Further Reading: Incident Response
Curated, annotated resources to deepen this chapter. Each entry notes which learning path it serves most (🛡️ SOC, 🏗️ Engineer, 📋 GRC, 📜 Cert) and its citation tier (Tier 1 verified canonical; Tier 2 attributed). Start with the suggested order; you do not need everything before Chapter 25.
Suggested order
- Read the NIST SP 800-61 computer-security incident-handling guide — the lifecycle this whole chapter is built on. It is the one primary source you should know cold.
- Pair it with the SANS Incident Handler's Handbook / PICERL framing to see the same lifecycle in the form most working responders actually carry in their heads.
- Browse CISA's incident-response resources and ransomware guidance for the operational, current, U.S.-government view — playbooks and the practical "what to do now."
- If you are on the GRC path, read your sector's breach-notification rule (banking 36-hour rule, or HIPAA Breach Notification Rule) directly; the deadlines are not optional and the wording matters.
Standards & primary documents (Tier 1)
- NIST SP 800-61, Computer Security Incident Handling Guide. 🛡️📋📜 The canonical U.S. reference for the incident-response lifecycle (preparation; detection & analysis; containment, eradication & recovery; post-incident activity). This chapter follows its model; read the lifecycle and the recommendations on building a capability. The single most important source for this chapter.
- NIST SP 800-53 (control family IR — Incident Response). 🏗️📋 The control catalog's IR family (IR-1 through IR-8: policy, training, testing, handling, monitoring, reporting, response assistance, plan) — useful for mapping your program to a recognized control set and for audits.
- CISA, Incident Response resources and #StopRansomware guidance. 🛡️ Practical, current U.S. government guidance and joint advisories, including the inter-agency ransomware guide. The operational companion to NIST's framework — checklists and "do this now" actions.
- CISA / federal Cybersecurity Incident & Vulnerability Response Playbooks. 🛡️📋 Government-issued playbooks for incident and vulnerability response; an excellent model for the structure and altitude of your own playbooks (decision/coordination level) versus runbooks.
- The U.S. banking Computer-Security Incident Notification rule (interagency). 📋 The source for the 36-hour notification requirement referenced in this chapter; if you defend a bank, know it directly rather than secondhand.
- HHS, HIPAA Breach Notification Rule. 📋 The source for the healthcare notification framework in Case Study 2 (individual + HHS within 60 days; ≥500 adds media and the HHS portal; the four-factor risk assessment). Read it directly if you handle PHI.
- MITRE ATT&CK. 🛡️ Used throughout triage and scoping to map observed activity to techniques (e.g., "Inhibit System Recovery" for shadow-copy deletion), which tells you what likely happened before and after an alert. Mastered in Chapter 22; applied here.
Books (Tier 1 / Tier 2)
- SANS, Incident Handler's Handbook (and the SANS 504/508 body of knowledge). 🛡️📜 The widely used practitioner framing of the lifecycle as PICERL — Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned. Compare it to NIST's phases; they are the same ideas, and you will hear both names in the field. (Tier 1 for the handbook; the broader course material is Tier 2.)
- Chapple, M., & Seidl, D., CompTIA Security+ Study Guide — incident-response chapter. 📜 Exam-aligned coverage of the lifecycle, playbooks/runbooks, and exercise types; an efficient review for certification candidates.
- Harris, S., & Maymí, F., CISSP All-in-One Exam Guide — Security Operations domain. 📜📋 Broader, management-oriented treatment of incident management, including the relationship between IR, BCP/DR, and governance — useful for the GRC and architect tracks.
- Murdoch, Blue Team Handbook: Incident Response Edition. 🛡️ A concise, field-oriented reference for responders — the practical companion to the standards, with checklists and common technical actions. (Tier 2: a well-regarded practitioner reference.)
Free online & talks (Tier 1 / Tier 2)
- SRE/aviation literature on blameless postmortems (e.g., the postmortem-culture chapter of Google's freely available SRE material). 🛡️📋 The clearest articulation of why blamelessness produces better outcomes than blame — directly applicable to §24.6 and to the SOC culture of Chapter 37. (Tier 1 for the SRE book; the broader safety-culture literature is Tier 2.)
- CISA Tabletop Exercise Packages (CTEPs). 📋🛡️ Ready-made tabletop scenarios and facilitator materials — an excellent starting point for running your own exercises (Exercise 21) rather than building from scratch.
- Verizon Data Breach Investigations Report (DBIR) (annual). 🛡️📋 Grounds the chapter's claims in data: how breaches are actually discovered (often by third parties), how long they dwell undetected, and which patterns dominate — context for why detection speed and scoping matter so much.
Tools to explore (in your own lab only)
- A tabletop you facilitate. 🛡️📋 The highest-value "tool" in this chapter needs no software: a scenario, timed injects, the people who would respond, and an honest debrief. Run the §24.5 ransomware scenario (or a CISA CTEP) with a study group.
- An EDR / SIEM home lab for the response actions. 🛡️🏗️ In a sandbox, practice the runbook mechanics on benign changes: host isolation, account disable and session revocation, and restoring a VM from a known-good snapshot (the §24.4 "Try It in the Lab"). Practicing the recovery half safely teaches why tested, offline backups are load-bearing.
⚖️ Authorization & Ethics reminder: Incident-response and forensics techniques touch real systems and sometimes real evidence. Practice only in your own lab or with explicit authorization; in a real incident, act under your IR plan and (for anything that may become legal) under counsel's direction (Chapters 25 and 39).