
Home Lab IR SOP v1.0

Standard operating procedures that get written after the fact, in calm conditions, tend to sound like they were written by someone who wasn't there. This one wasn't. It was drafted during a real incident, iterated between actions, and field-tested in the same hour it was written.

That's intentional. The only SOPs worth having are the ones that work when you're tired, stressed, and making decisions in a parking lot on your phone.

Purpose

This SOP defines the standard, repeatable process for responding to a suspected or confirmed security incident. Goals: contain impact quickly, preserve evidence, prevent lateral movement, restore trusted operations, capture lessons learned. Calm execution over panic remediation.

Guiding principles (non-negotiable)

  • Containment beats cleanup. Stopping spread is more valuable than understanding scope in the first few minutes.
  • Trust is rebuilt, not assumed. A "clean" scan does not restore trust. A rebuild does.
  • Endpoints are disposable. Servers are authoritative. Never treat them with equal urgency.
  • Silence in logs is meaningful data. No alerts after isolation is a good signal, not absence of evidence.
  • Calm execution prevents secondary damage. The second incident is usually caused by the response to the first.

Phase model

Phase 0 — Detection & Declaration

  1. Declare incident active. Record exact date/time of detection.
  2. Identify suspected affected systems. Do not expand scope beyond evidence.
  3. Freeze non-essential changes to all systems until scope is understood.

Phase 1 — Containment

  1. Endpoint: Disconnect network immediately. Remove NIC or disable Wi-Fi. Leave system powered on unless unsafe.
  2. Network: Remove all port forwarding. Disable public ingress. Restrict to LAN or VPN only.
  3. Do not attempt remediation before containment is confirmed.

Phase 2 — Clean Room Tooling

  1. Identify a known-clean machine with no password reuse, no inbound services, no browser credential storage.
  2. Build IR USB over hotspot (not home LAN). Structure: scanners/, sysinternals/, docs/.
  3. USB is one-way. Never reinsert into clean machine after contact with affected system.

Phase 3 — Endpoint Verification

  1. Run offline malware scan (Malwarebytes, then Defender, then ESET).
  2. Inspect persistence: Autoruns, Scheduled Tasks, Startup folders, AppData/Temp entries.
  3. Decision gate: If stealer confirmed, stop. Back up documents only. Proceed to wipe. If no findings, still recommend wipe if EXE was confirmed to have executed.

Phase 4 — Account Stabilization

  1. Change passwords from clean devices only. Assume all browser-saved passwords are compromised.
  2. Force sign-out of all sessions. Remove unknown devices. Audit OAuth and third-party app access.
  3. Enable or re-verify MFA. Regenerate recovery codes. Confirm recovery email and phone.

Phase 5 — Infrastructure Verification

  1. Verify no new users, no SSH key changes, no cron additions, no sudoers changes.
  2. Confirm agents are healthy and reporting. Absence of alerts is meaningful data.
  3. Do not make changes unless evidence exists. Verification, not remediation.
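As an added example (not part of the SOP itself) of the Phase 5 verification step, a POSIX shell snapshot-and-compare over the four artifact classes the step names: local users, sudoers, SSH authorized_keys and cron entries. It assumes a baseline snapshot captured before the compromise window; the function names ir_snapshot and ir_compare are hypothetical, and the root path is a parameter so the same check runs against the live server or a test tree.

```shell
#!/bin/sh
# Added example, not the SOP's own tooling. Snapshot the Phase 5 artifact
# classes from a root directory into one normalised text file, then diff a
# baseline snapshot against a current one. No changes are made to the host:
# verification, not remediation.

# ir_snapshot ROOT OUT: ROOT is / on a server (or a test tree), OUT the file.
ir_snapshot() {
    root=$1; out=$2
    {
        echo "## users"
        # username, uid and shell are enough to spot a new or altered account
        cut -d: -f1,3,7 "$root/etc/passwd" 2>/dev/null | sort
        echo "## sudoers"
        cat "$root/etc/sudoers" "$root"/etc/sudoers.d/* 2>/dev/null \
            | grep -v '^#' | grep -v '^$' | sort
        echo "## authorized_keys"
        for f in "$root"/root/.ssh/authorized_keys "$root"/home/*/.ssh/authorized_keys; do
            [ -f "$f" ] || continue
            # record file path, key type and key material (comment field dropped)
            awk -v f="${f#"$root"}" 'NF>=2 {print f, $1, $2}' "$f"
        done | sort
        echo "## cron"
        for f in "$root"/etc/crontab "$root"/etc/cron.d/* \
                 "$root"/var/spool/cron/crontabs/* "$root"/var/spool/cron/*; do
            [ -f "$f" ] || continue
            grep -v '^#' "$f" | grep -v '^$' | sed "s|^|${f#"$root"}: |"
        done | sort
    } > "$out"
}

# ir_compare BASE CUR: print drift as +added / -removed lines.
# Returns 0 when the snapshots are identical, 1 when any drift exists.
ir_compare() {
    base=$1; cur=$2
    drift=$(diff "$base" "$cur" | grep '^[<>]' | sed 's/^< /-/; s/^> /+/')
    [ -z "$drift" ] && return 0
    printf '%s\n' "$drift"
    return 1
}
```

Run ir_snapshot against the baseline image or a pre-incident backup first; an empty diff with healthy agents is the "silence is data" signal the SOP describes, and any + line is evidence to investigate before touching the server.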

Phase 6 — Recovery

  1. Full OS reinstall on affected endpoint. New local user. Hardened baseline before any credentials are entered.
  2. Gradual reintroduction of network access. Public exposure only via approved gateway.
  3. Do not restore from backup unless backup predates the compromise window.

Phase 7 — Lessons Learned

  1. Within 72 hours of closure: document root cause and detection gap.
  2. Identify control improvements. Update this SOP if required.
  3. Write it while it's fresh. The incident that doesn't become a document teaches nothing.

Closure criteria

An incident may be closed when: affected systems are rebuilt or verified, credentials are stabilized, no anomalous activity has been observed for 48+ hours, and documentation is complete.

NIST alignment

This SOP maps directly to the NIST IR lifecycle: Detect, Contain, Eradicate, Recover, Lessons Learned. It also aligns with CompTIA Security+ incident response domain objectives, which is deliberate.