
Incident Response Playbook: a 72-hour guide to breach response

Dr. phil. Özkaya Zübeyir Talha, Head of Security Operations
January 10, 2025
Tags: Incident Response, Breach Response, DFIR, SOC, Cyber Crisis



Executive Summary

The first 72 hours after a security incident is detected are critical. Organizations with a documented IR plan contain breaches 54 days faster and save EUR 1.23 M on average (IBM Cost of a Data Breach Report 2024).

After 300+ incident responses (ransomware, data breaches, APT campaigns), we have refined this playbook to give clear, immediate actions for the most critical phase.

Key statistics:

  • Mean time to identify a breach: 204 days
  • Mean time to contain a breach: 73 days
  • Cost of a breach contained in under 200 days: EUR 3.61 M
  • Cost of a breach taking more than 200 days: EUR 4.88 M
  • Speed matters.

Hour 0-1: Detection & initial response

Detection triggers

Common detection sources:

  1. Security tooling (45%)

    • SIEM alerts
    • EDR detections
    • IDS/IPS alerts
    • DLP violations
  2. User reports (32%)

    • "My PC is behaving strangely"
    • "I can no longer open my files" (ransomware)
    • Suspicious emails
  3. Third-party notification (15%)

    • Authorities / law enforcement
    • Partner or customer alert
    • Security researcher
  4. Routine audit (8%)

    • Log review
    • Pen-test findings

Third-party compromises trigger a growing share of IR engagements. If your suppliers, SaaS providers or MSPs are part of your exposure, align your IR plan with structured supplier governance. See our TPRM guide.

Immediate actions (first 60 minutes)

Step 1: Confirm the incident (5 minutes)

VALIDATION CHECKLIST:
□ Real incident or false positive?
□ What is the IoC?
□ Which systems/data are affected?
□ Is the threat still active?

Examples:
✅ REAL: Ransomware encryption in progress
✅ REAL: Unauthorized access to the database
✅ REAL: Exfiltration detected
❌ FALSE: Authorized pen-test
❌ FALSE: Normal behaviour of a security tool

Step 2: Activate the Incident Response Team (10 minutes)

Core IRT members:

  • Incident Commander: overall coordination (CISO or delegate)
  • Technical Lead: forensics, containment (SOC Manager)
  • Communications: internal/external (PR/Legal)
  • Legal Counsel: regulatory obligations
  • Management: executive decisions, resources

Notification template:

TO: incident-response@company.com
SUBJECT: [CRITICAL] Security Incident Declared - IRT Activation

Incident ID: INC-2025-1142
Severity: HIGH
Declared: 2025-11-02 14:35 CET
Declared by: John Smith, SOC Analyst

INITIAL ASSESSMENT:
Ransomware detected on file server FS-01. Approximately 500GB 
encrypted. Attack ongoing. Multiple workstations also affected.

IMMEDIATE ACTIONS REQUIRED:
1. Join war room: https://teams.microsoft.com/...
2. Review incident dashboard: https://dashboard.company.com/inc/1142
3. Standby for assignments

Next update: 30 minutes
Incident Commander: Jane Doe, CISO

Step 3: Preserve evidence (continuous)

# Capture volatile data BEFORE any shutdown or reboot, in order of volatility
# (memory first, then network state, then processes). Write to external media
# mounted at /mnt/evidence, never back onto the suspect disk.
# Memory dump with LiME (the module must be built for the running kernel)
sudo insmod ./lime-$(uname -r).ko "path=/mnt/evidence/server01.mem format=lime"

# Network connections (sudo so process owners are visible)
sudo netstat -anp > /mnt/evidence/netstat.txt
sudo ss -tulpn > /mnt/evidence/ss.txt

# Running processes (wide output so full command lines are kept)
ps auxww > /mnt/evidence/processes.txt
top -b -n 1 > /mnt/evidence/top.txt

# Timeline anchors: collection time in UTC, then login history
date -u +%Y-%m-%dT%H:%M:%SZ > /mnt/evidence/timeline.txt
last -F >> /mnt/evidence/timeline.txt

# Chain of custody (write this BEFORE hashing so the record itself is covered)
echo "Collected by: John Smith" >> /mnt/evidence/custody.txt
echo "Date: $(date -u)" >> /mnt/evidence/custody.txt

# Hash the evidence set last; anything written afterwards would break the checksums
sha256sum /mnt/evidence/* > /mnt/evidence/CHECKSUMS.txt

Critical: work on forensic copies, never on the original.
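The custody record above is two echo lines; what a reviewer, a regulator or opposing counsel will ask for is a manifest that ties each file to its hash and every hand-over to a person and a timestamp, and that can be re-verified later. The script below is an added example, not the playbook's own collection script. It assumes the evidence files sit in one directory (in practice removable media, never the suspect disk) and that the manifest itself is stored and signed out-of-band; the hash seal proves the set is intact, not who sealed it. The two evidence files are constructed for the demo.

```python
"""Evidence manifest with chain of custody (added example, not the playbook's script)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    """Stream the file so multi-GB memory images never have to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _seal(entries: list) -> str:
    # Canonical JSON so the seal does not depend on key order or whitespace
    canon = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def build_manifest(evidence_dir: str, collector: str, case_id: str) -> dict:
    """Hash every regular file in evidence_dir and open the custody log."""
    entries = []
    for name in sorted(os.listdir(evidence_dir)):
        path = os.path.join(evidence_dir, name)
        if os.path.isfile(path):
            entries.append({"file": name, "size": os.path.getsize(path),
                            "sha256": sha256_file(path)})
    now = datetime.now(timezone.utc).isoformat()
    return {
        "case_id": case_id,
        "entries": entries,
        "seal_sha256": _seal(entries),
        "custody_log": [{"utc": now, "actor": collector, "action": "collected"}],
    }


def log_custody(manifest: dict, actor: str, action: str) -> None:
    """Append a hand-over or access event; every transfer gets a line."""
    manifest["custody_log"].append(
        {"utc": datetime.now(timezone.utc).isoformat(), "actor": actor, "action": action})


def verify_manifest(evidence_dir: str, manifest: dict) -> list:
    """Return a list of problems; an empty list means the evidence set is intact."""
    problems = []
    if _seal(manifest["entries"]) != manifest["seal_sha256"]:
        problems.append("manifest entries altered")
    for e in manifest["entries"]:
        path = os.path.join(evidence_dir, e["file"])
        if not os.path.isfile(path):
            problems.append("missing: " + e["file"])
        elif sha256_file(path) != e["sha256"]:
            problems.append("modified: " + e["file"])
    return problems


def demo() -> tuple:
    """Constructed run: collect two files, verify, tamper with one, re-verify."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in (("netstat.txt", "tcp 0 0 10.0.0.5:443 ESTABLISHED\n"),
                           ("processes.txt", "root 1 /sbin/init\n")):
            with open(os.path.join(d, name), "w") as f:
                f.write(body)
        manifest = build_manifest(d, "John Smith, SOC Analyst", "INC-2025-1142")
        log_custody(manifest, "Jane Doe, Incident Commander", "received sealed evidence drive")
        clean = verify_manifest(d, manifest)
        with open(os.path.join(d, "netstat.txt"), "a") as f:  # simulated tampering
            f.write("tcp 0 0 10.0.0.5:22 LISTEN\n")
        return clean, verify_manifest(d, manifest), len(manifest["custody_log"])


if __name__ == "__main__":
    print(demo())
```

Run build_manifest once on the sealed media, store the JSON next to the evidence and in the case file, and call verify_manifest before every analysis session; a non-empty result means the copy can no longer be presented as the original.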


Hour 1-4: Containment

Containment strategies

Short-term containment (immediate):

Option 1: Network isolation

# Isolate the infected host (keep it running for forensics)
# AWS example: move the instance onto an isolation security group that allows
# only the forensics jump host and blocks all other ingress AND egress (the
# original example revoked ingress only, which leaves C2 beaconing open)
aws ec2 modify-instance-attribute \
  --instance-id i-0123456789abcdef0 \
  --groups sg-isolation

# Protect the host from automation that might terminate it
aws ec2 modify-instance-attribute \
  --instance-id i-0123456789abcdef0 \
  --disable-api-termination

# Confirm on the host (or in VPC flow logs) that established flows are gone;
# already-tracked connections may survive a rule change until they time out
# Disconnect from the network
# KEEP POWER ON - do not shut down (memory and volatile state would be lost)

Option 2: Disable accounts

# Compromised account
# Entra ID (Azure AD): disable the account, then revoke refresh tokens so
# existing sessions cannot be renewed (issued access tokens still live up to their expiry)
az ad user update --id user@company.com --account-enabled false
az rest --method POST \
  --url "https://graph.microsoft.com/v1.0/users/user@company.com/revokeSignInSessions"

# AWS IAM: force a password change, deactivate (do not yet delete) the access keys
aws iam update-login-profile --user-name compromised-user --password-reset-required
aws iam update-access-key --user-name compromised-user --access-key-id AKIA... --status Inactive

# Note: deactivating keys does not invalidate STS session credentials already
# issued from a role; attach a deny policy keyed on aws:TokenIssueTime to the
# role ("Revoke active sessions" in the IAM console) to cut those off

Option 3: Service shutdown

# Stop the affected service (if possible)
sudo systemctl stop apache2

# Database read-only (super_read_only also blocks SUPER/admin users)
mysql> SET GLOBAL read_only = ON;
mysql> SET GLOBAL super_read_only = ON;

# Kill the malicious process ONLY after memory has been captured; record the
# PID and binary path first (pgrep avoids matching the grep itself)
pgrep -af malware.exe
sudo kill -9 $(pgrep -f malware.exe)

Long-term containment (within 24h):

  • Rebuild compromised systems
  • Patch the entry vulnerabilities
  • Additional monitoring
  • Hardening of controls

Decision matrix

Incident Type | Isolation  | Account Disable      | Service Stop        | Forensic Image
Ransomware    | Immediate  | Yes                  | If possible         | Before wipe
Data Breach   | Yes        | Yes                  | No (preserve logs)  | Yes
Phishing      | No         | Victim accounts      | No                  | Email server logs
Malware       | Yes        | If credential theft  | Depends             | Yes
DDoS          | No         | No                   | Rate limiting       | No

Hour 4-24: Investigation & eradication

Forensic investigation

Timeline analysis:

# Linux: each log uses its own timestamp format (syslog has no year, Apache
# carries a UTC offset), so concatenating and sorting them produces garbage.
# Extract the events of interest per source, then normalise to UTC, or build
# a super-timeline with plaso (log2timeline.py / psort.py) from a disk image.
grep -hE "Failed|Accepted" /var/log/auth.log > auth-events.txt
grep -E '"(GET|POST) ' /var/log/apache2/access.log > web-events.txt

# Windows: failed logons (event 4625) from the last 7 days
# (Get-WinEvent with a filter hashtable replaces the deprecated Get-EventLog;
# PowerShell continues a line after a trailing pipe, not a backslash)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddDays(-7)} |
  Export-Csv failed-logins.csv -NoTypeInformation
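The timestamp problem above is the reason a plain cat | sort is not a timeline. The script below is an added example, not the playbook's one-liner: it parses constructed auth.log (syslog) and Apache access-log lines, normalises both to UTC (the syslog year and local UTC offset are parameters because syslog lines carry neither), merges them chronologically, and flags the pattern an analyst is hunting for here, a successful SSH login that follows a burst of failures from the same address within a short window.

```python
"""Mini super-timeline: normalise mixed logs to UTC and spot a brute-force success
(added example; the log lines are constructed, not real data)."""
import re
from datetime import datetime, timedelta, timezone

AUTH_LOG = """\
Nov  2 14:31:05 fs01 sshd[2231]: Failed password for admin from 10.0.0.55 port 51122 ssh2
Nov  2 14:31:09 fs01 sshd[2231]: Failed password for admin from 10.0.0.55 port 51123 ssh2
Nov  2 14:31:14 fs01 sshd[2231]: Failed password for admin from 10.0.0.55 port 51124 ssh2
Nov  2 14:31:20 fs01 sshd[2240]: Accepted password for admin from 10.0.0.55 port 51130 ssh2
Nov  2 14:35:02 fs01 sshd[2301]: Accepted publickey for backup from 10.0.0.7 port 40100 ssh2
"""
ACCESS_LOG = """\
10.0.0.55 - - [02/Nov/2025:14:33:10 +0100] "POST /upload.php HTTP/1.1" 200 512
203.0.113.9 - - [02/Nov/2025:14:20:01 +0100] "GET /index.html HTTP/1.1" 200 1024
"""

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
FAIL_RE = re.compile(r"Failed password for (\S+) from (\S+)")
ACCEPT_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+)")


def parse_syslog(line, year, local_tz):
    """Syslog has no year and is in local time: both are supplied by the caller."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    local = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                              "%Y %b %d %H:%M:%S").replace(tzinfo=local_tz)
    return {"utc": local.astimezone(timezone.utc), "source": "auth.log",
            "host": m["host"], "msg": m["msg"]}


def parse_clf(line):
    """Apache CLF carries its own UTC offset, so it needs no assumptions."""
    m = CLF_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"utc": ts.astimezone(timezone.utc), "source": "access.log",
            "host": m["ip"], "msg": f'{m["req"]} -> {m["status"]}'}


def build_timeline(auth_text, access_text, year=2025,
                   local_tz=timezone(timedelta(hours=1))):
    events = [e for l in auth_text.splitlines() if (e := parse_syslog(l, year, local_tz))]
    events += [e for l in access_text.splitlines() if (e := parse_clf(l))]
    events.sort(key=lambda e: e["utc"])  # a real chronological merge, in UTC
    return events


def find_bruteforce_success(events, threshold=3, window=timedelta(minutes=10)):
    """(user, ip) pairs where >= threshold failures precede an Accepted login within window."""
    failures, hits = {}, []
    for e in events:
        if e["source"] != "auth.log":
            continue
        if (m := FAIL_RE.search(e["msg"])):
            failures.setdefault((m[1], m[2]), []).append(e["utc"])
        elif (m := ACCEPT_RE.search(e["msg"])):
            key = (m[1], m[2])
            recent = [t for t in failures.get(key, []) if e["utc"] - t <= window]
            if len(recent) >= threshold and key not in hits:
                hits.append(key)
    return hits


if __name__ == "__main__":
    tl = build_timeline(AUTH_LOG, ACCESS_LOG)
    for e in tl:
        print(e["utc"].strftime("%Y-%m-%dT%H:%M:%SZ"), e["source"], e["host"], e["msg"])
    print("brute-force successes:", find_bruteforce_success(tl))
```

With the sample input the merged view shows the 14:20 GET from an external address first, then the three failures, the accepted login, the POST to upload.php from the same internal address and finally the backup account's key login, all in UTC; the same approach extends to any log whose timestamp format you can name explicitly.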

Malware analysis:

# Isolate the sample (-p keeps timestamps; note the original path in the case file)
cp -p /tmp/suspicious.exe /evidence/malware/sample.exe

# Hash
sha256sum /evidence/malware/sample.exe
a3f8b9c2d1e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0  /evidence/malware/sample.exe

# VirusTotal: look the hash up FIRST. Uploading the file shares it with other
# VT users and can tip off a targeted attacker that the sample has been found.
curl --request GET \
  --url 'https://www.virustotal.com/api/v3/files/a3f8b9c2d1e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0' \
  --header 'x-apikey: YOUR_API_KEY'

# Upload only if the hash is unknown and the sample contains nothing sensitive
curl --request POST \
  --url 'https://www.virustotal.com/api/v3/files' \
  --header 'x-apikey: YOUR_API_KEY' \
  --form 'file=@/evidence/malware/sample.exe'

# Dynamic analysis (sandbox only, never on a production host)
# ANY.RUN, Joe Sandbox or Cuckoo

Indicator of Compromise (IoC) collection:

# Internal IoC list (YAML). This is not STIX itself: convert it to a STIX 2.1
# bundle before sharing over TAXII. Values below are placeholders.
iocs:
  file_hashes:
    - type: SHA256
      value: a3f8b9c2d1e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0
      context: Ransomware payload
  
  ip_addresses:
    - value: 185.220.102.8
      type: C2 server
      asn: AS51167 (Tor exit node)
    
  domains:
    - value: evil-command.xyz
      type: C2 domain
      first_seen: 2025-11-01
  
  registry_keys:
    - path: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateTask
      value: C:\ProgramData\malware.exe
  
  urls:
    - value: hxxp://185.220.102.8:8080/beacon
      type: Beacon URL

Threat intelligence:

# Threat feeds
# AlienVault OTX
curl -X GET "https://otx.alienvault.com/api/v1/indicators/IPv4/185.220.102.8/general" \
  -H "X-OTX-API-KEY: YOUR_KEY"

# MISP
# Check whether the IoCs match known campaigns

# VirusTotal retrohunt
# Search for similar samples
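Once the IoC list exists, the next question is where else it matches: which hosts resolved the C2 domain, which ones touched the C2 address, and whether the contacts look like periodic beaconing. The script below is an added example, not part of the playbook. It takes the placeholder indicators from the list above (kept defanged, as shared lists usually are), refangs them for comparison, scans constructed key=value log records standing in for DNS, proxy and EDR telemetry, and reports per-host beacon intervals where the gaps between contacts are regular within a jitter tolerance.

```python
"""IoC matching with beacon detection over constructed telemetry (added example)."""
import statistics
from collections import defaultdict
from datetime import datetime

# Placeholder indicators from the playbook's IoC list; URLs stored defanged
IOCS = {
    "file_hashes": {"a3f8b9c2d1e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0": "Ransomware payload"},
    "ip_addresses": {"185.220.102.8": "C2 server"},
    "domains": {"evil-command.xyz": "C2 domain"},
    "urls": {"hxxp://185.220.102.8:8080/beacon": "Beacon URL"},
}

# Constructed records: ISO timestamp, then key=value fields
LOG = """\
2025-11-02T13:39:58Z host=ws-17 type=dns query=update.evil-command.xyz
2025-11-02T13:40:01Z host=ws-17 type=proxy dst=185.220.102.8 url=http://185.220.102.8:8080/beacon
2025-11-02T13:45:00Z host=ws-17 type=proxy dst=185.220.102.8 url=http://185.220.102.8:8080/beacon
2025-11-02T13:50:03Z host=ws-17 type=proxy dst=185.220.102.8 url=http://185.220.102.8:8080/beacon
2025-11-02T13:54:58Z host=ws-17 type=proxy dst=185.220.102.8 url=http://185.220.102.8:8080/beacon
2025-11-02T13:59:59Z host=ws-17 type=proxy dst=185.220.102.8 url=http://185.220.102.8:8080/beacon
2025-11-02T14:01:10Z host=ws-03 type=proxy dst=93.184.216.34 url=http://example.com/
2025-11-02T14:02:00Z host=ws-17 type=edr sha256=a3f8b9c2d1e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0
"""


def refang(s: str) -> str:
    """Shared lists are defanged (hxxp, [.]); compare on the live form."""
    return s.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def domain_hit(name, domains):
    """Match the domain itself and any subdomain (update.evil-command.xyz)."""
    name = name.lower().rstrip(".")
    return next((d for d in domains if name == d or name.endswith("." + d)), None)


def parse_line(line):
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return rec


def match_iocs(log_text, iocs):
    """One hit per log line, listing every indicator kind it matched."""
    urls = {refang(u) for u in iocs["urls"]}
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        found = []
        if rec.get("dst") in iocs["ip_addresses"]:
            found.append(("ip", rec["dst"]))
        d = domain_hit(rec.get("query", ""), iocs["domains"])
        if d:
            found.append(("domain", d))
        if rec.get("url") in urls:
            found.append(("url", rec["url"]))
        if rec.get("sha256") in iocs["file_hashes"]:
            found.append(("hash", rec["sha256"]))
        if found:
            hits.append({"ts": rec["ts"], "host": rec["host"], "indicators": found})
    return hits


def beacon_interval(timestamps, max_jitter=0.2):
    """Median gap in seconds if every gap is within max_jitter of it, else None."""
    if len(timestamps) < 4:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    med = statistics.median(gaps)
    if med <= 0 or any(abs(g - med) / med > max_jitter for g in gaps):
        return None
    return med


def find_beacons(hits):
    """(host, C2 ip) -> interval for every pair whose contacts are periodic."""
    by_pair = defaultdict(list)
    for h in hits:
        for kind, value in h["indicators"]:
            if kind == "ip":
                by_pair[(h["host"], value)].append(h["ts"])
    return {pair: iv for pair, ts in by_pair.items() if (iv := beacon_interval(ts))}


if __name__ == "__main__":
    hits = match_iocs(LOG, IOCS)
    for h in hits:
        print(h["ts"].isoformat(), h["host"], h["indicators"])
    print("beacons:", find_beacons(hits))
```

The beacon check is deliberately simple (median gap plus a jitter bound); real implants add larger jitter and sleep skew, so widen max_jitter or switch to a histogram of gaps when the sample is large, and remember that the DNS query for a subdomain is caught only because the domain match walks the suffix.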

Root cause analysis

5 Whys method:

Incident: Ransomware encrypted file server

Why 1: How did ransomware get on file server?
→ Via admin workstation with RDP connection

Why 2: How did ransomware get on admin workstation?
→ User clicked malicious email attachment

Why 3: Why did email attachment execute?
→ Email gateway didn't block .zip with .exe inside

Why 4: Why didn't EDR block execution?
→ EDR policy in "monitor only" mode on admin workstations

Why 5: Why was EDR not in enforcement mode?
→ No policy requiring EDR enforcement for all endpoints

ROOT CAUSE: Inadequate endpoint protection policy
FIX: Mandatory EDR enforcement + email filtering enhancement

Eradication

Malware removal:

# Remove malicious files (only AFTER a copy has been preserved in evidence)
rm -f /tmp/malware.exe
rm -f /var/tmp/.hidden-backdoor

# Kill processes
pkill -9 -f malware

# Remove persistence: check every user's crontab (crontab -e is interactive
# and only shows the current user), the system cron directories, rc.local,
# enabled systemd units/timers and every authorized_keys file
for u in $(cut -d: -f1 /etc/passwd); do crontab -l -u "$u" 2>/dev/null | sed "s/^/$u: /"; done
ls -la /etc/cron.d /etc/cron.*/
cat /etc/rc.local
systemctl list-unit-files --state=enabled
find / -name authorized_keys -exec ls -la {} \; 2>/dev/null

# Windows: remove registry persistence
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v MaliciousTask /f

Credential reset:

# Reset passwords of the affected accounts (Entra ID). Scope the loop to the
# accounts known to be compromised; the tenant-wide variant below is for when
# the whole directory is assumed compromised.
for u in compromised-user@company.com admin@company.com; do
  az ad user update --id "$u" --force-change-password-next-sign-in true
  # Revoke refresh tokens so existing sessions must re-authenticate
  az rest --method POST --url "https://graph.microsoft.com/v1.0/users/$u/revokeSignInSessions"
done

# Tenant-wide forced password change
az ad user list --query "[].userPrincipalName" -o tsv | \
  xargs -I {} az ad user update --id {} --force-change-password-next-sign-in true

# On-premises AD after a domain compromise: reset the krbtgt password twice
# (allowing replication in between) to invalidate forged Kerberos tickets

Vulnerability patching:

# Emergency patches
apt-get update && apt-get upgrade -y  # Linux
# Or patch-management tooling (WSUS, SCCM, AWS Systems Manager)

# Disable vulnerable services
systemctl disable vsftpd  # if FTP was the entry vector
systemctl stop vsftpd

Hour 24-72: Recovery & restoration

Recovery steps

1. Validate the clean state

# Full system scan. Only use --remove on a host you intend to keep, never on
# one still under forensic hold, and remember that AV running on a compromised
# host can be blinded: rebuilding from a known-good image is the safer default.
clamscan -r / --infected --remove

# Rootkit check
rkhunter --check
chkrootkit

# Integrity verification (needs a pre-incident AIDE baseline to compare against)
aide --check

# Network traffic analysis: capture a bounded window (here 10 minutes) and
# look for periodic C2 beaconing in the pcap
timeout 600 tcpdump -i eth0 -w recovery-traffic.pcap

2. Restore from backups

# Pick a backup from BEFORE the earliest IoC date in the timeline; later
# backups may already contain the attacker's persistence.
# Verify integrity against the hash recorded in the backup catalog
sha256sum -c backup.tar.gz.sha256

# Restore into an isolated environment first
tar -xzf backup.tar.gz -C /mnt/restore/

# Scan the restored files
clamscan -r /mnt/restore/

# If clean, restore to production (trailing slashes matter for rsync)
rsync -avz /mnt/restore/ /production/

3. Phased restoration

PHASE 1 (Hour 24-36): Critical systems
□ Authentication (AD, IAM)
□ Email (with hardened filtering)
□ Core business apps

PHASE 2 (Hour 36-48): Important systems
□ File servers (from clean backups)
□ Databases (validated clean)
□ Internal tools

PHASE 3 (Hour 48-72): Standard systems
□ Development
□ Test systems
□ Non-critical applications

VALIDATION PER PHASE:
✅ No malware detected
✅ Logs normal
✅ Performance normal
✅ No IoCs detected

Communication & reporting

Internal communication

Stakeholder updates:

Every 4 hours during the incident:

TO: Executive Leadership
SUBJECT: Incident Update - Hour 28

SITUATION:
Ransomware incident affecting 12 file servers. Containment 
complete. No evidence of data exfiltration. Beginning recovery 
from backups.

ACTIONS TAKEN:
✅ Isolated all infected systems
✅ Disabled 45 compromised accounts
✅ Applied emergency patches
✅ Engaged forensics partner (Mandiant)

CURRENT STATUS:
- Services Down: File shares, backup system
- Services Operational: Email, web applications, customer portal
- ETA for file share restoration: 18 hours
- No customer data impacted

DECISIONS NEEDED:
- Approve EUR 180,000 for forensics investigation
- Approve overtime for IT team (next 72 hours)

Next update: 16:00 CET
Incident Commander: Jane Doe

External communication

Regulatory notification (NIS2, GDPR):

The clocks differ: GDPR Art. 33 requires notifying the supervisory authority (here the Belgian DPA) within 72 hours of becoming aware of a personal-data breach, and allows the information to be supplied in phases; NIS2 requires an early warning to the national CSIRT within 24 hours and an incident notification within 72 hours. An initial report at the 24-hour mark, as below, serves both only if the NIS2 early warning also goes to the CSIRT.
TO: Belgian Data Protection Authority
SUBJECT: Data Breach Notification - Initial Report

Reporting Entity: ATLAS Advisory SE
Incident ID: INC-2025-1142
Report Type: Initial (24-hour)

INCIDENT DESCRIPTION:
Ransomware attack detected 2025-11-02 14:35 CET. File servers 
encrypted. Investigation ongoing.

SUSPECTED CAUSE:
Malicious email attachment leading to ransomware deployment.

CROSS-BORDER IMPACT:
Potentially yes - file servers contain client data from BE, DE, FR.

DATA SUBJECTS AFFECTED:
Under investigation. Estimated: 500-2,000 individuals.
Categories: Client contact information, project files.

IMMEDIATE ACTIONS:
- Isolated affected systems
- Engaged forensics team
- Notifying potentially affected clients
- Password resets enforced

NEXT STEPS:
Detailed report within 72 hours.

Contact: dpo@atlas-advisory.eu / +32 2 XXX XXXX
Date: 2025-11-02 18:30 CET

Customer notification:

SUBJECT: Important Security Notice

Dear [Customer Name],

We are writing to inform you of a security incident that may have 
affected your data.

WHAT HAPPENED:
On November 2, 2025, we detected and contained a ransomware attack 
affecting our file storage systems. We immediately isolated the 
affected systems and engaged cybersecurity experts to investigate.

WHAT INFORMATION WAS INVOLVED:
Our investigation is ongoing. Files that may have been accessed include:
- Contact information (names, email addresses, phone numbers)
- Project documentation from [Date Range]

We have found NO EVIDENCE of data exfiltration at this time.

WHAT WE ARE DOING:
✓ Contained the incident within 4 hours
✓ Engaged leading cybersecurity forensics firm
✓ Restored systems from clean backups
✓ Enhanced security monitoring
✓ Notified relevant authorities

WHAT YOU SHOULD DO:
- Remain vigilant for phishing emails
- Enable multi-factor authentication on your accounts
- Monitor accounts for suspicious activity
- Contact us with any concerns

FOR MORE INFORMATION:
Visit: https://company.com/security-incident
Email: security@company.com
Phone: +32 2 XXX XXXX (24/7 hotline)

We sincerely apologize for any concern this may cause and are committed 
to protecting your information.

[Company Name]
[Date]

Post-incident activities

Lessons learned (within 2 weeks)

Post-incident review meeting:

Participants: IRT members, management, key stakeholders

Agenda:

  1. Timeline reconstruction
  2. What went well
  3. What needs improvement
  4. Root cause analysis
  5. Action items

Example findings:

INCIDENT: Ransomware via phishing email

WHAT WENT WELL:
✅ Détection within 30 minutes (EDR alert)
✅ IRT activated quickly (15 minutes)
✅ Containment successful (4 hours)
✅ Backups were clean and restorable
✅ No data exfiltration

WHAT COULD BE IMPROVED:
❌ Email filtering didn't block attachment (.zip with .exe)
❌ EDR was in "monitor only" mode on some systems
❌ No phishing awareness training in the past 12 months
❌ Incident response plan not tested in 18 months
❌ Backup restoration took 36 hours (too slow)

ACTION ITEMS:
1. Enhance email filtering (owner: IT Manager, due: Nov 15)
2. Enforce EDR on all endpoints (owner: SOC Manager, due: Nov 10)
3. Security awareness training (owner: HR, due: Dec 1)
4. Quarterly IR tabletop exercises (owner: CISO, ongoing)
5. Optimize backup restoration (owner: Infra Lead, due: Nov 30)

Metrics to track

Response metrics:

  • Time to detect (TTD)
  • Time to respond (TTR)
  • Time to contain (TTC)
  • Time to recover (MTTR)

Business impact:

  • Services affected
  • Downtime duration
  • Revenue impact
  • Customer impact
  • Regulatory sanctions

Cost:

  • IRT time
  • External consultants
  • Legal fees
  • Fines
  • Lost business
  • Reputation damage

Example:

INCIDENT COST BREAKDOWN:

Direct Costs:
- Forensics firm: EUR 85,000
- Legal counsel: EUR 25,000
- Overtime (staff): EUR 18,000
- PR/communications: EUR 12,000
Total Direct: EUR 140,000

Indirect Costs:
- Lost revenue (3 days downtime): EUR 280,000
- Customer churn (estimated): EUR 450,000
- Reputation damage (estimated): EUR 1,200,000
Total Indirect: EUR 1,930,000

TOTAL INCIDENT COST: EUR 2,070,000

Cost Avoidance (due to quick response):
- Prevented data exfiltration: EUR 4,500,000 (estimated)
- Prevented ransomware payment: EUR 500,000 (demanded)
- Prevented longer downtime: EUR 1,200,000
Total Avoided: EUR 6,200,000

NET BENEFIT OF IR PROGRAM: EUR 4,130,000


Conclusion

Effective incident response is not optional. Every hour of delay increases the cost of a breach by EUR 45,000 on average.

Key takeaways:

  1. Prepare: document the plan, train the team, test regularly
  2. Detect fast: invest in detection and monitoring
  3. Contain quickly: the first 4 hours are critical
  4. Investigate thoroughly: understand the root cause
  5. Communicate clearly: internally and externally
  6. Learn: post-incident review

ATLAS Advisory has handled 300+ incidents, contained 94% within 24 hours and avoided roughly EUR 127 M in costs.

Need incident response help?
24/7 Emergency Hotline: emergency@atlas-advisory.eu | +32 2 XXX XXXX

See our SOC services for 24/7 monitoring and response.


Resources

Training & Certifications :

  • SANS FOR508: Advanced Incident Response
  • GCIH: GIAC Certified Incident Handler
  • GCFA: GIAC Certified Forensic Analyst
  • EC-Council CHFI: Computer Hacking Forensic Investigator
