
Incident Response Playbook: 72-Hour Breach Response Guide

Dr. phil. Özkaya Zübeyir Talha, Head of Security Operations
January 10, 2025
14 min read
Tags: Incident Response, Breach Response, DFIR, SOC, Cyber Crisis



Author: Dr. phil. Özkaya Zübeyir Talha | Last update: January 10, 2025

Executive Summary

The first 72 hours after a security incident is discovered are decisive. Organizations with a documented incident response plan contain breaches on average 54 days faster and save an average of EUR 1.23 million in costs (IBM Cost of a Data Breach Report 2024).

Having responded to 300+ security incidents (ransomware, data breaches, APT campaigns), we have condensed this playbook into a clear, actionable guide for the most critical phase of any incident.

Key Statistics:

  • Average time to detection: 204 days
  • Average time to containment: 73 days
  • Breach cost with a lifecycle under 200 days: EUR 3.61 million
  • Breach cost with a lifecycle over 200 days: EUR 4.88 million
  • Speed matters!

Hour 0-1: Detection & Initial Response

Incident Detection Triggers

Common detection paths:

  1. Security Tools (45%)

    • SIEM alerts
    • EDR detections
    • IDS/IPS alerts
    • DLP violations
  2. User Reports (32%)

    • "My computer is acting strangely"
    • "I can't get to my files anymore" (ransomware)
    • Suspicious emails
  3. Third-Party Notification (15%)

    • Authorities / law enforcement
    • Partner or customer notice
    • Security researcher
  4. Routine Audit (8%)

    • Log review
    • Pen test findings

Third-party compromises increasingly trigger incident response. If vendors, SaaS providers or MSPs are part of your exposure, your IR plan must be integrated with structured vendor governance. See our Third-Party Risk Management (TPRM) Guide.

Immediate Actions (first 60 minutes)

Step 1: Confirm the incident (5 minutes)

VALIDATION CHECKLIST:
□ Is it a real incident or a false positive?
□ What is the indicator of compromise (IoC)?
□ Which systems/data are affected?
□ Is the threat still active?

Examples:
✅ REAL: Ransomware encryption in progress
✅ REAL: Unauthorized database access
✅ REAL: Data exfiltration detected
❌ FALSE: Authorized pen test
❌ FALSE: Known security tool behavior

Step 2: Activate the incident response team (10 minutes)

Core IRT members:

  • Incident Commander: overall coordination (CISO or deputy)
  • Technical Lead: forensics, containment (SOC manager)
  • Communications: internal/external (PR/Legal)
  • Legal Counsel: regulatory matters, liability
  • Management: executive decisions, resources

Notification Template:

TO: incident-response@company.com
SUBJECT: [CRITICAL] Security Incident Declared - IRT Activation

Incident ID: INC-2025-1142
Severity: HIGH
Declared: 2025-11-02 14:35 CET
Declared by: John Smith, SOC Analyst

INITIAL ASSESSMENT:
Ransomware detected on file server FS-01. Approximately 500GB 
encrypted. Attack ongoing. Multiple workstations also affected.

IMMEDIATE ACTIONS REQUIRED:
1. Join war room: https://teams.microsoft.com/...
2. Review incident dashboard: https://dashboard.company.com/inc/1142
3. Standby for assignments

Next update: 30 minutes
Incident Commander: Jane Doe, CISO

Step 3: Preserve evidence (ongoing)

# Capture volatile data BEFORE any shutdown (powering off destroys it)
# Memory dump with LiME (a kernel module; "path" and "format" are its parameters)
sudo insmod ./lime-$(uname -r).ko "path=/mnt/evidence/server01.mem format=lime"

# Network connections (all TCP/UDP sockets incl. established ones, not just listeners)
netstat -anp > /mnt/evidence/netstat.txt
ss -tuanp > /mnt/evidence/ss.txt

# Processes
ps aux > /mnt/evidence/processes.txt
top -b -n 1 > /mnt/evidence/top.txt

# Timeline
date > /mnt/evidence/timeline.txt
last -F >> /mnt/evidence/timeline.txt

# Document chain of custody first, so the record itself is covered by the hashes
echo "Collected by: John Smith" >> /mnt/evidence/custody.txt
echo "Date: $(date)" >> /mnt/evidence/custody.txt

# Hash the evidence; exclude the checksum file so it never hashes itself
find /mnt/evidence -type f ! -name CHECKSUMS.txt -exec sha256sum {} + > /mnt/evidence/CHECKSUMS.txt

Critical: work only with forensic copies, never with the originals.
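The evidence step above stops at two echo lines and a checksum file. As an added example (not part of the original playbook), the script below turns it into a repeatable collector: it writes the custody record first, runs each volatile-data command whose tool is actually installed (skipping and logging the rest), then seals the directory with a SHA-256 manifest that can be re-verified later. It assumes the evidence directory sits on separately mounted, write-blocked media and that the memory image has already been taken.

```shell
#!/bin/sh
# Chain-of-custody evidence collector (added example, not from the playbook).
# Assumes the target directory is on separate, write-blocked evidence media.

hash_tool() {
    # coreutils sha256sum on Linux, shasum on macOS/BSD
    if command -v sha256sum >/dev/null 2>&1; then echo sha256sum; else echo "shasum -a 256"; fi
}

collect_volatile() {
    dir="$1"; collector="$2"
    mkdir -p "$dir"
    # Custody record first, so it is covered by the manifest hash
    {
        printf 'Host: %s\n' "$(uname -n)"
        printf 'Collected by: %s\n' "$collector"
        printf 'Started (UTC): %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    } > "$dir/custody.log"
    # name:command pairs; each output lands in <name>.txt
    for spec in "processes:ps aux" "sockets:ss -tuanp" "netstat:netstat -anp" \
                "logins:last -F" "mounts:mount"; do
        name=${spec%%:*}; cmd=${spec#*:}
        if command -v "${cmd%% *}" >/dev/null 2>&1; then
            $cmd > "$dir/$name.txt" 2>&1 || true
            printf 'collected %s via: %s\n' "$name" "$cmd" >> "$dir/custody.log"
        else
            printf 'SKIPPED %s (tool not installed): %s\n' "$name" "$cmd" >> "$dir/custody.log"
        fi
    done
    printf 'Sealed (UTC): %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$dir/custody.log"
    # Seal with relative paths so the manifest verifies wherever the copy is mounted
    (cd "$dir" && find . -type f ! -name MANIFEST.sha256 -exec $(hash_tool) {} + \
        | sort -k2 > MANIFEST.sha256)
}

# Re-verify a sealed evidence directory; non-zero exit if any file changed or is missing
verify_manifest() {
    (cd "$1" && $(hash_tool) -c MANIFEST.sha256 >/dev/null 2>&1)
}
```

Run `collect_volatile /mnt/evidence "John Smith, SOC Analyst"` on the live host, then `verify_manifest /mnt/evidence` on every copy before analysis.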


Hour 1-4: Containment

Containment Strategies

Short-term containment (immediate):

Option 1: Network Isolation

# Isolate the infected host (keep it alive for forensics)
# Firewall block (AWS example): revoke both directions; an ingress-only block
# still leaves outbound C2 traffic open
aws ec2 revoke-security-group-ingress \
  --group-id sg-12345 \
  --ip-permissions file://revoke-all.json
aws ec2 revoke-security-group-egress \
  --group-id sg-12345 \
  --ip-permissions file://revoke-all.json

# Disconnect from the network (physically/virtually)
# KEEP THE POWER ON - do not shut down immediately (memory evidence)!

Option 2: Account Disable

# Compromised account
# Azure AD (Entra ID): disable the account
az ad user update --id user@company.com --account-enabled false

# AWS IAM: force a console password reset
aws iam update-login-profile --user-name compromised-user --password-reset-required

# Deactivate (do not delete) the access key: it can no longer be used,
# but the key record stays available for the investigation
aws iam update-access-key --user-name compromised-user --access-key-id AKIA... --status Inactive

Option 3: Service Shutdown

# Stop the affected service (if safe to do so)
systemctl stop apache2

# Put the database into read-only mode
mysql -e "SET GLOBAL read_only = ON;"

# Kill the malicious process (only after the memory image has been captured);
# pgrep avoids the "ps aux | grep" pattern matching its own grep process
kill -9 $(pgrep -f malware.exe)

Long-term containment (within 24h):

  • Rebuild compromised systems cleanly from trusted media
  • Patch the attack vectors
  • Enable additional monitoring controls
  • Harden security controls

Containment Decision Matrix

| Incident Type | Isolation    | Account Disable         | Service Stop          | Forensic Image       |
|---------------|--------------|-------------------------|-----------------------|----------------------|
| Ransomware    | ✅ Immediate | ✅ Yes                  | ⚠️ If possible        | ✅ Before wipe       |
| Data Breach   | ✅ Yes       | ✅ Yes                  | ❌ No (preserve logs) | ✅ Yes               |
| Phishing      | ❌ No        | ✅ Victim accounts      | ❌ No                 | ⚠️ Email server logs |
| Malware       | ✅ Yes       | ⚠️ If credential theft  | ⚠️ Depends            | ✅ Yes               |
| DDoS          | ❌ No        | ❌ No                   | ⚠️ Rate limiting      | ❌ No                |

Hour 4-24: Investigation & Eradication

Forensic Investigation

Timeline Analysis:

# Linux: pull authentication and web-access events from the relevant logs
grep -hE "Failed|Accepted|GET|POST" /var/log/auth.log /var/log/syslog /var/log/apache2/access.log > timeline.txt
# Note: syslog ("Nov  2 14:35:01") and Apache ("[02/Nov/2025:14:35:01 +0100]") use
# different timestamp formats; normalise them before sorting events across sources

# Windows: Security event log, failed logons (Event ID 4625) from the last 7 days
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-7) } |
  Select-Object TimeCreated, Id, Message |
  Export-Csv failed-logins.csv -NoTypeInformation
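The Linux grep above only extracts the Failed/Accepted lines; what the analyst actually wants to know is whether a burst of failures from one source was followed by a successful logon. As an added example (not from the original playbook), the awk function below does that over sshd auth.log lines, with a per-source failure count and an ALERT for the brute-force-then-success pattern. The log lines are constructed sample data.

```shell
#!/bin/sh
# Brute-force-then-success detector for sshd auth.log lines (added example).
# The sample below is constructed; feed real logs via stdin instead.

SAMPLE_AUTH_LOG='Nov  2 14:01:02 fs-01 sshd[2211]: Failed password for root from 203.0.113.10 port 51022 ssh2
Nov  2 14:01:05 fs-01 sshd[2211]: Failed password for root from 203.0.113.10 port 51023 ssh2
Nov  2 14:01:09 fs-01 sshd[2214]: Failed password for invalid user admin from 203.0.113.10 port 51024 ssh2
Nov  2 14:02:41 fs-01 sshd[2219]: Failed password for backup from 203.0.113.10 port 51030 ssh2
Nov  2 14:03:12 fs-01 sshd[2222]: Accepted password for backup from 203.0.113.10 port 51031 ssh2
Nov  2 14:05:00 fs-01 sshd[2230]: Accepted publickey for jsmith from 198.51.100.7 port 40022 ssh2
Nov  2 14:06:30 fs-01 sshd[2235]: Failed password for root from 198.51.100.9 port 40100 ssh2'

# Usage: auth_timeline THRESHOLD < auth.log
# Output: one "ALERT <ip>: ..." line per suspicious logon, then one summary line
# per source IP in the form "<ip> <failures> <last accepted user or ->"
auth_timeline() {
    awk -v thr="${1:-3}" '
        /sshd.*Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            fail[ip]++; seen[ip] = 1
        }
        /sshd.*Accepted (password|publickey)/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = $(i + 1)
                if ($i == "from") ip = $(i + 1)
            }
            ok[ip] = user; seen[ip] = 1
            # success after reaching the failure threshold from the same source
            if (fail[ip] + 0 >= thr)
                printf "ALERT %s: %d failures then login as %s at %s\n", ip, fail[ip], user, $3
        }
        END {
            for (ip in seen)
                printf "%s %d %s\n", ip, fail[ip] + 0, (ip in ok ? ok[ip] : "-")
        }'
}

printf '%s\n' "$SAMPLE_AUTH_LOG" | auth_timeline 3
```

On the sample, 203.0.113.10 is flagged (4 failures, then a successful logon as "backup"), while the single failure from 198.51.100.9 and the key-based logon from 198.51.100.7 only appear in the summary.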

Malware Analysis:

# Isolate the sample
cp /tmp/suspicious.exe /evidence/malware/sample.exe

# Hash
sha256sum /evidence/malware/sample.exe
a3f8b9c2d1e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0

# VirusTotal: look the hash up first (GET /api/v3/files/<sha256>); upload the
# sample only if it is unknown and contains no confidential data, because
# uploaded files become visible to other VirusTotal users
curl --request POST \
  --url 'https://www.virustotal.com/api/v3/files' \
  --header 'x-apikey: YOUR_API_KEY' \
  --form 'file=@/evidence/malware/sample.exe'

# Dynamic analysis (sandboxed only)
# ANY.RUN, Joe Sandbox or Cuckoo

Indicator of Compromise (IoC) Collection:

# IoC record (simplified YAML; convert to STIX 2.1 objects before sharing via TAXII)
iocs:
  file_hashes:
    - type: SHA256
      value: a3f8b9c2d1e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0
      context: Ransomware payload
  
  ip_addresses:
    - value: 185.220.102.8
      type: C2 server
      asn: AS51167 (Tor exit node)
    
  domains:
    - value: evil-command.xyz
      type: C2 domain
      first_seen: 2025-11-01
  
  registry_keys:
    - path: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateTask
      value: C:\ProgramData\malware.exe
  
  urls:
    - value: hxxp://185.220.102.8:8080/beacon
      type: Beacon URL

Threat Intelligence:

# Query threat feeds
# AlienVault OTX
curl -X GET "https://otx.alienvault.com/api/v1/indicators/IPv4/185.220.102.8/general" \
  -H "X-OTX-API-KEY: YOUR_KEY"

# MISP
# Check whether the IoCs match known campaigns

# VirusTotal retrohunt
# Search for related samples

Root Cause Analysis

5 Whys Methode:

Incident: Ransomware encrypted file server

Why 1: How did ransomware get on file server?
→ Via admin workstation with RDP connection

Why 2: How did ransomware get on admin workstation?
→ User clicked malicious email attachment

Why 3: Why did email attachment execute?
→ Email gateway didn't block .zip with .exe inside

Why 4: Why didn't EDR block execution?
→ EDR policy in "monitor only" mode on admin workstations

Why 5: Why was EDR not in enforcement mode?
→ No policy requiring EDR enforcement for all endpoints

ROOT CAUSE: Inadequate endpoint protection policy
FIX: Mandatory EDR enforcement + email filtering enhancement

Eradication

Malware Removal:

# Remove malicious files (only after forensic copies have been taken)
rm -f /tmp/malware.exe
rm -f /var/tmp/.hidden-backdoor

# Kill processes
pkill -9 -f malware

# Remove persistence
crontab -e  # remove malicious cron jobs (also check /etc/cron.d and /etc/cron.*)
vi /etc/rc.local  # remove injected startup commands
systemctl list-unit-files --state=enabled  # look for unknown services

# Windows: remove registry persistence
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v MaliciousTask /f

Credential Reset:

# Password reset for all affected accounts (one UPN per line in affected-users.txt;
# the original tenant-wide "az ad user list" would reset every user)
# Azure AD (Entra ID)
xargs -I {} az ad user update --id {} --force-change-password-next-login true < affected-users.txt

# Revoke all sessions (invalidates refresh tokens) via Microsoft Graph
xargs -I {} az rest --method POST \
  --url "https://graph.microsoft.com/v1.0/users/{}/revokeSignInSessions" < affected-users.txt

Patch Vulnerabilities:

# Emergency patches
apt-get update && apt-get upgrade -y  # Linux
# Or via patch management (WSUS, SCCM, AWS Systems Manager)

# Disable vulnerable services
systemctl disable vsftpd  # if FTP was the attack vector
systemctl stop vsftpd

Hour 24-72: Recovery & Restoration

Recovery Steps

1. Validate the clean state

# Full system scan
clamscan -r / --infected --remove

# Rootkit check
rkhunter --check
chkrootkit

# Integrity verification
aide --check  # compare against the baseline

# Network traffic analysis (bounded capture: an unbounded tcpdump never returns)
timeout 3600 tcpdump -i eth0 -w recovery-traffic.pcap
# Check for C2 beaconing (periodic connections to the same external host)

2. Restore from backups

# Backup integrity: compare against the hash recorded when the backup was taken
sha256sum -c backup.sha256  # expects a line "<original hash>  backup.tar.gz"

# Restore (into an isolated environment first)
tar -xzf backup.tar.gz -C /mnt/restore/

# Scan the restored files
clamscan -r /mnt/restore/

# If clean: restore to production
rsync -av /mnt/restore/ /production/

3. Phased Service Restoration

PHASE 1 (Hour 24-36): Critical Systems
□ Authentication (AD, IAM)
□ Email (with improved filtering)
□ Core business apps

PHASE 2 (Hour 36-48): Important Systems
□ File servers (from clean backups)
□ Databases (validated clean)
□ Internal tools

PHASE 3 (Hour 48-72): Standard Systems
□ Development
□ Test systems
□ Non-critical applications

VALIDATION PER PHASE:
✅ No malware detected
✅ Logs normal
✅ Performance normal
✅ No IOCs detected

Communication & Reporting

Internal Communication

Stakeholder Updates:

Every 4 hours for the duration of the incident:

TO: Executive Leadership
SUBJECT: Incident Update - Hour 28

SITUATION:
Ransomware incident affecting 12 file servers. Containment 
complete. No evidence of data exfiltration. Beginning recovery 
from backups.

ACTIONS TAKEN:
✅ Isolated all infected systems
✅ Disabled 45 compromised accounts
✅ Applied emergency patches
✅ Engaged forensics partner (Mandiant)

CURRENT STATUS:
- Services Down: File shares, backup system
- Services Operational: Email, web applications, customer portal
- ETA for file share restoration: 18 hours
- No customer data impacted

DECISIONS NEEDED:
- Approve EUR 180,000 for forensics investigation
- Approve overtime for IT team (next 72 hours)

Next update: 16:00 CET
Incident Commander: Jane Doe

External Communication

Regulatory Notification (NIS2, GDPR):

TO: Belgian Data Protection Authority
SUBJECT: Data Breach Notification - Initial Report

Reporting Entity: ATLAS Advisory SE
Incident ID: INC-2025-1142
Report Type: Initial (24-hour)

INCIDENT DESCRIPTION:
Ransomware attack detected 2025-11-02 14:35 CET. File servers 
encrypted. Investigation ongoing.

SUSPECTED CAUSE:
Malicious email attachment leading to ransomware deployment.

CROSS-BORDER IMPACT:
Potentially yes - file servers contain client data from BE, DE, FR.

DATA SUBJECTS AFFECTED:
Under investigation. Estimated: 500-2,000 individuals.
Categories: Client contact information, project files.

IMMEDIATE ACTIONS:
- Isolated affected systems
- Engaged forensics team
- Notifying potentially affected clients
- Password resets enforced

NEXT STEPS:
Detailed report within 72 hours.

Contact: dpo@atlas-advisory.eu / +32 2 XXX XXXX
Date: 2025-11-02 18:30 CET

Customer Notification:

SUBJECT: Important Security Notice

Dear [Customer Name],

We are writing to inform you of a security incident that may have 
affected your data.

WHAT HAPPENED:
On November 2, 2025, we detected and contained a ransomware attack 
affecting our file storage systems. We immediately isolated the 
affected systems and engaged cybersecurity experts to investigate.

WHAT INFORMATION WAS INVOLVED:
Our investigation is ongoing. Files that may have been accessed include:
- Contact information (names, email addresses, phone numbers)
- Project documentation from [Date Range]

We have found NO EVIDENCE of data exfiltration at this time.

WHAT WE ARE DOING:
✓ Contained the incident within 4 hours
✓ Engaged leading cybersecurity forensics firm
✓ Restored systems from clean backups
✓ Enhanced security monitoring
✓ Notified relevant authorities

WHAT YOU SHOULD DO:
- Remain vigilant for phishing emails
- Enable multi-factor authentication on your accounts
- Monitor accounts for suspicious activity
- Contact us with any concerns

FOR MORE INFORMATION:
Visit: https://company.com/security-incident
Email: security@company.com
Phone: +32 2 XXX XXXX (24/7 hotline)

We sincerely apologize for any concern this may cause and are committed 
to protecting your information.

[Company Name]
[Date]

Post-Incident Activities

Lessons Learned (within 2 weeks)

Post-Incident Review Meeting:

Participants: IRT members, management, key stakeholders

Agenda:

  1. Timeline reconstruction
  2. What went well?
  3. What needs to improve?
  4. Root cause analysis
  5. Action items

Example findings:

INCIDENT: Ransomware via phishing email

WHAT WENT WELL:
✅ Detection within 30 minutes (EDR alert)
✅ IRT activated quickly (15 minutes)
✅ Containment successful (4 hours)
✅ Backups were clean and restorable
✅ No data exfiltration

WHAT COULD BE IMPROVED:
❌ Email filtering didn't block attachment (.zip with .exe)
❌ EDR was in "monitor only" mode on some systems
❌ No email authentication training in past 12 months
❌ Incident response plan not tested in 18 months
❌ Backup restoration took 36 hours (too slow)

ACTION ITEMS:
1. Enhance email filtering (owner: IT Manager, due: Nov 15)
2. Enforce EDR on all endpoints (owner: SOC Manager, due: Nov 10)
3. Security awareness training (owner: HR, due: Dec 1)
4. Quarterly IR tabletop exercises (owner: CISO, ongoing)
5. Optimize backup restoration (owner: Infra Lead, due: Nov 30)

Metrics to Track

Response Metrics:

  • Time to detect (TTD)
  • Time to respond (TTR)
  • Time to contain (TTC)
  • Time to recover (MTTR)

Business Impact:

  • Affected services
  • Downtime
  • Revenue impact
  • Customer impact
  • Regulatory fines

Cost:

  • IRT time
  • External consultants
  • Legal fees
  • Regulatory fines
  • Lost business
  • Reputation damage

Example:

INCIDENT COST BREAKDOWN:

Direct Costs:
- Forensics firm: EUR 85,000
- Legal counsel: EUR 25,000
- Overtime (staff): EUR 18,000
- PR/communications: EUR 12,000
Total Direct: EUR 140,000

Indirect Costs:
- Lost revenue (3 days downtime): EUR 280,000
- Customer churn (estimated): EUR 450,000
- Reputation damage (estimated): EUR 1,200,000
Total Indirect: EUR 1,930,000

TOTAL INCIDENT COST: EUR 2,070,000

Cost Avoidance (due to quick response):
- Prevented data exfiltration: EUR 4,500,000 (estimated)
- Prevented ransomware payment: EUR 500,000 (demanded)
- Prevented longer downtime: EUR 1,200,000
Total Avoided: EUR 6,200,000

NET BENEFIT OF IR PROGRAM: EUR 4,130,000

Incident Response Tools

Essential Tools

Forensics & Analysis:

Malware Analysis:

Threat Intelligence:

Incident Management:


Conclusion

Effective incident response is not a nice-to-have but a business obligation. Every hour of delay raises breach costs by an average of EUR 45,000.

Key Takeaways:

  1. Prepare: document the IR plan, train the team, test it regularly
  2. Detect fast: invest in monitoring and detection
  3. Contain quickly: the first 4 hours are critical
  4. Investigate thoroughly: understand the root cause
  5. Communicate clearly: internally and externally
  6. Learn: improve through post-incident reviews

ATLAS Advisory has responded to 300+ security incidents, contained 94% of them within 24 hours and prevented an estimated EUR 127 million in breach costs.

Need incident response help?
24/7 Emergency Hotline: emergency@atlas-advisory.eu | +32 2 XXX XXXX

See our SOC Services for 24/7 monitoring and response.


Ressourcen

Frameworks & Standards:

Training & Certifications:

  • SANS FOR508: Advanced Incident Response
  • GCIH: GIAC Certified Incident Handler
  • GCFA: GIAC Certified Forensic Analyst
  • EC-Council CHFI: Computer Hacking Forensic Investigator

Related Articles:
