Initial commit: GreySec CSIRP

README.md

@@ -0,0 +1,24 @@
+# GreySec Cyber Security Incident Response Plan (CSIRP)
+
+Standardized incident response procedures following NIST SP 800-61.
+
+## Structure
+
+- `containment/` - Initial containment procedures and isolation steps
+- `eradication/` - Threat removal and vulnerability remediation
+- `recovery/` - System restoration and monitoring procedures
+- `post-incident/` - Lessons learned and process improvement
+- `templates/` - IR forms, checklists, and report templates
+
+## Severity Levels
+
+| Level | Description | Response Time |
+|-------|-------------|---------------|
+| Critical | Active breach, data exfiltration | Immediate |
+| High | Confirmed malware, unauthorized access | 1 hour |
+| Medium | Suspected intrusion, investigation needed | 4 hours |
+| Low | Policy violation, minor anomaly | 24 hours |
+
+## Usage
+
+See individual playbook directories for phase-specific procedures.

containment/initial-response.md

@@ -0,0 +1,22 @@
+# Initial Response Procedure
+
+## 1. Detection & Analysis
+
+1. Verify the incident is not a false positive
+2. Document initial findings
+3. Determine severity level
+
+## 2. Initial Containment
+
+- Isolate affected systems from the network
+- Preserve evidence (do not power off if possible)
+- Document system state
+
+## Severity Levels
+
+| Level | Description | Response Time |
+|-------|-------------|---------------|
+| Critical | Active breach, data exfiltration | Immediate |
+| High | Confirmed malware, unauthorized access | 1 hour |
+| Medium | Suspected intrusion, investigation needed | 4 hours |
+| Low | Policy violation, minor anomaly | 24 hours |

eradication/procedures.md

@@ -0,0 +1,18 @@
+# Eradication Procedures
+
+## 1. Identify Root Cause
+
+- Analyze logs, memory dumps, and network traffic
+- Identify entry point and attacker TTPs
+- Document IOCs
+
+## 2. Remove Threat
+
+- Remove malware and backdoors
+- Close unauthorized access points
+- Patch exploited vulnerabilities
+
+## 3. Validate
+
+- Confirm systems are clean
+- Monitor for recurring indicators

post-incident/lessons-learned.md

@@ -0,0 +1,19 @@
+# Post-Incident Activities
+
+## 1. Lessons Learned
+
+- Conduct post-incident review within 2 weeks
+- Document what worked and what did not
+- Update procedures based on findings
+
+## 2. Process Improvement
+
+- Update detection rules
+- Improve containment playbooks
+- Address training gaps
+
+## 3. Reporting
+
+- Final incident report to stakeholders
+- Update incident metrics
+- Archive evidence per retention policy

recovery/procedures.md

@@ -0,0 +1,19 @@
+# Recovery Procedures
+
+## 1. Restore Systems
+
+- Restore from clean backups
+- Rebuild compromised systems if integrity cannot be confirmed
+- Apply hardening baselines
+
+## 2. Verify Functionality
+
+- Confirm services are operational
+- Validate security controls are functioning
+- Monitor for relapse indicators
+
+## 3. Return to Operations
+
+- Gradual return to production
+- Enhanced monitoring during initial period
+- Document restoration timeline

templates/incident-log.md

@@ -0,0 +1,4 @@
+# Incident Log
+
+| Date/Time | Action | Analyst | Notes |
+|-----------|--------|---------|-------|