diff --git a/src/config/SUMMARY.md.develop b/src/config/SUMMARY.md.develop index 1d27699e..4ffd712f 100644 --- a/src/config/SUMMARY.md.develop +++ b/src/config/SUMMARY.md.develop @@ -74,6 +74,7 @@ - [Lessons Learned](./incident-management/lessons-learned.md) - [Playbooks](./incident-management/playbooks.md) - [SEAL 911 War Room Guidelines](./incident-management/seal-911-war-room-guidelines.md) + - [Decentralized Incident Response Framework (DeIRF)](./incident-management/decentralized-ir.md) - [Threat Modeling](./threat-modeling/README.md) - [Create and Maintain Threat Models](./threat-modeling/create-maintain-threat-models.md) - [Identity Mitigate Threats](./threat-modeling/identity-mitigate-threats.md) diff --git a/src/incident-management/decentralized-ir.md b/src/incident-management/decentralized-ir.md new file mode 100644 index 00000000..f69db81b --- /dev/null +++ b/src/incident-management/decentralized-ir.md @@ -0,0 +1,140 @@ +--- +tags: + - Security Specialist + - Operations & Strategy + - Devops + - SRE +contributors: + - role: wrote + users: [relotnek] +--- + +# Decentralized Incident Response Framework (DeIRF) + +A lightweight, end-to-end scaffold for security teams that work without a single authority. +Use it as a menu, not a mandate. + + +# 1. Guiding Principles + +| Principle | What it means in practice | +|-----------|---------------------------| +| **Zero-trust by default** | Assume every identity, device, and network path is potentially hostile. | +| **Shared responsibility** | Any responder can start an action if quorum rules are met. | +| **Minimum viable process** | Fewer steps, fewer blockers, faster containment. | +| **Open tooling** | Prefer transparent, auditable, community-maintained tools. | +| **Identity plurality** | Accept multiple forms of strong identity proof. | +| **Evidence first** | Collect before you change anything. | +| **Continuous learning** | Retrospective after every incident and drill. | + +--- + +# 2. Roles and Identities + +| Role | Key duties | Identity options (at least two) | +|------|-----------|----------------------------------| +| **First Reporter** | Sounds the alarm and starts evidence capture. | GPG key, DID, or multisig wallet signature | +| **Triage Lead** | Confirms severity, forms a swarm, assigns tasks. | FIDO2 passkey, GPG, signed Matrix handle | +| **Comms Lead** | Handles community and regulator updates. | Company issued OIDC, Lens profile | +| **Containment Lead** | Executes on chain actions or host isolation. | Multisig signer, SSH CA cert | +| **Recorder** | Maintains the timeline in an immutable log. | GPG key, signed git commit | + +> **Tip**: Publish a public mapping of handles to real names and keep it in a tamper evident repo. + +--- + +# 3. Preparation Checklist + +| Item | Why it matters | Suggested tools | +|------|----------------|-----------------| +| Asset inventory (code, infra, keys) | You cannot protect what you do not know. | ConfigDB + IaC scans, Sheet/CSV | +| Log pipeline with reliable clock | Forensic accuracy and ordering. | Vector + Loki or OpenSearch, Elasticsearch, RunReveal | +| Secure comms channels | Quick swarm with strong auth. | Matrix + E2EE, Signal groups, Wire | +| Evidence bucket (write-once) | Keeps raw data safe. | S3 object-lock, Storj, or IPFS | +| Automated alert rules | Detect known bad patterns. | On chain monitors, Falco, OpenZeppelin Defender, Slackbot | +| Drill schedule | Muscle memory beats panic. | Calendar invites, gamedays, CTF | + +--- + +# 4. Detection and Triage Flow + +1. **Alert fires or user reports an issue.