Background: This document will be an incident response runbook (also known as a playbook or "use case"), a written guide for identifying, containing, eradicating, and recovering from cybersecurity incidents. An Incident Response Playbook (Runbook) is designed to provide a step-by-step walk-through for the most probable and impactful cyber threats to an organization. The playbook will ensure that specific steps of the Incident Response Plan are followed appropriately and serve as a reminder if particular steps in the IRP are not in place.
An end-user receives an email from the help desk stating that there was irregular activity associated with their email account and that they can only send or receive emails once it is resolved. Several end users click the link in the email, and immediately items on their workstations act strangely. Suddenly none of the files on the workstation can be opened, and all now end in ".crypt". A message on the end user's screen demands payment of 1.84 Bitcoins as a ransom for the organization's now encrypted data. As of May 2021, Bitcoin is approximately $54,301/Bitcoin, making the ransom in this scenario shy of $100,000.
Soon after that, other employees also report strange notes on their screens. Before long, all computers – workstations and servers – have the popup on their screens and cannot function. This is where the Incident Response process begins.
Instructions: please include the following sections:
1. An overview section that details information about the identified threat.
2. Preparation steps or triage processes needed to prevent or recover from the threat:
o Contact information of the in-house IR team
o Communication tree
o Escalation & notification procedures and reporting mechanism
3. Detection, Identification, and Analysis of the likely symptoms from the type of threat:
o Steps implemented for detection
o Identification matrix for High, Medium, and Low threat categories
o Incident validation – tools or systems used to confirm and verify the possible delivery vector of the threat
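As an added example of what the "steps implemented for detection" and the identification matrix could look like in practice (this is not part of the assignment text), the script below parses constructed file-activity log lines, flags hosts that rename many files to the ".crypt" extension from the scenario inside a short window, and maps the result onto a High/Medium/Low matrix. The log format, the 60-second window, the 10-rename burst threshold, the "SRV-" server naming convention and the matrix boundaries are all assumptions chosen for illustration.

```python
"""Ransomware burst detector for the scenario above (added example, not part
of the assignment). It parses constructed file-activity log lines, flags
hosts that rename many files to a ".crypt" extension within a short window,
and maps the finding onto a High/Medium/Low identification matrix. The log
format, thresholds and matrix boundaries are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumed burst window
BURST_THRESHOLD = 10             # assumed renames per window that indicate mass encryption
RANSOM_EXT = ".crypt"            # extension observed in the scenario


def parse_line(line):
    """Parse '<ISO ts> <host> <user> RENAME <old> -> <new>' (assumed format); None if malformed."""
    head, sep, paths = line.strip().partition(" RENAME ")
    old, arrow, new = paths.partition(" -> ")
    parts = head.split(" ")
    if not sep or not arrow or len(parts) != 3:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return {"ts": ts, "host": parts[1], "user": parts[2], "old": old, "new": new}


def max_in_window(times, window=WINDOW):
    """Largest number of events that fall inside any sliding window of the given length."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(lines):
    """Return per-host .crypt rename findings and an overall severity from the matrix."""
    renames = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["new"].lower().endswith(RANSOM_EXT):
            renames[ev["host"]].append(ev["ts"])
    bursting, suspicious = [], []
    for host, times in renames.items():
        peak = max_in_window(times)
        (bursting if peak >= BURST_THRESHOLD else suspicious).append(host)
    # Assumed identification matrix:
    #   High   - a server is bursting, or three or more hosts are bursting (spreading)
    #   Medium - one or two workstations bursting
    #   Low    - .crypt renames seen but no burst (single files, possible early stage)
    #   None   - nothing observed
    if any(h.startswith("SRV-") for h in bursting) or len(bursting) >= 3:
        severity = "High"
    elif bursting:
        severity = "Medium"
    elif suspicious:
        severity = "Low"
    else:
        severity = "None"
    return {"severity": severity, "bursting": sorted(bursting), "suspicious": sorted(suspicious)}


def constructed_burst(host, user, start, count):
    """Build `count` constructed rename-to-.crypt log lines one second apart (sample data only)."""
    return [f"{(start + timedelta(seconds=i)).isoformat()} {host} {user} RENAME "
            f"C:\\Users\\{user}\\Docs\\f{i}.xlsx -> C:\\Users\\{user}\\Docs\\f{i}.xlsx.crypt"
            for i in range(count)]


T0 = datetime(2021, 5, 10, 9, 1, 2)
# Constructed sample log: one mass-encrypting workstation, one host with only two
# .crypt renames, one benign rename, and one malformed line the parser must skip.
SAMPLE_LOG = (
    constructed_burst("WS-014", "jdoe", T0, 12)
    + constructed_burst("WS-022", "asmith", T0 + timedelta(minutes=5), 2)
    + [f"{T0.isoformat()} WS-003 bwu RENAME C:\\Reports\\q1.docx -> C:\\Reports\\q1_v2.docx",
       "garbage line with no structure"]
)

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the constructed sample the detector reports WS-014 as bursting (Medium on the assumed matrix) and WS-022 as suspicious only; the same burst on a host named SRV-* escalates to High, which is the kind of boundary the identification matrix section should state explicitly.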
4. Containment, Eradication, and Recovery:
The third phase, containment, is the initial attempt to mitigate the attacker’s actions. It has two major components: stopping the attack’s spread and preventing further system damage. An organization must decide which containment methods to employ early in the response. Organizations should have strategies and procedures for making containment-related decisions that reflect the level of risk acceptable to the organization according to the threat type.
5. Post-Incident Activity/Lessons Learned:
Post-incident activity refers to identifying lessons to be learned through after-action review. This section needs to address questions such as:
o What happened?
o Have we done well in protecting the organization’s network?
o What could we have done better?
o What should we do differently next time?