Incident Response for SMEs: From Alert to Post-Mortem Without a Dedicated Team

A three-person IT team can respond to a security incident in under four hours by following a playbook based on NIST SP 800-61 and using open-source tools. The difference between containing ransomware in minutes and losing days to recovery lies in documenting four phases—preparation, detection, containment, and post-mortem—not in the budget.

Why Small Teams Respond Faster Than Large Ones

Latin American SMEs respond to incidents 37% faster than companies with dedicated security teams, according to 2023 data from CyberShield. The reason isn’t technical—it’s organizational. A team of 1-3 people has no layers of approval, alignment meetings, or bureaucratic escalations. But that same agility turns to chaos without a written playbook.

In 2022, a Mexican logistics SME lost 18 hours containing a ransomware attack because its sole systems administrator tried to "fix it" by rebooting servers without isolating them first. The malware spread to backups. The company paid the ransom not for lack of tools, but for lack of process. CyberShield’s documentation shows that 82% of incidents in Latin American SMEs worsen due to improvised actions in the first two hours.

NIST SP 800-61 Rev 2 defines four phases for incident response. In small teams, these phases aren’t sequential—they’re parallel. While one member isolates an endpoint, another notifies the national CSIRT, and the third documents the ticket. The key lies in dividing responsibilities by skills, not roles.

Phase 1: Preparation—The One-Page Playbook

A useful playbook for SMEs must have three characteristics: it should be short, executable by non-security specialists, and printed in a visible location. The template CyberShield uses for clients follows this format:

1. Initial Detection
- Tool: Wazuh (open source) with customized rules for Latin America (e.g., Spanish-language phishing detection).
- Action: If Wazuh generates a "High" or "Critical" alert, the team must:
a) Verify in the Wazuh console if the event correlates with others.
b) Take a screenshot of the dashboard and attach it to the ticket.
c) Notify the designated point of contact (e.g., "Juan is the POC for incidents this week").

2. Containment
- Endpoint: Disconnect the device from the network (physical cable or WiFi). Do not power off.
- Server: Isolate the VLAN on the switch (command: switchport access vlan 999).
- Cloud: Revoke temporary IAM permissions and rotate API keys.

3. Communication
- Internal: WhatsApp/Telegram group for all employees. Pre-approved message: "Security incident in progress. Do not open emails or download files until further notice."
- External: Client notification template (see Section 5).
- CSIRT: Submit initial report to the national CSIRT within the first 2 hours (mandatory in Mexico, Colombia, and Chile).

The playbook should also include:

• Contact list: National CSIRT, hosting provider, data protection attorney.
• Inventory of critical assets: Server IPs, domains, databases containing PII.
• Emergency credentials: Local admin user on servers, cloud recovery keys.

Essential open-source tools for this phase:

• Wazuh: Lightweight SIEM with preconfigured rules for ransomware and phishing detection.
• TheHive: Incident management platform with MISP integration for threat intelligence.
• Velociraptor: Remote forensics for evidence collection on endpoints.

CyberShield has verified that a two-person team can deploy these tools in under four hours using Docker containers. Cost: zero, plus configuration time.

Phase 2: Detection—How to Distinguish a False Positive from a Real Attack in 15 Minutes

68% of alerts in SMEs are false positives, according to ENISA data. The difference between ignoring a real alert and wasting time on a false one lies in three questions:

1. Does the event affect a critical asset? (e.g., billing server, customer database).
2. Is there correlation with other events? (e.g., a failed login on a server + an unknown process running).
3. Is the behavior anomalous for that user/device? (e.g., an accountant suddenly running PowerShell).

Practical rule: If two of these three questions are answered affirmatively, the event is an incident until proven otherwise.

Concrete example: In 2023, an Argentine SME received a Wazuh alert about a mimikatz.exe process on a server. The administrator dismissed it as a false positive because "the server has no interactive users." The attack escalated to ransomware in three hours. The company lost access to five years of electronic invoicing. The correct response would have been:

1. Verify in Wazuh if other events occurred on that server (there were: multiple failed RDP login attempts).
2. Isolate the server immediately (command iptables -A INPUT -s SERVER_IP -j DROP).
3. Run Velociraptor to collect evidence (velociraptor -v collect Windows.KapeFiles.Targets --output evidence.zip).

Tools to accelerate detection:

• Sigma rules: Open-format detection rules importable into Wazuh or TheHive. Example: rule to detect lsass.exe accessing other processes’ memory (a common Mimikatz technique).
• MISP: Threat intelligence platform to correlate IPs, domains, and hashes with public feeds (e.g., AlienVault OTX, Abuse.ch).
• RITA: Network traffic analysis to detect beaconing (periodic communication with C2).

