From bf3cadc6970845a90067edadbd2d4dd05a65a18f Mon Sep 17 00:00:00 2001 From: Hermes Agent Date: Fri, 8 May 2026 18:07:02 -0500 Subject: [PATCH] Initial commit: GreySec CSIRP --- README.md | 24 ++++++++++++++++++++++++ containment/initial-response.md | 22 ++++++++++++++++++++++ eradication/procedures.md | 18 ++++++++++++++++++ post-incident/lessons-learned.md | 19 +++++++++++++++++++ recovery/procedures.md | 19 +++++++++++++++++++ templates/incident-log.md | 4 ++++ 6 files changed, 106 insertions(+) create mode 100644 README.md create mode 100644 containment/initial-response.md create mode 100644 eradication/procedures.md create mode 100644 post-incident/lessons-learned.md create mode 100644 recovery/procedures.md create mode 100644 templates/incident-log.md diff --git a/README.md b/README.md new file mode 100644 index 0000000..53fe264 --- /dev/null +++ b/README.md @@ -0,0 +1,24 @@ +# GreySec Cyber Security Incident Response Plan (CSIRP) + +Standardized incident response procedures following NIST SP 800-61. + +## Structure + +- `containment/` - Initial containment procedures and isolation steps +- `eradication/` - Threat removal and vulnerability remediation +- `recovery/` - System restoration and monitoring procedures +- `post-incident/` - Lessons learned and process improvement +- `templates/` - IR forms, checklists, and report templates + +## Severity Levels + +| Level | Description | Response Time | +|-------|-------------|---------------| +| Critical | Active breach, data exfiltration | Immediate | +| High | Confirmed malware, unauthorized access | 1 hour | +| Medium | Suspected intrusion, investigation needed | 4 hours | +| Low | Policy violation, minor anomaly | 24 hours | + +## Usage + +See individual playbook directories for phase-specific procedures. \ No newline at end of file diff --git a/containment/initial-response.md b/containment/initial-response.md new file mode 100644 index 0000000..b055117 --- /dev/null +++ b/containment/initial-response.md 
@@ -0,0 +1,22 @@ +# Initial Response Procedure + +## 1. Detection & Analysis + +1. Verify the incident is not a false positive +2. Document initial findings +3. Determine severity level + +## 2. Initial Containment + +- Isolate affected systems from the network +- Preserve evidence (do not power off if possible) +- Document system state + +## Severity Levels + +| Level | Description | Response Time | +|-------|-------------|---------------| +| Critical | Active breach, data exfiltration | Immediate | +| High | Confirmed malware, unauthorized access | 1 hour | +| Medium | Suspected intrusion, investigation needed | 4 hours | +| Low | Policy violation, minor anomaly | 24 hours | \ No newline at end of file diff --git a/eradication/procedures.md b/eradication/procedures.md new file mode 100644 index 0000000..6822bd9 --- /dev/null +++ b/eradication/procedures.md @@ -0,0 +1,18 @@ +# Eradication Procedures + +## 1. Identify Root Cause + +- Analyze logs, memory dumps, and network traffic +- Identify entry point and attacker TTPs +- Document IOCs + +## 2. Remove Threat + +- Remove malware and backdoors +- Close unauthorized access points +- Patch exploited vulnerabilities + +## 3. Validate + +- Confirm systems are clean +- Monitor for recurring indicators \ No newline at end of file diff --git a/post-incident/lessons-learned.md b/post-incident/lessons-learned.md new file mode 100644 index 0000000..d217f5a --- /dev/null +++ b/post-incident/lessons-learned.md @@ -0,0 +1,19 @@ +# Post-Incident Activities + +## 1. Lessons Learned + +- Conduct post-incident review within 2 weeks +- Document what worked and what did not +- Update procedures based on findings + +## 2. Process Improvement + +- Update detection rules +- Improve containment playbooks +- Address training gaps + +## 3. Reporting + +- Final incident report to stakeholders +- Update incident metrics +- Archive evidence per retention policy \ No newline at end of file 
diff --git a/recovery/procedures.md b/recovery/procedures.md new file mode 100644 index 0000000..1262275 --- /dev/null +++ b/recovery/procedures.md @@ -0,0 +1,19 @@ +# Recovery Procedures + +## 1. Restore Systems + +- Restore from clean backups +- Rebuild compromised systems if integrity cannot be confirmed +- Apply hardening baselines + +## 2. Verify Functionality + +- Confirm services are operational +- Validate security controls are functioning +- Monitor for relapse indicators + +## 3. Return to Operations + +- Gradual return to production +- Enhanced monitoring during initial period +- Document restoration timeline \ No newline at end of file diff --git a/templates/incident-log.md b/templates/incident-log.md new file mode 100644 index 0000000..b4e8561 --- /dev/null +++ b/templates/incident-log.md @@ -0,0 +1,4 @@ +# Incident Log + +| Date/Time | Action | Analyst | Notes | +|-----------|--------|---------|-------| \ No newline at end of file
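Review bot: README.md claims the plan follows NIST SP 800-61, but the `## Structure` list has no home for the Preparation phase, and Detection & Analysis is folded into `containment/initial-response.md`; either add a `preparation/` entry or state in `## Usage` that preparation is out of scope. The `templates/` entry promises "IR forms, checklists, and report templates" while the patch adds only `templates/incident-log.md`, so trim that description or mark the remaining templates as pending. The `## Severity Levels` table here is reproduced verbatim in `containment/initial-response.md`; keep the README copy as the single source and link to it from the playbook so the two cannot drift. Every file in the patch also ends with "\ No newline at end of file"; add trailing newlines.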
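Review bot: `containment/initial-response.md` assigns response times through its severity table but neither `## 1. Detection & Analysis` nor `## 2. Initial Containment` says who is notified or how escalation happens once severity is determined; add a notification/escalation step after "Determine severity level". Under `## 2. Initial Containment`, "Isolate affected systems from the network" comes before "Preserve evidence (do not power off if possible)", yet the isolation method is unspecified; state whether isolation is host-based or a network ACL change, and note that volatile state (memory, active connections) should be captured before or as part of isolation, since the later "Document system state" step cannot recover what isolation already changed. The heading numbering is also inconsistent: `## 1.` and `## 2.` are followed by an unnumbered `## Severity Levels`, which duplicates README.md.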
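Review bot: in `eradication/procedures.md`, "Confirm systems are clean" under `## 3. Validate` has no acceptance criterion; tie it to the IOCs documented in `## 1. Identify Root Cause` (re-scan the affected and adjacent systems against those IOCs and confirm the identified entry point is closed). "Close unauthorized access points" under `## 2. Remove Threat` should say explicitly whether credentials, keys and accounts touched by the attacker are rotated or removed, since a backdoor can be an account rather than a binary. "Patch exploited vulnerabilities" also overlaps with "Apply hardening baselines" in `recovery/procedures.md`; state which phase owns patching so it is not skipped by both.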
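Review bot: `post-incident/lessons-learned.md` references a retention policy in "Archive evidence per retention policy" that is not in the repository; link to it or record the retention period here. "Update incident metrics" under `## 3. Reporting` names no metrics; suggest defining at least time to detect and time to contain, measured against the response times in the README severity table, so the metrics are comparable across incidents. "Update detection rules" under `## 2. Process Improvement` should reference the IOCs documented in the eradication phase as its input.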
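Review bot: "Restore from clean backups" under `## 1. Restore Systems` in `recovery/procedures.md` does not define "clean"; require that the backup predate the entry point established in eradication `## 1. Identify Root Cause` and that the restored image be checked against the documented IOCs before it is reconnected, otherwise the restore reintroduces the compromise that "Rebuild compromised systems if integrity cannot be confirmed" is meant to avoid. Under `## 3. Return to Operations`, "Gradual return to production" has no exit criteria and "Enhanced monitoring during initial period" has no duration; tie the former to "Validate security controls are functioning" in `## 2.` and give the latter a period.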
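Review bot: `templates/incident-log.md` consists of a single table header row with no fields above it to identify the incident; add an incident ID and severity line so a log can be tied to the severity table in README.md and to the "Final incident report" in the post-incident phase. The `Date/Time` column should state the expected timezone (UTC is the usual choice) and timestamp format, since logs from several analysts are merged into the timeline that `recovery/procedures.md` asks for in "Document restoration timeline".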