How to Handle a Security Incident: A Step-by-Step Guide

 

In today’s evolving threat landscape, security incidents are inevitable. How you respond to them determines the extent of damage and your organization’s resilience. Whether you’re dealing with a phishing attack, malware, a data breach, or a misconfiguration, a well-defined incident response process is crucial.

In this post, we’ll walk through a practical, structured approach to handling security incidents, based on best practices from the NIST Cybersecurity Framework and ISO/IEC 27035.

 

What is a Security Incident?

NIST SP 800-61 Rev. 2 defines an incident as:

"A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices."

 

A security incident is any event or series of events that indicate a potential breach or violation of an organization’s information security policies, acceptable use policies, or standard security practices. It often involves unauthorized access, use, disclosure, modification, or destruction of information or systems, and may impact confidentiality, integrity, or availability (CIA triad).

 

The Three Pillars:

• Confidentiality: Preventing unauthorized disclosure of information, like using encryption or access controls to keep sensitive data secret.
• Integrity: Maintaining the accuracy, consistency, and trustworthiness of data, protecting it from unauthorized changes or destruction (e.g., backups, checksums).
• Availability: Ensuring authorized users can reliably access information and systems when needed, through measures like redundancy, disaster recovery, and DoS protection. 

Key Characteristics of a Security Incident:

1. Unauthorized Activity
   An attempt to access or modify data or systems without authorization.
2. Policy Violation
   Activity that goes against internal security controls or procedures.
3. Threat Indicators
   Evidence of malware, phishing, data exfiltration, or insider misuse.
4. Potential Harm
   May result in data loss, service disruption, regulatory fines, or reputational damage.

Common Types of Security Incidents:

• Phishing attacks – where attackers trick users into giving up credentials or downloading malware.
• Malware infections – including ransomware or trojans on endpoints or servers.
• Data breaches – unauthorized access and/or theft of sensitive data.
• Insider threats – malicious or negligent actions by employees or contractors.
• Denial-of-Service (DoS/DDoS) attacks – aimed at making a system or service unavailable.
• Cloud misconfigurations – such as publicly exposed storage buckets or permissive IAM roles.

Incident Response: Cloud Provider Security Response Teams (Azure, AWS, GCP)

When operating in Azure, AWS, or GCP, your cloud provider has dedicated internal security teams that can assist during high-severity security incidents, such as:

• Suspected breaches of cloud infrastructure
• Data exfiltration concerns
• Compromised credentials with cloud-wide impact
• Abuse or misuse of cloud services
• Suspected platform-level vulnerabilities or service compromise

 What is MSRC?

The Microsoft Security Response Center (MSRC) is responsible for investigating and responding to security incidents affecting Microsoft services and infrastructure.

 What is AWS Security?

AWS Security is responsible for responding to issues affecting AWS’s own infrastructure or abuse of their services. For incidents in your own environment, you are the primary responder, but AWS can assist in platform-level issues or abuse cases.

 What is GCAT?

Google Cloud’s Cybersecurity Action Team (GCAT) provides strategic and technical incident support to enterprise customers. Google also has Security Command Center (SCC) and Chronicle for threat detection.

Step 1: Preparation

Before an incident even occurs, preparation is essential. Without it, your team will be reactive and either slow or don’t know how to respond.

Key Activities:

• Develop an Incident Response Plan (IRP) that outlines roles, responsibilities, communication protocols, and escalation procedures.
• Train your team on common attack vectors and run regular simulations or tabletop exercises.
• Implement monitoring tools:
• Security Information and Event Management (SIEM) tools like Splunk, Microsoft Sentinel, Cortex XSIAM is SIEM+XDR+SOAR, QRadar.
• Endpoint Detection and Response (EDR) platforms like CrowdStrike, Cortex XDR, Microsoft Defender for Endpoint, Prisma, Threat Locker
• Network monitoring tools like Zeek or Suricata
• Ensure all systems are logging security-relevant events and that logs are stored securely and centrally.

Preparation includes securing cloud resources as well. Tools like AWS GuardDuty, Azure Security Center, and Google Cloud’s Security Command Center can provide native visibility into cloud workloads.

 

Step 2: Detection and Analysis

Once a potential incident is suspected, the next step is detecting and verifying the event.

How to Detect an Incident:

• Monitor alerts from:
• SIEM dashboards
• Email security gateways
• Cloud security platforms
• IDS/IPS systems like Perimeter Firewalls
• Encourage users to report suspicious behavior such as phishing emails or system slowdowns.

How to Analyze the Incident:

• Identify affected systems and users.
• Correlate logs to determine the source and scope of the incident.
• Check for Indicators of Compromise (IOCs), such as:
• Unusual login times or locations
• Unexpected network traffic
• File integrity changes
• Unknown processes or binaries

Tools to Use:

• Use SIEM to create timelines and identify patterns.
• Use endpoint tools to capture forensic data (processes, registry changes, file hashes).

