Why Incident Response Matters
Security incidents are inevitable. The difference between a minor issue and a major breach often comes down to how quickly and effectively you respond.
Incident Response Phases
- Preparation: Plans, tools, training
- Detection: Identify potential incidents
- Containment: Limit the damage
- Eradication: Remove the threat
- Recovery: Restore normal operations
- Lessons Learned: Improve for next time
Detection and Alerting
// Centralized security logging
const securityLogger = {
log(event) {
const entry = {
timestamp: new Date().toISOString(),
...event,
environment: process.env.NODE_ENV,
service: process.env.SERVICE_NAME
};
// Send to SIEM
siem.ingest(entry);
// Check for alert conditions
if (this.shouldAlert(event)) {
alertService.notify(entry);
}
},
shouldAlert(event) {
const alertConditions = [
event.type === 'authentication_failure' && event.count > 5,
event.type === 'privilege_escalation',
event.type === 'data_exfiltration',
event.severity === 'critical'
];
return alertConditions.some(c => c);
}
};Incident Classification
const incidentSeverity = {
P1: {
name: 'Critical',
response: '15 minutes',
examples: ['Active data breach', 'Ransomware', 'Complete service outage'],
escalation: ['Security Lead', 'CTO', 'Legal']
},
P2: {
name: 'High',
response: '1 hour',
examples: ['Suspected breach', 'Credential compromise', 'Major vulnerability'],
escalation: ['Security Lead', 'Engineering Lead']
},
P3: {
name: 'Medium',
response: '4 hours',
examples: ['Phishing attempt', 'Minor vulnerability', 'Policy violation'],
escalation: ['Security Team']
},
P4: {
name: 'Low',
response: '24 hours',
examples: ['Security scan findings', 'Audit findings'],
escalation: ['Security Team']
}
};Containment Playbook
// Automated containment actions
const containmentPlaybook = {
'compromised_credentials': async (incident) => {
// 1. Disable affected user accounts
await identityService.disableUser(incident.userId);
// 2. Revoke all sessions
await sessionService.revokeAllSessions(incident.userId);
// 3. Rotate API keys
await apiKeyService.rotateKeys(incident.userId);
// 4. Block IP addresses
await waf.blockIPs(incident.sourceIPs);
// 5. Notify user
await notificationService.sendSecurityAlert(incident.userId);
},
'malware_detected': async (incident) => {
// 1. Isolate affected systems
await networkService.isolateHost(incident.hostId);
// 2. Preserve evidence
await forensics.captureMemory(incident.hostId);
await forensics.captureDisks(incident.hostId);
// 3. Block C2 domains
await dns.blockDomains(incident.iocs.domains);
}
};Communication Template
const incidentCommunication = {
internal: {
initial: `
SECURITY INCIDENT - {severity}
What: {brief_description}
When: {detection_time}
Status: Investigation in progress
Immediate Actions:
- {action_1}
- {action_2}
Next Update: {time}
Contact: {incident_commander}
`,
update: `
INCIDENT UPDATE #{update_number}
Status: {status}
Progress: {progress}
Next Steps: {next_steps}
Next Update: {time}
`
},
external: {
notification: `
We are investigating a security incident that may have
affected your data. We are working with security experts
and will provide updates as we learn more.
What we know: {known_impact}
What we're doing: {remediation_steps}
What you should do: {user_actions}
`
}
};Evidence Preservation
// Forensic evidence collection
async function preserveEvidence(incident) {
const evidence = {
incidentId: incident.id,
collectedAt: new Date().toISOString(),
items: []
};
// Collect logs
evidence.items.push({
type: 'logs',
source: 'application',
data: await logService.export(incident.timeRange)
});
// Collect network data
evidence.items.push({
type: 'network',
source: 'firewall',
data: await firewall.exportLogs(incident.timeRange)
});
// Hash all evidence
for (const item of evidence.items) {
item.hash = await crypto.hash(item.data);
}
// Store in immutable storage
await evidenceStorage.store(evidence);
return evidence;
}Post-Incident Review
const postIncidentTemplate = {
summary: '',
timeline: [],
rootCause: '',
impact: {
systems: [],
data: [],
users: [],
financial: ''
},
whatWentWell: [],
whatCouldImprove: [],
actionItems: [
{ description: '', owner: '', dueDate: '', priority: '' }
],
lessonsLearned: []
};Conclusion
Preparation is key. Have playbooks ready, practice them, and continuously improve based on lessons learned. The goal is to minimize impact and recover quickly.