Incident Response Runbook Project

Introduction

This project simulates a real-world phishing attack within a live Google Workspace environment to demonstrate a structured, multi-phased incident response. The runbook covers the entire incident lifecycle, showcasing the practical application of Google's native security tools and GAM for advanced investigation.

Problem Statement

When a phishing attack occurs, speed and accuracy are critical. Without a formal runbook, responses can be chaotic, leading to greater impact. This project addresses the need for a systematic, documented, and efficient process for handling phishing incidents in a modern cloud environment.

Key Objectives

  • Develop a structured, step-by-step incident response runbook.
  • Utilize native Google Workspace security tools for investigation and analysis.
  • Leverage GAM for advanced, command-line based investigation tasks.
  • Execute a formal post-incident review to document lessons learned.

Project Analysis

The response is broken down into logical phases, reflecting industry-standard IR frameworks. The initial triage involves validating the threat by analyzing email headers, searching logs to determine the blast radius, and checking the security posture of the affected user's account, including 2FA status.
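The header analysis step of the initial triage can be made repeatable. The script below is an added example (not part of the project's runbook) that parses a raw message, reads the SPF/DKIM/DMARC verdicts from the Authentication-Results header, and flags the usual phishing tells: a Return-Path or Reply-To domain that does not match the From domain, and failed authentication. The sample message is constructed for the example; the receiving host and IP addresses in it are placeholders.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample headers of a suspicious message (not from the project).
# The domains and IP use reserved/placeholder values.
SAMPLE_RAW = """Return-Path: <bounce@mail-example.invalid>
Received: from mail-example.invalid (mail-example.invalid [203.0.113.10])
        by mx.example.com with ESMTPS id abc123
        for <victim@example.com>; Mon, 01 Jan 2024 09:00:00 +0000
Authentication-Results: mx.example.com;
       spf=fail smtp.mailfrom=mail-example.invalid;
       dkim=none;
       dmarc=fail header.from=example.com
From: "IT Helpdesk" <helpdesk@example.com>
Reply-To: helpdesk-reset@mail-example.invalid
To: victim@example.com
Subject: Action required: password expires today
Message-ID: <20240101090000.1234@mail-example.invalid>
Date: Mon, 01 Jan 2024 09:00:00 +0000

Click here to keep your account.
"""


def parse_auth_results(value):
    """Extract spf/dkim/dmarc verdicts from an Authentication-Results header."""
    verdicts = {}
    for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", value or ""):
        verdicts[m.group(1)] = m.group(2).lower()
    return verdicts


def domain_of(addr):
    """Lower-cased domain part of an address, or '' when none is present."""
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()


def originating_ip(received_headers):
    """IP in the earliest Received hop (the last header in the list)."""
    for hop in reversed(received_headers):
        m = re.search(r"\[(\d+\.\d+\.\d+\.\d+)\]", str(hop))
        if m:
            return m.group(1)
    return None


def triage_headers(raw):
    """Return the facts a responder needs to validate a reported phish."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    auth = parse_auth_results(msg.get("Authentication-Results"))
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech, "missing") != "pass":
            findings.append(f"{mech}={auth.get(mech, 'missing')}")

    from_dom = domain_of(msg.get("From", ""))
    rp_dom = domain_of(msg.get("Return-Path", ""))
    if rp_dom and rp_dom != from_dom:
        findings.append(f"return-path domain {rp_dom} != from domain {from_dom}")
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} != from domain {from_dom}")

    return {
        "message_id": str(msg.get("Message-ID", "")).strip(),
        "from_domain": from_dom,
        "origin_ip": originating_ip(msg.get_all("Received", [])),
        "findings": findings,
        "verdict": "suspicious" if findings else "no header anomalies",
    }


if __name__ == "__main__":
    result = triage_headers(SAMPLE_RAW)
    print(result["verdict"], result["origin_ip"])
    for f in result["findings"]:
        print(" -", f)
```

The Message-ID and originating IP it extracts are the pivots for the next step: the Message-ID drives the domain-wide search for other copies, and the IP is what you look for in login audit events when checking whether the recipient's account was subsequently accessed.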

Design Details: Investigation Tools

  • Google Workspace Admin Console: Used for visually inspecting user security settings, reviewing OAuth applications, searching email logs, and investigating user login activity.
  • GAM (Google Apps Manager): Leveraged for performing a domain-wide search for the phishing email, a task demonstrating advanced administrative capability.

Containment & Remediation

The project demonstrates a clear understanding of containment strategies. The primary goal is to remove the threat, which involves deleting the phishing emails from all affected inboxes. A critical real-world element is highlighted: the `gam-error-log.txt` shows that organizational policies can prevent certain automated actions, forcing a pivot to manual deletion through the Admin Console's security investigation tool.
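The blast-radius search from the triage phase and the containment pivot described above fit together in one small workflow. The following is an added example, not the project's own code or GAM's: it reads an email-log export (the CSV column names are an assumption, not the exact export format), lists every recipient of the phishing message, builds a Gmail search query on the Message-IDs (`rfc822msgid:` is standard Gmail search syntax and is the kind of query a GAM `delete messages` run would take; check the exact command shape against your GAM version), and then splits users into those cleaned automatically and those that must be handled manually when policy blocks the automated action, mirroring what the error log forced in the project.

```python
import csv
import io
from datetime import datetime

# Constructed sample resembling an email log search export (not project data).
# Column names are assumed for the example.
SAMPLE_LOG_CSV = """date,sender,recipient,subject,message_id
2024-01-01T09:00:12Z,helpdesk@example.com,alice@example.com,Action required: password expires today,<20240101090000.1234@mail-example.invalid>
2024-01-01T09:00:14Z,helpdesk@example.com,bob@example.com,Action required: password expires today,<20240101090000.1235@mail-example.invalid>
2024-01-01T09:00:15Z,helpdesk@example.com,carol@example.com,Action required: password expires today,<20240101090000.1236@mail-example.invalid>
2024-01-01T10:30:00Z,payroll@example.com,bob@example.com,January payslip,<legit-1@example.com>
"""


def blast_radius(csv_text, sender, subject):
    """Recipients, Message-IDs and time window for one phishing campaign."""
    recipients, message_ids, times = set(), set(), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["sender"].lower() == sender.lower() and row["subject"] == subject:
            recipients.add(row["recipient"].lower())
            message_ids.add(row["message_id"].strip())
            times.append(datetime.strptime(row["date"], "%Y-%m-%dT%H:%M:%SZ"))
    return {
        "recipients": sorted(recipients),
        "message_ids": sorted(message_ids),
        "first_seen": min(times) if times else None,
        "last_seen": max(times) if times else None,
    }


def gmail_query(message_ids):
    """Gmail search query matching any of the given Message-ID headers.

    rfc822msgid: is Gmail search syntax; the angle brackets are not part of
    the searchable value, so they are stripped.
    """
    terms = [f"rfc822msgid:{mid.strip('<>')}" for mid in message_ids]
    return "(" + " OR ".join(terms) + ")"


def removal_plan(recipients, automated_results):
    """Split recipients by the outcome of the automated removal.

    automated_results maps user -> exit status of the automated delete
    (0 = removed). A user with no result or a non-zero status goes to the
    manual list, which is what the policy-blocked GAM run forces.
    """
    done, manual = [], []
    for user in recipients:
        (done if automated_results.get(user, 1) == 0 else manual).append(user)
    return {"automated": done, "manual": manual}


if __name__ == "__main__":
    scope = blast_radius(SAMPLE_LOG_CSV, "helpdesk@example.com",
                         "Action required: password expires today")
    print("affected users:", scope["recipients"])
    print("query:", gmail_query(scope["message_ids"]))
    # Simulated outcome: the automated delete failed for one user (assumed).
    outcome = {"alice@example.com": 0, "bob@example.com": 0, "carol@example.com": 1}
    print(removal_plan(scope["recipients"], outcome))
```

Recording the per-user outcome rather than a single success flag is the point: the manual list becomes the evidence that every affected inbox was actually cleaned, which the post-incident timeline needs.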

Account Compromise Workflow

If an account is believed to be compromised, the runbook correctly prioritizes immediate remediation steps: password reset, revoking all active sessions, and auditing OAuth app access.

Post-Incident Review & Lessons Learned

A formal post-incident review was created, including a timeline of events and a summary of actions taken. The review identified actionable improvement points, such as enforcing stricter 2FA for high-risk departments and enhancing user training, which are key outcomes of any mature IR process. The attempt to use GAM for automated deletion also provided a critical insight into how organizational policies can impact IR workflows.

Conclusion

This project provides a robust and realistic demonstration of managing a phishing attack in a Google Workspace environment. It showcases a clear, systematic approach that combines technical investigation skills with formal documentation and communication, reflecting a mature, security-conscious mindset focused on continuous improvement.