Forensic Tool	Type	Key Use Case
Velociraptor	Open-source	Enterprise live forensics
KAPE	Free	Fast artifact collection
FTK Imager	Free	Full disk/image acquisition
Magnet RAM Capture	Free	RAM dump
Redline	Free	In-depth memory/process analysis
GRR	Open-source	Scalable remote collection
Sysinternals	Free	Manual triage
Cortex XDR	Commercial	Integrated Palo Alto forensic collection
CrowdStrike RTR	Commercial	Remote forensics with scripting

 

• For web or API attacks, analyze WAF logs and application logs.
• In cloud environments, examine audit trails such as AWS CloudTrail, Azure Activity Logs, or GCP Audit Logs.

 

Example:
If you receive an alert for suspicious login from a foreign country, verify it against sign-in logs and determine whether MFA was bypassed.

 

Step 3: Containment

After confirming the incident, immediately take steps to contain the damage and stop the attack from spreading.

Short-Term Containment:

• Isolate and/or Disconnect affected machines from the network.
• Revoke access tokens or API keys.
• Disable compromised accounts or Force change passwords.
• Block malicious IPs or domains in firewalls or cloud security groups.

Long-Term Containment:

• Patch any vulnerabilities that were exploited.
• Update firewall rules or WAF policies to prevent further exploitation.
• Segregate sensitive data and services from the rest of the network.

Cloud:
If a compromised IAM user in Azure/AWS is discovered:

• Disable or delete their access keys.
• Attach a deny-all policy to the user or role.
• Rotate credentials immediately.

 

Step 4: Eradication

Once contained, the next goal is to eliminate the root cause and ensure the threat is removed.

Key Steps:

• Remove malware or malicious code.
• Delete backdoors or persistence mechanisms.
• Clean registry or service entries added by attackers.
• Restore altered files from clean backups.
• Identify and patch vulnerable applications or services.

Tools and Techniques:

• Use antivirus or EDR solutions to scan and remove malicious payloads.
• Review and clean crontabs, startup scripts, scheduled tasks, or registry keys.
• In the cloud, check for modified security groups, IAM roles, or resource policies.

 

Always validate that eradication was successful. Perform a full scan and re-check logs for lingering activity.

 

Step 5: Recovery

After the environment is clean, begin restoring systems to operational status.

Best Practices:

• Rebuild compromised systems from clean images.
• Restore data from backups and verify integrity.
• Monitor systems closely after bringing them back online.
• Re-enable access with secure credentials and enforce MFA.

 

Cloud Recovery:
In AWS or Azure, use infrastructure-as-code (Terraform, CloudFormation, ARM templates) to redeploy services consistently and securely.

Keep impacted users or customers informed, especially if there are regulatory obligations under GDPR, HIPAA, or other data protection laws.

 

Step 6: Post-Incident Activity

After recovery, take time to learn from the incident and improve defenses.

Activities to Perform:

• Conduct a Root Cause Analysis (RCA) to determine how the incident happened and what can prevent it next time.
• Review what worked and what didn’t in your IR process.
• Update documentation and playbooks.
• Share IOCs with threat intelligence platforms or industry partners.
• Conduct a debriefing with all stakeholders.

 

Example of Lessons Learned:

• The phishing email bypassed security filters - update email rules and user training.
• MFA wasn’t enforced – mandate MFA for all accounts.
• A known vulnerability wasn’t patched – improve vulnerability management program.

 

Final Thoughts

Security incidents will happen, but their impact can be greatly reduced with the right processes, tools, and discipline. By following a structured approach like the one outlined above, you can protect your organization, maintain trust, and continuously improve your security posture.

Stay proactive. Stay prepared. Incident response is not just a technical task it's a business-critical capability.

How to schedule Palo Alto Firewall config backups

 How to schedule daily config backups for Palo Alto Firewall

Login to the Palo Alto Firewall Web UI.

Navigate to Device > Setup > Operations.

Under the Configuration Management section:

 Click on Export named configuration snapshot to export a saved config.

    Or click on Export running configuration to export the current running config.

Method 2: Export Config Backup via CLI

sameer@mypanoramalin01> scp export configuration from running-config.xml to fwsftpuser@10.0.0.1:backup/
fwsftpuser@10.0.0.1's password:

running-config.xml      

[root@mypanoramalin01]# ls -lrt

total 224
-rw-r--r--. 1 fwsftpuser sftpusers 228436 Jul 22 12:52 running-config.xml

Use ingress to route web traffic to your Pods via services

 Basics:

The Purpose of a Service in Kubernetes and How It Differs from Ingress

In Kubernetes, a Service is used as an abstraction layer (load balancer) that has a set of pods in the backend and provides a stable endpoint for accessing them. The primary purpose of a service is to enable communication between different components within a Kubernetes cluster. A service allows other pods or external applications to interact with the pods in the backend, regardless of the pod’s individual IP addresses, which can change over time. By defining a service, you ensure that users or other services can consistently access a set of pods, providing load balancing and service discovery capabilities.

