# Incident Response Playbook Creator

**Version**: 2.2.0
**Category**: Security
**Author**: Diego Consolini

---

## Overview

This skill generates comprehensive, customized incident response playbooks based on authoritative templates from **NIST SP 800-61r3** (April 2025), **CISA** guidance, and specialized NIST publications (SP 800-161r1, SP 800-190, SP 800-82r3, SP 800-218). It creates professional, ready-to-use playbooks for 11 different incident scenarios with built-in GDPR and HIPAA compliance considerations.

### What This Skill Does

- ✅ Generates complete incident response playbooks in Markdown format
- ✅ Includes detection indicators, response procedures, recovery actions, and communication templates
- ✅ Incorporates NIST CSF 2.0 alignment and compliance requirements (GDPR, HIPAA)
- ✅ Customizes playbooks for specific organizations and industries
- ✅ Provides role-based responsibilities and escalation procedures
- ✅ Based on 100% real, authoritative content (no mock data)

### Available Incident Scenarios (11 Total)

**Traditional Attacks:**
1. **Ransomware Attack** (Critical)
2. **Data Breach / Exfiltration** (Critical)
3. **Phishing / Business Email Compromise** (High)

**Modern Attack Vectors:**
4. **AI/ML Security Incident** (High)
5. **Supply Chain Attack** (Critical)
6. **Container/Kubernetes Security Incident** (High)

**Critical Infrastructure & Cloud:**
7. **IoT/OT Security Incident** (Critical)
8. **Cloud Security Breach** (Critical)
9. **API Security Incident** (High)

**Insider & Availability Threats:**
10. **Insider Threat** (Critical)
11. **DDoS Attack** (High)

---

## When to Use This Skill

This skill should be activated when the user:

- Asks to create an incident response playbook
- Mentions they need IR documentation or procedures
- Asks about incident response for specific scenarios (ransomware, data breach, phishing, DDoS, etc.)
- Wants to prepare for security incidents
- Needs compliance-aligned incident response procedures
- Asks about NIST SP 800-61 or CISA incident response guidance

**Example Triggers**:

*Traditional Attacks:*
- "Create an incident response playbook for ransomware"
- "I need IR procedures for data breaches"
- "Generate incident response documentation"
- "Help me prepare for a phishing attack"

*Modern Attack Vectors:*
- "Create playbook for AI/ML security incidents"
- "I need response procedures for supply chain attacks"
- "Generate IR playbook for software supply chain compromise"
- "Help with container security incident response"
- "Kubernetes security breach procedures"
- "Docker security incident playbook"

*Critical Infrastructure & Cloud:*
- "IoT security incident response"
- "OT security breach procedures"
- "Industrial control system incident playbook"
- "SCADA security incident response"
- "Cloud security breach playbook"
- "S3 bucket breach incident response"
- "IAM compromise procedures"
- "API security incident playbook"
- "API vulnerability response procedures"

*Insider & Availability Threats:*
- "Insider threat response playbook"
- "Malicious insider incident procedures"
- "Employee data theft response"
- "DDoS attack incident response"
- "Denial of service attack playbook"

---

## How to Use This Skill

### Step 1: Browse Available Scenarios (Optional)

First, you can show the user what scenarios are available:

```bash
python3 scripts/browse_scenarios.py --list
```

This displays all available incident types with descriptions, severity levels, and compliance flags.

For detailed information about a specific scenario:

```bash
python3 scripts/browse_scenarios.py --detail ransomware
```

### Step 2: Collect Organization Information

Use the **AskUserQuestion** tool to collect the required information from the user. This provides a beautiful, user-friendly interface for gathering customization details.

**IMPORTANT**: Always use AskUserQuestion for gathering this information. Do NOT just ask in text.

#### Question 1: Incident Scenario Selection

Present scenarios in groups for better organization. You can use multiple questions or present options by category.

**Option A: Single Question with All Scenarios (11 options - use if user hasn't specified)**
```python
AskUserQuestion(questions=[
    {
        "question": "Which incident scenario do you need a playbook for?",
        "header": "Scenario",
        "multiSelect": false,
        "options": [
            {
                "label": "Ransomware Attack",
                "description": "Malware that encrypts files and demands payment. Critical severity, GDPR/HIPAA applicable."
            },
            {
                "label": "Data Breach",
                "description": "Unauthorized access and data theft. Critical severity, comprehensive compliance guidance."
            },
            {
                "label": "Phishing / BEC",
                "description": "Email-based social engineering and fraud. High severity."
            },
            {
                "label": "AI/ML Security",
                "description": "Adversarial attacks on machine learning models. High severity."
            },
            {
                "label": "Supply Chain Attack",
                "description": "Compromise through third-party software/services. Critical severity."
            },
            {
                "label": "Container/Kubernetes",
                "description": "Container escape or cluster compromise. High severity."
            },
            {
                "label": "IoT/OT Security",
                "description": "Industrial control systems and SCADA security. Critical severity."
            },
            {
                "label": "Cloud Breach",
                "description": "S3 exposure, IAM compromise, cloud misconfigurations. Critical severity."
            },
            {
                "label": "API Security",
                "description": "API vulnerabilities and data exposure. High severity."
            },
            {
                "label": "Insider Threat",
                "description": "Malicious or negligent insider actions. Critical severity."
            },
            {
                "label": "DDoS Attack",
                "description": "Distributed denial of service attacks. High severity."
            }
        ]
    }
])
```

