CyberVault | Incident Response Playbooks

Comprehensive incident response playbook for detecting, containing, eradicating, and recovering from ransomware attacks. Covers all phases from initial alert through post-incident review. Aligns with NIST SP 800-61 and MITRE ATT&CK framework.

🆔 CV-PLB-001

📅 Last updated: Jan 15, 2025

⏱️ Est. completion: 2–8 hours

👥 Teams: SOC, IR, IT Ops, Legal

⚡

Total Steps

📋

Response Phases

✅

Success Rate (%)

🔄

47x

Times Executed

Detection & Triage

⏱️ 0–15 min

1.1

Verify the ransomware alert

SOC Analyst

▼

Confirm the alert is a true positive. Check for indicators of compromise (IOCs) including file extensions, ransom notes, and unusual process behavior.

$ Get-ChildItem -Path "C:\" -Recurse -Include "*.encrypted","*.locked","*.crypt" -ErrorAction SilentlyContinue | Select-Object -First 10 FullName

$ Get-Process | Where-Object { $_.CPU -gt 80 -or $_.WorkingSet64 -gt 500MB } | Format-Table Name, Id, CPU, WorkingSet64

Alert received from EDR/XDR platform
IOCs confirmed on affected endpoint
Ransom note or decryption file found
File encryption activity verified via logs

1.2

Determine scope of infection

SOC Lead

▼

Identify all potentially affected systems across the network. Search SIEM and EDR for related IOCs, lateral movement indicators, and unusual admin activities.

$ Get-WinEvent -LogName Security | Where-Object { $_.Id -in @(4624, 4625, 4672) } | Select-Object TimeCreated, Id, Message | Format-Table -AutoSize

ℹ️

Cross-reference IOCs with threat intelligence feeds. Check for known ransomware variants: LockBit, BlackCat, Conti, REvil.

1.3

Classify severity and activate IR team

SOC Manager

▼

Based on scope assessment, classify the incident and trigger the appropriate response level.

🚨 Escalation Matrix

L1: Single endpoint — SOC Team handles

L2: Multiple endpoints / servers — IR Team activated

L3: Critical systems / data at risk — Executive notification required

Containment

⏱️ 15–60 min

2.1

Isolate affected systems immediately

IR Team Lead

▼

Disconnect infected systems from the network to prevent lateral movement. Do NOT power off — preserve RAM for forensic analysis.

$ # NetworkIsolate the affected hosts via EDR console # Or manually: Disable-NetAdapter -Name "Ethernet" -Confirm:$false Disable-NetAdapter -Name "Wi-Fi" -Confirm:$false

⚠️

DO NOT power off infected machines. Memory may contain encryption keys or volatile evidence. Use network isolation only.

2.2

Block attacker IOCs at perimeter

Network Security

▼

Update firewall rules, DNS sinkholes, and proxy blocklists with identified IOCs. Block C2 communication channels.

$ # Block identified C2 domains via DNS firewall Set-DnsServerZone -ZoneName "*.malicious-c2-domain.com" -ZoneFile "sinkhole.dns" # Update firewall deny rules New-NetFirewallRule -DisplayName "Block C2 IP" -Direction Outbound -RemoteAddress 185.220.101.0/24 -Action Block

2.3

Disable compromised credentials

Identity Team

▼

Identify and disable all potentially compromised accounts. Force password resets and revoke active sessions.

Identify compromised accounts via log analysis
Disable accounts in Active Directory / Identity Provider
Revoke all active sessions and tokens
Revoke service account credentials
Audit privileged access (admin, root, service accounts)

Eradication & Recovery

⏱️ 1–6 hours

3.1

Forensic image and malware analysis

Forensics Team

▼

Create forensic images of affected systems before remediation. Analyze malware samples in a sandboxed environment.

$ # Capture memory dump for analysis Get-Process -Name suspicious_process | ForensicMemoryCapture -OutputPath \\[\\FORENSICS\\SHARE\\dump.dmp # Collect full forensic image dd if=/dev/sda of=/evidence/system-image.img bs=4M status=progress

3.2

Remove malware and close attack vectors

IR Team

▼

Perform thorough malware removal on all affected systems. Patch the vulnerability that was exploited as the initial access vector.

Run full anti-malware scan on all systems
Remove persistence mechanisms (registry, scheduled tasks, services)
Patch exploited vulnerability (e.g., CVE reference)
Harden configurations on affected assets

3.3

Restore from verified clean backups

IT Operations

▼

Verify backup integrity before restoration. Ensure backups are clean and taken before the point of compromise.

$ # Verify backup integrity Get-VSSBackup -Server backup-server -Verify -OutputPath ./backup-verify-log.txt # Restore from last known good backup Restore-VSSBackup -BackupId "2025-01-14T020000Z" -TargetPath "C:\" -WhatIf

⚠️

Verify backup timestamp is BEFORE the initial compromise time identified in step 1.2. Do NOT use backups that may be encrypted.

Post-Incident Review

⏱️ 24–72 hours

4.1

Conduct lessons learned and update controls

CISO / IR Lead

▼

Document the full incident timeline, root cause analysis, and corrective actions. Update detection rules and this playbook as needed.

Compile incident timeline with timestamps
Document root cause and attack chain
Identify detection gaps and false negatives
Update SIEM detection rules and EDR policies
Update this playbook with lessons learned
Schedule follow-up security awareness training

4.2

Regulatory notification and reporting

Legal / Compliance

▼

Determine regulatory reporting obligations and timelines based on the data types affected and jurisdictions involved.

ℹ️

GDPR: 72-hour reporting window. HIPAA: 60-day reporting. CCPA/CPRA: Notification without unreasonable delay. Check industry-specific requirements.

📡 Playbook Status

Approved & Active

Last reviewed: Jan 15, 2025

Execution Completion 67%

👥 Response Team

Alex Kovacs

IR Team Lead

Maria Petrova

SOC Senior Analyst

Raj Joshi

Network Security

Sarah Liu

Legal / Compliance

🏷️ Tags & Frameworks

📝 Version History

Updated MITRE ATT&CK mappings

Jan 15, 2025

Added cloud-specific containment steps

Nov 28, 2024

Revised escalation matrix

Sep 10, 2024

Initial playbook created

Mar 22, 2024

⚙️ Actions

Ransomware Attack Response 🔴 Critical

All Playbooks