to detection (from initial access) | 24 minutes |
| Time to containment | 20 minutes |
| Time to eradication | 1h 30m |
| Time to recovery | 3h 24m |
| Business impact | None (single host, no customer data) |
| False positives | 0 (alert was accurate) |IR Metrics Penting
| Metric | Target | Rumus |
|---|---|---|
| MTTD (Mean Time to Detect) | <30 menit untuk SEV-1 | Total waktu deteksi / jumlah incident |
| MTTC (Mean Time to Contain) | <1 jam untuk SEV-1 | Total waktu containment / jumlah incident |
| MTTE (Mean Time to Eradicate) | <4 jam untuk SEV-1 | Total waktu eradication / jumlah incident |
| MTTR (Mean Time to Recover) | <8 jam untuk SEV-1 | Total waktu recovery / jumlah incident |
| False Positive Rate | <30% dari all alerts | Total FP / total alerts |
| Post-mortem completion | 100% untuk SEV-1/2 dalam 7 hari | Rata-rata hari penyelesaian |
Advanced
Detection Engineering Lifecycle
Detection engineering adalah proses sistematis untuk menulis, menguji, dan memelihara detection rules:
Cycle:
1. Threat Intel (CVE, report, TTPs) atau Post-Mortem Gap
β
βΌ
2. Hypothesis β "Bagaimana attacker akan beroperasi di env kita?"
β
βΌ
3. Data Source Mapping β logs apa yang punya info relevan?
β
βΌ
4. Rule Authoring β Sigma, YARA, KQL, Splunk SPL
β
βΌ
5. Testing β Historical data + live simulation (Atomic Red Team, Stratus)
β
βΌ
6. Tuning β Baseline untuk mengurangi FP, adjust threshold
β
βΌ
7. Deployment β Deploy ke SIEM, EDR, atau WAF
β
βΌ
8. Monitoring β Alert performance monitoring + periodic review
β
βΌ
9. Feedback β Post-mortem findings β adjust detection gaps
Sigma Rule β Detection as Code
Sigma adalah format universal untuk detection rules (bisa di-export ke Splunk, QRadar, Elastic, ArcSight, dll):
title: Suspicious PowerShell Download Cradle
id: 7c8d9e0f-1a2b-3c4d-5e6f-7a8b9c0d1e2f
status: experimental
description: Mendeteksi pola download PowerShell dari URL β sering digunakan oleh post-exploitation tools
references:
- https://thedfirreport.com/2024/07/powershell-cradle/
tags:
- attack.t1059.001 # PowerShell
- attack.t1105 # Ingress Tool Transfer
logsource:
product: windows
category: ps_script
definition: "Requires PowerShell Script Block Logging (EnableScriptBlockLogging)"
detection:
selection_download:
ScriptBlockText|contains:
- "System.Net.WebClient"
- "Invoke-WebRequest"
- "Invoke-RestMethod"
- "Start-BitsTransfer"
selection_bypass:
ScriptBlockText|contains:
- "Bypass"
- "-ExecutionPolicy"
- "EncodedCommand"
selection_obfuscation:
ScriptBlockText|contains:
- "[System.Text.Encoding]::UTF8.GetString"
- "[System.Convert]::FromBase64String"
- "-join"
condition: (selection_download and selection_bypass) or (selection_download and selection_obfuscation)
level: high
falsepositives:
- "Admin menggunakan PowerShell untuk legitimate download (rare)"
- "Software update scripts"Atomic Red Team β Simulation Testing
Atomic Red Team (Red Canary) adalah library test case yang memetakan langsung ke MITRE ATT&CK:
# Install
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1');
Install-AtomicRedTeam -getAtomics
# Run single test
Invoke-AtomicTest T1059.001 -TestName "Powershell Download Cradle" -GetPrereqs
# Run against entire technique
Invoke-AtomicTest T1059.001
# Run with cleanup
Invoke-AtomicTest T1059.001 -CleanupPro tip: Schedule Atomic Red Team di test environment secara otomatis setiap minggu untuk memvalidasi bahwa detection rules Anda masih berfungsi.
