andrewesley1211/incident-response

GitHub: andrewesley1211/incident-response

A collection of cybersecurity incident response playbooks and post-incident reports based on the NIST SP 800-61 standard, helping SOC teams standardize the handling of phishing, ransomware, cloud misconfiguration and other security incidents.

Stars: 0 | Forks: 0

# 🚨 Incident Response

### Playbooks, Reports and Containment Workflows

[![Playbooks](https://img.shields.io/badge/Playbooks-5%20Active-red?style=for-the-badge)](#) [![Framework](https://img.shields.io/badge/Framework-NIST%20SP%20800--61-003087?style=for-the-badge)](#) [![Status](https://img.shields.io/badge/Status-Production%20Ready-2ea44f?style=for-the-badge)](#)
## 📋 Overview

This repository contains **incident response playbooks, post-incident reports and containment workflows** built on NIST SP 800-61 Rev. 2. Each playbook guides SOC analysts through detection, analysis, containment, eradication, recovery and post-incident review.

**Frameworks applied:**

- NIST SP 800-61 Rev. 2 — Computer Security Incident Handling Guide
- MITRE ATT&CK — adversary behaviour mapping
- SANS incident response process — 6-phase model

## 🗂️ Document Index

| Document | Type | Incident Category | Priority |
|---|---|---|---|
| [Phishing IR Playbook](./playbooks/phishing-playbook.md) | Playbook | Social engineering | 🔴 P1 |
| [Ransomware IR Playbook](./playbooks/ransomware-playbook.md) | Playbook | Malware / extortion | 🔴 P1 |
| [Unauthorized Access Playbook](./playbooks/unauthorized-access-playbook.md) | Playbook | Account compromise | 🔴 P1 |
| [AWS S3 Exposure Playbook](./playbooks/aws-s3-exposure-playbook.md) | Playbook | Cloud misconfiguration | 🟠 P2 |
| [DDoS Response Playbook](./playbooks/ddos-playbook.md) | Playbook | Availability attack | 🟠 P2 |
| [Incident Report — PHI-2026-0312](./reports/incident-report-PHI-2026-0312.md) | Report | Phishing | Closed |
| [Incident Report — MAL-2026-0615](./reports/incident-report-MAL-2026-0615.md) | Report | Malware / RAT | Closed |

## 🔄 IR Process (NIST SP 800-61)

```
+----------------------------------------------------------------+
|                  INCIDENT RESPONSE LIFECYCLE                   |
+----------+--------------+-------------+------------+-----------+
| PREPARE  | DETECT       | CONTAIN     | ERADICATE  | RECOVER   |
|          | ANALYZE      |             |            |           |
| * Policy | * SIEM alert | * Isolate   | * Remove   | * Restore |
| * Train  | * Triage     | * Preserve  | * Patch    | * Monitor |
| * Tools  | * Escalate   | * Block IOC | * Harden   | * Validate|
+----------+--------------+-------------+------------+-----------+
                                |
                     POST-INCIDENT REVIEW
                     * Lessons learned
                     * Update playbooks
                     * Report metrics
```

## 📂 Repository Structure

```
incident-response/
├── README.md
├── playbooks/
│   ├── phishing-playbook.md
│   ├── ransomware-playbook.md
│   ├── unauthorized-access-playbook.md
│   ├── aws-s3-exposure-playbook.md
│   └── ddos-playbook.md
├── reports/
│   ├── incident-report-PHI-2026-0312.md
│   └── incident-report-MAL-2026-0615.md
└── templates/
    └── incident-report-template.md
```

## 🔗 Related Repositories

- 🔍 [SOC Analyst Labs](https://github.com/andrewesley1211/soc-analyst-labs) — lab investigations that support these playbooks
- ☁️ [Cloud Security Project](https://github.com/andrewesley1211/cloud-security-aws) — AWS-specific IR procedures
- 📊 [NIST CSF Gap Analysis](https://github.com/andrewesley1211/nist-csf-gap-analysis) — framework coverage map
Tags: NIST standard, playbooks, security operations, repository, incident response, scanning framework, defensive hardening