incident-response

plaintext
rule SuspiciousDownloader {
  strings:
    $a = "powershell -enc" nocase
    $b = "Invoke-WebRequest" nocase
    $c = "http://" nocase
  condition:

YARA rules for spotting suspicious binaries during triage

yara malware triage
by Kai Nakamura 1 tab
bash
#!/usr/bin/env bash
set -euo pipefail

# ==========================================================
# Production Incident Response Runbook
# ==========================================================

Incident response runbook and diagnostic scripts

incident-response sre production
by Ryan Nakamura 1 tab
yaml
severities:
  sev1: customer-impacting active compromise or confirmed data exposure
  sev2: high risk suspicious activity with potential customer impact
  sev3: contained issue with low current impact

first_hour:

Incident response severity matrix and first hour checklist

incident-response runbooks security-operations
by Kai Nakamura 1 tab
bash
#!/usr/bin/env bash
set -euo pipefail

# Collection directory, timestamped so repeated runs never overwrite each other.
# Writing to the suspect host's own disk alters it; prefer mounted external
# or remote storage when evidence integrity matters.
OUT="/tmp/incident-$(date +%Y%m%d-%H%M%S)"
mkdir -p "$OUT"

Forensic collection script for volatile host evidence

forensics incident-response linux
by Kai Nakamura 1 tab
bash
#!/usr/bin/env bash
# Each capture blocks until interrupted; run them one at a time, not as a sequence.
# Save all traffic to and from a suspect host to a pcap for later analysis
tcpdump -i eth0 host 10.10.20.15 -w suspect-host.pcap
# Watch live HTTPS traffic to a specific API endpoint on the console
tcpdump -i eth0 port 443 and host api.example.com
# Show only connection setup and teardown packets (SYN, FIN, RST)
tcpdump -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) != 0'

tcpdump filters for fast packet capture during investigations

tcpdump packets incident-response
by Kai Nakamura 1 tab
plaintext
http.response.code >= 400
tcp.analysis.retransmission
tls.alert_message
dns.flags.response == 1 && dns.a
ip.addr == 10.10.20.15 && tcp.port == 443

Wireshark display filters that speed up incident triage

wireshark packet-analysis incident-response
by Kai Nakamura 1 tab