Playbook 002: Confirmed Suspicious Activity (Escalation & Containment)

 

Playbook 002: Confirmed Suspicious Activity (Escalation & Containment)

This playbook builds directly on Playbook 001.

You open it only after you’ve determined that activity is likely not normal — even if you’re not 100% certain it’s malicious.

That uncertainty is expected.

Purpose

To guide your response when:

  • Activity is ongoing and

  • Normal explanations no longer fit and

  • Inaction could increase risk

This playbook focuses on controlled escalation, not panic response.

Trigger (When to Use This Playbook)

Open this playbook when one or more of the following is true:

  • Repeated abnormal behavior across multiple time windows

  • A system attempts lateral movement across VLANs

  • Multiple alerts correlate to the same source

  • A system behaves outside its defined role

  • Blocking one path causes the behavior to shift elsewhere

This is your signal that something is actively trying — not just misbehaving.

Context (Confirm the Scope)

Before acting, clearly define how big the problem is.

Write down:

  1. Affected systems

    • One host or many?

    • Workstation, server, or management system?

  2. Affected layers

    • Network only?

    • Identity (accounts)?

    • Endpoint behavior?

    • Logging visibility?

  3. Trust boundaries crossed

    • User → server?

    • Server → management?

    • Lab → external?

This prevents overreaction and underreaction.

Actions (Escalated but Controlled)

Step 1: Increase Visibility

Before blocking anything new:

  • Expand SIEM time range

  • Look for failed attempts as well as successful ones

  • Check for authentication anomalies

  • Look for similar behavior from other systems

You are answering:

“Is this isolated, or spreading?”

Step 2: Contain at the Lowest Effective Layer

Containment should match the problem.

Preferred order:

  1. Network rules (block specific traffic)

  2. Account controls (disable or restrict)

  3. VLAN isolation

  4. System isolation

Avoid:

  • Rebuilding systems

  • Powering off hosts

  • Deleting evidence

Containment is about control, not cleanup.

Step 3: Preserve Evidence Explicitly

Do this before remediation.

  • Take VM snapshots

  • Export relevant logs

  • Record:

    • What you saw

    • When you saw it

    • What changed after containment

This step turns incidents into lessons instead of mysteries.

Step 4: Stabilize the Environment

Once behavior stops:

  • Verify no new alerts appear

  • Confirm normal services are still functional

  • Watch for delayed or secondary activity

You are not “done” yet — you are steady.

Step 5: Decide on Recovery

Ask:

  • Can this system be trusted as-is?

  • Is forensic learning more valuable than speed?

  • Is rebuild necessary, or optional?

Recovery options:

  • Restore from snapshot

  • Patch and harden

  • Credential resets

  • Full rebuild (last resort)

Make this a deliberate choice, not a reflex.

Outcome (What Success Looks Like)

You’re finished when:

  • Suspicious activity has stopped

  • Impact is limited

  • Visibility is intact

  • Evidence is preserved

  • A clear next step is documented

Certainty is not required.
Control is.

After-Action Review (Mandatory, Even in a Lab)

Answer honestly:

  • What triggered escalation?

  • What signals mattered most?

  • What slowed you down?

  • Where did you hesitate?

  • What should Playbook 001 or 002 clarify?

Update both playbooks if needed.

That loop is intentional.

How Playbook 001 and 002 Work Together

Think of them like gears:

  • Playbook 001 = Detection & Orientation

  • Playbook 002 = Escalation & Control

You should always enter through Playbook 001.
Playbook 002 is earned through evidence, not fear.

Why This Second Playbook Matters for Beginners

Most new operators fail in one of two ways:

  • They freeze and do nothing

  • They overreact and destroy evidence

This playbook teaches a third path:

  • Observe

  • Contain

  • Learn

  • Improve

That’s the core skill this lab is designed to build.

*Key Takeaway's

You don’t need perfect certainty to act.
You need structure, proportional response, and documentation.

These playbooks give you all three.

Location: Orangeburg, SC 29115, USA

Comments

Post a Comment

Got something to say? Drop a comment below — let’s chat!

Popular posts from this blog

Building a Secure Virtual OPNsense 26.1 Firewall with VLANs, DMZ, and CARP High Availability

  Building a Secure Virtual OPNsense 26.1 Firewall with VLANs, DMZ, and CARP High Availability In this guide, we’ll walk through setting up OPNsense 26.1 as a primary gateway in a virtualized environment using Hyper-V , with VLAN segmentation, a DMZ, staged VPN, and optional CARP failover for high availability. This architecture ensures strong isolation, centralized traffic control, and enterprise-grade security — all without joining the firewall or hypervisor to Active Directory , reducing the attack surface. 1️⃣ Architecture Overview Logical Design Internet │ [External vSwitch] │ WAN (OPNsense) ┌──────────────────┐ │ OPNsense │ │ VLAN Gateways + HA│ └──────────────────┘ │ [Internal vSwitch - Trunk] │ ┌───────────────┬──────...
Read more

Proxmox VE + full Kubernetes (kubeadm) step-by-step

  Production-ready guide: Proxmox VE + full Kubernetes (kubeadm) step-by-step A practical, end-to-end walkthrough to deploy a hardened Proxmox VE environment and run a production-grade Kubernetes control plane and worker nodes (kubeadm). Includes HA control-plane, etcd considerations, load-balancing, networking (Calico), storage (Longhorn + option for Ceph), security hardening, backups, and monitoring. This blog assumes you have basic Linux + virtualization familiarity and a small cluster of physical servers for Proxmox (3+ nodes recommended for HA). Where choices exist I explain trade-offs and give concrete commands and config snippets you can copy. Outline Goals & prerequisites Logical architecture (ASCII diagram) Prepare Proxmox VE hosts (install & base hardening) Proxmox networking and storage planning Create cloud-init VM template for Kubernetes nodes Deploy VMs for Kubernetes control plane and workers Provision HA load balancer for kube-api (H...
Read more

Monitoring Virtualized Environments with Graylog: A Complete Guide

  Monitoring Virtualized Environments with Graylog: A Complete Guide Virtualization has become the backbone of modern datacenters, but as environments grow, so does the challenge of monitoring them effectively. Whether you’re running VMware vSphere, Hyper-V, Proxmox, KVM, Xen, or Nutanix , log visibility is essential for performance, capacity planning, and security. Graylog , with its flexible pipelines, dashboards, and alerting capabilities, provides a powerful centralized logging solution for virtualized infrastructures of all sizes. This guide walks through everything you need to know to monitor your virtual environment using Graylog—from collecting hypervisor logs to building dashboards and alerts that actually matter. Why Graylog for Virtualization Monitoring? Virtualization platforms all generate significant amounts of structured and unstructured log data: Host health VM lifecycle changes Storage access Virtual network changes Failovers and migrations ...
Read more