Incident Response Team Coordination Playbook

December 16, 20233 min read

Playbook Objectives:

  • To simulate a sophisticated cyber-attack on Globex Corporation’s network to assess and improve the efficiency of the company’s Incident Response Team (IRT).
  • To test the IRT’s ability to detect, analyze, contain, eradicate, and recover from the incident efficiently and effectively.
  • To identify the strengths and weaknesses in the current incident response plan and procedures.
  • To ensure effective communication and coordination among the IRT members and other stakeholders during a cyber incident.
  • To validate and enhance the security controls and measures currently in place.
  • To create a sense of realism that helps team members understand their roles and responsibilities during an actual breach.

Difficulty Level:

  • Advanced – This exercise requires participants to have a solid understanding of incident response protocols and cybersecurity practices.


  • Globex Corporation, a high-tech innovative company specializing in AI and machine learning technologies, has recently experienced an upsurge in targeted cyber threats. The fictional scenario involves an Advanced Persistent Threat (APT) group, known as SilenceInTheWires, launching a multi-staged campaign against Globex Corporation. The attack is sophisticated, aimed specifically at acquiring the company’s proprietary AI algorithms and compromising sensitive customer data.
  • SilenceInTheWires starts by conducting a spear-phishing campaign against key employees, moving laterally across the network to gain higher privileges and ultimately exfiltrate data. At the same time, they deploy ransomware in parts of the network as a diversion. This coordinated attack challenges the IRT to demonstrate skills in threat hunting, digital forensics, and crisis management while maintaining business continuity.


  • Incident Response

Exercise Attack Steps:

  • Phase 1: Reconnaissance
    • Perform social engineering to gather intelligence on key employees.
    • Identify vulnerabilities in public-facing applications.
  • Phase 2: Initial Compromise
    • Execute a spear-phishing campaign targeting members of the research and development team.
    • Exploit a known but unpatched vulnerability in an external application to gain initial access.
  • Phase 3: Establish Foothold
    • Install backdoors and additional payloads for persistent access.
    • Escalate privileges to obtain administrator-level access.
  • Phase 4: Lateral Movement
    • Explore the network to locate the AI algorithms and sensitive data.
    • Use credential dumping techniques to gain credentials for higher-level accounts.
  • Phase 5: Data Exfiltration
    • Compress and encrypt sensitive data for exfiltration.
    • Use a combination of direct exfiltration and covert channels to transfer data to an external command and control (C2) server.
  • Phase 6: Obfuscation/Diversion
    • Deploy ransomware in non-critical systems to divert attention and resources.
    • Carry out intermittent DDoS attacks on the company’s public resources.
  • Phase 7: Maintain Presence
    • Continuously monitor communications and adapt to changes in the network security environment to maintain access.
    • Position for long-term strategic intelligence gathering and potential future attacks.
Through this Cyber Range exercise, Globex Corporation aims to bolster its defenses by ensuring that the Incident Response Team is well-prepared to handle sophisticated attacks, minimize potential damage, and quickly restore normal operations. The company understands that ongoing training and realistic simulations are crucial to maintaining and strengthening the overall security posture of the organization.