Livoa
Legend
Detection
Verification & Triage
Stopping
Containment
Escalation
Remediation & Recovery
Post-Incident & Wrap-up
Preparation
FALSE/TRUE POSITIVE (No further action if false positive)
Detection sources: IDS/IPS, Sysmon, threat intel, SIEM, EDR alerts
True positive: investigate alerts and host data, gather forensic information and logs, start managing the situation
False positive: investigate alerts and host data, record the false positive decision (so the rule or allowlist is updated), gather forensic information if possible
Set preliminary threat level based on available information
Gather information on impacted systems
Escalation paths: STANDARD / MANAGEMENT
Contact IT vendors
Power off machine only at request of senior management
Isolate systems from network (disconnect network)
Tag system(s) to be disconnected
Confirm IOCs from the impacted systems and sweep other devices for them (share the IOCs with detection tooling so further hits are caught)
Remediation & Recovery
Patch any exploited vulnerabilities that can be remediated
Refer to the documentation for the full steps in this process
Post-incident & Wrap-up
Evaluate root cause, review team performance, update documentation
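As an added example (not part of the original flowchart or its author's material), the Python below walks the triage, preliminary threat level and IOC-sweep steps above on constructed data. The false-positive allowlist, the host criticality weights, the sample alerts and the other-host events are all assumptions made for illustration; a real SOC would pull them from its case database, CMDB and telemetry.

```python
from dataclasses import dataclass

# Ordered threat levels used for the "preliminary threat level" step.
LEVELS = ["none", "low", "medium", "high", "critical"]


@dataclass
class Alert:
    source: str      # IDS/IPS, Sysmon, Threat intel, SIEM or EDR
    host: str        # impacted system
    indicator: str   # hash, IP, domain or process command line
    severity: int    # 1 (low) .. 4 (critical), as reported by the source


# Constructed (assumption): indicators an earlier triage recorded as benign,
# i.e. the flow's "record the false positive decision" output.
FALSE_POSITIVE_ALLOWLIST = {
    "C:\\Program Files\\Backup\\agent.exe --scan",
    "10.0.5.20",
}

# Constructed (assumption): business criticality per host, 1 (low) .. 3 (high).
HOST_CRITICALITY = {"dc01": 3, "fileserver": 2, "ws-042": 1, "ws-077": 1}


def triage(alert):
    """Verification & Triage: true/false positive plus preliminary threat level.
    Level is source severity weighted by host criticality (max 4 * 3 = 12)."""
    if alert.indicator in FALSE_POSITIVE_ALLOWLIST:
        return {"verdict": "false_positive", "threat_level": "none"}
    score = alert.severity * HOST_CRITICALITY.get(alert.host, 1)
    if score <= 2:
        level = "low"
    elif score <= 4:
        level = "medium"
    elif score <= 8:
        level = "high"
    else:
        level = "critical"
    return {"verdict": "true_positive", "threat_level": level}


def sweep(iocs, events):
    """Containment: check confirmed IOCs against telemetry from other devices.
    Returns {host: [matched IOCs]}; every hit is a candidate to tag and isolate."""
    hits = {}
    for ev in events:
        if ev["value"] in iocs:
            hits.setdefault(ev["host"], []).append(ev["value"])
    return hits


def containment_plan(alerts, events):
    """Run the flow end to end: triage every alert, collect IOCs from true
    positives, set the overall threat level, sweep the fleet and list hosts to
    tag for network isolation. Powering a host off is NOT decided here; the
    flow reserves that for senior management."""
    verdicts = [triage(a) for a in alerts]
    true_pos = [a for a, v in zip(alerts, verdicts) if v["verdict"] == "true_positive"]
    iocs = {a.indicator for a in true_pos}
    impacted = {a.host for a in true_pos}
    overall = max((v["threat_level"] for v in verdicts), key=LEVELS.index, default="none")
    hits = sweep(iocs, events)
    return {
        "overall_threat_level": overall,
        "iocs": iocs,
        "sweep_hits": hits,
        "isolate": sorted(impacted | set(hits)),
    }


# Constructed sample alerts from the sources named in the flow (not real telemetry).
SAMPLE_ALERTS = [
    Alert("EDR", "ws-042", "C:\\Windows\\Temp\\svch0st.exe", 4),
    Alert("IDS/IPS", "ws-042", "198.51.100.23", 3),
    Alert("Sysmon", "fileserver", "C:\\Program Files\\Backup\\agent.exe --scan", 2),
    Alert("SIEM", "dc01", "10.0.5.20", 2),
]

# Constructed Sysmon-style events from hosts that raised no alert themselves.
OTHER_HOST_EVENTS = [
    {"host": "ws-077", "type": "network", "value": "198.51.100.23"},
    {"host": "fileserver", "type": "process", "value": "C:\\Windows\\Temp\\svch0st.exe"},
    {"host": "dc01", "type": "network", "value": "10.0.5.20"},
]

if __name__ == "__main__":
    plan = containment_plan(SAMPLE_ALERTS, OTHER_HOST_EVENTS)
    print("Preliminary threat level:", plan["overall_threat_level"])
    print("Tag and isolate:", ", ".join(plan["isolate"]))
```

Two points the code makes explicit that the chart only implies: an allowlisted indicator drops out of the IOC set, so a recorded false positive never triggers isolation elsewhere, and the sweep extends the isolation list beyond the host that alerted (here fileserver and ws-077 are picked up from the original ws-042 indicators).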

flwo

by amn