Purple Team Framework
Purple Team bukan peran β ini aktivitas kolaborasi antara Red (attack) dan Blue (defense):
Purple Team Exercise Cycle:
1. Select TTP dari MITRE ATT&CK (prioritas: yang belum terdeteksi atau incident gap)
2. Red Team execute attack technique
3. Blue Team observe: apakah detection rule triggered?
ββ Yes β dokumentasikan sebagai "detected"
ββ No β identifikasi gap:
ββ Log source tidak tersedia?
ββ Log source ada tapi rule tidak tertulis?
ββ Rule ada tapi threshold tidak cocok?
4. Create/update detection rule
5. Test ulang dengan teknik yang sama
6. Dokumentasikan dan masukkan ke knowledge base
Maturity Model β IR Capability Assessment
| Level | Nama | Karakteristik |
|---|---|---|
| Level 0 | Ad-hoc | Tidak ada playbook, incident ditangani βby heroesβ, dokumentasi minim |
| Level 1 | Initial | Ada IR policy dasar, satu dua orang tahu prosedur, tools tidak terintegrasi |
| Level 2 | Defined | IR policy tertulis, playbook untuk SEV-1/2, basic SIEM + EDR |
| Level 3 | Managed | Metrics dikumpulkan (MTTD, MTTR), purple team exercise berkala, SOAR untuk SEV-3/4 |
| Level 4 | Optimizing | Detection engineering lifecycle berjalan, threat intel feed integrated, automated IR untuk SEV-3/4, join ISAC/FS-ISAC |
Assessment: Gunakan checklist NIST CSF untuk self-assessment tiap kuartal.
Mapping SOP di Vault ke Fase IR
| SOP / Note | Fase IR | Tujuan |
|---|---|---|
| arp-spoofing-mitigation | C β Containment | Isolasi serangan ARP spoofing di jaringan lokal |
| forensic-imaging-analysis | I β Identification | Akuisisi bit-stream untuk analisis forensik |
| hpa-exorcism | E β Eradication | Bersihkan HPA/DCO dari media penyimpanan |
| systemrescue-recovery | R β Recovery | Recovery OS dari SystemRescue live CD |
| storage-refurbishing | E β Eradication (then R β Recovery) | Wipe & recondition storage media |
| laptop-qc-procurement | P β Preparation | Standardisasi hardware sebelum deploy (reduce supply chain risk) |
| printer-maintenance-reset | R β Recovery | Reset printer (low-severity but operational IT) |
| quartz-setup-windows | P β Preparation | Setup Quartz engine untuk monitoring |
| endpoint-detection-playbook | I β Identification | Triage endpoint β RAM dump, Volatility, persistence |
| blueteam-detection-matrix | I β Identification | Detection rules dan C2 detection matrix |
| blueteam-vs-enterprise-c2 | I β Identification | Deteksi C2 enterprise-grade |
| malware-analysis-reverse-engineering-playbook | A β Analysis (cross-phase) | Analisis malware: triage, static, dynamic, memory, RE |
| threat-modeling-deepdive | P β Preparation | Identifikasi ancaman preventif sebelum incident |
| comprehensive-threat-directory | P β Preparation | Threat intel knowledge base |
Detection Engineering β KQL Query Examples
Failed Logon Spike (Potential Password Spray)
// Azure Sentinel / Microsoft 365 Defender
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType == "50057" // User account is disabled
or ResultType == "50053" // Account locked
or ResultType == "50126" // Invalid username or password
| summarize FailedAttempts = count() by UserPrincipalName, IPAddress
| where FailedAttempts > 10
| join kind=inner (
SigninLogs
| where ResultType == "0" // Success
| summarize SuccessfulLogon = count() by UserPrincipalName
) on UserPrincipalName
| project UserPrincipalName, IPAddress, FailedAttempts, SuccessfulLogon
| order by FailedAttempts descSuspicious Outbound DNS Query (DGA)
// Zeek DNS logs
dns
| where query_type == "A"
| where timestamp > ago(1h)
