**Purpose**: Respond to security breaches, DDoS attacks, and unauthorized access attempts.
Detects and contains security breaches, DDoS attacks, and unauthorized access. Provides immediate response protocols with diagnostic commands and mitigation steps for critical incidents.
IMPORTANT: For security incidents, the SRE Agent collaborates with the security-agent skill.
Immediate Actions (First 5 minutes):
DO NOT:
Symptoms:
Diagnosis:
```bash
# Check connections by IP
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head -20

# Check HTTP requests by IP (nginx)
awk '{print $1}' /var/log/nginx/access.log | sort | uniq -c | sort -nr | head -20

# Check requests per second
tail -f /var/log/nginx/access.log | awk '{print $4}' | uniq -c
```
Red flags:
```bash
# 1. Rate limiting (nginx)
# Add to nginx.conf: limit_req_zone belongs in the http {} block,
# limit_req in the server {} or location {} block being protected.
limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
limit_req zone=one burst=20 nodelay;

# 2. Block suspicious IPs (iptables)
# -I inserts at the top of the chain, so the DROP is evaluated before any existing ACCEPT rule
iptables -I INPUT -s <ATTACKER_IP> -j DROP

# 3. Enable DDoS protection (CloudFlare, AWS Shield)
# CloudFlare: Enable "I'm Under Attack" mode
# AWS: Enable AWS Shield Standard/Advanced

# 4. Increase capacity (auto-scaling)
# Scale up to handle traffic (if legitimate)
```
Symptoms:
Diagnosis:
```bash
# Check authentication logs (Linux)
grep "Failed password" /var/log/auth.log | tail -50

# Check successful logins
grep "Accepted password" /var/log/auth.log | tail -50

# Check login attempts by IP
awk '/Failed password/ {print $(NF-3)}' /var/log/auth.log | sort | uniq -c | sort -nr
```
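The commands above list failures and successes separately; the case that matters most is a run of failures from one IP followed by a success from that same IP. The script below is an added example, not part of the original runbook: the function names and the sample log lines are constructed for illustration, and it assumes the standard sshd message format used by the one-liner above.

```bash
#!/usr/bin/env bash
# Added example: flag source IPs with >= THRESHOLD failed SSH logins that are
# later followed by a successful login from the same IP.

# Constructed sample lines in sshd auth.log format (documentation IP ranges).
sample_auth_log() {
cat <<'EOF'
Jan 10 03:12:01 web1 sshd[4101]: Failed password for root from 203.0.113.7 port 51122 ssh2
Jan 10 03:12:03 web1 sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51124 ssh2
Jan 10 03:12:05 web1 sshd[4103]: Failed password for deploy from 203.0.113.7 port 51130 ssh2
Jan 10 03:12:09 web1 sshd[4107]: Accepted password for deploy from 203.0.113.7 port 51140 ssh2
Jan 10 08:30:44 web1 sshd[5200]: Failed password for alice from 198.51.100.20 port 40022 ssh2
Jan 10 08:30:52 web1 sshd[5200]: Accepted password for alice from 198.51.100.20 port 40022 ssh2
Jan 10 09:01:10 web1 sshd[5301]: Failed password for root from 192.0.2.55 port 33001 ssh2
Jan 10 09:01:12 web1 sshd[5301]: Failed password for root from 192.0.2.55 port 33002 ssh2
Jan 10 09:01:14 web1 sshd[5301]: Failed password for root from 192.0.2.55 port 33003 ssh2
EOF
}

# Usage: failed_then_accepted <threshold> < auth.log
# Prints "<ip> <user> <failures_before_success>" for each suspicious login.
failed_then_accepted() {
  awk -v min="$1" '
    # The source IP is the 4th field from the end of these sshd lines,
    # the same position the runbook one-liner uses.
    /sshd.*Failed password/   { fails[$(NF-3)]++ }
    /sshd.*Accepted password/ {
      ip = $(NF-3); user = $(NF-5)
      if (fails[ip] >= min) print ip, user, fails[ip]
      fails[ip] = 0            # start counting again after a success
    }'
}

sample_auth_log | failed_then_accepted 3
```

A single mistyped password followed by a success (198.51.100.20 in the sample) stays below the threshold, and a failure run with no success (192.0.2.55) is left to the per-IP count above.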
Red flags:
```bash
# 1. ISOLATE: Disable compromised account
# Application-level (SQL, run against the application database):
UPDATE users SET disabled = true WHERE id = <COMPROMISED_USER_ID>;
# System-level:
passwd -l <username>  # Lock account (locks the password only; SSH key logins still work)

# 2. PRESERVE: Copy logs for forensics
mkdir -p /forensics
# -p keeps the original timestamps on the copies
cp -p /var/log/auth.log /forensics/auth.log.$(date +%Y%m%d)
cp -p /var/log/nginx/access.log /forensics/access.log.$(date +%Y%m%d)

# 3. ASSESS: Check what was accessed
# Database audit logs
# Application logs
# File access logs

# 4. NOTIFY: Alert security team
# Email, Slack, PagerDuty

# 5. DOCUMENT: Create incident timeline
```
Symptoms:
Diagnosis:
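```bash
# Look for SQL injection patterns
grep -E "(SELECT|INSERT|UPDATE|DELETE).*FROM.*WHERE" /var/log/application.log

# Look for SQL errors
grep "SQLException\|SQL syntax" /var/log/application.log

# Check for malicious patterns
# Quotes and dashes are left unescaped: in GNU grep \' is an end-of-buffer anchor, not a literal quote.
# -i also matches lowercase keywords. Percent-encoded requests appear as %27 / %20 and need decoding first.
grep -iE "('\s*OR\s*'|--|UNION\s+SELECT)" /var/log/nginx/access.log
```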
Example Malicious Request:
```
GET /api/users?id=1' OR '1'='1
GET /api/users?id=1; DROP TABLE users;--
```
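In access logs these requests usually appear percent-encoded, so a pattern that looks for a literal quote or space can miss them. The script below is an added example, not part of the original runbook: it decodes the request target before applying the same three patterns, and its function names and sample log lines are constructed for illustration (nginx "combined" log format assumed).

```bash
#!/usr/bin/env bash
# Added example: URL-decode the request target before matching, so encoded
# payloads (%27 for a quote, %20 or + for a space) are caught as well.

# Constructed nginx "combined" log lines (documentation IP ranges). The first
# two carry the example requests above in percent-encoded form.
sample_access_log() {
cat <<'EOF'
203.0.113.7 - - [10/Jan/2025:03:12:01 +0000] "GET /api/users?id=1%27%20OR%20%271%27=%271 HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.7 - - [10/Jan/2025:03:12:04 +0000] "GET /api/users?id=1;%20DROP%20TABLE%20users;-- HTTP/1.1" 500 312 "-" "curl/8.0"
198.51.100.20 - - [10/Jan/2025:03:12:05 +0000] "GET /api/users?id=42 HTTP/1.1" 200 230 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Jan/2025:03:12:09 +0000] "GET /search?q=union+station+select+seats HTTP/1.1" 200 900 "-" "Mozilla/5.0"
EOF
}

# Usage: sqli_hits < access.log
# Prints "<client_ip> <status> <decoded_target>" for each suspicious request.
sqli_hits() {
  awk '
    function urldecode(s,    out, i, c, hi, lo) {
      gsub(/\+/, " ", s)
      out = ""
      for (i = 1; i <= length(s); i++) {
        c = substr(s, i, 1)
        if (c == "%" && substr(s, i + 1, 2) ~ /^[0-9A-Fa-f][0-9A-Fa-f]$/) {
          hi = index(HEX, toupper(substr(s, i + 1, 1))) - 1
          lo = index(HEX, toupper(substr(s, i + 2, 1))) - 1
          c = sprintf("%c", hi * 16 + lo)
          i += 2
        }
        out = out c
      }
      return out
    }
    BEGIN {
      HEX = "0123456789ABCDEF"
      q = sprintf("%c", 39)    # a single quote, built here to avoid shell quoting
      pat = q "[ \t]*or[ \t]*" q "|--|union[ \t]+select"
    }
    {
      # $7 is the request target and $9 the status in the combined format.
      target = tolower(urldecode($7))
      if (target ~ pat) print $1, $9, target
    }'
}

sample_access_log | sqli_hits
```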
```bash
# 1. Block attacker IP
# -I inserts at the top of the chain, so the DROP is evaluated before any existing ACCEPT rule
iptables -I INPUT -s <ATTACKER_IP> -j DROP

# 2. Enable WAF rule (ModSecurity, AWS WAF)
# Block requests with SQL keywords

# 3. Check database for unauthorized changes
# Compare current schema with backup
# Check audit logs for suspicious queries

# 4. Review application code
# Use parameterized queries, not string concatenation
```
Long-term Fix:
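```javascript
// BAD: SQL injection vulnerable (user input is concatenated into the SQL text)
const unsafeQuery = `SELECT * FROM users WHERE id = ${req.query.id}`;

// GOOD: Parameterized query (the value is passed separately from the SQL text)
const safeQuery = 'SELECT * FROM users WHERE id = ?';
db.query(safeQuery, [req.query.id]);
```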
Symptoms:
Diagnosis:
```bash
# Check CPU usage by process
top -bn1 | head -20

# Check all processes
ps aux | sort -nrk 3,3 | head -20

# Check for suspicious processes
ps aux | grep -v -E "^(root|www-data|mysql|postgres)"

# Check network connections
netstat -tunap | grep ESTABLISHED
```
Red flags:
```bash
# 1. Kill malicious process
kill -9 <PID>

# 2. Find and remove malware
find / -name "<PROCESS_NAME>" -delete

# 3. Check for persistence mechanisms
crontab -l                  # Cron jobs
cat /etc/rc.local           # Startup scripts
systemctl list-unit-files   # Systemd services

# 4. Change all credentials
# Root password
# SSH keys
# Database passwords
# API keys

# 5. Restore from clean backup (if available)
```
Symptoms:
Diagnosis:
```bash
# Check database queries (large exports)
grep "SELECT.*FROM" /var/log/postgresql/postgresql.log | grep -E "LIMIT\s+[0-9]{5,}"

# Check file downloads (nginx)
awk '$10 > 10000000 {print $1, $7, $10}' /var/log/nginx/access.log

# Check SSH file transfers
grep "sftp\|scp" /var/log/auth.log
```
Red flags:
```bash
# 1. Disable account (SQL, run against the application database)
UPDATE users SET disabled = true WHERE id = <USER_ID>;

# 2. Preserve evidence
# -a recurses and keeps timestamps; a plain "cp /var/log/*" skips subdirectories such as /var/log/nginx
mkdir -p /forensics
cp -a /var/log/. /forensics/

# 3. Assess damage
# What data was accessed?
# What data was exported?
# What systems were compromised?

# 4. Legal/compliance notification
# GDPR: Notify within 72 hours
# HIPAA: Notify within 60 days
# PCI-DSS: Immediate notification

# 5. Incident report
```
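The "preserve" steps in this runbook copy logs into /forensics; a copy is far more useful as evidence when it is hashed at collection time. The script below is an added example, not part of the original runbook: the function names, directory layout and manifest file name are assumptions, the demo files are constructed, and it relies on GNU coreutils (`cp -a`, `sha256sum`).

```bash
#!/usr/bin/env bash
# Added example: copy a log tree into a timestamped evidence directory and
# record SHA-256 hashes so that any later change to the copy is detectable.

# Usage: preserve_logs <source_dir> <evidence_root>
# Prints the evidence directory it created.
preserve_logs() {
  src=$1
  dest="$2/$(uname -n)-$(date -u +%Y%m%dT%H%M%SZ)"
  mkdir -p "$dest/logs" || return 1
  # -a recurses into subdirectories (nginx/, postgresql/) and keeps mtimes.
  cp -a "$src/." "$dest/logs/" || return 1
  # Manifest paths are relative to the evidence directory so it can be moved.
  ( cd "$dest" && find logs -type f -exec sha256sum {} + > MANIFEST.sha256 ) || return 1
  printf '%s\n' "$dest"
}

# Usage: verify_evidence <evidence_dir>
# Returns non-zero if a preserved file no longer matches the manifest.
verify_evidence() {
  ( cd "$1" && sha256sum --quiet -c MANIFEST.sha256 )
}

# Demo on constructed files in a temporary directory (not real logs).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/var_log/nginx"
echo 'constructed sshd line' > "$demo_root/var_log/auth.log"
echo 'constructed request line' > "$demo_root/var_log/nginx/access.log"
evidence=$(preserve_logs "$demo_root/var_log" "$demo_root/forensics")
verify_evidence "$evidence" && echo "manifest verified: $evidence"
```

Store a copy of the manifest, or its own hash, somewhere the investigated host cannot write to, since a manifest kept only beside the evidence can be regenerated by whoever alters the files.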
When a security incident is detected:
SRE Agent Role:
Security Agent Role (handoff):
Handoff Protocol:
```
SRE: Detects security incident → Immediate containment
SRE: Preserves evidence → Creates incident report
SRE: Hands off to Security Agent
Security Agent: Forensic analysis → Legal compliance → Long-term fixes
SRE: Implements security fixes → Updates runbook
```
Detection Time:
Response Time:
False Positives:
security-agent skill - Full security expertise (handoff for forensics)

For SRE Agent:

security-agent for forensic analysis

Legal Compliance:
Evidence Preservation: