🚨 Security Incident Response Simulator

WIA-SEC-020: Interactive CSIRT Operations Platform

Incident Data Format (VERIS Schema)

The Vocabulary for Event Recording and Incident Sharing (VERIS) provides a standardized format for documenting security incidents.

Incident Structure

{
  "incident_id": "INC-2025-001234",
  "timestamp": "2025-12-25T14:30:00Z",
  "severity": "HIGH",
  "category": "DATA_BREACH",
  "status": "CONTAINED",
  "reporter": {
    "name": "John Smith",
    "email": "john.smith@company.com",
    "department": "IT Security"
  },
  "affected_assets": [
    {
      "asset_id": "DB-PROD-001",
      "asset_type": "database",
      "criticality": "critical",
      "impact": "confidentiality"
    }
  ],
  "attack_vector": {
    "vector": "WEB_APPLICATION",
    "technique": "SQL_INJECTION",
    "mitre_attack_id": "T1190"
  },
  "timeline": {
    "detection_time": "2025-12-25T14:15:00Z",
    "containment_time": "2025-12-25T14:45:00Z",
    "eradication_time": null,
    "recovery_time": null
  },
  "indicators_of_compromise": [
    {
      "type": "ip_address",
      "value": "192.168.1.100",
      "confidence": "high"
    },
    {
      "type": "file_hash",
      "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
      "algorithm": "SHA256"
    }
  ],
  "response_actions": [
    {
      "action": "NETWORK_ISOLATION",
      "timestamp": "2025-12-25T14:20:00Z",
      "executor": "auto-response-system",
      "status": "completed"
    }
  ]
}
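The record above is a static document. The following added example (not part of the original page or the platform's own code) checks that a record of this shape is internally consistent and derives response-time metrics from its timeline. The field names come from the record above; the validation rules (the severity vocabulary, the required phase ordering, and that a CONTAINED incident must carry a containment time) are assumptions.

```javascript
// Added example: consistency checks and timeline metrics for an incident record
// of the shape shown above. Field names follow the record; the rules are assumptions.

const REQUIRED_FIELDS = ["incident_id", "timestamp", "severity", "category", "status", "timeline"];
const SEVERITIES = ["LOW", "MEDIUM", "HIGH", "CRITICAL"];   // assumed vocabulary
// Timeline phases in the order they must occur.
const PHASE_ORDER = ["detection_time", "containment_time", "eradication_time", "recovery_time"];

// null for an absent phase, NaN for an unparseable timestamp, otherwise epoch milliseconds.
function parseTime(value) {
  if (value === null || value === undefined) return null;
  return Date.parse(value);
}

function validateIncident(incident) {
  const errors = [];
  for (const field of REQUIRED_FIELDS) {
    if (!(field in incident)) errors.push(`missing required field: ${field}`);
  }
  if (incident.severity !== undefined && !SEVERITIES.includes(incident.severity)) {
    errors.push(`unknown severity: ${incident.severity}`);
  }

  const timeline = incident.timeline || {};
  let previous = null;
  let previousName = null;
  for (const phase of PHASE_ORDER) {
    const t = parseTime(timeline[phase]);
    if (Number.isNaN(t)) { errors.push(`unparseable timestamp in ${phase}`); continue; }
    if (t === null) continue;            // later phases may legitimately still be null
    if (previous !== null && t < previous) errors.push(`${phase} precedes ${previousName}`);
    previous = t;
    previousName = phase;
  }

  // A record marked CONTAINED must say when containment happened.
  if (incident.status === "CONTAINED" && parseTime(timeline.containment_time) === null) {
    errors.push("status is CONTAINED but containment_time is null");
  }
  return { valid: errors.length === 0, errors };
}

// Minutes between two timeline events, or null when the later one has not happened yet.
function minutesBetween(timeline, from, to) {
  const a = parseTime(timeline[from]);
  const b = parseTime(timeline[to]);
  if (a === null || b === null || Number.isNaN(a) || Number.isNaN(b)) return null;
  return (b - a) / 60000;
}

// Time to contain, eradicate and recover, each measured from detection.
function incidentMetrics(incident) {
  const tl = incident.timeline;
  return {
    minutesToContain: minutesBetween(tl, "detection_time", "containment_time"),
    minutesToEradicate: minutesBetween(tl, "detection_time", "eradication_time"),
    minutesToRecover: minutesBetween(tl, "detection_time", "recovery_time"),
  };
}

// Constructed sample mirroring the record above (reporter, assets and IoCs omitted).
const sampleIncident = {
  incident_id: "INC-2025-001234",
  timestamp: "2025-12-25T14:30:00Z",
  severity: "HIGH",
  category: "DATA_BREACH",
  status: "CONTAINED",
  timeline: {
    detection_time: "2025-12-25T14:15:00Z",
    containment_time: "2025-12-25T14:45:00Z",
    eradication_time: null,
    recovery_time: null,
  },
};

console.log(validateIncident(sampleIncident));   // { valid: true, errors: [] }
console.log(incidentMetrics(sampleIncident));    // minutesToContain: 30, the rest null
```

The phase-ordering check matters in practice: a containment time earlier than the detection time usually means a clock or time-zone problem in the tooling that produced the record, and such records skew the MTTD/MTTC figures a dashboard reports.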

Incident Detection Algorithms

Algorithms for detecting and classifying security incidents through statistical anomaly detection and ATT&CK indicator matching.

Anomaly Detection - Z-Score Analysis

// Z-Score Anomaly Detection
function detectAnomaly(dataPoints, threshold = 3) {
  if (dataPoints.length === 0) return [];

  // Population mean and standard deviation of the series
  const mean = dataPoints.reduce((a, b) => a + b, 0) / dataPoints.length;
  const variance = dataPoints.reduce((a, b) => a + Math.pow(b - mean, 2), 0) / dataPoints.length;
  const stdDev = Math.sqrt(variance);

  return dataPoints.map((value, index) => {
    // A constant series has no spread; report every point as normal instead of dividing by zero
    const zScore = stdDev === 0 ? 0 : (value - mean) / stdDev;
    const magnitude = Math.abs(zScore);
    return {
      index,
      value,
      zScore: Number(zScore.toFixed(2)),
      isAnomaly: magnitude > threshold,
      // Severity bands follow the configured threshold (CRITICAL above threshold + 1, HIGH above threshold)
      severity: magnitude > threshold + 1 ? 'CRITICAL' : magnitude > threshold ? 'HIGH' : 'NORMAL'
    };
  });
}
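The mean and standard deviation used above are themselves pulled by the outliers they are meant to find: a couple of large spikes inflate stdDev enough that their own z-scores fall under 3. The added example below (not from the original page) is a robust variant built on the median and the median absolute deviation (MAD), which a handful of extreme points cannot move. The sample data is constructed; with it, the classic detector gives the two spikes z-scores of roughly 2.5 and 2.0 and misses both, while the robust detector flags exactly those two.

```javascript
// Added example: robust z-score using median and MAD instead of mean and standard deviation.
// Same input/output shape as detectAnomaly above; sample data below is constructed.

function median(values) {
  const sorted = [...values].sort((a, b) => a - b);
  const mid = Math.floor(sorted.length / 2);
  return sorted.length % 2 === 0 ? (sorted[mid - 1] + sorted[mid]) / 2 : sorted[mid];
}

// Scales the MAD so it matches the standard deviation of normally distributed data.
const MAD_TO_SIGMA = 1.4826;

function detectAnomalyRobust(dataPoints, threshold = 3) {
  if (dataPoints.length === 0) return [];
  const med = median(dataPoints);
  const mad = median(dataPoints.map(v => Math.abs(v - med)));
  const scale = mad * MAD_TO_SIGMA;

  return dataPoints.map((value, index) => {
    // If more than half the points equal the median, the MAD is 0: anything off the median is anomalous.
    let robustZ;
    if (scale === 0) robustZ = value === med ? 0 : Infinity;
    else robustZ = (value - med) / scale;
    const magnitude = Math.abs(robustZ);
    return {
      index,
      value,
      robustZ: Number.isFinite(robustZ) ? Number(robustZ.toFixed(2)) : robustZ,
      isAnomaly: magnitude > threshold,
    };
  });
}

// Indices the robust detector flags, for quick comparison with the classic one.
function anomalousIndices(dataPoints, threshold = 3) {
  return detectAnomalyRobust(dataPoints, threshold).filter(r => r.isAnomaly).map(r => r.index);
}

// Constructed: failed logins per hour for one account, with bursts in hours 7 and 11.
// Classic z-score: mean ~29.4, stdDev ~61, so the spikes score only ~2.5 and ~2.0.
// Robust z-score: median 2.5, MAD 0.5, so the spikes score in the hundreds.
const failedLoginsPerHour = [2, 3, 1, 2, 4, 2, 3, 180, 2, 1, 3, 150];

console.log(anomalousIndices(failedLoginsPerHour));   // [ 7, 11 ]
```

The trade-off is sensitivity in the other direction: on a series where more than half the values are identical, the MAD collapses to zero and any deviation is flagged, so the detector should be paired with a minimum absolute change for low-volume signals.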

Pattern Matching - MITRE ATT&CK

// MITRE ATT&CK Pattern Matcher
const attackPatterns = {
  T1190: {
    name: "Exploit Public-Facing Application",
    tactics: ["initial-access"],
    indicators: ["sql_injection", "xss", "rce"]
  },
  T1059: {
    name: "Command and Scripting Interpreter",
    tactics: ["execution"],
    indicators: ["powershell", "cmd", "bash"]
  },
  T1566: {
    name: "Phishing",
    tactics: ["initial-access"],
    indicators: ["suspicious_email", "malicious_attachment"]
  }
};

// Returns the technique whose indicator list best explains the observed indicators,
// or null when none match. Confidence is the share of that technique's indicators observed.
function identifyTechnique(observedIndicators) {
  const observed = [...new Set(observedIndicators)];   // duplicates must not inflate confidence
  let best = null;
  for (const [techniqueId, pattern] of Object.entries(attackPatterns)) {
    const matches = observed.filter(ind => pattern.indicators.includes(ind));
    if (matches.length === 0) continue;
    const candidate = {
      technique: techniqueId,
      name: pattern.name,
      tactics: pattern.tactics,
      confidence: (matches.length / pattern.indicators.length) * 100,
      matched_indicators: matches
    };
    // Keep the highest-confidence match rather than the first technique encountered
    if (best === null || candidate.confidence > best.confidence) best = candidate;
  }
  return best;
}

Incident Response Protocol (NIST 6-Phase)

Follow the NIST SP 800-61 incident response lifecycle for systematic incident management.

Phase 1: Preparation

Establish incident response capability, train personnel, and prepare tools and resources.

  • Deploy monitoring systems (SIEM, IDS/IPS)
  • Create incident response playbooks
  • Conduct tabletop exercises

Phase 2: Detection & Analysis

Identify and validate potential security incidents through alerts and analysis.

  • Monitor security alerts from SIEM
  • Analyze logs and network traffic
  • Determine incident scope and severity
  • Document initial findings

Phase 3: Containment

Limit the damage and prevent the incident from spreading.

  • Short-term containment: Isolate affected systems
  • Long-term containment: Apply patches, rebuild systems
  • Preserve evidence for forensics

Phase 4: Eradication

Remove the threat from the environment.

  • Identify and remove malware
  • Close attack vectors
  • Disable compromised accounts
  • Apply security patches

Phase 5: Recovery

Restore systems to normal operations.

  • Restore from clean backups
  • Rebuild compromised systems
  • Reset credentials
  • Enable enhanced monitoring

Phase 6: Post-Incident Activity

Learn from the incident and improve defenses.

  • Conduct a lessons-learned meeting
  • Document incident timeline
  • Update response procedures
  • Implement preventive measures

SIEM Integration & Event Correlation

Integrate with Security Information and Event Management systems for centralized incident detection and response.

Sample SIEM Event (CEF Format)

CEF:0|WIA-Security|IDS|1.0|100|Suspicious Login Attempt|8| src=192.168.1.100 spt=54321 dst=10.0.0.50 dpt=22 proto=TCP act=blocked cs1Label=MITRE_Technique cs1=T1078 msg=Multiple failed SSH login attempts detected
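A CEF record has a fixed seven-field header (CEF version, vendor, product, version, signature ID, name, severity) separated by pipes, followed by a free-form extension of key=value pairs in which values may contain spaces. Pipes and backslashes are escaped in the header, and equals signs and backslashes in the extension. The parser below is an added example (not the page's own "CEF Log Parser" widget or the platform's code) that handles those escapes and validates the 0..10 severity range; the sample line is the one shown above.

```javascript
// Added example: a CEF parser for lines like the sample above. Escaping rules follow the
// CEF specification (header: \| and \\ ; extension: \= , \\ , \n , \r).

// Split the seven header fields on unescaped '|' and return the remainder as the extension.
function splitCefHeader(line) {
  const fields = [];
  let current = "";
  let i = 0;
  while (i < line.length && fields.length < 7) {
    const ch = line[i];
    if (ch === "\\" && i + 1 < line.length) {   // escaped character: keep it literally
      current += line[i + 1];
      i += 2;
      continue;
    }
    if (ch === "|") { fields.push(current); current = ""; i++; continue; }
    current += ch;
    i++;
  }
  return { fields, extension: line.slice(i) };
}

// Undo extension escapes; unknown escapes just drop the backslash.
function unescapeExtensionValue(value) {
  return value.replace(/\\(.)/g, (_, c) => (c === "n" ? "\n" : c === "r" ? "\r" : c));
}

// Extension values may contain spaces, keys may not: the text between two unescaped '='
// is "<value of previous key> <next key>", split at its last space.
function parseCefExtension(extension) {
  const fields = {};
  if (extension.length === 0) return fields;
  const parts = extension.split(/(?<!\\)=/);     // '=' not preceded by a backslash
  let key = parts[0].trim();
  for (let i = 1; i < parts.length; i++) {
    const part = parts[i];
    if (i === parts.length - 1) {
      fields[key] = unescapeExtensionValue(part.trim());
    } else {
      const cut = part.lastIndexOf(" ");
      fields[key] = unescapeExtensionValue(cut === -1 ? "" : part.slice(0, cut).trim());
      key = cut === -1 ? part : part.slice(cut + 1);
    }
  }
  return fields;
}

function parseCef(line) {
  const { fields, extension } = splitCefHeader(line.trim());
  if (fields.length !== 7 || !/^CEF:\d+$/.test(fields[0])) {
    throw new Error("not a valid CEF record: expected 'CEF:<version>' and seven header fields");
  }
  const [prefix, vendor, product, version, signatureId, name, severity] = fields;
  const sev = Number(severity);
  if (!Number.isInteger(sev) || sev < 0 || sev > 10) throw new Error(`invalid CEF severity: ${severity}`);
  return {
    cefVersion: Number(prefix.slice(4)),
    vendor, product, version, signatureId, name,
    severity: sev,
    extension: parseCefExtension(extension.trim()),
  };
}

// The sample event from the page.
const SAMPLE_CEF = "CEF:0|WIA-Security|IDS|1.0|100|Suspicious Login Attempt|8| src=192.168.1.100 spt=54321 " +
  "dst=10.0.0.50 dpt=22 proto=TCP act=blocked cs1Label=MITRE_Technique cs1=T1078 " +
  "msg=Multiple failed SSH login attempts detected";

console.log(parseCef(SAMPLE_CEF));   // severity 8, extension.cs1 "T1078", extension.msg "Multiple failed ..."
```

Rejecting malformed headers rather than best-effort parsing them is deliberate: a log source that can inject extra pipes or a non-numeric severity into a record could otherwise shift fields and make a high-severity event appear benign to downstream correlation.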

Event Correlation Rules

// Correlation Rule: Detect Brute Force Attack
rule BruteForceDetection {
  condition:
    count(events) > 10
    where event.type == "authentication_failure"
      and event.source_ip == same_value
      and timespan(events) < 5 minutes
  actions:
    - create_incident(severity: HIGH)
    - block_ip(event.source_ip)
    - notify_team(channel: "#security-alerts")
}

// Correlation Rule: Detect Lateral Movement
rule LateralMovementDetection {
  condition:
    sequence:
      1. successful_authentication
      2. unusual_service_access within 10 minutes
      3. file_access on different_host within 10 minutes
  actions:
    - create_incident(severity: CRITICAL)
    - isolate_host(event.host)
    - trigger_forensics()
}
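The rules above are written in a correlation DSL; the added example below (not the page's or the platform's code) implements the BruteForceDetection rule as a sliding-window counter over a stream of authentication events, so the "more than 10 failures from one source within 5 minutes" condition can be seen working on data. The event field names (type, source_ip, user, timestamp) and the sample events are assumptions constructed for the example; the lateral-movement sequence rule is not implemented here.

```javascript
// Added example: the BruteForceDetection rule as a per-source sliding window.
// Thresholds follow the rule above; event field names and sample data are constructed.

const WINDOW_MS = 5 * 60 * 1000;
const FAILURE_THRESHOLD = 10;

// Returns one incident per source IP, raised the first time its failure count inside any
// windowMs interval exceeds the threshold. Events may arrive out of order, so sort first.
function detectBruteForce(events, windowMs = WINDOW_MS, threshold = FAILURE_THRESHOLD) {
  const failures = events
    .filter(e => e.type === "authentication_failure")
    .map(e => ({ ...e, ts: Date.parse(e.timestamp) }))
    .sort((a, b) => a.ts - b.ts);

  const windows = new Map();   // source_ip -> timestamps of failures still inside the window
  const alerted = new Set();
  const incidents = [];

  for (const e of failures) {
    const w = windows.get(e.source_ip) || [];
    w.push(e.ts);
    // Expire failures that are windowMs or older relative to the newest one.
    while (w.length && e.ts - w[0] >= windowMs) w.shift();
    windows.set(e.source_ip, w);

    if (w.length > threshold && !alerted.has(e.source_ip)) {
      alerted.add(e.source_ip);
      incidents.push({
        severity: "HIGH",
        source_ip: e.source_ip,
        failure_count: w.length,
        window_start: new Date(w[0]).toISOString(),
        window_end: new Date(e.ts).toISOString(),
        // The rule's actions, recorded for the incident rather than executed here.
        actions: ["create_incident(severity: HIGH)", `block_ip(${e.source_ip})`,
                  "notify_team(channel: #security-alerts)"],
      });
    }
  }
  return incidents;
}

// Constructed events: 12 failures from one source within 90 seconds (should trigger),
// 11 failures from another spread over 20 minutes (never more than 10 in any 5-minute
// window, should not trigger), and one success that the rule ignores.
function buildSampleEvents() {
  const base = Date.parse("2025-12-25T14:00:00Z");
  const events = [];
  for (let i = 0; i < 12; i++) {
    events.push({ type: "authentication_failure", source_ip: "192.168.1.100", user: "admin",
                  timestamp: new Date(base + i * 7500).toISOString() });
  }
  for (let i = 0; i < 11; i++) {
    events.push({ type: "authentication_failure", source_ip: "10.0.0.23", user: "svc_backup",
                  timestamp: new Date(base + i * 120000).toISOString() });
  }
  events.push({ type: "authentication_success", source_ip: "10.0.0.23", user: "svc_backup",
                timestamp: new Date(base + 25 * 60000).toISOString() });
  return events;
}

console.log(detectBruteForce(buildSampleEvents()));
// one incident: source_ip 192.168.1.100, failure_count 11, window of about 75 seconds
```

The sliding window is what distinguishes this from a simple count per fixed 5-minute bucket: a burst straddling a bucket boundary would split into two sub-threshold halves and evade a bucketed rule, whereas the window above sees it whole.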

Incident Verification & Chain of Custody

Ensure evidence integrity and maintain cryptographic proof of incident handling.

Digital Evidence Verification

// Evidence Record with Digital Signature
{
  "evidence_id": "EVD-2025-001234-001",
  "incident_id": "INC-2025-001234",
  "type": "DISK_IMAGE",
  "description": "Forensic disk image of compromised server",
  "collected_by": "John Smith (CSIRT)",
  "collection_timestamp": "2025-12-25T15:00:00Z",
  "file_hash": {
    "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "md5": "d41d8cd98f00b204e9800998ecf8427e"
  },
  "chain_of_custody": [
    {
      "timestamp": "2025-12-25T15:00:00Z",
      "custodian": "John Smith",
      "action": "COLLECTED",
      "location": "Server Room A",
      "signature": "0x1a2b3c4d..."
    },
    {
      "timestamp": "2025-12-25T15:30:00Z",
      "custodian": "Evidence Locker",
      "action": "STORED",
      "location": "Secure Storage Facility",
      "signature": "0x5e6f7g8h..."
    }
  ],
  "verification": {
    "verified_by": "WIA-SEC-020",
    "verification_time": "2025-12-25T16:00:00Z",
    "integrity_status": "INTACT",
    "blockchain_anchor": "0xabc123...",
    "qr_code": "data:image/png;base64,iVBOR..."
  }
}

Cryptographic Verification

// Hash Verification Algorithm
const crypto = require('crypto');

// SHA-256 of the evidence bytes as lowercase hex
function calculateSHA256(evidenceFile) {
  return crypto.createHash('sha256').update(evidenceFile).digest('hex');
}

function verifyEvidenceIntegrity(evidenceFile, expectedHash) {
  // Calculate current hash
  const currentHash = calculateSHA256(evidenceFile);

  // Compare with expected hash (normalised to lowercase so hex case alone is never reported as tampering)
  const isValid = currentHash === expectedHash.toLowerCase();

  // Log verification
  const verification = {
    timestamp: new Date().toISOString(),
    expected_hash: expectedHash,
    actual_hash: currentHash,
    status: isValid ? "VERIFIED" : "TAMPERED",
    verifier: "WIA-SEC-020 Evidence System"
  };

  // Record on blockchain for immutability
  // (recordOnBlockchain and alertSecurityTeam are integration hooks provided by the platform)
  if (isValid) {
    recordOnBlockchain(verification);
  } else {
    alertSecurityTeam("Evidence tampering detected!");
  }

  return verification;
}