Computer Emergency Response Team (CERT)
Manage CERT operations including incident response planning, threat hunting, digital forensics, and incident reporting.
Workflow
1. Incident Response Plan
INCIDENT RESPONSE LIFECYCLE (NIST SP 800-61)
═══════════════════════════════════════
Phase 1: PREPARATION
═══════════════════════════════════════
→ IR team roster and contact tree
→ Communication plan (internal, external, legal)
→ Tool inventory (forensics, analysis, containment)
→ Runbooks for common scenarios
→ Training and tabletop exercises (quarterly)
→ Retained forensic firm contact
Phase 2: DETECTION & ANALYSIS
═══════════════════════════════════════
Sources:
→ SIEM alerts (Splunk, Sentinel)
→ EDR alerts (CrowdStrike, SentinelOne)
→ User reports (phishing, suspicious activity)
→ External threat intelligence
→ Vulnerability scanning
→ Honeypots/deception technology
Triage:
→ Validate alert (false positive vs real)
→ Classify incident type
→ Assign severity
→ Assign incident handler
→ Begin investigation
Phase 3: CONTAINMENT, ERADICATION & RECOVERY
═══════════════════════════════════════
Containment (short-term):
→ Isolate affected systems (network-level: EDR host isolation or segment/ACL; keep them powered on so volatile evidence survives)
→ Disable compromised accounts and revoke their active sessions/tokens
→ Block malicious IPs/domains
→ Preserve evidence (memory capture first, then forensic image; hash on acquisition and log chain of custody)
Containment (long-term):
→ Deploy temporary firewall rules
→ Patch vulnerabilities
→ Reset credentials
→ Monitor for lateral movement
Eradication:
→ Remove malware/backdoors
→ Patch exploited vulnerabilities
→ Harden systems
→ Rebuild compromised systems from a known-good image (preferred over cleaning in place)
Recovery:
→ Restore from clean backup
→ Verify system integrity
→ Monitor for reinfection (30 days)
→ Return to normal operations
→ Document recovery steps
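Evidence preservation from the containment step above, as an added example that is not part of the original page: hash the image at acquisition, write a chain-of-custody record beside it, log each hand-off, and re-verify the image before analysis so that any alteration is caught. The image, incident ID, analyst names and paths are constructed stand-ins.

```python
"""Evidence-integrity record for a forensic image (added example).

The "image" is a constructed temporary file standing in for a memory or
disk capture; incident ID, analyst names and source are made up.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads: stream large images instead of loading them whole


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def record_acquisition(image_path, record_path, incident_id, collector, source):
    """Write the custody record (JSON) with the image's size and SHA-256."""
    record = {
        "incident_id": incident_id,
        "source": source,                 # e.g. hostname + device, as noted by the collector
        "image": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "sha256": sha256_file(image_path),
        "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "custody": [],                    # hand-offs appended by transfer_custody()
    }
    with open(record_path, "w") as f:
        json.dump(record, f, indent=2)
    return record


def transfer_custody(record_path, from_person, to_person, reason):
    """Append a hand-off entry; the record, not the image, carries the history."""
    with open(record_path) as f:
        record = json.load(f)
    record["custody"].append({"from": from_person, "to": to_person, "reason": reason,
                              "at": datetime.now(timezone.utc).isoformat()})
    with open(record_path, "w") as f:
        json.dump(record, f, indent=2)
    return record


def verify_image(image_path, record_path):
    """Return (ok, detail); ok is False if size or hash differ from the record."""
    with open(record_path) as f:
        record = json.load(f)
    size = os.path.getsize(image_path)
    if size != record["size_bytes"]:
        return False, f"size mismatch: {size} != {record['size_bytes']}"
    digest = sha256_file(image_path)
    if digest != record["sha256"]:
        return False, f"hash mismatch: {digest} != {record['sha256']}"
    return True, "image matches acquisition record"


def demo():
    """Constructed walk-through: acquire, verify, alter one byte, verify again."""
    tmp = tempfile.mkdtemp()
    image = os.path.join(tmp, "ws-017-memory.raw")
    record = os.path.join(tmp, "ws-017-memory.raw.custody.json")
    with open(image, "wb") as f:          # stand-in for a memory capture
        f.write(os.urandom(4 * CHUNK))
    record_acquisition(image, record, "INC-2024-0042", "analyst.a", "WS-017 RAM")
    transfer_custody(record, "analyst.a", "analyst.b", "malware analysis")
    before = verify_image(image, record)
    with open(image, "r+b") as f:         # simulate tampering: flip one byte
        f.seek(1000)
        b = f.read(1)
        f.seek(1000)
        f.write(bytes([b[0] ^ 0xFF]))
    after = verify_image(image, record)
    return before[0], after[0]


if __name__ == "__main__":
    print(demo())  # (True, False): intact image verifies, altered image does not
```

Keep the custody record on separate storage from the image (or sign it); a hash stored next to the file it protects can be rewritten by whoever alters the file.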
Phase 4: POST-INCIDENT ACTIVITY
═══════════════════════════════════════
→ Lessons learned meeting (within 1 week)
→ Root cause analysis (RCA)
→ Update runbooks and playbooks
→ Implement preventive controls
→ Report to management and regulators (if required)
2. Incident Classification
INCIDENT CLASSIFICATION
═══════════════════════════════════════
Severity Levels:
═══════════════════════════════════════
Level  Description                                   Response time  Escalation                 Examples
────────────────────────────────────────────────────────────────────────────────────────────────────────────────
SEV1   Critical: active breach, data exfiltration,   15 min         CISO + CEO, security team  Ransomware, data exfiltration, APT detected,
       ransomware                                                                              C-level account
SEV2   High: confirmed compromise, malware on        1 hour         CISO, IR lead              Phishing with credential theft, malware on
       critical systems                                                                        server, insider threat
SEV3   Medium: suspicious activity, potential        4 hours        IR lead                    Failed brute force, suspicious login, policy
       vulnerability                                                                           violation, vulnerability
SEV4   Low: informational, policy violation          24 hours       IR analyst                 Failed login attempts, scan detected, benign
                                                                                               alert
3. Threat Hunting
THREAT HUNTING METHODOLOGY
═══════════════════════════════════════
Hunting Process:
═══════════════════════════════════════
1. Hypothesis generation:
→ Based on threat intelligence
→ Based on adversary TTPs (MITRE ATT&CK)
→ Based on internal data analysis
2. Data collection:
→ EDR telemetry (process, file, network)
→ Authentication logs (Active Directory, Okta)
→ Network flows (NetFlow, Zeek)
→ Cloud logs (CloudTrail, Azure AD)
→ Email logs (Exchange, M365)
3. Analysis:
→ Statistical analysis (anomalies)
→ Correlation across data sources
→ Timeline reconstruction
→ Indicator extraction
4. Validation:
→ Check against known good behavior
→ Investigate false positives
→ Confirm malicious activity
5. Response:
→ Escalate to incident response
→ Contain threat
→ Share IOCs with security team
HUNTING HYPOTHESES (Examples):
═══════════════════════════════════════
Hypothesis 1: Credential dumping
→ Query: EDR processes → lsass.exe access
→ Indicators: mimikatz, procdump, rundll3