Incident Response Playbook
Document Owner: ____________________
Effective Date: ____________________
Last Reviewed: ____________________
Classification: Internal Use Only
1. Purpose
This Incident Response Playbook establishes a standardized process for identifying, containing, eradicating, and recovering from cybersecurity incidents affecting:
- Blackhawk MSP internal systems
- Managed client environments
- Cloud platforms (Microsoft 365, Azure, etc.)
- Network infrastructure
- Endpoints and servers
2. Incident Severity Levels
| Severity | Description | Examples | Response Time |
|---|---|---|---|
| Critical (SEV-1) | Active breach or business outage | Ransomware, domain admin compromise, server down | Immediate |
| High (SEV-2) | Confirmed security incident with limited spread | Malware infection, account takeover | < 1 Hour |
| Medium (SEV-3) | Suspicious activity requiring investigation | Phishing report, unusual login alerts | Same Day |
| Low (SEV-4) | Security advisory or vulnerability notice | Patch update alert | Within 48 Hours |
3. Incident Response Phases
Blackhawk MSP follows a 6-phase response model:
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons Learned
4. Phase 1 – Preparation
4.1 Required Security Controls
All managed environments must maintain:
- MFA on all privileged accounts
- Endpoint detection & response (EDR)
- Encrypted backups (immutable when possible)
- Centralized logging
- Patch management
- Role-based access control
4.2 Internal Readiness
Maintain:
- Up-to-date client contact list
- Incident contact escalation tree
- Cyber insurance contact info
- Law enforcement contacts (if required)
- Backup restore procedures tested quarterly
5. Phase 2 – Identification
5.1 Incident Triggers
Incidents may be identified via:
- RMM alerts
- EDR detections
- User report of phishing
- Failed backup alerts
- Unusual login activity
- SIEM alerts
- Vendor notification
5.2 Initial Actions
When an incident is suspected:
- Open a high-priority ticket
- Assign a severity level
- Notify the senior technician
- Begin evidence collection
- Start the timeline immediately: record who did what and when, in UTC, as it happens rather than from memory afterwards
Never assume a false positive without verification.
6. Phase 3 – Containment
6.1 Endpoint Containment
If a device is compromised:
- Isolate it from the network: use the EDR's network-isolation function where available so the agent keeps reporting; otherwise disconnect wired and WiFi
- Do NOT power off unless instructed: shutting down destroys volatile memory (running processes, network connections, in-memory keys) that the investigation may need
- Disable the user's account if needed
- Preserve logs
6.2 Account Compromise
If credentials are compromised:
- Reset the password immediately
- Revoke all active sessions and refresh tokens; a password reset does not invalidate access tokens that were already issued until they expire
- Remove any MFA methods the attacker registered and re-enroll the user's MFA
- Review sign-in logs for unfamiliar IPs and countries, bursts of failures ending in a success, and successful sign-ins that did not satisfy MFA
- Check mailbox rules, mailbox-level forwarding and OAuth app consents
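The sign-in review above is easier to do consistently with a small script than by eye. The following is an added example written for this playbook, not part of the original document or of any vendor's tooling: it takes a sign-in export and flags the four patterns named in the checklist (a burst of failures that ends in a success, impossible travel, a first-ever country, and a success without MFA). The record layout, the sample records and the thresholds are constructed assumptions, not a real identity provider's schema.

```python
"""Sign-in log triage for the account-compromise review step.

Added example, not part of the playbook. The record layout is a constructed
simplification of an identity provider's sign-in export (time, user, IP,
country, result, MFA satisfied), not a real schema; thresholds are assumptions.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: normal US activity, then a burst of failures from one IP
# that ends in a success without MFA, followed by the user's own sign-in.
SAMPLE_SIGNINS = [
    ("2024-03-01T08:02:00Z", "jdoe@client.example", "203.0.113.10", "US", "Success", True),
    ("2024-03-01T12:30:00Z", "jdoe@client.example", "203.0.113.10", "US", "Success", True),
    ("2024-03-02T01:10:00Z", "jdoe@client.example", "198.51.100.7", "NG", "Failure", False),
    ("2024-03-02T01:10:20Z", "jdoe@client.example", "198.51.100.7", "NG", "Failure", False),
    ("2024-03-02T01:10:40Z", "jdoe@client.example", "198.51.100.7", "NG", "Failure", False),
    ("2024-03-02T01:11:00Z", "jdoe@client.example", "198.51.100.7", "NG", "Failure", False),
    ("2024-03-02T01:11:20Z", "jdoe@client.example", "198.51.100.7", "NG", "Failure", False),
    ("2024-03-02T01:12:00Z", "jdoe@client.example", "198.51.100.7", "NG", "Success", False),
    ("2024-03-02T01:40:00Z", "jdoe@client.example", "203.0.113.10", "US", "Success", True),
]
# Everything before this point is treated as the user's known-good baseline (assumption).
BASELINE_UNTIL = datetime(2024, 3, 2, tzinfo=timezone.utc)


def parse(records):
    """Turn raw tuples into time-sorted dicts with aware UTC timestamps."""
    events = []
    for ts, user, ip, country, result, mfa in records:
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": user, "ip": ip, "country": country,
            "success": result == "Success", "mfa": bool(mfa),
        })
    return sorted(events, key=lambda e: e["time"])


def failures_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """A success preceded by >= threshold failures from the same IP inside the
    window: a password spray or brute force that landed."""
    findings = []
    for i, ev in enumerate(events):
        if not ev["success"]:
            continue
        fails = [e for e in events[:i]
                 if e["ip"] == ev["ip"] and not e["success"] and ev["time"] - e["time"] <= window]
        if len(fails) >= threshold:
            findings.append(("failures_then_success", ev["time"], ev["ip"], len(fails)))
    return findings


def impossible_travel(events, max_gap=timedelta(hours=1)):
    """Consecutive successes from different countries too close together to be one person."""
    successes = [e for e in events if e["success"]]
    return [("impossible_travel", cur["time"], prev["country"], cur["country"])
            for prev, cur in zip(successes, successes[1:])
            if prev["country"] != cur["country"] and cur["time"] - prev["time"] <= max_gap]


def new_country_success(events, baseline_until):
    """Successes from a country never seen during the baseline period."""
    baseline = {e["country"] for e in events if e["success"] and e["time"] < baseline_until}
    return [("new_country", e["time"], e["country"]) for e in events
            if e["success"] and e["time"] >= baseline_until and e["country"] not in baseline]


def success_without_mfa(events):
    """Successes where MFA was not satisfied: legacy auth, token replay or an MFA gap."""
    return [("no_mfa", e["time"], e["ip"]) for e in events if e["success"] and not e["mfa"]]


def triage(records, baseline_until=BASELINE_UNTIL):
    """Run every check; each finding names the check, the time and the key evidence."""
    events = parse(records)
    return (failures_then_success(events) + impossible_travel(events)
            + new_country_success(events, baseline_until) + success_without_mfa(events))


if __name__ == "__main__":
    for finding in triage(SAMPLE_SIGNINS):
        print(*finding)
```

Run against the sample, the script reports the 01:12 sign-in from 198.51.100.7 under all four checks, and the user's own 01:40 sign-in as the second half of the impossible-travel pair. Every flagged IP and timestamp goes straight into the ticket timeline and the firewall block list; the thresholds should be tuned per client rather than copied.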
6.3 Server Compromise
- Isolate the server (move it to a quarantine VLAN or apply a firewall block) if possible
- Disable compromised accounts
- Block malicious IPs at the perimeter
- Preserve system logs
- Escalate immediately
7. Phase 4 – Eradication
7.1 Malware Removal
- Run an approved EDR scan
- Remove malicious files
- Patch the exploited vulnerability
- Verify no persistence mechanisms remain (scheduled tasks, services, run keys, startup folders, WMI subscriptions, newly created accounts)
- Re-scan the system
7.2 Email Compromise
- Remove malicious forwarding and inbox rules
- Revoke OAuth application consents the attacker added and revoke refresh tokens
- Check sent mail (including Deleted Items) for outgoing phishing or fraudulent payment requests
- Notify affected recipients
- Enforce a password reset
7.3 Ransomware
- Confirm the encryption scope (which hosts, shares and backups are affected)
- Validate backup integrity before relying on it
- Engage cyber insurance (if applicable)
- Do NOT communicate with the attacker unless authorized
- Preserve forensic data (ransom note, a sample of encrypted files, and memory from hosts that are still running)
8. Phase 5 – Recovery
8.1 Restore from Backup
- Validate that the backup predates the compromise and is clean (scan it before restoring)
- Restore to an isolated test environment first
- Confirm system integrity
- Monitor closely for reinfection
8.2 System Hardening Post-Incident
- Patch vulnerabilities
- Rotate all privileged credentials (after a domain compromise this includes the krbtgt account password, reset twice, and all service account passwords)
- Review firewall rules
- Audit admin accounts
- Review MFA enforcement
- Confirm logging is enabled
8.3 Client Communication
Provide:
- Incident summary
- Impact assessment
- Timeline
- Remediation actions taken
- Recommendations for prevention
All communication must be professional and factual.
9. Special Incident Scenarios
9.1 Phishing Email Report
Procedure:
- Obtain the full email headers (the original message saved as .eml, not a forward, which replaces the headers)
- Confirm sender authenticity: SPF, DKIM and DMARC results, and whether Return-Path, Reply-To and the DKIM signing domain align with the From domain
- Check whether the link was clicked or an attachment opened
- Scan the endpoint
- Block the sender domain and URLs if malicious
- Notify impacted users and remove the message from any other mailboxes that received it
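The header checks in the procedure above, as an added example that is not part of the playbook: a script that reads a reported message, pulls the receiving server's SPF/DKIM/DMARC verdicts from Authentication-Results, checks whether Return-Path, Reply-To and the DKIM signing domain align with the From domain, and lists the URL hosts in the body for blocking. The two messages are constructed samples (a spoofed helpdesk notice and an aligned legitimate one); the domains and IPs are placeholders. The gateway's own verdict remains authoritative; this is a triage aid.

```python
"""Header and content triage for a reported phishing email.

Added example, not part of the playbook and not a replacement for the mail
gateway's verdict. PHISH and LEGIT are constructed samples, not real mail.
"""
import email
import re
from email.utils import parseaddr

# Constructed sample 1: display name impersonates the client's helpdesk, but the
# envelope sender, Reply-To and DKIM signing domain belong to the attacker and the
# receiving MTA recorded a DMARC failure for the From domain.
PHISH = b"""Received: from mail.attacker.example (mail.attacker.example [192.0.2.25])
\tby mx.client.example with ESMTP id abc123
Authentication-Results: mx.client.example;
\tspf=pass smtp.mailfrom=attacker.example;
\tdkim=pass header.d=attacker.example;
\tdmarc=fail header.from=client.example
Return-Path: <bounce@attacker.example>
From: "IT Helpdesk" <helpdesk@client.example>
Reply-To: <helpdesk-support@attacker.example>
To: jdoe@client.example
Subject: Action required: password expires today
Content-Type: text/plain; charset="utf-8"

Your password expires in 2 hours. Verify now:
https://client-example-login.attacker.example/reset?u=jdoe
"""

# Constructed sample 2: a legitimate internal notice with aligned domains.
LEGIT = b"""Authentication-Results: mx.client.example;
\tspf=pass smtp.mailfrom=client.example;
\tdkim=pass header.d=client.example;
\tdmarc=pass header.from=client.example
Return-Path: <helpdesk@client.example>
From: "IT Helpdesk" <helpdesk@client.example>
To: jdoe@client.example
Subject: Scheduled maintenance
Content-Type: text/plain; charset="utf-8"

Maintenance window Saturday. Details: https://intranet.client.example/maintenance
"""


def _domain(header_value):
    """Lower-cased domain of an address header ('' when the header is absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def _auth_results(msg):
    """Receiving MTA's SPF/DKIM/DMARC verdicts plus the DKIM signing domain (header.d)."""
    text = re.sub(r"\s+", " ", " ".join(msg.get_all("Authentication-Results", [])))
    verdicts = {m.group(1): m.group(2).lower()
                for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", text)}
    signer = re.search(r"header\.d=([\w.-]+)", text)
    return verdicts, (signer.group(1).lower() if signer else "")


def _body_text(msg):
    """Decoded text of every text/plain and text/html part."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyze(raw_message):
    """Return verdicts, alignment findings and URL hosts for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_message)
    from_domain = _domain(msg.get("From"))
    verdicts, dkim_domain = _auth_results(msg)
    findings = []
    if verdicts.get("dmarc") != "pass":
        findings.append(f"DMARC result is {verdicts.get('dmarc', 'missing')} for {from_domain}")
    for header in ("Return-Path", "Reply-To"):
        domain = _domain(msg.get(header))
        if domain and domain != from_domain:
            findings.append(f"{header} domain {domain} differs from From domain {from_domain}")
    if dkim_domain and dkim_domain != from_domain:
        findings.append(f"DKIM signing domain {dkim_domain} differs from From domain {from_domain}")
    urls = re.findall(r"https?://[^\s<>\"']+", _body_text(msg))
    return {
        "from_domain": from_domain,
        "auth": verdicts,
        "findings": findings,
        "urls": urls,
        "url_hosts": sorted({u.split("/")[2].lower() for u in urls}),
        "verdict": "likely_spoofed" if findings else "headers_aligned",
    }


if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        result = analyze(raw)
        print(name, result["verdict"], result["auth"], result["url_hosts"])
        for finding in result["findings"]:
            print("  -", finding)
```

A "headers_aligned" result only means the sender domain was not spoofed; a compromised legitimate mailbox passes every one of these checks, which is why the procedure still calls for checking whether the link was clicked and scanning the endpoint.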
9.2 Business Email Compromise (BEC)
- Lock the account immediately
- Review inbox rules and mailbox forwarding
- Check sent mail for fraudulent invoices, payment requests or banking-detail changes
- Notify impacted vendors
- Confirm whether any payment or banking-detail change was acted on; if so, contact the bank immediately
- Report to client leadership
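Reviewing inbox rules is a step in the account-compromise (6.2), email-compromise (7.2) and BEC (9.2) procedures, and attacker-created rules follow recognisable patterns: blank or punctuation-only names, forwarding or redirecting outside the organisation, and filtering on words like "invoice" or "password" into folders the user never opens. The following is an added example for those steps, not part of the playbook or of any vendor's tooling. RULES is a constructed export whose field names loosely follow Exchange Online's Get-InboxRule output; the exact field names, the client domain and the word lists are assumptions to adjust per client.

```python
"""Triage of a mailbox's inbox rules after suspected account compromise or BEC.

Added example, not part of the playbook. RULES is a constructed export whose
field names loosely follow Exchange Online's Get-InboxRule output; treat the
names, ORG_DOMAINS and the word lists as assumptions to adapt per client.
"""

ORG_DOMAINS = {"client.example"}  # assumption: the client's own mail domains
SUSPICIOUS_WORDS = {"invoice", "payment", "wire", "bank", "password", "mfa",
                    "security", "hacked", "phish", "suspicious"}
# Folders attackers use to park mail the victim is unlikely to look at.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "archive", "deleted items"}

# Constructed export: one benign rule and three that should be flagged.
RULES = [
    {"Name": "Newsletters", "Enabled": True, "From": ["news@vendor.example"],
     "MoveToFolder": "Newsletters"},
    {"Name": ".", "Enabled": True,
     "SubjectOrBodyContainsWords": ["invoice", "payment", "wire"],
     "MoveToFolder": "RSS Subscriptions", "MarkAsRead": True},
    {"Name": "..", "Enabled": True,
     "ForwardTo": ["finance.backup@attacker.example"], "DeleteMessage": True},
    {"Name": "Old forward", "Enabled": False, "RedirectTo": ["me@personal.example"]},
]


def _external(addresses):
    """Addresses whose domain is not one of the organisation's own."""
    return [a for a in addresses if a.rpartition("@")[2].lower() not in ORG_DOMAINS]


def review_rule(rule):
    """Reasons this rule needs an analyst's attention (empty list if none)."""
    reasons = []
    if not rule.get("Name", "").strip(" .,-_"):
        reasons.append("name is blank or punctuation only")
    forwarding = []
    for field in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
        external = _external(rule.get(field, []))
        if external:
            reasons.append(f"{field} leaves the organisation: {', '.join(external)}")
            forwarding += external
    words = {w.lower() for w in rule.get("SubjectOrBodyContainsWords", [])}
    hits = sorted(words & SUSPICIOUS_WORDS)
    folder = rule.get("MoveToFolder", "")
    hides = bool(rule.get("DeleteMessage")) or folder.lower() in HIDING_FOLDERS
    if hides and (hits or forwarding):
        where = "deletes them" if rule.get("DeleteMessage") else f"moves them to '{folder}'"
        what = f"messages mentioning {hits}" if hits else "forwarded messages"
        reasons.append(f"hides {what}: {where}")
    return reasons


def triage_rules(rules):
    """[(rule name, enabled, reasons)] for every rule with at least one reason.
    Disabled rules are kept: an attacker can re-enable them later."""
    flagged = []
    for rule in rules:
        reasons = review_rule(rule)
        if reasons:
            flagged.append((rule.get("Name", ""), bool(rule.get("Enabled")), reasons))
    return flagged


if __name__ == "__main__":
    for name, enabled, reasons in triage_rules(RULES):
        print(f"{name!r} (enabled={enabled})")
        for reason in reasons:
            print("  -", reason)
```

Export the rule list before removing anything: the rules are evidence of what the attacker was after. Inbox rules are also only one hiding place; pull the mailbox-level forwarding setting and the user's OAuth app consents in the same pass.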
9.3 Data Breach (Regulated Client)
If PHI or other regulated data is exposed:
- Notify management immediately
- Preserve all logs
- Do not alter evidence
- Engage legal/compliance counsel
- Follow the HIPAA breach notification timeline (individuals notified without unreasonable delay and no later than 60 days after discovery) and any other regulatory or contractual deadlines that apply
- Document all actions
9.4 Backup Failure During Incident
If no usable backup is available:
- Attempt snapshot recovery (storage, hypervisor or cloud snapshots)
- Determine the actual recovery point (last known-good copy) and compare it with the agreed recovery point objective (RPO)
- Inform the client immediately
- Document the data-loss window and risk exposure
10. Escalation Matrix
| Role | Responsibility |
|---|---|
| Tier 1 | Identify & escalate |
| Tier 2 | Containment & remediation |
| Senior Engineer | Infrastructure decisions |
| Management | Client communication & insurance |
| Legal (if needed) | Breach notification compliance |
11. Evidence Preservation Guidelines
During serious incidents:
- Do not wipe affected systems immediately
- Capture logs before making changes
- Hash captured files (SHA-256) at collection time so their integrity can be proven later
- Document IP addresses involved
- Save screenshots
- Record timestamps (UTC) for every action
Maintain chain-of-custody documentation when required.
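Chain-of-custody documentation rests on being able to show that the evidence handed to insurers, counsel or law enforcement is the same bytes that were collected. The following is an added example for these guidelines, not part of the playbook: it hashes each collected file, records who collected it and when, writes a manifest, and re-verifies the files later. The log files, technician name and incident ID are constructed placeholders created in a temporary directory.

```python
"""Integrity record for collected evidence, in support of chain of custody.

Added example, not part of the playbook. It hashes each collected file at
collection time, records who collected it and when, and later proves that the
copy handed to insurers, counsel or law enforcement is unchanged. The evidence
files, technician name and incident ID below are constructed placeholders.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so disk images and large log archives need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_evidence(paths, collected_by, incident_id, note=""):
    """Build manifest entries. Hash before anything else touches the files."""
    return [{
        "incident_id": incident_id,
        "file": os.path.basename(path),
        "size_bytes": os.path.getsize(path),
        "sha256": sha256_file(path),
        "collected_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "collected_by": collected_by,
        "note": note,
    } for path in paths]


def verify_evidence(entries, directory):
    """Names of files that are missing or whose hash no longer matches the manifest."""
    mismatched = []
    for entry in entries:
        path = os.path.join(directory, entry["file"])
        if not os.path.isfile(path) or sha256_file(path) != entry["sha256"]:
            mismatched.append(entry["file"])
    return mismatched


def manifest_json(entries):
    """Serialised manifest to store beside the evidence and attach to the ticket."""
    return json.dumps(entries, indent=2, sort_keys=True)


def demo():
    """Constructed run: collect two exports, then alter one and show verification catches it."""
    with tempfile.TemporaryDirectory() as directory:
        samples = {
            "security-events.csv": b"time,event_id,user\n2024-03-02T01:12:00Z,4624,jdoe\n",
            "firewall.log": b"2024-03-02T01:09:58Z DENY 198.51.100.7 -> 10.0.0.5:445\n",
        }
        paths = []
        for name, data in samples.items():
            path = os.path.join(directory, name)
            with open(path, "wb") as fh:
                fh.write(data)
            paths.append(path)
        manifest = record_evidence(paths, "tech1", "INC-0001", "collected before containment")
        before = verify_evidence(manifest, directory)
        with open(paths[1], "ab") as fh:  # simulate a later, unauthorised edit
            fh.write(b"edited after collection\n")
        after = verify_evidence(manifest, directory)
        return {"manifest": manifest, "json": manifest_json(manifest),
                "before": before, "after": after}


if __name__ == "__main__":
    result = demo()
    print(result["json"])
    print("files changed since collection:", result["after"])
```

Store the manifest with the ticket, not only alongside the evidence, and record every later hand-off (who, when, to whom) as a new entry rather than editing the original; the original hashes are what make the record credible.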
12. Post-Incident Review
Within 7 days of resolution:
- Conduct an internal review meeting
- Identify the root cause
- Evaluate response speed
- Identify gaps
- Update the SOP if necessary
Document:
- What happened
- Why it happened
- How it was fixed
- Preventative measures implemented
13. Incident Documentation Requirements
Every incident must include:
- Timeline
- Impact assessment
- Containment actions
- Remediation steps
- Client communication summary
- Lessons learned
Incomplete documentation is unacceptable.
14. Zero-Tolerance Security Failures
Immediate escalation required for:
- Unauthorized admin access
- Client data exfiltration
- Ransomware encryption
- Privileged credential leak
- Firewall compromise
Incident Sign-Off
Incident ID: ___________________________
Severity: _____________________________
Resolved Date: _______________________
Lead Technician: _____________________
Management Review Completed: _________