
# Incident response

## Goal

Learn the basics of **security incident response (IR)**: roles, phases, communication, containment and the post-mortem, for a team without a dedicated SOC.

## Prerequisites

- [siem-i-alerty.md](siem-i-alerty.md).
- The on-call concept (who is on duty when an alert fires).

## Time

~35 minutes of reading + drafting a one-page runbook

---

## What is a security incident

An **incident** is a confirmed or highly probable security breach, for example:

- Unauthorized access to data or a system
- Malware / ransomware
- Leaked credentials being used
- Defacement, fraud, extortion

An alert is not an incident until **triage** confirms it.

## IR phases (NIST-style)

The diagram expands the four phases of NIST SP 800-61 (Preparation; Detection & Analysis; Containment, Eradication & Recovery; Post-Incident Activity) into the seven steps a small team actually walks through:

```
Prepare → Detect → Analyze → Contain → Eradicate → Recover → Post-incident
   ↑                                                              │
   └──────────────────── lessons learned ─────────────────────────┘
```

| Phase | Actions |
|-------|---------|
| **Prepare** | Runbooks, contacts, backups tested |
| **Detect** | SIEM alert, user report, vendor notice |
| **Analyze** | Scope, timeline, affected assets |
| **Contain** | Stop spread (isolate, block IP, disable account) |
| **Eradicate** | Remove malware, patch vuln, rotate creds |
| **Recover** | Restore service, monitor closely |
| **Post-incident** | Blameless post-mortem, improve controls |

## Roles (minimal RACI)

| Role | Responsibility |
|------|----------------|
| **Incident Commander (IC)** | Decisions, priorities, comms |
| **Technical Lead** | Investigation, containment |
| **Comms Lead** | Internal + external messaging |
| **Legal / DPO** | Breach notification (if PII) |
| **Scribe** | Timeline, decisions log |

In small teams one person wears multiple hats, so **name the IC explicitly** at the start and say who it is in the incident channel.

## First 60 minutes checklist

- [ ] Acknowledge alert, open incident ticket `INC-YYYY-NNN`
- [ ] Assign IC + scribe
- [ ] Classify severity (P1–P4)
- [ ] Preserve evidence: don't wipe logs/pods yet
- [ ] Quick containment if ongoing (disable compromised account)
- [ ] Notify stakeholders per severity matrix
- [ ] Start timeline doc (UTC timestamps)
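
The timeline doc only works if every source is converted to UTC before sorting: a SIEM showing local time, a cloud audit log in UTC and a syslog line with neither year nor zone will sort in the wrong order if compared as raw strings. The following is an added example (not code from the original page) that normalizes three constructed log sources into one UTC timeline and computes the detection gap asked for in the post-mortem; the source time zones and the syslog year are assumptions stated in the code.

```python
"""Build a UTC-normalized incident timeline from heterogeneous log sources.

Added example for the "start a timeline doc (UTC timestamps)" step; it is not
part of the original page. All log lines are constructed, not from a real incident.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample events, one list per source, each in that source's own
# timestamp convention. Offsets for sources that omit a zone are assumptions.
SIEM_ALERTS = [  # ISO-8601 with explicit offset; assumed SIEM displays UTC+03:00
    "2024-03-14T13:07:41+03:00 alert=brute_force_success user=svc-deploy src=203.0.113.10",
]
CLOUD_AUDIT = [  # ISO-8601 with 'Z' (UTC)
    "2024-03-14T10:12:15Z CreateAccessKey principal=svc-deploy",
    "2024-03-14T10:19:58Z GetObject bucket=customer-exports principal=svc-deploy",
]
APP_LOG = [  # syslog style: no year, no zone; assumed host clock at UTC-05:00
    "Mar 14 05:04:30 api01 sshd[2201]: Accepted password for svc-deploy from 203.0.113.10",
]
APP_LOG_TZ = timezone(timedelta(hours=-5))
APP_LOG_YEAR = 2024  # syslog omits the year; taken from the incident date (assumption)


@dataclass(order=True)
class Event:
    ts_utc: datetime
    source: str
    message: str


def parse_iso(line: str, source: str) -> Event:
    """'<ISO-8601 timestamp> <message>' -> Event in UTC. Refuses zone-less timestamps."""
    ts, _, msg = line.partition(" ")
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))  # 'Z' parses natively only on 3.11+
    if dt.tzinfo is None:
        raise ValueError(f"{source}: timestamp without zone, refusing to guess: {ts!r}")
    return Event(dt.astimezone(timezone.utc), source, msg)


SYSLOG_RE = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}:\d{2}:\d{2}) (.*)$")


def parse_syslog(line: str, source: str, year: int, tz: timezone) -> Event:
    """Classic syslog line -> Event in UTC; year and zone must be supplied explicitly."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"{source}: unparsable line: {line!r}")
    mon, day, hms, msg = m.groups()
    naive = datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
    return Event(naive.replace(tzinfo=tz).astimezone(timezone.utc), source, msg)


def build_timeline() -> list[Event]:
    """Merge all sources and sort by true (UTC) time, not by the raw strings."""
    events = [parse_iso(l, "siem") for l in SIEM_ALERTS]
    events += [parse_iso(l, "cloud-audit") for l in CLOUD_AUDIT]
    events += [parse_syslog(l, "api01", APP_LOG_YEAR, APP_LOG_TZ) for l in APP_LOG]
    return sorted(events)


def time_to_detect(events: list[Event], alert_source: str = "siem") -> timedelta:
    """Detection gap for the post-mortem: earliest observed attacker action to the first alert."""
    first_alert = next(e for e in events if e.source == alert_source)
    return first_alert.ts_utc - events[0].ts_utc


def render(events: list[Event]) -> str:
    return "\n".join(
        f"{e.ts_utc:%Y-%m-%dT%H:%M:%SZ} [{e.source}] {e.message}" for e in events
    )


if __name__ == "__main__":
    timeline = build_timeline()
    print(render(timeline))
    print(f"time to detect: {time_to_detect(timeline)}")
```

Sorted by raw strings, the SIEM alert ("13:07") would land after both cloud events; in UTC it is 10:07:41, three minutes after the SSH login and five minutes before the access key was created. `parse_iso` deliberately refuses a timestamp without a zone rather than guessing, because a wrong guess silently reorders the timeline.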

## Containment strategies

| Scenario | Containment |
|----------|-------------|
| Compromised user account | Disable + force password reset + revoke sessions |
| Compromised API key | Revoke key, audit usage logs |
| Malicious pod | Isolate first (deny-all NetworkPolicy on the pod's labels), capture logs and filesystem, then delete; cordon the node if host compromise is suspected |
| Ransomware | Isolate the network segment; **don't** pay without executive and legal sign-off |
| Leaked DB | Block egress, snapshot for forensics, rotate DB credentials |

Balance containment against business continuity: the IC decides, and the scribe records each action together with its service impact.

## Evidence handling

| Do | Don't |
|----|-------|
| Copy logs to a restricted, append-only bucket | Log in to prod with the attacker's credentials or from the compromised host |
| Snapshot disk / memory if you have the skills | Reboot or redeploy before capturing (if forensics may be needed) |
| Hash artifacts (SHA-256) at collection time | Discuss details in a public Slack channel |

Chain of custody (who collected what, when, and its hash) matters if the case goes to law enforcement or court.
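
What "hash artifacts" and "chain of custody" look like in practice, as an added example that is not from the original page: copy each artifact, hash source and copy, record collector and UTC time in a manifest, hash the manifest itself, and re-verify later. The sample artifacts are constructed in a temporary directory and the JSON manifest layout is this example's own convention, not a standard.

```python
"""Chain-of-custody manifest: copy artifacts, hash them (SHA-256), record who/when, verify later.

Added example, not from the original page. The sample artifacts are constructed in a
temporary directory; the manifest layout (JSON next to the copies) is this example's
own convention, not a standard.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large disk images do not load into memory


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(artifacts: list[Path], evidence_dir: Path, collector: str,
            incident_id: str, note: str) -> Path:
    """Copy each artifact into evidence_dir, hash source and copy, write the manifest.

    The original is only read, never modified; the copy is what analysts work on.
    """
    evidence_dir.mkdir(parents=True, exist_ok=True)
    items = []
    for src in artifacts:
        dst = evidence_dir / src.name
        dst.write_bytes(src.read_bytes())
        digest = sha256_file(dst)
        if digest != sha256_file(src):
            raise RuntimeError(f"copy of {src} does not match its source")
        items.append({
            "artifact": dst.name,
            "origin": str(src),
            "sha256": digest,
            "size": dst.stat().st_size,
            "collected_at_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "collected_by": collector,
            "note": note,
        })
    manifest = evidence_dir / f"{incident_id}-manifest.json"
    manifest.write_text(json.dumps({"incident": incident_id, "items": items}, indent=2))
    # Hash of the manifest itself: paste this value into the ticket / scribe log so the
    # manifest cannot be silently rewritten along with the evidence.
    (evidence_dir / (manifest.name + ".sha256")).write_text(sha256_file(manifest) + "\n")
    return manifest


def verify(manifest: Path) -> dict[str, bool]:
    """Re-hash everything; a False entry means it was altered after collection."""
    recorded = (manifest.parent / (manifest.name + ".sha256")).read_text().strip()
    result = {"manifest": sha256_file(manifest) == recorded}
    for item in json.loads(manifest.read_text())["items"]:
        path = manifest.parent / item["artifact"]
        result[item["artifact"]] = path.exists() and sha256_file(path) == item["sha256"]
    return result


def demo() -> tuple[dict[str, bool], dict[str, bool]]:
    """Constructed scenario: collect two logs, verify, tamper with one copy, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        auth_log = root / "auth.log"
        auth_log.write_text(
            "Mar 14 05:04:30 api01 sshd[2201]: Accepted password for svc-deploy from 203.0.113.10\n"
        )
        audit = root / "cloudtrail-2024-03-14.json"
        audit.write_text('{"eventName": "CreateAccessKey", "userName": "svc-deploy"}\n')
        manifest = collect([auth_log, audit], root / "evidence", "alice (scribe)",
                           "INC-2024-007", "copied from api01 before the pod was restarted")
        before = verify(manifest)
        (root / "evidence" / "auth.log").write_text("")  # simulate tampering
        after = verify(manifest)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("after collection:", before)
    print("after tampering: ", after)
```

The manifest hash written to the ticket is the part that makes this a chain of custody rather than just a checksum file: an attacker (or a well-meaning colleague) who edits an artifact and regenerates the manifest still cannot change the value the scribe logged at collection time.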

## Communication

| Audience | Content |
|----------|---------|
| Engineering | Technical facts, actions needed |
| Leadership | Impact, ETA, regulatory risk |
| Customers | Only confirmed facts, legal review |
| Regulators | Per jurisdiction (GDPR Art. 33: notify the supervisory authority within 72 hours of becoming aware of a personal data breach) |

Internal update template: «We are investigating unauthorized access to X since TIME. Service Y is affected. Containment: Z. Next update in 2h.»

## Runbook example: credential leak in git

1. **Detect:** Gitleaks alert on a PR, or a report that the secret is visible in a public repo
2. **Analyze:** which secret, which commits, how long it was exposed; forks and clones are unknown, so treat the secret as burned
3. **Contain:** revoke the token at the provider immediately, before any history cleanup
4. **Eradicate:** remove it from history (BFG), enable push protection
5. **Recover:** deploy new credentials via the vault
6. **Post:** post-mortem, training, pre-commit hooks made mandatory

See [secrets scanning](../06-bezopasnost-koda/secrets-scanning.md).
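
The Analyze step above (which secret, which commits, how long exposed) as an added example; this is not code from the original page or from Gitleaks. It walks a constructed commit history oldest to newest, records for each secret the commit that introduced it and the commit (if any) that deleted it, and reports only a truncated SHA-256 fingerprint so the secret never lands in the ticket. The AWS key id is AWS's documented example key, and the report time is an assumption.

```python
"""Analyze step of the credential-leak runbook: which secrets, which commits, how long exposed.

Added example; it is not part of the original page nor of any tool the page names.
The commit history is constructed (the AWS key id is AWS's documented example key).
Only a truncated SHA-256 fingerprint of each secret is recorded, never the secret.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Two well-known token formats; a real scanner (Gitleaks etc.) carries far more rules.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Constructed history, oldest first; diffs reduced to the relevant lines.
COMMITS = [
    {"sha": "a1f2c3d", "date": "2024-03-10T09:12:00+00:00",
     "diff": "+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"},
    {"sha": "b4e5f6a", "date": "2024-03-11T14:03:00+00:00",
     "diff": "+GITHUB_TOKEN=ghp_" + "A" * 36 + "\n"},
    {"sha": "c7d8e9b", "date": "2024-03-12T08:45:00+00:00",  # "fix": key moved to an env var
     "diff": "-AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n+AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}\n"},
]
ASSUMED_NOW = datetime(2024, 3, 14, 10, 0, tzinfo=timezone.utc)  # time of the report (assumption)


@dataclass
class Finding:
    kind: str
    fingerprint: str
    first_seen: str                   # commit that introduced the secret
    first_seen_at: datetime
    removed_in: Optional[str] = None  # commit that deleted it from the tree, if any


def fingerprint(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def scan_history(commits: list[dict]) -> dict[str, Finding]:
    """Walk commits oldest to newest; track introduction and removal per fingerprint."""
    findings: dict[str, Finding] = {}
    for c in commits:
        when = datetime.fromisoformat(c["date"])
        for line in c["diff"].splitlines():
            if not line or line[0] not in "+-" or line.startswith(("+++", "---")):
                continue
            for kind, rx in PATTERNS.items():
                for m in rx.finditer(line[1:]):
                    fp = fingerprint(m.group(0))
                    if line[0] == "+":
                        f = findings.setdefault(fp, Finding(kind, fp, c["sha"], when))
                        f.removed_in = None  # (re)introduced, so it is in the tree again
                    elif fp in findings:
                        findings[fp].removed_in = c["sha"]
    return findings


def exposure_hours(f: Finding, now: datetime = ASSUMED_NOW) -> float:
    return (now - f.first_seen_at).total_seconds() / 3600


def report(findings: dict[str, Finding], now: datetime = ASSUMED_NOW) -> list[str]:
    """One line per secret. Removal from the tree never changes the verdict: revoke."""
    lines = []
    for f in findings.values():
        state = f"removed in {f.removed_in}" if f.removed_in else "still in HEAD"
        lines.append(
            f"{f.kind} fp={f.fingerprint} introduced {f.first_seen} "
            f"({f.first_seen_at:%Y-%m-%d}), {state}, exposed {exposure_hours(f, now):.1f}h; "
            f"still in git history and possibly cloned -> REVOKE"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(report(scan_history(COMMITS))))
```

The third commit in the sample is the classic false fix: the key was replaced by an environment variable, so `git grep` on HEAD finds nothing, yet the key is still in every clone of commit `a1f2c3d`. That is why the report's verdict is the same for both findings and why Contain (revoke) comes before Eradicate (history rewrite) in the runbook.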

## Runbook skeleton (copy to wiki)

```markdown
# IR: [Scenario name]
## Triggers
## Severity
## Immediate actions (0–15 min)
## Investigation steps
## Containment options
## Recovery
## Escalation contacts
## Regulatory notes
```

## Post-mortem (blameless)

| Section | Question |
|---------|----------|
| Summary | What happened |
| Timeline | UTC events |
| Root cause | Technical + process |
| Impact | Users, data, duration |
| What went well | |
| What to improve | Action items with owners |
| Detection gap | Why not sooner? |

No naming/shaming individuals.

## Tabletop exercise

A quarterly 90-minute simulation, e.g. «RDS credentials leaked on a forum»: walk through the phases without changing anything in production. This builds muscle memory.

## Tools

| Purpose | Examples |
|---------|----------|
| Ticketing | Jira INC project |
| Comms | Dedicated Slack channel |
| Status page | status.example.com |
| Forensics | Volatility, cloud forensics export |

## When to call external help

- Ransomware, legal threat
- Forensics beyond team skill
- PCI/regulator mandated
- Persistent APT indicators

## IR readiness checklist

- [ ] Incident severity definitions documented
- [ ] On-call rotation + backup
- [ ] Runbooks for top 5 scenarios
- [ ] Backup restore tested this quarter
- [ ] Legal/DPO contact list current
- [ ] Post-mortem template ready
- [ ] Insurance / retainer for IR firm (optional)

---

## Self-check

1. List the IR phases from the diagram in order.
2. Why name an Incident Commander?
3. First action on an API key leak: what do you do in minute one?
4. How does a post-mortem differ from "finding the culprit"?

## Next

[Vulnerability management](vulnerability-management.md)