**Option B: Category-Based Question (if user mentioned a category)**
```python
# If user mentioned "cloud" or "container" etc., show relevant options
AskUserQuestion(questions=[
    {
        "question": "Which modern attack scenario are you concerned about?",
        "header": "Scenario",
        "multiSelect": false,
        "options": [
            {
                "label": "AI/ML Security Incident",
                "description": "Model poisoning, adversarial attacks, inference manipulation"
            },
            {
                "label": "Supply Chain Attack",
                "description": "SolarWinds-style attacks, dependency vulnerabilities"
            },
            {
                "label": "Container/Kubernetes Security",
                "description": "Container escape, cluster compromise, orchestration attacks"
            }
        ]
    }
])
```

#### Question 2: Organization Information

```python
AskUserQuestion(questions=[
    {
        "question": "What is your organization name?",
        "header": "Organization",
        "multiSelect": false,
        "options": [
            {
                "label": "Provide name",
                "description": "Enter your organization's name for the playbook"
            }
        ]
    },
    {
        "question": "What industry sector are you in?",
        "header": "Industry",
        "multiSelect": false,
        "options": [
            {
                "label": "Healthcare",
                "description": "Medical, hospitals, healthcare providers (HIPAA applicable)"
            },
            {
                "label": "Finance",
                "description": "Banks, financial services, payment processing"
            },
            {
                "label": "Technology",
                "description": "Software, SaaS, IT services"
            },
            {
                "label": "Retail/E-commerce",
                "description": "Online/offline retail, customer data"
            },
            {
                "label": "Government",
                "description": "Public sector, government agencies"
            },
            {
                "label": "Education",
                "description": "Schools, universities, educational institutions"
            }
        ]
    }
])
```

#### Question 3: Contact Information (Optional)

```python
AskUserQuestion(questions=[
    {
        "question": "Do you want to customize contact information in the playbook?",
        "header": "Contacts",
        "multiSelect": false,
        "options": [
            {
                "label": "Use defaults",
                "description": "Use placeholder contact information (you can edit later)"
            },
            {
                "label": "Provide custom",
                "description": "Enter your security team email and phone number"
            }
        ]
    }
])
```

### Step 3: Generate the Playbook

After collecting the information, use the generate_playbook_markdown.py script to create the playbook.

**Basic Command**:
```bash
python3 scripts/generate_playbook_markdown.py \
  --scenario <scenario_id> \
  --org "<Organization Name>" \
  --industry "<Industry>"
```

**With Custom Contact Info**:
```bash
python3 scripts/generate_playbook_markdown.py \
  --scenario ransomware \
  --org "Acme Corporation" \
  --industry "Technology" \
  --contact-email "security@acmecorp.com" \
  --contact-phone "+1-555-SEC-RITY" \
  --output output/acme-ransomware-playbook.md
```

**Scenario ID Mapping**:
- "Ransomware Attack" → `ransomware`
- "Data Breach" / "Data Breach / Exfiltration" → `data_breach`
- "Phishing / BEC" → `phishing`
- "AI/ML Security" / "AI/ML Security Incident" → `ai_ml_attack`
- "Supply Chain Attack" → `supply_chain_attack`
- "Container/Kubernetes" / "Container/Kubernetes Security" → `container_kubernetes_security`
- "IoT/OT Security" / "IoT/OT Security Incident" → `iot_ot_security`
- "Cloud Breach" / "Cloud Security Breach" → `cloud_security_breach`
- "API Security" / "API Security Incident" → `api_security_incident`
- "Insider Threat" → `insider_threat`
- "DDoS Attack" → `ddos_attack`

### Step 4: Present the Results

After generation, you should:

1. **Confirm successful generation**: Show the user that the playbook was created successfully
2. **Show the file location**: Tell them where the file was saved
3. **Offer to display content**: Ask if they want to see the playbook content
4. **Suggest next steps**:
   - Review and customize the playbook for their specific environment
   - Share with their security team
   - Test the playbook with a tabletop exercise
   - Generate additional scenario playbooks

