Incident Response Runbooks
Incident Response (IR) Runbooks are in-depth guides about how to prepare for and respond to a cyberattack. Runbook information supplements response actions and does not replace your IR team.
IR Runbooks contain information about:
- Phases of a cyberattack
- Which teams should be involved at different stages of the attack
- Preventative actions
- Containment
- Restoration
- Analysis of the attack
These types of runbooks are available:
- General — A high-level runbook that prepares you for a variety of cybersecurity incidents. We recommend that you read the general runbook and document all findings, gaps, and communication weaknesses with your response team.
- Ransomware — A runbook for an attack where malware encrypts your information to lock you out. These attacks are financially motivated, with the intent of making you pay a ransom to retrieve your information.
- Business email compromise (BEC) — A runbook for when an attacker compromises your email accounts to steal data, commit wire fraud, and spread malware.
- Surge — A runbook for a large-scale attack that affects multiple customers. During such an attack, IR resources can be less available than usual, and your response needs to take that into consideration.
- MSP — A runbook for Managed Service Providers (MSPs) to understand how they and their MSP customer organizations need to be involved during an incident.
Note: This runbook is only available for MSPs.
Access runbooks
Note: Only prospects use the Cyber JumpStart Portal. Arctic Wolf customers use the Arctic Wolf Unified Portal to manage Incident Readiness and Response features. For more information, see Incident Response.
Incident Response Runbook phases
Incident Response (IR) Runbooks are divided into different phases. Each phase highlights the response teams that should be involved, the actions that you and the IR team should take, and communication strategies.
Runbooks contain these phases:
- Education, Preparation, and Prevention — Background on the type of cyberattack and the actions you should take to prepare for it.
- Detection & Identification — Indicators that a cyberattack occurred.
- Containment & Initial Investigation — Actions to safely contain the cyberattack.
- Eradication & Remediation — Actions to remove the threats from your network and remediate any underlying issues.
- Recovery & Restoration — Actions to recover lost data and restore systems to normal.
- Forensic Investigation — An overview of the investigation that the IR team performs.
- Reporting & Lessons Learned — An overview of the final analysis of the incident.