Incident Response

Incident response skill for the full lifecycle from initial triage through forensic collection, severity declaration, and escalation routing. This is NOT threat hunting (see threat-detection) or post-incident compliance mapping (see governance/compliance-mapping) — this is about classifying, triaging, and managing declared security incidents.

Table of Contents

• Overview
• Incident Triage Tool
• Incident Classification
• Severity Framework
• False Positive Filtering
• Forensic Evidence Collection
• Escalation Paths
• Regulatory Notification Obligations
• Workflows
• Anti-Patterns
• Cross-References

Overview

What This Skill Does

This skill provides the methodology and tooling for incident triage and response — classifying security events into typed incidents, scoring severity, filtering false positives, determining escalation paths, and initiating forensic evidence collection under chain-of-custody controls.

Distinction from Other Security Skills

Prerequisites

A security event must be ingested before triage. Events can come from SIEM alerts, EDR detections, threat intel feeds, or user reports. The triage tool accepts JSON event payloads; see the input schema below.

Incident Triage Tool

The incident_triage.py tool classifies events, checks false positives, scores severity, determines escalation, and performs forensic pre-analysis.

# Classify an event from JSON file
python3 scripts/incident_triage.py --input event.json --classify --json

# Classify with false positive filtering enabled
python3 scripts/incident_triage.py --input event.json --classify --false-positive-check --json

# Force a severity level for tabletop exercises
python3 scripts/incident_triage.py --input event.json --severity sev1 --json

# Read event from stdin
echo '{"event_type": "ransomware", "host": "prod-db-01", "raw_payload": {}}' | \
  python3 scripts/incident_triage.py --classify --false-positive-check --json

Input Event Schema

{
  "event_type": "ransomware",
  "host": "prod-db-01",
  "user": "svc_backup",
  "source_ip": "10.1.2.3",
  "timestamp": "2024-01-15T14:32:00Z",
  "raw_payload": {}
}

Exit Codes

Incident Classification

Security events are classified into 14 incident types. Classification drives default severity, MITRE technique mapping, and response SLA.

Incident Taxonomy

SEV Escalation Triggers

Any of the following automatically re-declare a higher severity:

Severity Framework

SEV Level Matrix

False Positive Filtering

The triage tool applies five filters before escalating to prevent false positive inflation.

False Positive Filter Types

A confirmed false positive suppresses escalation and logs the suppression reason for audit purposes. Recurring false positives from the same source should be tuned out at the detection layer, not filtered repeatedly at triage.

Forensic Evidence Collection

Evidence collection follows the DFRWS six-phase framework and the principle of volatile-first acquisition.

DFRWS Six Phases

Volatile Evidence — Collect First

1. Live memory (RAM dump) — lost on reboot
2. Running processes and open network connections (netstat, ps)
3. Logged-in users and active sessions
4. System uptime and current time (for timeline anchoring)
5. Environment variables and loaded kernel modules

Chain of Custody Requirements

Every evidence item must be recorded with:

• SHA-256 hash at acquisition time
• Acquisition timestamp in UTC with timezone offset
• Tool provenance (FTK Imager, Volatility, dd, AWS CloudTrail export)
• Investigator identity
• Transfer log (who had custody and when)

Escalation Paths

By Severity

By Incident Type

Regulatory Notification Obligations

The notification clock starts at incident declaration, not at investigation completion.

Operational rule: If scope is unclear at declaration, assume the most restrictive applicable deadline and confirm scope within the first response window.

Full deadline reference: references/regulatory-deadlines.md

Workflows

Workflow 1: Quick Triage (15 Minutes)

For single alert requiring classification before escalation decision:

# 1. Classify the event with false positive filtering
python3 scripts/incident_triage.py --input alert.json \
  --classify --false-positive-check --json

# 2. Review severity, escalation_path, and false_positive_flag in output
# 3. If severity = sev1 or sev2, page SOC Lead immediately
# 4. If false_positive_flag = true, document and close

Decision: Exit code 2 = SEV1 war room now. Exit code 1 = SEV2 bridge call within 30 minutes.

Workflow 2: Full Incident Response (SEV1)

T+0   Detection arrives (SIEM alert, EDR, user report)
T+5   Classify with incident_triage.py --classify --false-positive-check
T+10  If SEV1: page CISO, open war room, start regulatory clock
T+15  Initiate forensic collection (volatile evidence first)
T+15  Containment assessment (parallel with forensics)
T+30  Human approval gate for any containment action
T+45  Execute approved containment
T+60  Assess containment effectiveness, brief Legal if PII/PHI scope
T+4h  Final forensic evidence package, dwell time estimate
T+8h  Eradication and recovery plan
T+72h Regulatory notification submission (if GDPR/NIS2 triggered)

# Full classification with forensic context
python3 scripts/incident_triage.py --input incident.json \
  --classify --false-positive-check --severity sev1 --json > incident_triage_output.json

# Forensic pre-analysis
python3 scripts/incident_triage.py --input incident.json --json | \
  jq '.forensic_findings, .chain_of_custody_steps'

Workflow 3: Tabletop Exercise Simulation

Simulate incidents at specific severity levels without real events:

# Simulate SEV1 ransomware incident
echo '{"event_type": "ransomware", "host": "prod-db-01", "user": "svc_backup"}' | \
  python3 scripts/incident_triage.py --classify --severity sev1 --json

# Simulate SEV2 credential compromise
echo '{"event_type": "credential_compromise", "user": "admin_user", "source_ip": "203.0.113.5"}' | \
  python3 scripts/incident_triage.py --classify --false-positive-check --json

# Verify escalation paths for all 14 incident types
for type in ransomware data_exfiltration credential_compromise lateral_movement; do
  echo "{\"event_type\": \"$type\"}" | python3 scripts/incident_triage.py --classify --json
done

Anti-Patterns

1. Starting the notification clock at investigation completion — Regulatory clocks (GDPR 72 hours, PCI 24 hours) start at discovery, not investigation completion. Declaring late exposes the organization to maximum penalties even if the incident itself was minor.
2. Containing before collecting volatile evidence — Rebooting or isolating a system destroys RAM, running processes, and active connections. Forensic collection of volatile evidence must happen in parallel with containment, never after.
3. Skipping false positive verification before escalation — Escalating every alert to SEV1 degrades SOC credibility and causes alert fatigue. Always run false positive filters before paging the CISO.
4. Undocumented incident command decisions — Every decision made during a SEV1, including decisions made under uncertainty, must be logged in the evidence chain with timestamp and rationale. Undocumented decisions cannot be defended in regulatory investigations.
5. Treating incident closure as investigation completion — Incidents are closed when eradication and recovery are complete, not when the investigation is done. The forensic report and regulatory submissions may continue after operational closure.
6. Single-source classification — Classifying an incident from a single data source (one SIEM alert) without corroborating evidence frequently leads to misclassification. Collect at least two independent signals before declaring SEV1.
7. Bypassing human approval gates for containment — Automated containment actions (network isolation, credential revocation) taken without human approval can cause production outages, destroy evidence, and create liability. Human approval is non-negotiable for all mutating containment actions.

Cross-References