Zanreal Labs Logo
Get in touch
Legal

Security Incident Response Procedures

Last updated May 30, 2025

ZanReal Labs ("ZanReal Labs", "we", "us", or "our") has established comprehensive incident response procedures to ensure rapid detection, containment, investigation, and recovery from information security incidents. These procedures support our commitment to maintaining the confidentiality, integrity, and availability of all information assets.

Purpose and Scope

These procedures apply to all information security incidents affecting:

  • ZanReal Labs systems, networks, and applications
  • Customer data and personal information
  • Third-party services and cloud infrastructure
  • Physical and virtual assets
  • Personnel and contractors

Incident Classification

Severity Levels

Critical (P1) - Immediate Response Required

  • Major data breach or unauthorized access to sensitive data
  • Complete system or service outage affecting critical business operations
  • Ransomware or destructive malware affecting core systems
  • Confirmed advanced persistent threat (APT) activity
  • Regulatory notification required

High (P2) - Response within 2 hours

  • Partial system compromise or unauthorized access
  • Significant service degradation affecting customers
  • Suspected data exfiltration or unauthorized data access
  • DDoS attacks affecting service availability
  • Privileged account compromise

Medium (P3) - Response within 8 hours

  • Malware detected and contained
  • Minor unauthorized access attempts
  • Policy violations with security impact
  • Suspicious network activity
  • Vendor security incidents affecting our environment

Low (P4) - Response within 24 hours

  • Security tool alerts requiring investigation
  • Minor policy violations
  • Potential security vulnerabilities
  • Informational security events

Incident Categories

  1. Data Breach: Unauthorized access, use, or disclosure of personal or sensitive data
  2. System Compromise: Unauthorized access to systems or applications
  3. Malware: Detection of malicious software or code
  4. Network Intrusion: Unauthorized network access or suspicious network activity
  5. DDoS Attack: Distributed denial of service attacks
  6. Insider Threat: Malicious or negligent actions by authorized users
  7. Physical Security: Unauthorized physical access or equipment theft
  8. Third-Party Incident: Security incidents at vendors or service providers
  9. Regulatory Violation: Non-compliance with security regulations or standards

Incident Response Team

Core Team Members

Incident Commander

  • Overall incident response coordination
  • Communication with executive leadership
  • Decision-making authority for response actions
  • External communication coordination

Security Lead

  • Technical investigation and analysis
  • Evidence collection and preservation
  • Security tool coordination (Wazuh SIEM, Nessus, Bitdefender)
  • Threat intelligence analysis

IT Operations Lead

  • System containment and isolation
  • Service restoration and recovery
  • Infrastructure changes and updates
  • Cloud platform coordination (AWS, Azure, GCP)

Legal/Compliance Officer

  • Regulatory notification requirements
  • Legal implications assessment
  • Evidence handling oversight
  • Customer notification coordination

Communications Lead

  • Internal communications
  • Customer communications
  • Media relations (if required)
  • Stakeholder updates

Extended Team (As Required)

  • Human Resources
  • Business Unit Leaders
  • External Legal Counsel
  • Forensics Specialists
  • Law Enforcement Liaisons

Incident Response Process

Phase 1: Detection and Analysis

Detection Sources

  • Wazuh SIEM: Automated threat detection and alerting
  • Cloudflare Security: Network-level threat detection
  • Bitdefender GravityZone: Endpoint protection alerts
  • Nessus Professional: Vulnerability scan findings
  • User Reports: Employee and customer incident reports
  • Third-Party Notifications: Vendor security alerts
  • Threat Intelligence: External threat feeds and indicators

Initial Analysis Steps

  1. Verify Incident: Confirm legitimate security incident vs. false positive
  2. Initial Classification: Assign preliminary severity and category
  3. Scope Assessment: Determine affected systems, data, and users
  4. Timeline Establishment: Identify when incident likely began
  5. Evidence Preservation: Secure logs and system state information

Documentation Requirements

  • Incident ticket creation with unique identifier
  • Initial incident report with timeline
  • Evidence collection log
  • Communication log
  • Decision log

Phase 2: Containment, Eradication, and Recovery

Short-term Containment

  • Immediate Actions: Isolate affected systems using Cloudflare Zero Trust controls
  • Account Security: Disable compromised accounts and force password resets
  • Network Isolation: Segment affected network segments
  • System Isolation: Quarantine compromised endpoints using Bitdefender
  • Service Shutdown: Temporarily disable affected services if necessary

Evidence Collection

  • System Images: Create forensic images of affected systems
  • Log Collection: Gather logs from Wazuh SIEM and all relevant systems
  • Network Captures: Collect network traffic data
  • Memory Dumps: Capture system memory for analysis
  • Documentation: Record all evidence collection activities

Long-term Containment

  • System Rebuilding: Rebuild compromised systems from clean backups
  • Configuration Updates: Apply security patches and configuration changes
  • Monitoring Enhancement: Increase monitoring on affected systems
  • Access Review: Review and update access controls

