Incident Command System Deployment Playbook

December 17, 2023 | 4 min read

Playbook Objectives:

  • To simulate a complex cyber-attack on a corporate network to test the incident response capabilities of the security team
  • To assess the effectiveness of the Incident Command System (ICS) in orchestrating a coordinated response to contain, eradicate, and recover from a cyber-attack
  • To identify gaps in current security posture and incident response plans
  • To enhance teamwork, communication, and operational procedures of the incident response team
  • To increase the resilience of the company’s network against future cyber-attacks through hands-on practice

Difficulty Level:

  • Advanced

Scenario:

  • “GlobalTech Inc.”, a leading tech company known for its innovative products in artificial intelligence and machine learning, has recently become the target of a sophisticated cyber-attack. The company’s recent success has attracted not only customers but also malicious actors seeking access to proprietary data and intellectual property.
  • Late Thursday evening, Maria Rodriguez, a senior network engineer, noticed unusual traffic patterns on the network management system. By Friday morning, several critical systems, including the development servers and the customer relationship management (CRM) platform, began exhibiting erratic behavior.
  • A highly skilled adversary, using a combination of spear-phishing, social engineering, and zero-day exploits, has breached the security perimeter and is currently exfiltrating highly sensitive data. The attacker has escalated privileges and is moving laterally across the network to compromise additional systems and establish persistence on multiple hosts.
  • The company’s leadership has decided to activate the Incident Command System (ICS) and conduct a cyber range exercise simulating the unfolding events to prepare the team for a real-life cybersecurity crisis. The exercise requires the security team to apply ICS procedures to contain the attack, maintain business continuity and secure the company’s network.


  • Cyber Incident Response and Management

Exercise Attack Steps:

  • Initial Compromise:
    1. Simulate a spear-phishing attack targeting several employees with access to sensitive information.
    2. Establish a foothold on a single workstation through a malicious email attachment and user execution.
  • Privilege Escalation:
    1. Exploit a local vulnerability to gain elevated privileges on the compromised workstation.
    2. Dump credentials from the workstation (for example, from LSASS memory or cached credentials) to obtain access to admin accounts.
  • Lateral Movement:
    1. Spread to adjacent systems in the network using the stolen credentials.
    2. Compromise a development server and the CRM system to simulate control over critical company infrastructure.
  • Data Exfiltration:
    1. Set up covert channels to exfiltrate sensitive data from the development server.
    2. Record what is exfiltrated (files, byte counts, destinations and timing) so the simulated loss can be quantified and the defenders’ detections checked against ground truth.
  • Persistence Establishment:
    1. Install backdoors on multiple systems to ensure continued access even after the initial access vector is identified and mitigated.
  • Infrastructure Tampering:
    1. Inject malicious code into the operational technology (OT) network, thereby simulating an attack on the company’s physical infrastructure. Run this step only against an isolated range replica of the OT segment, never production OT; note also that in this playbook ICS means Incident Command System, not industrial control systems.
  • ICS Deployment:
    1. Activate the Incident Command System and assign roles and responsibilities to the incident response team.
    2. Respond to the simulated attack within the ICS structure: stabilize the situation, contain the threat, eradicate the adversary’s access, and begin recovery operations.
  • Post-Incident Analysis:
    1. Conduct a simulated post-incident debriefing to discuss the effectiveness of the response, lessons learned, and improvements to be made.
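The defending team needs a way to tell, from telemetry, which stage of the attack chain above has been reached and how much data has left the development server. The script below is an added example for this playbook, not code from the original page or from GlobalTech; it runs stage detections (Office process spawning a script host, a System-integrity process from a Medium-integrity parent, LSASS access, an account reaching a second host by network logon, outbound bytes to non-RFC 1918 addresses crossing a threshold, and Run-key/scheduled-task/service persistence) over constructed sample events. The event schema, the field names, the host names and the 50 MiB exfiltration threshold are all assumptions chosen for the example.

```python
"""Stage-by-stage detections for the exercise attack chain, run over
constructed sample telemetry.  Added example for this playbook; the event
schema (one dict per event), host names and thresholds are assumptions,
not any product's log format."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
PERSISTENCE_EVENTS = {"registry_run_key", "scheduled_task", "service_install"}
EXFIL_THRESHOLD = 50 * 1024 * 1024  # bytes to external hosts before a host is flagged (assumed tuning)
# RFC 1918 ranges are treated as the exercise's internal address space (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Finding:
    stage: str      # playbook stage the evidence maps to
    host: str
    ts: str
    evidence: str


def is_external(ip: str) -> bool:
    """True when the destination is outside the internal (RFC 1918) ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect(events):
    """Return findings in time order, one per playbook stage the telemetry reveals."""
    findings = []
    dests = defaultdict(set)     # (user, source host) -> hosts reached by network logon
    outbound = defaultdict(int)  # host -> bytes sent to external addresses
    flagged_exfil = set()
    for e in sorted(events, key=lambda ev: ev["ts"]):
        kind, host, ts = e["type"], e["host"], e["ts"]
        if kind == "process_create":
            image, parent = e["image"].lower(), e["parent"].lower()
            if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
                findings.append(Finding("initial_compromise", host, ts, f"{parent} spawned {image}"))
            elif e.get("integrity") == "System" and e.get("parent_integrity") == "Medium":
                findings.append(Finding("privilege_escalation", host, ts,
                                        f"{image} runs as System from a Medium-integrity parent"))
        elif kind == "process_access" and e["target"].lower() == "lsass.exe":
            findings.append(Finding("credential_dumping", host, ts, f"{e['image']} opened lsass.exe"))
        elif kind == "logon" and e["logon_type"] in (3, 10):  # network / RDP logon
            key = (e["user"].lower(), e["src_host"])
            dests[key].add(host)
            if len(dests[key]) == 2:  # second distinct host from the same source and account
                findings.append(Finding("lateral_movement", e["src_host"], ts,
                                        f"{e['user']} reached {sorted(dests[key])}"))
        elif kind == "netflow" and is_external(e["dst_ip"]):
            outbound[host] += e["bytes_out"]
            if outbound[host] >= EXFIL_THRESHOLD and host not in flagged_exfil:
                flagged_exfil.add(host)
                findings.append(Finding("data_exfiltration", host, ts,
                                        f"{outbound[host]} bytes to {e['dst_ip']}"))
        elif kind in PERSISTENCE_EVENTS:
            findings.append(Finding("persistence", host, ts, f"{kind}: {e['detail']}"))
    return findings


def exfil_bytes_by_host(events):
    """Bytes sent to external destinations per host, to quantify the simulated loss."""
    totals = defaultdict(int)
    for e in events:
        if e["type"] == "netflow" and is_external(e["dst_ip"]):
            totals[e["host"]] += e["bytes_out"]
    return dict(totals)


# Constructed sample telemetry following the exercise steps (not real logs).
SAMPLE_EVENTS = [
    {"ts": "2023-12-14T21:02:10", "type": "process_create", "host": "WS-0412", "image": "powershell.exe",
     "parent": "WINWORD.EXE", "integrity": "Medium", "parent_integrity": "Medium"},
    {"ts": "2023-12-14T21:05:44", "type": "process_create", "host": "WS-0412", "image": "svc-updater.exe",
     "parent": "powershell.exe", "integrity": "System", "parent_integrity": "Medium"},
    {"ts": "2023-12-14T21:06:01", "type": "process_access", "host": "WS-0412", "image": "svc-updater.exe", "target": "lsass.exe"},
    {"ts": "2023-12-14T23:10:00", "type": "logon", "host": "DEV-SRV-01", "user": "GLOBALTECH\\svc_build", "src_host": "WS-0412", "logon_type": 3},
    {"ts": "2023-12-14T23:12:30", "type": "logon", "host": "CRM-APP-02", "user": "GLOBALTECH\\svc_build", "src_host": "WS-0412", "logon_type": 3},
    {"ts": "2023-12-15T02:00:00", "type": "scheduled_task", "host": "DEV-SRV-01", "detail": "\\Microsoft\\Windows\\Updater\\Sync"},
    {"ts": "2023-12-15T03:00:00", "type": "netflow", "host": "DEV-SRV-01", "dst_ip": "203.0.113.25", "bytes_out": 30 * 1024 * 1024},
    {"ts": "2023-12-15T03:30:00", "type": "netflow", "host": "DEV-SRV-01", "dst_ip": "203.0.113.25", "bytes_out": 25 * 1024 * 1024},
    {"ts": "2023-12-15T03:31:00", "type": "netflow", "host": "DEV-SRV-01", "dst_ip": "10.20.0.5", "bytes_out": 500 * 1024 * 1024},  # internal backup, not exfil
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.ts}  {f.stage:<20} {f.host:<12} {f.evidence}")
    print(exfil_bytes_by_host(SAMPLE_EVENTS))
```

Run stand-alone it prints one finding per stage in the order the exercise steps occur, with the internal 500 MiB transfer correctly left out of the exfiltration total. During the exercise, compare the findings' timestamps against the red team's own record of each step to measure detection latency per stage; stages with no finding are the gaps the post-incident debrief should take up.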