Tag
#incident-response
6 posts tagged #incident-response.
-
Analysis · Jul 8, 2026 · Colten Anderson
Your incident runbook is stored inside the system that just went down
Wikis, IR plans, and recovery steps usually live on the same infrastructure, identity provider, and cloud region that go dark during an incident. A runbook you cannot reach mid-incident is a bet, not a plan. Keep the critical ones out of band.
-
Field Note · Jun 30, 2026 · Colten Anderson
The Security Update Broke Production: A Rollback Runbook
A step-by-step runbook for when a security patch takes down production: pause the rollout, scope the damage, decide roll-back vs fix-forward, and keep the rolled-back host from becoming a silent unpatched asset.
-
Analysis · May 20, 2026 · Colten Anderson
CitrixBleed: the patch closed the leak but left the stolen keys working
CVE-2023-4966 leaked post-MFA session tokens from NetScaler. Organizations that patched and stopped there got breached anyway, because a stolen token still worked after the update. The action that mattered was killing every active session, and a lot of victims skipped it.
-
Field Note · May 20, 2026 · Colten Anderson
FortiClient EMS CVE-2023-48788: a SQL injection that talks the database into running SYSTEM commands
When a product runs on Microsoft SQL Server, a SQL injection is rarely just a data leak. The attacker turns on xp_cmdshell from inside the injection and gets OS command execution. On FortiClient EMS that's unauthenticated, as SYSTEM. Here's how to check, patch, and detect it.
-
Field Note · May 20, 2026 · Colten Anderson
Jenkins CVE-2024-23897: from 'limited file read' to your secret key
The KEV entry calls it 'limited read access to certain files.' On a Jenkins controller, the files include the cryptographic key that turns read into remote code execution. Here's how to check, patch, and what to rotate if you were exposed.
-
Field Note · May 15, 2026 · Colten Anderson
Recovering from a bad Intune deployment without making it worse
Stop the spread, unwind the damage, verify it took. A failure-mode-to-action playbook for when a config profile, app push, or CA policy goes sideways.