**Example Response**:
```
✅ Successfully generated Ransomware Attack playbook for Acme Corporation!

📄 **Output**: output/ransomware-playbook.md (7.2 KB)

The playbook includes:
- Detection indicators and monitoring guidance
- Step-by-step response procedures (Triage → Containment → Eradication)
- Recovery actions with validation checklist
- GDPR and HIPAA compliance considerations
- Communication requirements and templates
- Role-based responsibilities
- Contact information and escalation criteria

Would you like me to:
1. Display the playbook content
2. Generate a playbook for another incident type
3. Explain any section in detail
```

---

## Complete Workflow Example

Here's a complete interaction flow:

### 1. User Request
**User**: "I need an incident response playbook for ransomware attacks"

### 2. Scenario Browsing (Optional)
**You**: Let me show you the ransomware scenario details first.

```bash
python3 scripts/browse_scenarios.py --detail ransomware
```

**You**: This scenario includes [summarize key points from output]

### 3. Information Collection (Required)
**You**: I'll help you generate a custom playbook. Let me gather some information about your organization.

```python
# Use AskUserQuestion for organization name and industry
AskUserQuestion(questions=[...])
```

### 4. Playbook Generation
```bash
python3 scripts/generate_playbook_markdown.py \
  --scenario ransomware \
  --org "User's Organization" \
  --industry "User's Industry"
```

### 5. Results Presentation
**You**: ✅ Successfully generated your ransomware playbook!

[Show file location and summary of what's included]

### 6. Follow-up
**You**: Would you like me to:
- Generate playbooks for other incident types?
- Explain any section in detail?
- Show you how to use the playbook in a real incident?

---

## Important Notes

### Data Quality & Sources

All content in generated playbooks comes from authoritative sources:
- **NIST SP 800-61r3** (April 2025) - Primary incident response framework
- **NIST Cybersecurity Framework 2.0** - Function and category alignment
- **GDPR** (Articles 33-34) - EU data breach notification requirements
- **HIPAA** Breach Notification Rule - Healthcare breach requirements

**No mock or fake data** - Everything is extracted from real guidance documents.

### Compliance Disclaimers

Always remind users:
- ⚠️ These playbooks are templates and should be reviewed by legal counsel
- ⚠️ Compliance requirements vary by jurisdiction - verify with local regulations
- ⚠️ Playbooks should be customized for specific organizational needs
- ⚠️ Regular testing and updates are essential

### Limitations

- Generated playbooks are in Markdown format only (Word/PDF export planned)
- Does not include automated translation or localization
- Contact information uses placeholders by default
- Requires manual customization for organization-specific tools and systems

---

## Script Reference

### browse_scenarios.py

**Purpose**: Explore available incident scenarios and view detailed information

**Usage**:
```bash
# List all scenarios
python3 scripts/browse_scenarios.py --list

# Show detailed view
python3 scripts/browse_scenarios.py --detail ransomware

# Display metadata
python3 scripts/browse_scenarios.py --metadata

# Search scenarios
python3 scripts/browse_scenarios.py --search "data breach"
```

### generate_playbook_markdown.py

**Purpose**: Generate customized incident response playbooks

**Usage**:
```bash
# Generate playbook with required parameters
python3 scripts/generate_playbook_markdown.py \
  --scenario <scenario_id> \
  --org "<Organization Name>" \
  [--industry "<Industry>"] \
  [--contact-email "<email>"] \
  [--contact-phone "<phone>"] \
  [--output "<path>"]

# List available scenarios
python3 scripts/generate_playbook_markdown.py --list
```

**Required Parameters**:
- `--scenario` or `-s`: Scenario ID (see 11 scenarios above)
- `--org` or `-o`: Organization name

**Optional Parameters**:
- `--industry` or `-i`: Industry sector (default: "General")
- `--contact-email`: Security team email (default: security@organization.com)
- `--contact-phone`: Security team phone (default: (555) 123-4567)
- `--output`: Output file path (default: output/[scenario]-playbook.md)

---

## Troubleshooting

### Common Issues

**Issue**: "Scenario not found"
**Solution**: Use `--list` to see available scenario IDs

**Issue**: "Required file not found"
**Solution**: Ensure you're running from the plugin directory, or use `--scenarios-file` to specify path

**Issue**: "Invalid JSON"
**Solution**: The script defaults to using `incident_scenarios_v2.json` (v2.0.0+) which contains 11 validated scenarios

---

## Future Enhancements

Planned features for future versions:
- Multi-format export (Word .docx, PDF, HTML)
- Excel contact roster generation
- Playbook versioning and change tracking
- Tabletop exercise scenario generation
- Integration with ticketing systems (Jira, ServiceNow)
- Automated playbook testing and validation
- Custom scenario creation from templates
- Translation and localization support

---

**END OF SKILL DOCUMENTATION**

*For questions or issues, refer to the README.md or contact the plugin author.*