Security Governance and Incident Response Framework
Security Documentation Hierarchy
Security Policy
A security policy is a high-level document that defines an organization's security objectives and the rules that users and administrators must follow to protect systems, data, and networks. It establishes the overall direction for how security should be managed and what is considered acceptable behavior within the environment. A policy ensures that everyone understands their responsibilities and aligns their actions with the organization's security goals.
Standards
Standards translate the policy into specific technical requirements that maintain consistency across the organization. They outline the technologies, configurations, and criteria that systems, applications, and users must follow. By defining these precise technical expectations, standards ensure uniformity and support the secure operation of the network.
Guidelines
Guidelines provide flexible recommendations that help improve efficiency and security without being mandatory. They are meant to support standards by explaining how they should be developed and applied while ensuring alignment with the overall policy. Guidelines offer best practices and suggestions that help users and administrators make better security decisions.
Procedures
A procedure is a detailed, step-by-step document explaining exactly how to carry out a specific task. It is more comprehensive than standards or guidelines because it includes implementation details, instructions, and sometimes diagrams. Procedures ensure that tasks are performed correctly and consistently across the organization.
Password Management Example
For example, a password policy states that passwords must be strong and changed regularly, while the standard sets specific rules such as requiring at least twelve characters with mixed complexity. Guidelines suggest using passphrases and avoiding sharing passwords, and the procedure explains the steps to change a password through the account settings interface.
A practical standard might require sixteen characters with at least one uppercase letter, one lowercase letter, one number, and one special character. To create a passphrase following guidelines, you might combine elements like a drink you love such as "I love matcha", a place you go like "Aqaba", your lucky number like "364", and a special character like "#" to create the passphrase #ILoveMatcha364AqabaAmman. The procedure would walk through opening Outlook, accessing settings, and changing the password step by step.
The hierarchy flows from policy at the high level providing direction, to standards defining technical details, to guidelines offering advice, to procedures giving detailed step-by-step instructions.
NIST SP 800-61r2 Incident Response Lifecycle
Preparation
Preparation is about getting your tools, people, and processes ready before any incident happens. This includes playbooks, access to logs, security tools, communication channels, and training. For example, a company configures SIEM use cases, trains SOC analysts, and performs phishing tabletop exercises. They also ensure backups are tested and endpoint agents are deployed everywhere. This phase ensures the team can act quickly when something happens.
Detection and Analysis
This phase focuses on identifying suspicious activity and determining whether it is actually an incident. Analysts monitor alerts, correlate logs, and validate if the behavior is malicious. For example, a SOC receives an alert that WINWORD.exe spawned powershell.exe with encoded commands. They check EDR telemetry, user reports, and threat intel to confirm it's a malicious macro execution. Once confirmed, they classify severity and start documentation.
Containment
Containment aims to stop the attack from spreading while keeping business disruption minimal. This includes short-term and long-term containment actions. For example, the team isolates the infected workstation from the network while keeping disk intact. They also block malicious domains in DNS and disable the compromised account. The goal is to stop the attacker's movement while preserving evidence.
Eradication
Eradication removes the attacker's presence and any malicious artifacts from the environment. This includes deleting malware, killing persistence, and patching vulnerabilities. For example, analysts remove scheduled tasks created by the malware, clean registry keys, and uninstall dangerous extensions. The vulnerable Office macro template is replaced or patched. This ensures the threat is fully removed before restoring operations.
Recovery
Recovery focuses on safely bringing systems back into production after eradication. This includes monitoring systems to ensure the attacker doesn't return. For example, the SOC reimages the workstation, re-joins it to the domain, and restores data from clean backups. They increase logging temporarily to watch for reinfection. Business operations resume once validation is complete.
Post-Incident Activity (Lessons Learned)
This phase improves the organization based on what went well and what failed during the incident. Teams meet, analyze gaps, and update procedures and controls. For example, they discover logging coverage was missing on several laptops and update deployment scripts. Playbooks get refined and new detection rules are created. A final report is produced to strengthen future response.
NIST Cybersecurity Framework (CSF) 2.0 Functions
Govern
Govern focuses on setting policies, assigning responsibilities, and defining risk management expectations. An organization establishes a cybersecurity charter, assigns a CISO, and defines reporting lines. For example, the board mandates MFA everywhere and requires quarterly risk assessments. Governance also ensures third-party risk controls and legal requirements are documented. This phase sets the foundation for all cybersecurity work.
Identify
Identify aims to understand the organization's assets, risks, and business environment. Teams inventory devices, map business processes, and identify critical systems like ERP, EHR, or payment platforms. For example, a hospital maps its MRI systems and patient record servers as high-impact assets. They evaluate threats like ransomware affecting clinical operations. This phase ensures you know what must be protected before incidents occur.
Protect
Protect includes the controls and safeguards applied to reduce the likelihood or impact of an incident. This includes access control, secure configuration, backups, and user training. For example, a company deploys EDR, enforces least privilege, runs regular patching, and educates users on phishing. Firewalls and data encryption are also implemented. These protections limit attacker success even if a threat appears.
Detect
Detect focuses on identifying abnormal or malicious activity quickly and accurately. This includes logging, continuous monitoring, and use-case development. For example, the SOC detects unusual RDP attempts, suspicious PowerShell execution, or abnormal data transfer. SIEM correlation rules trigger alerts when lsass.exe is accessed unexpectedly. Fast detection reduces the attacker's dwell time and limits damage.
Respond
Respond involves taking action after an incident is detected to contain and mitigate its impact. This includes communication, analysis, and coordinated response plans. For example, the SOC isolates a compromised server, resets accounts, blocks C2 domains, and notifies leadership. IR teams follow playbooks and use ticketing to coordinate actions. The goal is to limit spread and restore control.
Recover
Recover focuses on restoring normal business operations and learning from the incident. This includes system restoration, validation, and user communication. For example, IT restores servers from clean backups, validates integrity, and brings applications back online. They monitor for re-infection and increase log visibility temporarily. Afterward, lessons learned feed back into governance and Identify/Protect improvements.
Privileged Access Management Architecture
Jump Server Infrastructure
Organizations implement jump servers for secure privileged access management. Jump Server soc-01 operates as an internal server at 10.3.4.5 with privileged user account access for SIEM monitoring. Jump Server soc-02 runs at 10.3.4.6 also with privileged user account access for SIEM monitoring. Jump Server soc-03 operates at 10.3.4.7 with privileged admin account access for SIEM management.
PAM software manages access through username, password, and MFA using OTP or authentication apps to enforce security controls.
Zero Trust Principles
The Zero Trust model operates on three core principles. Least Privilege ensures users and systems have only the minimum access necessary. Verify Explicitly means always authenticating and authorizing based on all available data points. Assume Breach operates under the assumption that attackers are already present, requiring constant validation and monitoring.
Process Access Detection
Detection rules can identify suspicious process access patterns. A rule checking for unauthorized access to lsass.exe might look for scenarios where the ParentProcess is not equal to "inituser.exe" AND EventCode equals 10 AND ChildProcess equals "lsass.exe". This detects potential credential dumping attempts.
On Windows systems with Sysmon logging enabled, EventCode 10 records one process accessing another, subject to the Sysmon configuration. EventCode 1 records process creation, that is, an application being run. For example, cmd.exe might have one parent process and one child process, calc.exe might have one parent and spawn ten child processes, and a suspicious executable like fun.xyz might show unusual parent-child relationships.
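The lsass.exe rule and the parent/child view from the two paragraphs above, as an added example that is not part of the original notes. It runs over constructed Sysmon-style records and keeps the notes' field names (EventCode, ParentProcess, ChildProcess); real Sysmon Event ID 10 records carry SourceImage and TargetImage, so map those fields first when reading actual logs.

```python
# Added example: evaluate the lsass.exe access rule from the notes over constructed
# Sysmon-style events, and count process-creation children per parent.
from collections import Counter

# Constructed sample telemetry: EventCode 10 = process access, EventCode 1 = process creation.
SAMPLE_EVENTS = [
    {"EventCode": 10, "ParentProcess": "inituser.exe", "ChildProcess": "lsass.exe", "Host": "Po-PC-29"},
    {"EventCode": 10, "ParentProcess": "fun.xyz", "ChildProcess": "lsass.exe", "Host": "Po-PC-29"},
    {"EventCode": 10, "ParentProcess": "updater.tmp", "ChildProcess": "lsass.exe", "Host": "Po-PC-30"},
    {"EventCode": 10, "ParentProcess": "fun.xyz", "ChildProcess": "notepad.exe", "Host": "Po-PC-29"},
    {"EventCode": 1, "ParentProcess": "explorer.exe", "ChildProcess": "cmd.exe", "Host": "Po-PC-29"},
    {"EventCode": 1, "ParentProcess": "cmd.exe", "ChildProcess": "calc.exe", "Host": "Po-PC-29"},
    {"EventCode": 1, "ParentProcess": "calc.exe", "ChildProcess": "fun.xyz", "Host": "Po-PC-29"},
    {"EventCode": 1, "ParentProcess": "fun.xyz", "ChildProcess": "powershell.exe", "Host": "Po-PC-29"},
]

# Parents the notes treat as legitimate lsass accessors (inituser.exe is the notes' own example).
LSASS_ALLOWLIST = {"inituser.exe"}

def is_suspicious_lsass_access(event):
    """The rule from the notes: EventCode == 10 AND ChildProcess == lsass.exe AND parent not allowlisted."""
    return (
        event["EventCode"] == 10
        and event["ChildProcess"].lower() == "lsass.exe"
        and event["ParentProcess"].lower() not in LSASS_ALLOWLIST
    )

def find_lsass_alerts(events):
    """Return (host, parent) pairs that matched the rule, in log order."""
    return [(e["Host"], e["ParentProcess"]) for e in events if is_suspicious_lsass_access(e)]

def child_counts(events):
    """Count EventCode 1 children per parent: the parent/child view described in the notes."""
    return Counter(e["ParentProcess"] for e in events if e["EventCode"] == 1)

if __name__ == "__main__":
    for host, parent in find_lsass_alerts(SAMPLE_EVENTS):
        print(f"ALERT {host}: {parent} accessed lsass.exe")
    print(dict(child_counts(SAMPLE_EVENTS)))
```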
PCI DSS Compliance Scope
Point of Sale (POS) systems handle card insertion, with transaction data flowing from the POS to the banking database, on to other machines, and back to the POS. All machines within the same zone or subnet as a machine within the PCI DSS scope should be included in compliance requirements and must apply encryption to protect cardholder data.
Multi-Tenant Customer Management
Security operations platforms manage multiple customers with different priority levels. For Company Potato, semo@Potato.com is designated as high priority CyberSec Engineer, zaid@Potato.com as critical priority CyberSec Manager, and ahmad@Potato.com as cc CyberSec Assistant. Company Tomato has identical role structures with semo@Tomato.com as high priority CyberSec Engineer, zaid@Tomato.com as critical priority CyberSec Manager, and ahmad@Tomato.com as cc CyberSec Assistant.
Antivirus vs EDR
Antivirus (AV) primarily detects and removes known threats using signatures, while Endpoint Detection and Response (EDR) uses behavioral analysis to detect and respond to both known and unknown threats, offering deeper visibility and more advanced response capabilities.
XDR Investigation Workflow
When conducting investigations through XDR platforms, analysts access the XDR console, select the customer (such as Potato), choose the affected device (such as Po-PC-29), isolate the device, obtain a forensic image, perform analysis, and check files and artifacts including .evtx event logs. For RDP investigations, you might find connection attempts from Po-PC-29 to Po-PC-30 with success status, indicating lateral movement.
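The RDP check from the workflow above, as an added example that is not part of the original notes: it scans constructed Windows logon records (the shape you get after exporting .evtx data) for successful RDP logons and follows the hops outward, going one step beyond the single Po-PC-29 to Po-PC-30 link in the text. It relies on Security Event ID 4624 with LogonType 10 (RemoteInteractive), which is how an interactive RDP logon is recorded; the hostnames and user are constructed.

```python
# Added example: find successful RDP logons in exported logon records and chain the hops.
RDP_LOGON_TYPE = 10  # LogonType 10 = RemoteInteractive (RDP)

# Constructed sample records: "Computer" is the host that logged the event,
# "SourceHost" is where the connection came from. 4624 = success, 4625 = failure.
SAMPLE_LOGONS = [
    {"EventID": 4624, "LogonType": 10, "Computer": "Po-PC-30", "SourceHost": "Po-PC-29", "User": "user1"},
    {"EventID": 4624, "LogonType": 2,  "Computer": "Po-PC-29", "SourceHost": "-",        "User": "user1"},
    {"EventID": 4625, "LogonType": 10, "Computer": "Po-PC-31", "SourceHost": "Po-PC-30", "User": "user1"},
    {"EventID": 4624, "LogonType": 10, "Computer": "Po-PC-31", "SourceHost": "Po-PC-30", "User": "user1"},
]

def successful_rdp_logons(records):
    """Return (source, target, user) for each successful RDP logon, in log order."""
    return [
        (r["SourceHost"], r["Computer"], r["User"])
        for r in records
        if r["EventID"] == 4624 and r["LogonType"] == RDP_LOGON_TYPE
    ]

def lateral_movement_chain(records, start_host):
    """Follow successful RDP hops outward from start_host; each host is visited once."""
    hops = successful_rdp_logons(records)
    chain, current, visited = [start_host], start_host, {start_host}
    while True:
        next_hosts = [t for s, t, _ in hops if s == current and t not in visited]
        if not next_hosts:
            return chain
        current = next_hosts[0]
        visited.add(current)
        chain.append(current)

if __name__ == "__main__":
    print(" -> ".join(lateral_movement_chain(SAMPLE_LOGONS, "Po-PC-29")))
```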
Multi-Factor Authentication Defense in Depth
XDR access requires username and password as the first layer. If an attacker obtains these credentials, they still need an OTP sent to Outlook. To access Outlook and retrieve the OTP, the attacker needs the email address and password plus an OTP from an Authenticator App installed on the legitimate user's device. Opening the authenticator app requires biometric authentication locally on the device, creating multiple layers of defense.
Real-World Ransomware Incident Timeline
XYZ Bank Ransomware Attack
Day One began at 10:00 AM when the bank called to report the incident. At 10:05 a quick meeting was convened. By 10:10 the team had checked alerts to understand the scope. At 10:30 they had an overview of infected machines and began isolating affected systems. From 10:30 AM until 7:30 PM the team conducted a deep investigation covering the Detection and Analysis, Containment, and Eradication phases.
Day Two at 3:00 AM the attacker communicated a double extortion demand for 1M dollars in Bitcoin payable to a .onion address on the dark web. This escalation demonstrated the attacker's intent to both encrypt data and threaten to leak stolen information.
Security Documentation Application Scenario
Password Reuse Incident
A mid-size company notices several suspicious login attempts coming from overseas. One employee reports that their laptop is behaving strangely and browser tabs keep opening by themselves. The SOC begins an investigation and discovers the user's password was reused from an old breached site. The security team now needs to apply the organization's policy, standards, guidelines, and procedures to handle the incident correctly.
The Security Policy document clearly states that employees must not reuse passwords or use weak passwords. The Standard document defines the exact technical requirements for what a "strong password" must contain including length, complexity, and character types. The Guidelines document provides optional recommendations such as using a password manager or creating a passphrase to make strong passwords easier to remember. The Procedure document provides the exact step-by-step instructions for how the SOC analyst should reset the compromised password and force MFA re-enrollment.
CSF 2.0 Application Scenario
Azure Admin Account Compromise Attempt
A company using Azure notices 750 failed login attempts to an admin account from an unusual geographic region. An internal cloud engineer reveals they recently changed password settings manually for testing and did not follow organizational documentation. The security team now must rely on the CSF 2.0 functions, Govern, Identify, Protect, Detect, Respond, and Recover, and the organization's policy/standard/guideline/procedure structure to handle the incident correctly.
The Govern function ensures the company has a password policy and proper documentation that the cloud engineer should have followed. The Identify function helps the company understand that the admin account is a critical asset, and therefore misconfiguration of its password settings poses high risk. The Protect function would normally enforce the password standard and prevent engineers from creating weak or temporary passwords in the cloud environment. The Detect function triggers alerts about the abnormal login attempts and identifies that they originate from an unusual geographic location. Once the SOC confirms an attempted unauthorized access, the Respond function governs the actions taken to contain the threat, reset credentials, and follow the procedure. After the account is secured and the misconfiguration corrected, the Recover function ensures the environment is validated, monitored for reinfection, and returned to normal operation.