joshuaguda281-stack/incident-response

GitHub: joshuaguda281-stack/incident-response

An incident response framework based on Python and the PICERL model, providing the complete workflow from identification through lessons learned, with automated evidence handling.

Stars: 0 | Forks: 0

# Incident Response Framework

[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT) [![Python 3.6+](https://img.shields.io/badge/python-3.6+-blue.svg)](https://www.python.org/downloads/) [![Platform](https://img.shields.io/badge/platform-Linux-blue)](https://www.kernel.org/)

A comprehensive incident response framework implementing the PICERL (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned) model.

## 🚀 Features

### PICERL Model Implementation

| Phase | Description | Actions |
|-------|-------------|---------|
| **Preparation** | IR plan, tools, training | Case creation, directory setup |
| **Identification** | Detection, validation, triage | Severity scoring, indicator analysis |
| **Containment** | Isolation, preservation, blocking | Process termination, IP blocking |
| **Eradication** | Removal, patching, cleanup | Malware removal, persistence-mechanism cleanup |
| **Recovery** | Restoration, monitoring, verification | Backup restore, integrity checks |
| **Lessons Learned** | Review, update, improve | Documentation, recommendations |

### Capabilities

- ✅ Unique case ID generation and management
- ✅ Severity classification (CRITICAL/HIGH/MEDIUM/LOW)
- ✅ Automated evidence collection (processes, network, files, logs)
- ✅ Process termination for containment
- ✅ IP blocking via iptables and /etc/hosts
- ✅ Malware eradication with hash tracking
- ✅ Persistence mechanism detection
- ✅ System recovery assistance
- ✅ Lessons-learned documentation
- ✅ JSON and human-readable reports
- ✅ Incident simulation mode

## 📋 Requirements

- **Python 3.6** or later
- **psutil** for process/network monitoring
- **Root privileges** (recommended for full containment)

## 🔧 Installation

```bash
# Clone the repository
git clone https://github.com/joshuaguda281-stack/incident-response.git
cd incident-response

# Install dependencies
pip install psutil

# Or install everything at once
pip install -r requirements.txt
```

## 📋 Severity Classification

| Severity | Score | Criteria | Response Time |
|----------|-------|----------|---------------|
| CRITICAL | 70+ | Ransomware, data exfiltration | Immediate |
| HIGH | 40-69 | Lateral movement, privilege escalation | < 4 hours |
| MEDIUM | 20-39 | Suspicious activity, potential breach | < 24 hours |
| LOW | 0-19 | Single failed login, policy violation | < 1 week |

## 🎯 Use Cases

- **Security Operations Center (SOC)** - Standardized incident response
- **Incident Response Teams** - Structured investigation workflow
- **Forensic Analysis** - Evidence collection and preservation
- **Compliance** - Audit trail and documentation
- **Training** - Incident response simulation

## 📝 Report Format

### JSON Report

```json
{
  "case_id": "IR-20240115-143000",
  "severity": "CRITICAL",
  "status": "CLOSED",
  "actions_summary": 12,
  "evidence_count": 1,
  "recommendations": [
    "Implement additional monitoring",
    "Review incident response plan"
  ]
}
```

### Human-Readable Report

- Executive summary
- Timeline of events
- Actions taken
- Recommendations

## 🔧 Troubleshooting

| Issue | Solution |
|-------|----------|
| Permission denied | Run with `sudo` for full containment |
| psutil not found | Run: `pip install psutil` |
| Evidence collection slow | Reduce the target path or increase the skip directories |

## 📝 License

MIT License - See the LICENSE file for details.

## 👤 Author

**Joshua Guda**

- GitHub: @joshuaguda281-stack
- LinkedIn: Joshua Guda

## 🙏 Acknowledgments

- SANS PICERL Model
- NIST SP 800-61 Incident Response Guide
- psutil library contributors

## ⭐ Support

If this framework helps you respond to incidents, please star the repository!
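As an added example (not the project's own code), the following Python maps an indicator score onto the tiers of the Severity Classification table, generates a case ID in the `IR-YYYYMMDD-HHMMSS` form used by the sample JSON report, and assembles the report structure. The indicator weights and the extra `score` and `response_time` fields are assumptions for illustration; the README does not publish the framework's scoring rules.

```python
from datetime import datetime

# Tiers from the README's Severity Classification table: (min score, tier, response time)
SEVERITY_TIERS = [
    (70, "CRITICAL", "Immediate"),
    (40, "HIGH", "< 4 hours"),
    (20, "MEDIUM", "< 24 hours"),
    (0, "LOW", "< 1 week"),
]

# Indicator weights are an assumption for illustration; the README does not publish its scoring.
INDICATOR_WEIGHTS = {
    "data_exfiltration": 70,
    "lateral_movement": 40,
    "suspicious_process": 20,
    "failed_login": 5,
}

def score_indicators(indicators):
    """Sum the weights of the observed indicators; unknown indicator names count as 0."""
    return sum(INDICATOR_WEIGHTS.get(name, 0) for name in indicators)

def classify(score):
    """Map a score to (severity, response time) using the table's thresholds."""
    for threshold, tier, response in SEVERITY_TIERS:
        if score >= threshold:
            return tier, response
    return "LOW", "< 1 week"  # a negative score still lands in the lowest tier

def make_case_id(when):
    """Case IDs follow the IR-YYYYMMDD-HHMMSS form shown in the sample JSON report."""
    return "IR-" + when.strftime("%Y%m%d-%H%M%S")

def build_report(indicators, when, actions, evidence, recommendations):
    """Assemble the README's JSON report fields, plus the computed score and response time."""
    score = score_indicators(indicators)
    severity, response_time = classify(score)
    return {
        "case_id": make_case_id(when),
        "severity": severity,
        "score": score,
        "response_time": response_time,
        "status": "OPEN",
        "actions_summary": len(actions),
        "evidence_count": len(evidence),
        "recommendations": list(recommendations),
    }
```

Calling `build_report(["lateral_movement", "suspicious_process"], datetime(2024, 1, 15, 14, 30, 0), actions, evidence, recommendations)` yields case ID `IR-20240115-143000`, a score of 60 and severity `HIGH` with a `< 4 hours` response time.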
Tags: Cloudflare, HTTP tools, IP blocking, MITRE ATT&CK, PE loader, PICERL, Python, forensics, forensic collection, threat response, subdomain mutation, integrity verification, library, incident response, recovery, malware removal, backdoor-free, eradication, penetration testing framework, lessons learned, cybersecurity, cybersecurity audit, automated response, process termination, reverse engineering tools, containment, defense, privacy protection