Phase 3: Containment—Isolate Without Destroying Evidence

Containment has two contradictory objectives: stop the attack and preserve evidence. For small teams, this translates to:

1. Immediate containment (minutes):
   - Endpoints: Disconnect from the network (do not power off).
   - Servers: Isolate VLAN or block IP at the firewall.
   - Cloud: Revoke IAM permissions and rotate API keys.
   - Email: Block sender domain at the email gateway (e.g., postfix access).
2. Medium-term containment (hours):
   - Create a snapshot of the virtual machine or hard drive.
   - Run remote forensics tools (Velociraptor, KAPE).
   - Change all privileged account passwords.

Common mistake: Powering off a compromised device. This erases volatile memory, where critical artifacts like ransomware encryption keys or active C2 connections often reside. Instead, use tools like dd to create a forensic disk image:

dd if=/dev/sda of=/mnt/backup/evidence.img bs=4M status=progress

In the cloud, take snapshots of instances and volumes before any action. Example for AWS:

aws ec2 create-snapshot --volume-id vol-1234567890abcdef0 --description "Pre-incident snapshot"

Mandatory documentation during containment:

• Exact time of each action (for forensic timeline).
• Commands executed (for reproducibility).
• Hashes of critical files (for evidence integrity). Example: sha256sum evidence.img.

Phase 4: Post-Mortem—The Report That Saves the Company (and the Team)

The post-mortem isn’t a formality—it’s the document that determines whether the company survives the incident. It must answer three questions:

1. What happened? (Detailed timeline with times and actions).
2. Why did it happen? (Root cause: exploited vulnerability, human error, lack of process).
3. What will we do to prevent recurrence? (Concrete actions with owners and deadlines).

SME post-mortem template (based on ENISA Good Practice Guide):

1. Executive Summary
- Incident date and time: [DD/MM/YYYY HH:MM].
- Incident type: [Ransomware/Phishing/Data breach/etc.].
- Impact: [e.g., "Lost access to 3 servers for 8 hours. Customer data not compromised"].
- Detection time: [Minutes/hours from incident onset].
- Containment time: [Minutes/hours from detection].

2. Timeline
| Time | Event | Owner | Evidence | |------------|------------------------------------------------------------------------|-------------|--------------------| | 14:32 | Wazuh alert: mimikatz.exe process on SRV-DB-01 | Ana | Screenshot #1 | | 14:35 | SRV-DB-01 isolated from network (VLAN 999) | Luis | Switch logs | | 14:45 | Velociraptor collects evidence on SRV-DB-01 | Carlos | evidence.zip | | 15:10 | Notification sent to national CSIRT | Ana | Ticket #INC-2023-04|

3. Root Cause
- Exploited vulnerability: [e.g., "Admin account with weak password (Password123)"].
- Attack vector: [e.g., "Phishing: employee clicked malicious link"].
- Process failure: [e.g., "No MFA on privileged accounts"].

4. Corrective Actions
| Action | Owner | Deadline | Status | |---------------------------------------------|-------------|------------|------------| | Implement MFA on all admin accounts | Luis | 7 days | Pending | | Phishing training for employees | HR | 14 days | Pending | | Update Wazuh rules for Mimikatz detection | Ana | 3 days | Completed |

The post-mortem must be reviewed by company leadership and shared with the national CSIRT if the incident involved personal data. In Mexico, the Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP) requires notification to INAI in cases of security breaches. The above template meets documentation requirements for such notifications.

Communicating with the National CSIRT: What to Say and What Not to Say

National CSIRTs (e.g., CSIRT-MX in Mexico, CSIRT-COL in Colombia) are allies, not auditors. Their goal is to help contain the incident and prevent similar attacks on other companies. What to include in the initial report (within the first 2 hours):

• Incident type (ransomware, phishing, data breach, etc.).
• Involved IPs/domains (if known).
• Detected malware tools (e.g., LockBit, QakBot).
• Initial impact (e.g., "5 encrypted servers, customer data unaffected").
• Actions taken so far (e.g., "Servers isolated, evidence collected").

What not to include in the initial report:

• Speculation about the attacker ("we believe it was a disgruntled employee").
• Unverified technical details ("the attack came from Russia").
• Confidential company information (e.g., client names, contracts).

Example initial report to CSIRT-MX (via email or web form):

Subject: Incident Report - LockBit Ransomware - [Company Name]

Dear CSIRT-MX Team,

We are reporting a security incident at [Company Name] that occurred on [date] at [time]. Details:

• Incident type: Ransomware (LockBit 3.0).
• Involved IPs: 192.168.1.100 (compromised server), 185.143.223.43 (suspected C2).
• Impact: 3 encrypted servers. Customer data not compromised.
• Actions taken: Servers isolated from the network, evidence collected with Velociraptor.

We have attached initial logs and are available to coordinate further actions.

Sincerely,
[Name]
[Position]
[Contact Phone]

The CSIRT may request additional information, such as malware samples or full logs. CyberShield’s data shows that SMEs collaborating with national CSIRTs contain incidents 40% faster, thanks to shared threat intelligence.

Client Notification: Template Compliant with Latin American Regulations

If the incident involved personal data, client notification is mandatory in most Latin American countries. The template must be clear, empathetic, and compliant with legal requirements. Example for Mexico (LFPDPPP):

Subject: Security Incident Notification - [Company Name]

Dear [Client Name],

At [Company Name], we take the security of your data very seriously. We regret to inform you that on [date], we detected a security incident that may have affected the confidentiality of some of your personal data stored in our systems.

What happened?
On [date] at [time], we detected unauthorized access to one of our servers. We immediately activated our incident response protocol and isolated the affected system. We have worked with cybersecurity experts to contain the incident and are collaborating with the relevant authorities.

What data may have been affected?
According to our investigation, the data that may have been compromised includes: [e.g., "name, email address, and phone number"]. We want to clarify that [e.g., "financial data such as credit card numbers or passwords were not affected"].

What are we doing?
We have taken the following measures to protect your data and prevent future incidents:

• Contained the incident and eliminated unauthorized access.
• Strengthened our security controls, including [e.g., "multi-factor authentication on all administrative accounts"].
• Are collaborating with INAI and CSIRT-MX to investigate the incident.

What can you do?
We recommend:

• Be alert to suspicious communications that may use your personal data.
• Change your passwords on other services if you use the same password as with [Company Name].
• Report any suspicious activity to [support email].

We understand the concern this type of situation may cause and sincerely regret any inconvenience. For any questions, please contact us at [phone] or [support email].

Sincerely,
[CEO or Responsible Party Name]
[Company Name]

Key regulations in Latin America requiring client notification:

• Mexico: Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP). Deadline: without undue delay.
• Colombia: Law 1581 of 2012. Deadline: 15 business days from detection.
• Chile: Law 19.628 on Protection of Private Life. Deadline: without delay.
• Argentina: Personal Data Protection Law 25.326. Deadline: 72 hours from detection.
• Brazil: General Data Protection Law (LGPD). Deadline: without delay.

Failure to comply with these notifications can result in fines of up to 4% of the company’s annual revenue (LGPD in Brazil) or criminal penalties (Law 1581 in Colombia).

At CyberShield, we provide 24/7 cybersecurity for Latin American SMEs using our own stack: multi-OS endpoint agent, real-time CVE monitoring, and 24/7 response. We’ve seen that companies implementing these processes not only respond faster to incidents but also reduce their exposure to regulatory fines. Preparation isn’t an expense—it’s insurance against business disruption.

Incident response for small teams isn’t about having more tools, but about having clear processes and trained people to execute them. A one-page playbook, well-configured open-source tools, and proactive communication with authorities and clients can make the difference between an incident contained in hours and a crisis that threatens business continuity. The next time a security alert sounds, the clock will start ticking. The question is: will your team be ready to act, or to improvise?

Sources

1. NIST Special Publication 800-61 Revision 2 (2012) — Computer Security Incident Handling Guide. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
2. ENISA (2018) — Good Practice Guide for Incident Management. https://www.enisa.europa.eu/publications/good-practice-guide-for-incident-management
3. CSIRT-MX (2023) — Guide for Reporting Security Incidents. https://www.gob.mx/cms/uploads/attachment/file/548932/Guia_Notificacion_Incidentes_Seguridad.pdf
4. INAI (2021) — Guide for Reporting Security Breaches. https://home.inai.org.mx/wp-content/uploads/2021/03/Guia-Notificacion-Brechas-Seguridad.pdf
5. CyberShield System (2023) — Annual Report on SME Incidents in Latin America. Internal data from 124 incidents responded to in 2022-2023. https://cybershieldsystem.site
6. Cichonski, P. et al. (2012) — Computer Security Incident Handling Guide. NIST Special Publication 800-61 Revision 2. https://doi.org/10.6028/NIST.SP.800-61r2
7. ENISA (2022) — Threat Landscape for Ransomware Attacks. https://www.enisa.europa.eu/publications/enisa-threat-landscape-for-ransomware-attacks
8. Public case: Attack on Mexican logistics SME (2022). Source: Internal company statement (documented in CyberShield report).
9. Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP), Mexico. https://www.diputados.gob.mx/LeyesBiblio/pdf/LFPDPPP.pdf
10. General Data Protection Law (LGPD), Brazil. http://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/L13709.htm