Diagram Incident Response Process - korachi-9090/wiki GitHub Wiki
This diagram illustrates the cyclical nature of the incident response process based on the NIST SP 800-61 framework, highlighting key activities within each phase and the continuous improvement loop.
```mermaid
graph TD
    subgraph "1. Preparation"
        A1[Create IR Plan] --> A2[Establish IR Team]
        A2 --> A3[Deploy Security Tools]
        A3 --> A4[Conduct Training]
        A4 --> A5[Test IR Capabilities]
    end
    subgraph "2. Detection & Analysis"
        B1[Alert Monitoring] --> B2[Initial Triage]
        B2 --> B3[Incident Verification]
        B3 --> B4[Incident Scoping]
        B4 --> B5[Impact Assessment]
        B5 --> B6[Prioritization]
    end
    subgraph "3. Containment"
        C1[Short-term Containment] --> C2[System Backup]
        C2 --> C3[Long-term Containment]
        C3 --> C4[Evidence Collection]
    end
    subgraph "4. Eradication"
        D1[Identify Attack Vectors] --> D2[Remove Malware]
        D2 --> D3[Patch Vulnerabilities]
        D3 --> D4[Secure Accounts]
        D4 --> D5[Harden Systems]
    end
    subgraph "5. Recovery"
        E1[Validate Systems] --> E2[Restore Services]
        E2 --> E3[Monitor for Issues]
        E3 --> E4[Return to Production]
    end
    subgraph "6. Post-Incident Activity"
        F1[Document Incident] --> F2[Lessons Learned]
        F2 --> F3[Update IR Plan]
        F3 --> F4[Implement Improvements]
        F4 --> F5[Share Threat Intelligence]
    end

    A5 --> B1
    B6 --> C1
    C4 --> D1
    D5 --> E1
    E4 --> F1
    F5 -.-> A1

    classDef preparation fill:#e6f7ff,stroke:#1890ff,stroke-width:2px;
    classDef detection fill:#f6ffed,stroke:#52c41a,stroke-width:2px;
    classDef containment fill:#fffbe6,stroke:#faad14,stroke-width:2px;
    classDef eradication fill:#fff2e8,stroke:#fa541c,stroke-width:2px;
    classDef recovery fill:#f9f0ff,stroke:#722ed1,stroke-width:2px;
    classDef postincident fill:#fcfcfc,stroke:#8c8c8c,stroke-width:2px;

    class A1,A2,A3,A4,A5 preparation;
    class B1,B2,B3,B4,B5,B6 detection;
    class C1,C2,C3,C4 containment;
    class D1,D2,D3,D4,D5 eradication;
    class E1,E2,E3,E4 recovery;
    class F1,F2,F3,F4,F5 postincident;
```
```mermaid
flowchart TB
    subgraph "Incident Response Team"
        IR[IR Team Lead]
        TA[Technical Analysts]
        CO[Communications Coordinator]
    end
    subgraph "Internal Stakeholders"
        EX[Executive Leadership]
        IT[IT Operations]
        LE[Legal & Compliance]
        HR[Human Resources]
        BU[Business Units]
    end
    subgraph "External Entities"
        RP[Regulatory Bodies]
        LE2[Law Enforcement]
        CU[Customers/Users]
        PR[PR & Media]
        VE[Vendors/Partners]
    end

    IR <--> TA
    IR <--> CO
    CO <--> EX
    CO <--> IT
    CO <--> LE
    CO <--> HR
    CO <--> BU
    CO <-.-> RP
    CO <-.-> LE2
    CO <-.-> CU
    CO <-.-> PR
    CO <-.-> VE

    classDef team fill:#e6f7ff,stroke:#1890ff,stroke-width:2px;
    classDef internal fill:#f6ffed,stroke:#52c41a,stroke-width:2px;
    classDef external fill:#fff2e8,stroke:#fa541c,stroke-width:2px;

    class IR,TA,CO team;
    class EX,IT,LE,HR,BU internal;
    class RP,LE2,CU,PR,VE external;
```
```mermaid
graph TB
    subgraph "Severity Levels"
        S1["Critical (Level 1)"]
        S2["High (Level 2)"]
        S3["Medium (Level 3)"]
        S4["Low (Level 4)"]
    end
    subgraph "Impact Categories"
        I1["Operational Impact"]
        I2["Data Impact"]
        I3["Financial Impact"]
        I4["Reputational Impact"]
        I5["Regulatory Impact"]
    end
    subgraph "Response Times"
        R1["Critical: Immediate (24x7)"]
        R2["High: Within 4 hours"]
        R3["Medium: Within 24 hours"]
        R4["Low: Within 48 hours"]
    end

    S1 --> I1 & I2 & I3 & I4 & I5
    S2 --> I1 & I2 & I3 & I4 & I5
    S3 --> I1 & I2 & I3 & I4 & I5
    S4 --> I1 & I2 & I3 & I4 & I5
    S1 --> R1
    S2 --> R2
    S3 --> R3
    S4 --> R4

    classDef critical fill:#f5222d,color:white;
    classDef high fill:#fa8c16,color:white;
    classDef medium fill:#faad14;
    classDef low fill:#52c41a;
    classDef impact fill:#e6f7ff;
    classDef response fill:#f9f0ff;

    class S1 critical;
    class S2 high;
    class S3 medium;
    class S4 low;
    class I1,I2,I3,I4,I5 impact;
    class R1,R2,R3,R4 response;
```
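As an added example that is not part of this wiki page, the following Python model ties the lifecycle diagram to the severity diagram: it enforces the six-phase order (with the loop back to Preparation), computes the Initial Triage deadline from the severity's response time, and produces per-phase durations for the Timeline of Events. The incident IDs are constructed, and the "Immediate (24x7)" window for Critical is assumed here to mean zero allowed delay.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# The six NIST SP 800-61 phases in the order the lifecycle diagram draws them;
# the dotted edge F5 -.-> A1 closes the loop back to Preparation.
PHASES = ("Preparation", "Detection & Analysis", "Containment",
          "Eradication", "Recovery", "Post-Incident Activity")

# Response-time targets from the severity diagram. "Immediate (24x7)" for
# Critical has no numeric window on the page, so it is modelled here as zero
# allowed delay (an assumption of this example).
RESPONSE_SLA = {"Critical": timedelta(0), "High": timedelta(hours=4),
                "Medium": timedelta(hours=24), "Low": timedelta(hours=48)}


@dataclass
class Incident:
    incident_id: str           # constructed label, e.g. "INC-0001"
    severity: str
    detected_at: datetime      # when Alert Monitoring (B1) raised the alert
    phase: str = "Detection & Analysis"
    timeline: list = field(default_factory=list)  # (timestamp, phase) rows

    def __post_init__(self):
        if self.severity not in RESPONSE_SLA:
            raise ValueError(f"unknown severity: {self.severity}")
        self.timeline.append((self.detected_at, self.phase))

    def transition(self, to_phase: str, at: datetime) -> str:
        """Enter the next phase; phases cannot be skipped or revisited."""
        expected = PHASES[(PHASES.index(self.phase) + 1) % len(PHASES)]
        if to_phase != expected:
            raise ValueError(f"{self.phase} must be followed by {expected}, "
                             f"not {to_phase}")
        self.phase = to_phase
        self.timeline.append((at, to_phase))
        return to_phase

    def response_deadline(self) -> datetime:
        return self.detected_at + RESPONSE_SLA[self.severity]

    def triaged_within_sla(self, triaged_at: datetime) -> bool:
        """Initial Triage (B2) must begin by the severity's deadline."""
        return triaged_at <= self.response_deadline()

    def phase_durations(self) -> dict:
        """Hours spent in each completed phase, for the Timeline of Events."""
        return {p: (t1 - t0).total_seconds() / 3600
                for (t0, p), (t1, _) in zip(self.timeline, self.timeline[1:])}
```

A rejected transition (for example jumping from Containment straight to Recovery) raises `ValueError`, which is the hook for flagging a skipped Eradication step during the post-incident review.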
```mermaid
graph LR
    subgraph "Initial Documentation"
        ID1[Alert Details] --> ID2[Initial Assessment]
        ID2 --> ID3[Incident Declaration]
    end
    subgraph "Ongoing Documentation"
        OD1[Investigation Notes] --> OD2[Evidence Collection]
        OD2 --> OD3[Containment Actions]
        OD3 --> OD4[Eradication Steps]
    end
    subgraph "Final Documentation"
        FD1[Incident Summary] --> FD2[Timeline of Events]
        FD2 --> FD3[Technical Details]
        FD3 --> FD4[Remediation Actions]
        FD4 --> FD5[Lessons Learned]
    end

    ID3 --> OD1
    OD4 --> FD1

    classDef initial fill:#e6f7ff,stroke:#1890ff,stroke-width:2px;
    classDef ongoing fill:#fff2e8,stroke:#fa541c,stroke-width:2px;
    classDef final fill:#f6ffed,stroke:#52c41a,stroke-width:2px;

    class ID1,ID2,ID3 initial;
    class OD1,OD2,OD3,OD4 ongoing;
    class FD1,FD2,FD3,FD4,FD5 final;
```
```mermaid
graph TD
    IR[Incident Response Manager] --> TC[Technical Coordinator]
    IR --> CC[Communications Coordinator]
    IR --> LC[Legal Coordinator]

    TC --> FA[Forensic Analysts]
    TC --> MA[Malware Analysts]
    TC --> NA[Network Analysts]
    TC --> SA[System Analysts]

    CC --> IC[Internal Communications]
    CC --> EC[External Communications]
    CC --> MC[Management Communications]

    LC --> RP[Regulatory Compliance]
    LC --> EP[Evidence Preservation]
    LC --> LR[Legal Review]

    classDef manager fill:#f5222d,color:white;
    classDef coordinator fill:#fa8c16,color:white;
    classDef specialist fill:#52c41a;

    class IR manager;
    class TC,CC,LC coordinator;
    class FA,MA,NA,SA,IC,EC,MC,RP,EP,LR specialist;
```
- Digital Forensics Process
- Threat Detection Lifecycle
- Security Monitoring Architecture
- Malware Analysis Workflow