| extend domain_length = strlen(query)
| where domain_length >= 8 and domain_length <= 20
| extend entropy =
countof(query, @'[a-z]') * 0.4 +
countof(query, @'[0-9]') * 0.6
| where entropy > 0.6
| summarize count() by query
| top 10 by count_ descCase Studies
| Studi Kasus | Fase IR | Temuan Kunci | Action Items |
|---|---|---|---|
| Ransomware LockBit (Skenario Single Host) | I β C β E β R | 1. Detection: EDR alert process injection β svchost.exe unusual child. 2. Containment: 20 menit β network isolate. 3. Eradication: reimage from ISO. 4. Recovery: restore user profile from backup. 5. Post-mortem: initial access via Excel macro. | 1. Block Office child process. 2. User phishing training. 3. Enhance email security rule. |
| Data Exfiltration via Cloud (2023) | I β C β E β R | 1. Detection: Cloud DLP alert β 10GB data upload ke non-corporate cloud storage. 2. Containment: revoke IAM keys + disable user account. 3. Eradication: remove unauthorized IAM user + cross-account role. 4. Recovery: enable CloudTrail + GuardDuty. 5. Post-mortem: compromised contractor credentials β no MFA. | 1. MFA enforce ALL external users. 2. SCP untuk restrict data exfil. 3. DLP policy: block upload >100MB. |
| APT29 (Nobelium) Supply Chain (2020) | Full PICERL, multi-month | 1. Detection: threat intel β SolarWinds Orion signature. 2. Containment: disconnect Orion from network. 3. Eradication: reimage all affected servers + rotate golden SAML key. 4. Recovery: months-long remediation. 5. Lessons: zero-trust, federated identity monitoring, SBOM. | 1. SLSA 3+ build pipeline. 2. Federated identity anomaly detection. 3. Supply chain vendor SLA. |
| Insider Threat β IP Theft | I β C β L | 1. Detection: VPN session from unusual location + bulk download dari code repository. 2. Containment: suspend AD account, revoke VPN certificate. 3. Eradication: not applicable (data already exfiltrated). 4. Recovery: not applicable. 5. Lessons: DLP data classification maturity. | 1. Data classification + DLP. 2. UEBA untuk user behavior. 3. Just-in-Time access untuk sensitive repo. |
| Web App Compromise (SQL Injection) | I β C β E β R | 1. Detection: WAF alert β SQL injection pattern. 2. Containment: WAF block rule + temporary application takedown. 3. Eradication: SAST menemukan query concatenation. 4. Recovery: deploy fix + verify via DAST. 5. Lessons: no parameterized query in CI gate. | 1. SAST pipeline block. 2. WAF managed SQL injection rule. 3. DAST in staging. |
Koneksi ke Vault
- arp-spoofing-mitigation β Containment phase: SOP mitigasi ARP spoofing
- forensic-imaging-analysis β Identification phase: akuisisi bit-stream
- hpa-exorcism β Eradication phase: HPA/DCO removal
- systemrescue-recovery β Recovery phase: SystemRescue live CD recovery
- storage-refurbishing β Eradication β Recovery phase: wipe & recondition
- laptop-qc-procurement β Preparation phase: standardisasi hardware
- printer-maintenance-reset β Recovery phase: operational recovery
- quartz-setup-windows β Preparation phase: monitoring setup
- endpoint-detection-playbook β Identification phase: triage & forensics
- blueteam-detection-matrix β Identification phase: C2 detection
- blueteam-vs-enterprise-c2 β Identification phase: enterprise C2 detection
- malware-analysis-reverse-engineering-playbook β Analysis (cross-phase): malware RE
- threat-modeling-deepdive β Preparation phase: preventive threat identification
- comprehensive-threat-directory β Preparation phase: threat intelligence
