Understanding the Concept of Runbooks
Security Incident Report - Unauthorized Access
This report documents an unauthorized access incident that occurred at AcmeTech Solutions.
The purpose of this document is to provide a clear record of what happened, how it was handled, and what improvements are needed.
1. Incident Overview
- Incident ID: ATS-IR-2025-091
- Date & Time Detected: 2025-09-08 02:14 UTC
- Reported By: Intrusion Detection System (IDS) alert
- Detected By: SOC Level 1 Analyst (J. Kim)
- Incident Handler: Security Engineer (M. Patel)
2. Incident Description
- Type of Incident: Unauthorized access attempt
- Description: The IDS flagged repeated failed login attempts on the corporate VPN from an external IP address, followed by a successful login using a valid employee account.
- Affected Systems/Assets:
  - VPN Gateway (vpn.acmetechsolutions.com)
  - Employee account: j.smith[at]acmetechsolutions.com
- Initial Impact Assessment:
  - Possible credential compromise
  - No evidence of data exfiltration at the time of detection
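The detection pattern described above (a burst of failed VPN logins from one external source followed by a successful login) can be expressed as a simple correlation over the gateway's access log. The following is an added illustrative example, not code from the report or from AcmeTech Solutions; the log line format, the source IP 203.0.113.45 (a documentation range) and the other sample entries are constructed for the example.

```python
"""Correlate brute-force bursts with a subsequent successful VPN login from the same source.

The log format, sample entries and thresholds are constructed assumptions for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format: "<timestamp> <gateway> LOGIN_FAIL|LOGIN_OK user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) vpn\.acmetechsolutions\.com "
    r"(?P<result>LOGIN_FAIL|LOGIN_OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log (not an excerpt from the report's evidence).
SAMPLE_LOG = """\
2025-09-08 02:10:02 vpn.acmetechsolutions.com LOGIN_OK user=a.lee src=10.20.0.15
2025-09-08 02:11:40 vpn.acmetechsolutions.com LOGIN_FAIL user=j.smith src=203.0.113.45
2025-09-08 02:11:52 vpn.acmetechsolutions.com LOGIN_FAIL user=j.smith src=203.0.113.45
2025-09-08 02:12:05 vpn.acmetechsolutions.com LOGIN_FAIL user=j.smith src=203.0.113.45
2025-09-08 02:12:18 vpn.acmetechsolutions.com LOGIN_FAIL user=j.smith src=203.0.113.45
2025-09-08 02:12:31 vpn.acmetechsolutions.com LOGIN_FAIL user=j.smith src=203.0.113.45
2025-09-08 02:13:10 vpn.acmetechsolutions.com LOGIN_FAIL user=b.ortiz src=198.51.100.7
2025-09-08 02:13:58 vpn.acmetechsolutions.com LOGIN_OK user=j.smith src=203.0.113.45
2025-09-08 02:14:30 vpn.acmetechsolutions.com LOGIN_OK user=b.ortiz src=198.51.100.7
"""


def parse_line(line):
    """Return a dict for a recognised log line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def find_bruteforce_then_success(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return (src, user, failure_count, success_time) for every LOGIN_OK that follows
    at least `threshold` LOGIN_FAIL events from the same source within `window`.

    A single typo-style failure (b.ortiz below) stays under the threshold and is ignored.
    """
    failures = defaultdict(list)  # src IP -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        # Drop failures that fell out of the sliding window.
        recent = [t for t in failures[ev["src"]] if ev["ts"] - t <= window]
        failures[ev["src"]] = recent
        if ev["result"] == "LOGIN_FAIL":
            recent.append(ev["ts"])
        elif len(recent) >= threshold:
            alerts.append((ev["src"], ev["user"], len(recent), ev["ts"]))
            recent.clear()  # one alert per burst
    return alerts


if __name__ == "__main__":
    for src, user, count, when in find_bruteforce_then_success(SAMPLE_LOG):
        print(f"ALERT {when} success for {user} from {src} after {count} failures")
```

The sliding window is what keeps this from firing on ordinary mistyped passwords: only a dense run of failures that ends in a success from the same source IP produces an alert, which is exactly the sequence the IDS flagged in this incident.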
3. Timeline of Events
| Date & Time (UTC) | Event Description | Person/Team Responsible |
|---|---|---|
| 2025-09-08 02:14 | IDS alert triggered for brute-force attempts | IDS / SOC |
| 2025-09-08 02:16 | SOC analyst escalated incident to Tier 2 | SOC Analyst |
| 2025-09-08 02:20 | Compromised account disabled | Security Engineer |
| 2025-09-08 02:35 | VPN logs reviewed, no lateral movement detected | SOC Team |
| 2025-09-08 03:00 | Password reset enforced for affected user | IT Support |
| 2025-09-08 03:45 | Investigation concluded, account secured | Security Engineer |
4. Actions Taken
- Containment Measures: Disabled compromised account immediately upon detection.
- Eradication Steps: Blocked the attacker's IP address at the firewall.
- Recovery Actions: Forced company-wide VPN password reset and reviewed MFA logs.
- Communications Made:
  - Internal: SOC notified IT and HR teams.
  - External: No customer notification required (no confirmed data exposure).
5. Evidence Collected
- Logs: VPN gateway access logs (exported to SIEM).
- Screenshots: IDS alert screenshot attached.
- Network Captures: None (no active malicious traffic during containment).
- Chain of Custody Notes: Logs archived securely with hash verification for integrity.
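The "hash verification for integrity" noted in the chain-of-custody entry above is usually recorded as a manifest: one cryptographic digest per evidence item, together with who collected it and when, so that anyone can later prove the archived copy is unchanged. The following is an added example of that practice, not code from the report or from AcmeTech Solutions; the evidence contents, the collector name and the manifest layout are constructed for the example.

```python
"""Build and verify a chain-of-custody manifest for collected evidence.

Evidence bytes, collector name and manifest fields are constructed assumptions.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-ins for the exported VPN log extract and the IDS screenshot.
EVIDENCE = {
    "vpn_access_2025-09-08.log": (
        b"2025-09-08 02:13:58 vpn.acmetechsolutions.com LOGIN_OK user=j.smith src=203.0.113.45\n"
    ),
    "ids_alert.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,  # placeholder bytes, not a real image
}


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of a byte string as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(evidence: dict, collected_by: str, incident_id: str) -> dict:
    """Record a digest and size for every item, plus who collected it and when (UTC)."""
    return {
        "incident_id": incident_id,
        "collected_by": collected_by,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "items": {
            name: {"sha256": sha256_hex(data), "size": len(data)}
            for name, data in evidence.items()
        },
    }


def verify_manifest(evidence: dict, manifest: dict) -> list:
    """Return the names of items that are missing or whose digest no longer matches."""
    mismatched = []
    for name, record in manifest["items"].items():
        data = evidence.get(name)
        if data is None or sha256_hex(data) != record["sha256"]:
            mismatched.append(name)
    return mismatched


if __name__ == "__main__":
    manifest = build_manifest(EVIDENCE, collected_by="M. Patel", incident_id="ATS-IR-2025-091")
    print(json.dumps(manifest, indent=2))
    print("intact:", verify_manifest(EVIDENCE, manifest) == [])
```

The manifest itself should be stored separately from the evidence (or signed), because a copy that travels with the archive can be rewritten by whoever alters the archive; a later check that returns an empty list is the integrity proof the report refers to.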
6. Resolution
- Root Cause Identified: Employee reused their corporate password on an external service that was breached.
- Permanent Fix Applied: Enforced strict MFA policy for all VPN accounts.
- Systems Restored on: 2025-09-08 03:45 UTC
- Verification Performed By: SOC Lead (A. Johnson)
7. Lessons Learned
- What worked well: IDS effectively detected brute-force activity; SOC responded within 5 minutes.
- What could be improved: Faster escalation path for VPN-related alerts.
- Policy/Procedure Updates Needed: Mandatory security awareness training on password hygiene.
- Additional Security Controls to Implement: Enable anomaly-based detection for unusual login patterns.
8. Reporting & Compliance
- Regulatory Notifications Required: No (no personal data exfiltration confirmed).
- Authorities Notified: None.
- Customers/Partners Notified: None.
- Deadline for Compliance Reporting: Not applicable.
9. Approvals
- Incident Handler: M. Patel ✔️
- Security Manager: A. Johnson ✔️
- Executive Approval: COO - S. Reynolds ✔️
Appendix
- IDS Alert Screenshot
- VPN Access Logs Extract (2025-09-08 02:00-03:30 UTC)