A Service in Kubernetes usually takes one of several forms, including ClusterIP (for internal access within the cluster), NodePort (exposes the service on a specific port on each node), and LoadBalancer (exposes the service externally via a load balancer). Services are essentially network resources that allow you to abstract the complexity of individual pods and ensure reliable communication.

Now an Ingress is a higher-level abstraction for managing external access to services in the cluster. While services help direct traffic within the cluster, Ingress defines how external HTTP(S) traffic should reach the right service based on defined rules. For example, an Ingress can direct traffic based on the URL or host, such as routing `shaiksameer.com/onlinecart` to one service and `shaiksameer.com/video` to another, making it a powerful tool for routing external traffic to internal services.

So services will route internal/Node traffic to Pods and Ingress will route external http/https traffic to services

Now, imagine we have two services that are each pointing to two different running pods. For instance, one service could point to an online shopping cart application running in one pod, while another service points to a video streaming application running in another pod. These services make it possible for traffic to be sent to the right application, with each service forwarding requests to its respective pods. However, the challenge comes when we want to expose these services to the outside world and manage how traffic is directed to them based on specific paths in the URL.

controlplane ~ ➜  k get svc -n web-app 
NAME                   TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
default-http-backend   ClusterIP   10.109.20.37     <none>        80/TCP     20m
video-service          ClusterIP   10.107.56.221    <none>        8080/TCP   20m
onlinecart-service     ClusterIP   10.102.149.138   <none>        8080/TCP   20m

In this scenario, we can use an Ingress Controller to manage external traffic routing. Instead of directly exposing the services via NodePorts or LoadBalancers, we can configure an Ingress resource to route traffic based on URL paths. For example, requests coming to `shaiksameer.com/onlinecart` could be routed to the service that handles the online shopping cart pod, while requests to `shaiksameer.com/video` would be directed to the service serving the video pod.

controlplane ~ ➜  k describe svc onlinecart-service -n web-app 
Name:                     onlinecart-service
Namespace:                web-app
Labels:                   <none>
Annotations:              <none>
Selector:                 app=webapp-onlinecart
Type:                     ClusterIP
IP Family Policy:         SingleStack
IP Families:              IPv4
IP:                       10.102.149.138
IPs:                      10.102.149.138
Port:                     <unset>  8080/TCP
TargetPort:               8080/TCP
Endpoints:                10.244.0.4:8080
Session Affinity:         None
Internal Traffic Policy:  Cluster
Events:                   <none>

To achieve this, we’ll first create an Ingress Controller, which will act as the entry point for incoming HTTP(S) traffic. The Ingress Controller will inspect the incoming request and, based on predefined rules, forward it to the correct service. These rules will use the URL path to make decisions, ensuring that traffic for `/onlinecart` goes to one service and traffic for `/video` goes to another. Once the traffic reaches the correct service, that service will then forward the request to the appropriate pod, ensuring the right application handles the request.

apiVersion: networking.k8s.io/v1

kind: Ingress

metadata:

  name: test-ingress

  annotations:

    nginx.ingress.kubernetes.io/rewrite-target: /

spec:

  ingressClassName: nginx-example

  rules:

  - http:

      paths:

      - path: /onlinecart

        pathType: Prefix

        backend:

          service:

            name: onlinecart-service

            port:

              number: 8080

      - path: /watch

        pathType: Prefix

        backend:

          service:

            name: video-service

            port:

              number: 8080

By using an Ingress, you can manage multiple services with a single external endpoint, making it easier to scale and maintain your Kubernetes applications. This setup also allows you to implement advanced routing logic, such as load balancing, SSL termination, and path-based routing, all of which are essential for managing complex, distributed applications efficiently in Kubernetes.

controlplane ~  k replace -f ingress.yml -n web-app 
ingress.networking.k8s.io/test-ingress replaced

Kubernetes create a Static Pod:

Kubernetes create a Static Pod:

cat my-static-pod.yaml

apiVersion: v1

kind: Pod

metadata:

  creationTimestamp: null

  labels:

    run: static-busybox

  name: static-busybox

spec:

  containers:

  - command:

     - sleep

     - "1000"

    image: busybox

    name: static-busybox

    resources: {}

  dnsPolicy: ClusterFirst

  restartPolicy: Always

status: {}

setup your local k8 environment with kubectl auto completion

 # set alias and make permanent

echo 'alias k=kubectl' >> ~/.bashrc

# add bash completion for kubectl
apt update && apt install -y bash-completion
echo 'source <(kubectl completion bash)' >> ~/.bashrc

# source the bash completion script 
echo 'source /usr/share/bash-completion/bash_completion' >> ~/.bashrc

# setup completion for kubectl
echo 'complete -o default -F __start_kubectl k' >> ~/.bashrc

# source our bashrc to use within the bash shell
source ~/.bashrc

Reference:

https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/#enable-kubectl-autocompletion