- active-directory-windows-security-deepdive β ALL phases: Windows AD security in IR context
- devsecops-pipeline-sast-dast-sbom β Preparation phase: pipeline security gate
- cloud-security-posture-management β ALL phases: cloud security in IR context
- system-design β Preparation phase: resilient architecture design
- zero-trust-security β Preparation + Containment: microsegmentation, least privilege
Referensi
- NIST. SP 800-61 Rev. 2: Computer Security Incident Handling Guide. 2012. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
- NIST. SP 800-86: Guide to Integrating Forensic Techniques into Incident Response. 2006. https://csrc.nist.gov/publications/detail/sp/800-86/final
- SANS Institute. Incident Handling Steps (PICERL). https://www.sans.org/white-papers/incident-handlers-handbook/
- FIRST. PSIRT Services Framework. https://www.first.org/standards/frameworks/psirts/psirt_services_framework_v1.1
- MITRE ATT&CK. Enterprise Matrix. https://attack.mitre.org/
- MITRE ATT&CK. Detection, Response, and Recovery Framework. https://attack.mitre.org/resources/getting-started/
- NIST. CSF 2.0: Cybersecurity Framework. 2024. https://www.nist.gov/cyberframework
- SANS. SEC504: Hacker Techniques, Exploits & Incident Handling. https://www.sans.org/cyber-security-courses/hacker-techniques-incident-handling/
- The DFIR Report. Real Intrusion Incidents. https://thedfirreport.com/
- Red Canary. Atomic Red Team. https://atomicredteam.io/
- Sigma HQ. Sigma Detection Rules. https://github.com/SigmaHQ/sigma
- Elastic. Security Detection Rules. https://github.com/elastic/detection-rules
- Splunk. Security Essentials. https://www.splunk.com/en_us/software/splunk-security-essentials.html
- CrowdStrike. Incident Response Services. https://www.crowdstrike.com/services/incident-response/
- Mandiant. Incident Response Services. https://www.mandiant.com/services/incident-response
- Velocidex. Velociraptor β Endpoint Visibility. https://docs.velociraptor.app/
- KAPE (Kroll). Kroll Artifact Parser and Extractor. https://www.kroll.com/en/services/cyber-risk/incident-response-forensics/kape
- Plaso (log2timeline). Plaso Documentation. https://plaso.readthedocs.io/en/latest/
- TheHive Project. TheHive β IR Platform. https://thehive-project.org/
- Shuffle. Shuffle SOAR. https://shuffler.io/
- CISA. Incident Response Training. https://www.cisa.gov/incident-response
- Verizon. 2024 Data Breach Investigations Report. https://www.verizon.com/business/resources/reports/dbir/
- OWASP. Incident Response Guide. https://owasp.org/www-project-incident-response-guide/
- ENISA. Incident Response in the EU. https://www.enisa.europa.eu/topics/incident-response
- FIRST. CVSS v4.0 Calculator. https://www.first.org/cvss/calculator/4.0
Bottom Line
Incident Response bukan tentang tool canggih β ini tentang proses yang terstruktur, dilatih, dan terus diperbaiki. Kunci IR yang efektif: (1) Preparation adalah fase termahal jika diabaikan β playbook harus ditulis, dilatih, dan diuji dengan simulasi (tabletop atau Atomic Red Team). (2) Containment adalah fase paling penting β stop the bleeding sebelum mencari root cause. (3) Post-mortem adalah investasi β tanpa lessons learned, Anda hanya mengulang incident yang sama setiap 6 bulan. (4) Semua SOP di vault ini terikat ke satu siklus IR β masing-masing punya tempat dan waktunya dalam fase PICERL. Gunakan framework ini sebagai βmapβ untuk menavigasi incident β dari preparation hingga recovery β dan jadikan post-mortem sebagai alat untuk mendorong perbaikan organisasi secara kontinu.