Eradication

  • Malware Removal: Remove malicious software using Bitdefender and manual methods
  • Vulnerability Patching: Address vulnerabilities identified by Nessus
  • Configuration Hardening: Implement additional security controls
  • Account Cleanup: Remove unauthorized accounts and access

Recovery

  • System Restoration: Restore systems from clean backups
  • Service Testing: Verify system functionality and security
  • Monitoring: Enhanced monitoring during recovery period
  • User Communication: Notify users of service restoration

Phase 3: Post-Incident Activities

Lessons Learned

  • Incident Review Meeting: Conduct post-incident review within 5 business days
  • Timeline Analysis: Create detailed incident timeline
  • Response Evaluation: Assess response effectiveness
  • Improvement Identification: Identify process and technology improvements

Documentation Updates

  • Procedure Updates: Revise incident response procedures
  • Playbook Updates: Update incident-specific playbooks
  • Training Updates: Modify training materials based on lessons learned
  • Technology Updates: Implement security tool improvements

Regulatory and Legal Requirements

  • Notification Timeline: Meet regulatory notification deadlines
  • Documentation Retention: Preserve incident documentation per legal requirements
  • Audit Preparation: Prepare documentation for potential audits
  • Insurance Claims: Coordinate with cyber insurance providers

Communication Procedures

Internal Communications

Executive Notification

  • Critical incidents: Immediate notification
  • High severity incidents: Within 1 hour
  • Medium severity incidents: Within 4 hours
  • Low severity incidents: Daily summary report

Customer Communications

  • Data breach notifications per regulatory requirements
  • Service outage notifications via status page
  • Security improvement communications
  • Incident resolution notifications

Regulatory Notifications

  • GDPR: Within 72 hours of awareness
  • CCPA: Without unreasonable delay
  • Sector-specific regulations as applicable
  • Law enforcement as required

External Communications

Template Communications

  • Customer breach notification templates
  • Regulatory notification templates
  • Media response templates
  • Vendor notification templates

Approval Process

  • Legal review for all external communications
  • Executive approval for regulatory notifications
  • Communications team approval for customer notifications

Training and Awareness

Regular Training Requirements

  • Annual incident response training for all personnel
  • Quarterly tabletop exercises
  • Annual full-scale incident simulation
  • Role-specific training for incident response team members

Awareness Programs

  • Security incident reporting procedures
  • Phishing and social engineering awareness
  • Insider threat indicators
  • Customer security education

Technology and Tools

Primary Tools

  • Wazuh SIEM: Central logging, monitoring, and alerting
  • Cloudflare Zero Trust: Network security and access control
  • Bitdefender GravityZone: Endpoint protection and response
  • Nessus Professional: Vulnerability management
  • AWS/Azure/GCP Security Tools: Cloud-specific security monitoring

Forensics Tools

  • Specialized forensics software for evidence analysis
  • Network analysis tools for traffic examination
  • Memory analysis tools for malware investigation
  • Mobile device forensics tools

Communication Tools

  • Secure incident communication channels
  • Emergency notification systems
  • Video conferencing for remote coordination
  • Encrypted messaging for sensitive communications

Quality Assurance and Continuous Improvement

Metrics and KPIs

  • Mean time to detection (MTTD)
  • Mean time to containment (MTTC)
  • Mean time to recovery (MTTR)
  • Incident volume and trends
  • Customer impact metrics
  • Regulatory compliance metrics

Regular Reviews

  • Monthly incident trend analysis
  • Quarterly procedure reviews
  • Annual tabletop exercises
  • Continuous threat landscape monitoring

Process Improvements

  • Technology capability enhancements
  • Training program updates
  • Communication process refinements
  • Cross-functional coordination improvements

Incident Response Playbooks

Data Breach Response Playbook

Immediate Actions (0-1 hours)

  1. Activate incident response team
  2. Assess scope of data potentially affected
  3. Contain the breach source
  4. Preserve evidence
  5. Begin preliminary impact assessment

Short-term Actions (1-24 hours)

  1. Complete detailed impact assessment
  2. Determine personal data categories affected
  3. Identify affected individuals
  4. Assess regulatory notification requirements
  5. Begin customer impact analysis

Recovery Actions (24-72 hours)

  1. Implement containment measures
  2. Begin system restoration
  3. Prepare regulatory notifications
  4. Draft customer communications
  5. Coordinate with legal counsel

Ransomware Response Playbook

Immediate Actions (0-30 minutes)

  1. Isolate affected systems immediately
  2. Preserve system state for forensics
  3. Assess backup integrity
  4. Document ransom demands
  5. Coordinate with law enforcement

Short-term Actions (30 minutes - 4 hours)

  1. Complete network isolation
  2. Assess backup recovery options
  3. Determine business impact
  4. Coordinate with cyber insurance
  5. Develop recovery timeline

Recovery Actions (4+ hours)

  1. Begin system restoration from backups
  2. Implement additional security controls
  3. Verify system integrity
  4. Resume business operations
  5. Conduct post-incident review

Previous Versions

The previous versions of our Policies and other documents can be seen at GitHub