** +2. **First Reporter** opens a ticket in the transparent issue tracker (GitHub security advisory or private GitLab issue). +3. **Triage Lead** checks severity matrix. +4. If **P1**, spin up a temporary incident channel with a predefined template. +5. Assign Leads and set T-minus deadlines. + +| Pros | Cons | +|------|------| +| Fast and clear ownership | Relies on people in multiple time zones being awake | +| Public log builds trust | Attackers also watch public data if over-shared | + +--- + +# 5. Containment Options + +| Method | When to use | Pros | Cons | +|--------|-------------|------|------| +| **Smart contract pause / circuit breaker** | Critical on-chain bug | Stops further damage instantly | Requires a pre-coded pause function and multisig | +| **Multisig treasury freeze** | Key compromise or theft | No central keyholder | Coordination overhead | +| **Host or pod quarantine** | Off-chain infra breach | Isolates without full shutdown | Needs orchestration rights | +| **DNS or CDN reroute** | Phishing or DDoS | Quick traffic shift | May break some services | + +Keep a one-liner command ready for each action and store it in the runbook. + +--- + +# 6. Eradication and Recovery + +1. Patch or replace vulnerable code. +2. Peer review with at least two signers. +3. Deploy to staging with replay of attack scenario. +4. Roll forward to production by multisig or automated pipeline. +5. Verify by monitoring metrics and logs for stability. + +| Automation hint | Keep it simple | +|-----------------|----------------| +| GitHub Actions, ArgoCD, and Defender Autotasks are popular. | Always include a manual approval gate in case of false positives. | + +--- + +# 7. Post-Incident Actions + +| Step | Purpose | Tool Example | +|------|---------|-------------| +| **Retrospective within 72 h** | Capture lessons before they fade. | Miro board, Markdown doc in repo | +| **Update runbooks and detection rules** | Prevent repeat events. | Docs-as-code PR | +| **Reward community reporters** | Encourage transparency. | Bug bounty payouts, incentive model | +| **Public disclosure** | Build long-term trust. | Blog post plus on-chain message | + +--- + +# 8. Quick-Start Templates + +| Need | Template location | +|------|-------------------| +| Incident channel message | /templates/incident-kickoff.md | +| Retrospective form | /templates/retro-form.md | + +--- + +# 9. Pros and Cons of Decentralized IR + +| Aspect | Pros | Cons | +|--------|------|------| +| **No single point of failure** | Resilience if one keyholder is offline. | Slower consensus for urgent actions. | +| **Community trust** | Transparent logs and multisig votes. | Public scrutiny can amplify panic. | +| **Open tools** | Low cost, auditable, extensible. | Less vendor support, more DIY. | +| **Identity plurality** | Flexibility for global teams. | Complex to manage revocation and role drift. | + +--- + +# 10. Keep It Alive + +- Run quarterly red team drills. +- Rotate secrets on a fixed cadence. +- Review identity proofs every six months. +- Measure mean time to detect and contain. +- Iterate on this framework during each retrospective. + +> **Remember**: Simplicity plus strong fundamentals beat heavy processes every time. diff --git a/src/incident-management/templates/incident-kickoff.md b/src/incident-management/templates/incident-kickoff.md new file mode 100644 index 00000000..bb04d6af --- /dev/null +++ b/src/incident-management/templates/incident-kickoff.md @@ -0,0 +1,28 @@ +**Incident ID:** +**Date (UTC):** +**Initial Severity:** +**Current Status:** Open + +## Summary +One-sentence description of the issue + +## Leads +- **Triage Lead:** @handle +- **Containment Lead:** @handle +- **Comms Lead:** @handle +- **Recorder:** @handle + +## Key Links +- Timeline doc: +- Evidence bucket: +- Severity matrix entry: + +## Immediate Actions +1. +2. + +## Next Checkpoint +- **When:** +- **Where:** + +> This thread is the single source of truth. Keep replies factual and action-oriented. diff --git a/src/incident-management/templates/retro-form.md b/src/incident-management/templates/retro-form.md new file mode 100644 index 00000000..6f589a36 --- /dev/null +++ b/src/incident-management/templates/retro-form.md @@ -0,0 +1,34 @@ +**Incident ID:** +**Date Closed:** +**Severity:** + +## 1. What Happened +Brief timeline highlights + +## 2. Root Cause +Single clear statement + +## 3. What Went Well +- + +## 4. What Needs Improvement +- + +## 5. Action Items + +| Owner | Task | Due date | Status | +|-------|------|----------|--------| + +## 6. Metrics + +| Metric | Target | Actual | +|--------|--------|--------| +| Time to detect | | | +| Time to contain | | | +| Time to recover | | | + +## 7. Lessons Learned +Bullet summaries for the wiki + +## 8. Follow Up Verification +Date to review action item completion: