Computer NetworksDefense Strategies

Network Defense Strategies

LevelAdvanced

Duration120 mins

TopicDefense Strategies

4 / 5

Incident Response: Structured Processes for Security Events

When Detection Becomes Action

At 2:47 AM, your SIEM generates an alert: a privileged administrator account just authenticated from an IP address in a country where you have no operations. What happens next—in the next minutes, hours, and days—determines whether this becomes a footnote in a weekly report or a front-page breach.

Incident Response (IR) is the disciplined process of identifying, containing, eradicating, and recovering from security incidents. It transforms detection into action, ensuring that when threats are identified, organizations respond effectively rather than chaotically.

Without structured incident response:

Attacks continue while teams argue about who's responsible
Evidence is destroyed through well-intentioned but uninformed actions
Containment is incomplete, allowing re-compromise
Lessons aren't learned, and similar incidents recur
Legal and regulatory obligations are missed

With mature incident response:

Roles and responsibilities are clear; action begins immediately
Evidence is preserved for investigation and potential legal action
Containment is methodical and verified
Root cause is identified and addressed
Organization emerges stronger, with improved defenses

This page covers the complete incident response lifecycle—from preparation through lessons learned—providing the framework for effective security operations.

What You Will Learn

By the end of this page, you will understand incident classification and severity, the NIST and SANS incident response frameworks, team structures and roles, investigative techniques, containment and eradication strategies, recovery procedures, and post-incident analysis. You'll be equipped to develop, evaluate, and execute incident response programs.

Incident Classification and Severity

Not all security events are incidents, and not all incidents require the same response. Clear classification enables appropriate resource allocation and response urgency.

Event vs. Incident

Security Event: Any observable occurrence in a system or network—a login, a firewall rule trigger, an antivirus detection. Events are routine; organizations generate millions daily.

Security Incident: An event or series of events that violates security policies, acceptable use policies, or standard security practices. Incidents require investigation and response.

Examples:

Event (Not Incident)	Incident
Failed login attempt	Successful login after 100 failed attempts
Antivirus blocking known malware	Malware executing before detection
Firewall denying external scan	Firewall rule changed without authorization
User visiting suspicious URL	User credentials phished and used

Incident Categories

Malware:

Ransomware, trojans, worms, viruses
Cryptocurrency miners, backdoors
Response: Contain, eradicate, recover

Unauthorized Access:

Compromised credentials
Privilege escalation
Unauthorized data access
Response: Contain, investigate scope, reset credentials

Denial of Service:

Volumetric attacks
Application-layer attacks
System resource exhaustion
Response: Mitigate, maintain availability

Insider Threat:

Malicious insider activity
Policy violations
Data theft
Response: Coordinate with HR/Legal, contain, investigate

Data Breach:

Confirmed data exfiltration
Exposed databases or storage
Lost/stolen devices with data
Response: Contain, assess scope, notify as required

Incident Severity Levels
Severity	Definition	Examples	Response Time	Escalation
Critical (P1)	Active, widespread impact on critical systems or data	Active ransomware, confirmed data breach, widespread outage	Immediate (24/7)	CISO, Legal, Executive team
High (P2)	Potential significant impact, contained but active threat	Compromised privileged account, targeted attack in progress	< 1 hour (business hours), < 4 hours (off-hours)	Security management
Medium (P3)	Limited impact, threat contained or potential threat	Malware on isolated system, policy violation, attempted attack	< 4 hours (business hours)	Security team lead
Low (P4)	Minimal impact, informational	Failed attacks, minor policy violations, suspicious activity	Next business day	Analyst handling

Severity Determination Factors

Impact Assessment:

Data sensitivity: PII, financial data, intellectual property, public data
System criticality: Revenue-generating, safety-critical, supporting systems
Scope: Single host, department, enterprise-wide
Operational impact: System availability, business process interruption
Legal/regulatory: Notification requirements, compliance violations

Threat Assessment:

Actor sophistication: Script kiddie vs. APT
Active vs. contained: Ongoing attack vs. contained incident
Persistence: Point-in-time vs. established foothold
Intent: Opportunistic vs. targeted

Triage Process

Initial detection: Alert received from monitoring system
Validation: Is this a real incident or false positive?
Classification: What category of incident?
Severity assessment: What's the potential/actual impact?
Assignment: Who will handle this incident?
Initial notification: Who needs to know now?

Severity Can Change

Initial severity assessment is based on available information. As investigation progresses, severity may increase (malware on one host was actually on fifty) or decrease (suspicious access was actually authorized maintenance). Build processes that allow severity changes and appropriate escalation when scope expands.

Incident Response Frameworks: NIST and SANS

Two frameworks dominate incident response practice: NIST SP 800-61 and SANS Incident Handling. Both describe similar processes with slightly different phase definitions.

NIST SP 800-61 Phases

1. Preparation: Everything done before an incident to enable effective response:

Incident response plan documented and approved
IR team identified and trained
Tools and resources ready
Communication channels established
Relationships with stakeholders defined

2. Detection and Analysis: Identifying incidents and understanding them:

Alert triage and validation
Initial scope assessment
Evidence collection
Impact and severity determination
Documentation of findings

3. Containment, Eradication, and Recovery: Stopping the attack and returning to normal:

Short-term containment (limit immediate damage)
Evidence preservation
Long-term containment (prepare for eradication)
Remove attack artifacts and access
Restore systems to production
Verify successful recovery

4. Post-Incident Activity: Learning from the incident:

Lessons learned meeting
Root cause analysis
Process improvement
Detection rule creation
Report documentation

Converting Mermaid diagram...

SANS 6-Step Process

SANS separates the containment/eradication/recovery phase into distinct steps:

1. Preparation: Same as NIST—readiness activities

2. Identification: Detecting and validating incidents

3. Containment: Limiting the scope of damage:

Short-term: Isolate affected systems
Long-term: Prepare for eradication while maintaining evidence

4. Eradication: Removing the threat:

Remove malware, backdoors, persistence mechanisms
Reset compromised credentials
Patch exploited vulnerabilities

5. Recovery: Returning to normal operations:

Restore from clean backups if needed
Rebuild compromised systems
Return systems to production
Monitor for re-compromise

6. Lessons Learned: Improving for next time:

Timeline reconstruction
Root cause analysis
Process improvement identification
Documentation and reporting

Framework Comparison

Aspect	NIST 800-61	SANS 6-Step
Phases	4	6
Detail Level	High-level guidance	More granular steps
Containment/Eradication/Recovery	Combined	Separate phases
Audience	All organizations	Security practitioners
Prescriptiveness	Flexible	More specific
Documentation	Comprehensive publication	Training-focused

Both frameworks work well; choose based on organizational preference and existing practices.

Framework Adaptation

Frameworks are starting points, not rigid prescriptions. Adapt phases to your organization's structure, risk profile, and existing processes. The value is in having a defined, practiced process—not in strict adherence to any particular model. Document your chosen approach in your incident response plan.

Incident Response Team Structure and Roles

Effective incident response requires a defined team with clear roles. During high-stress incidents, uncertainty about who does what creates delays and dropped balls.

Core IR Team Roles

Incident Commander (IC):

Overall incident leadership and coordination
Decision authority during incident
Stakeholder communication
Resource allocation
Escalation decisions

Technical Lead:

Technical investigation leadership
Analysis coordination
Technical decision authority
Tool and technique selection

Analysts/Investigators:

Evidence collection and analysis
Malware analysis
Log review
Timeline construction
Technical documentation

Communications Lead:

Internal stakeholder updates
External communications (if needed)
Status reporting
Documentation coordination

Legal Representative:

Legal guidance on response actions
Notification obligations
Evidence preservation for litigation
Law enforcement coordination

HR Representative (if insider-related):

Employee-related decisions
Disciplinary process coordination
Interview procedures

Extended Stakeholders by Incident Type
Stakeholder	When Involved	Role During Incident
Executive Leadership	Critical (P1) incidents	Strategic decisions, external communication approval
Legal/General Counsel	Data breaches, potential litigation	Legal guidance, notification decisions
Public Relations	Public-facing incidents	External communication, media handling
Human Resources	Insider threats, employee involvement	Employee relations, disciplinary coordination
Business Unit Leaders	Business process impact	Business continuity decisions
IT Operations	System containment/recovery	System access, restoration execution
Third-Party Vendors	Vendor products involved	Technical support, forensics assistance
Law Enforcement	Criminal activity, regulatory requirement	Investigation coordination
Cyber Insurance	Significant incidents	Coverage, breach response services

Team Models

Dedicated IR Team:

Full-time incident responders
Rapid response capability
Deep specialization
Expensive; requires sufficient incident volume

Virtual/Hybrid Team:

Primary roles with IR as additional duty
Activated when incidents occur
More common in mid-size organizations
Requires clear activation procedures

Outsourced/Retainer:

External IR firm on retainer
Provides expertise on-demand
Cost-effective for low incident volume
May lack organization-specific knowledge

On-Call and Escalation

On-Call Rotation:

24/7 coverage for critical systems
Clear escalation paths
Contact information always current
Regular rotation to prevent burnout

Escalation Matrix:

Severity	Initial Responder	Escalation (30 min no progress)	Executive Notification
Critical	IR Lead + On-call	CISO immediately	CEO, Legal within 1 hour
High	On-call analyst	IR Lead	Security management
Medium	Scheduled analyst	On-call if complex	Weekly report
Low	Scheduled analyst	Lead if needed	Monthly report

Communication During Incidents

Internal Communication:

Dedicated channel (Slack channel, bridge line)
Regular status updates (hourly for critical)
Clear handoff procedures for shift changes
Executive summary separate from technical details

External Communication:

All external communication through Communications Lead
Pre-approved holding statements
Legal review before public statements
Coordinate with PR for media inquiries

Practice Makes Prepared

An IR team that has never practiced together will struggle during a real incident. Regular tabletop exercises, simulated incidents, and role-playing critical scenarios build muscle memory. During an actual crisis, there's no time to figure out how communication channels work or who has authority for what decision.

Investigation and Forensics Techniques

Investigation seeks to understand what happened, how it happened, what was impacted, and whether the threat is contained. This requires systematic evidence collection and analysis.

Evidence Collection Principles

Order of Volatility: Collect evidence in order of how quickly it may be lost:

CPU registers, cache — Lost immediately on power off
Memory (RAM) — Lost on reboot or power off
Network state — Changes constantly
Running processes — May terminate
Disk contents — Persistent but may be overwritten
Remote logs — Persistent, may age out
Archival media — Most persistent

Chain of Custody:

Document every transfer of evidence
Who collected it, when, how
Hash values for integrity verification
Secure storage with access logging
Essential for legal proceedings

Evidence Preservation:

Create forensic images, don't analyze originals
Write-blocking during acquisition
Document acquisition process
Store securely with access controls

Memory Forensics

Memory analysis reveals running processes, network connections, and malware that may not persist on disk.

What Memory Reveals:

Running processes and command lines
Loaded DLLs and injected code
Network connections
Registry keys accessed
Decrypted data (malware in memory is unencrypted)
User credentials

Memory Acquisition:

Tools: WinPmem, LiME, Comae
Must be done on live system (volatile evidence)
May impact system performance
Large files (full RAM size)

forensic-investigation-commands
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
# Windows Forensic Triage - Quick Assessment Commands
# Run these to gather initial evidence before imaging
 
# ===== SYSTEM INFORMATION =====
# Basic system info
systeminfo | Out-File -FilePath C:\IR\systeminfo.txt
 
# Current user and privileges
whoami /all | Out-File -FilePath C:\IR\whoami.txt
 
# ===== NETWORK INFORMATION =====
# Current network connections
Get-NetTCPConnection | Where-Object {$_.State -eq "Established"} |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, 
                  OwningProcess, @{n='ProcessName';e={(Get-Process -Id $_.OwningProcess).ProcessName}} |
    Export-Csv -Path C:\IR
etwork_connections.csv
 
# DNS cache (recently resolved domains)
Get-DnsClientCache | Export-Csv -Path C:\IR\dns_cache.csv
 
# ARP cache (local network discovery)
Get-NetNeighbor | Export-Csv -Path C:\IR\arp_cache.csv
 
# ===== PROCESS INFORMATION =====
# Running processes with command lines
Get-WmiObject Win32_Process | 
    Select-Object ProcessId, Name, CommandLine, ParentProcessId, 
                  CreationDate, ExecutablePath |
    Export-Csv -Path C:\IR\processes.csv
 
# Services (persistence mechanism)
Get-Service | Select-Object Name, DisplayName, Status, StartType |
    Export-Csv -Path C:\IR\services.csv
 
# ===== PERSISTENCE MECHANISMS =====
# Scheduled tasks
Get-ScheduledTask | Where-Object {$_.State -ne "Disabled"} |
    Export-Csv -Path C:\IR\scheduled_tasks.csv
 
# Startup items (Run keys)
$runKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        Get-ItemProperty $key | Out-File -Append -FilePath C:\IR\run_keys.txt
    }
}
 
# ===== USER ACTIVITY =====
# Recent PowerShell history (if enabled)
Get-Content (Get-PSReadLineOption).HistorySavePath -ErrorAction SilentlyContinue |
    Out-File -FilePath C:\IR\powershell_history.txt
 
# Recently accessed files
$shell = New-Object -ComObject Shell.Application
$shell.NameSpace('shell:::{22877A6D-37A1-461A-91B0-DBDA5AAEBC99}').Items() |
    Select-Object Name, Path | Export-Csv -Path C:\IR\recent_files.csv
 
# ===== SECURITY EVENTS =====
# Failed logins (last 24 hours)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddDays(-1)} -MaxEvents 100 |
    Export-Csv -Path C:\IR\failed_logins.csv
 
# Successful logins (last 24 hours)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=(Get-Date).AddDays(-1)} -MaxEvents 100 |
    Export-Csv -Path C:\IR\successful_logins.csv
 
Write-Host "Triage collection complete. Review C:\IR\ for results."

Timeline Analysis

Timeline construction sequences events from multiple sources to understand attack progression.

Timeline Data Sources:

File system timestamps (MACB times)
Event logs (Security, System, Application)
Web browser history
Registry modifications
Network logs
Memory artifacts

Timeline Creation:

Collect timestamps from all sources
Normalize to common timezone (UTC)
Merge into single timeline
Identify key events (initial access, lateral movement, exfiltration)
Correlate with external events (alerts, user reports)

Tools:

Plaso/log2timeline: Multi-source timeline creation
Timeline Explorer: Timeline visualization
Elastic Timeline: SIEM-integrated timeline

Indicator Extraction

Extract indicators of compromise (IOCs) for detection and intelligence:

Network Indicators:

IP addresses
Domain names
URLs
JA3/JA3S hashes (TLS fingerprints)

Host Indicators:

File hashes (MD5, SHA1, SHA256)
File paths and names
Registry keys
Service names
Scheduled task names

Behavioral Indicators:

Command line patterns
Process chains
Network behavior patterns

Don't Investigate on Live Production

Forensic analysis on live systems risks contaminating evidence and alerting attackers. After initial triage, work from forensic images and memory dumps. If extended live analysis is needed, preserve volatile evidence first and document any changes your investigation causes.

Containment and Eradication Strategies

Containment stops the bleeding—preventing further damage while investigation continues. Eradication removes the threat completely. Both require careful execution to avoid alerting attackers or causing additional damage.

Containment Objectives

Stop Active Damage:

Halt ongoing data exfiltration
Stop ransomware encryption spread
Prevent lateral movement

Preserve Evidence:

Maintain systems for analysis
Don't destroy forensic artifacts
Enable continued investigation

Maintain Operations:

Minimize business disruption
Keep critical systems running if safe
Enable workarounds for isolated systems

Containment Techniques

Network Isolation:

Complete Isolation:

Physically disconnect from network
Most secure but most disruptive
Use for critical, confirmed compromise

Segmentation:

Firewall rules blocking affected systems
Allows continued monitoring and investigation
May leak if attacker has other footholds

VLAN Quarantine:

Move to isolated VLAN with limited connectivity
Balance between access for investigation and containment
Requires network infrastructure support

Credential Actions:

Reset compromised passwords
Revoke compromised sessions/tokens
Force re-authentication
Consider: May alert attacker if they're monitoring

Endpoint Actions:

EDR isolation (endpoint can't reach network but can be managed)
User logoff
Process termination
Service stopping
Consider: Immediate vs. coordinated action

Containment Strategy Selection
Factor	Aggressive Containment	Measured Containment
Damage Active	Yes - ongoing encryption/exfiltration	No - historical compromise
Scope Known	Unknown - assume worst case	Well-understood, limited
Evidence Preserved	May sacrifice some evidence	Evidence collection priority
Attacker Sophistication	Unsophisticated - won't notice	Sophisticated - may react
Business Impact	Acceptable - safety first	Must minimize disruption
Recovery Ready	Have known-good backups	Need affected systems for recovery

Eradication

Eradication removes all attacker access and artifacts from the environment.

Eradication Actions:

Remove malware: Delete malicious files, quarantine artifacts
Remove persistence: Clear scheduled tasks, services, registry keys, authorized SSH keys
Reset credentials: All potentially compromised accounts, not just confirmed
Patch vulnerabilities: Close the door that let attackers in
Review similar systems: Check for spread to similar configurations

Eradication Challenges:

Incomplete Scope:

Not all compromised systems identified
Attacker left backdoors you didn't find
Solution: Thorough investigation before eradication

Tipping Off Attacker:

Attacker notices you're cleaning up
Creates new backdoors, accelerates damage
Solution: Coordinated, simultaneous action

Missed Persistence:

Complex persistence mechanisms (firmware, hypervisor)
Custom backdoors without known signatures
Solution: Consider rebuild vs. clean

Rebuild vs. Clean

When to Rebuild (Scorched Earth):

High-value/high-sensitivity systems
Advanced persistent threats
Uncertainty about eradication completeness
Systems can be quickly rebuilt

When to Clean (Surgical):

Large number of affected systems
Can't rebuild quickly
Well-understood, simple malware
Confidence in eradication completeness

Recommendation: For critical systems and advanced threats, always prefer rebuild from known-good state.

The Coordinated Strike

For sophisticated adversaries, piece-by-piece containment allows them to notice and respond. Instead, plan containment actions for all systems, then execute simultaneously: 'At 2:00 AM, we will isolate these 47 systems, reset these 200 accounts, and block these 15 external IPs—all at once.' This requires preparation but prevents adversary adaptation.

Recovery and Return to Operations

Recovery returns the organization to normal operations with confidence that the threat is eliminated. Rushing recovery invites re-compromise.

Recovery Phases

Phase 1: Validation

Before returning systems to production:

Verify eradication complete (re-scan, verify IOC removal)
Confirm patches applied
Validate credentials reset
Test security controls functioning
Review configurations for security

Phase 2: Restoration

Restore systems to production:

From Backup:

Ensure backup predates compromise
Restore to clean infrastructure
Apply patches before going live
Verify backup integrity

Rebuild:

Fresh OS installation
Known-good application deployment
Configuration from version control/baseline
Data restore from clean backups

Phase 3: Monitoring

Enhanced monitoring for signs of re-compromise
Watch for attacker return (same TTPs, same targets)
Validate new detections trigger properly
Extended logging/retention during observation period

Phase 4: Return to Normal

Transition from incident to normal operations
Reduce enhanced monitoring to sustainable level
Close incident officially
Transition to lessons learned phase

Recovery Checklist

•Eradication verified — All IOCs removed, no persistence remaining, vulnerability patched
•Clean state established — Systems rebuilt or restored from known-good backup
•Credentials rotated — All potentially compromised credentials changed, sessions invalidated
•Access reviewed — User and service account access revalidated
•Security controls verified — EDR, AV, firewall rules, logging all functioning
•Enhanced monitoring active — Additional alerting for related TTPs and IOCs
•Stakeholders notified — Business units, management aware of restoration status
•Documentation complete — Recovery actions documented for lessons learned
•Observation period defined — How long enhanced monitoring will continue
•Success criteria clear — What indicates incident is truly over

Business Continuity During Recovery

Prioritization:

Critical business processes first
Consider dependencies (database before application server)
Balance speed with thoroughness

Interim Operations:

Manual workarounds for automated processes
Alternative communication channels
Degraded-mode operations where acceptable

Communication:

Set realistic expectations with business
Provide regular updates
Don't promise timelines you can't meet

Ransomware-Specific Recovery

Ransom Payment Decision:

Business decision with legal input
Consider: No guarantee of decryption, may fund future attacks, may not get all data back
FBI recommends against payment when possible
Understand legal restrictions on paying sanctioned entities

Recovery Without Payment:

Restore from backups (ensure they're not encrypted too)
Check for decryptors (No More Ransom project)
Rebuild from scratch if no clean backup
Accept some data loss if necessary

If Paying (as last resort):

Use experienced negotiators
Verify decryption capability before full payment
Assume attacker still has access—rebuild anyway

The Re-Compromise Trap

Recovery is the most dangerous phase for re-compromise. Attackers often leave backdoors triggered by recovery. If you restore from a backup that contains their persistence mechanism, they're right back in. If you bring systems online before patching, they exploit the same vulnerability. Validate every recovery action against the possibility of re-entry.

Post-Incident Analysis and Improvement

The incident isn't truly over until lessons are extracted and improvements implemented. This phase is often skipped under pressure to move on, but it's where lasting security improvement happens.

Lessons Learned Meeting

When: Within 1-2 weeks of incident closure (memories still fresh)

Who: All incident participants, relevant stakeholders

Goals:

Reconstruct timeline of events
Identify what worked well
Identify what could improve
Capture action items
Avoid blame—focus on process

Agenda Structure:

Timeline review: Walk through incident chronologically
What happened: Root cause, attack path, impact
What went well: Effective responses, good decisions
What could improve: Gaps, delays, confusion
Action items: Specific improvements with owners and dates

Root Cause Analysis

Five Whys Technique:

Problem: Ransomware encrypted servers

Why? → Malicious email attachment was executed
Why? → Email bypassed filtering and user clicked
Why did it bypass? → New malware variant, no signature
Why did user click? → Convincing phishing, no recent training
Why did it spread? → Flat network, credentials reused

Root causes: Detection gaps for novel threats, user awareness, network segmentation, credential hygiene

Contributing Factors:

Most incidents have multiple contributing factors:

Technical (vulnerability, misconfiguration)
Human (mistake, social engineering success)
Process (missing procedure, failed control)
Organizational (training gap, resource limitation)

incident-report-template
Incident Report Template
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
# INCIDENT REPORT
 
**Incident ID:** INC-2025-0042
**Classification:** Malware - Ransomware
**Severity:** Critical (P1)
**Status:** Closed
 
## Executive Summary
 
On January 15, 2025, ransomware was executed on 47 systems following 
a phishing attack. The incident was contained within 4 hours and 
systems were recovered from backup within 72 hours. No data 
exfiltration was confirmed. This report details the incident, 
response actions, and improvement recommendations.
 
## Timeline
 
| Date/Time (UTC) | Event |
|-----------------|-------|
| Jan 15, 08:14 | Phishing email received by user jsmith |
| Jan 15, 08:22 | User opens attachment, malware executes |
| Jan 15, 08:23 | Malware establishes C2, downloads ransomware |
| Jan 15, 08:25-09:15 | Lateral movement via compromised credentials |
| Jan 15, 09:15 | Ransomware begins encryption |
| Jan 15, 09:18 | EDR alert: Suspicious file encryption activity |
| Jan 15, 09:22 | SOC analyst validates alert, escalates to IR |
| Jan 15, 09:30 | Incident Commander activated, war room opened |
| Jan 15, 09:45 | Network isolation of affected segments |
| Jan 15, 10:30 | Scope assessment: 47 systems encrypted |
| Jan 15, 13:00 | Containment verified, eradication begins |
| Jan 16-18 | System restoration from backup |
| Jan 18, 14:00 | All systems returned to production |
| Jan 18, 16:00 | Incident closed, monitoring period begins |
 
## Attack Path
 
1. **Initial Access:** Phishing email with malicious Word document
2. **Execution:** User enabled macros, PowerShell payload executed
3. **Persistence:** Scheduled task created for backup C2
4. **Credential Access:** Mimikatz used to dump credentials
5. **Lateral Movement:** PsExec used with domain admin credentials
6. **Impact:** Files encrypted with Conti ransomware variant
 
## Impact Assessment
 
- **Systems Affected:** 47 workstations and servers
- **Data Impact:** Files encrypted; no confirmed exfiltration
- **Business Impact:** 72-hour disruption to finance department
- **Financial Impact:** Estimated $150,000 (recovery costs, lost productivity)
 
## Response Actions Taken
 
- Network isolation of affected VLANs
- All domain credentials reset
- Affected systems reimaged from golden images
- Data restored from backup (RPO: 4 hours before incident)
- Vulnerability patched across environment
- Phishing indicators blocked at email gateway
 
## Root Cause Analysis
 
**Primary Cause:** Malicious macro executed in phishing email
 
**Contributing Factors:**
1. Email filtering did not block novel phishing variant
2. User security training was 8 months old
3. Macro execution was not disabled by policy
4. Flat network allowed lateral movement
5. Domain admin credentials stored in LSASS
 
## Lessons Learned: What Worked Well
 
- EDR detected ransomware activity within 3 minutes
- SOC escalation was rapid and appropriate
- IR team assembled quickly, communication was clear
- Backups were intact and recovery was successful
- Stakeholder communication was timely
 
## Lessons Learned: Areas for Improvement
 
- Phishing detection should be enhanced
- User training frequency should increase
- Macros should be disabled or restricted
- Network segmentation needs improvement
- Privileged access should use PAM solution
 
## Action Items
 
| # | Action | Owner | Due Date | Status |
|---|--------|-------|----------|--------|
| 1 | Implement macro blocking via GPO | IT Ops | Feb 15 | Open |
| 2 | Deploy advanced email filtering | SecOps | Mar 1 | Open |
| 3 | Quarterly phishing simulations | Training | Ongoing | Open |
| 4 | Network segmentation project | Network | Q2 2025 | Planned |
| 5 | PAM solution deployment | IAM Team | Q2 2025 | Planned |
| 6 | Add EDR detection for Mimikatz | SecOps | Jan 31 | Complete |
 
## Appendices
 
- A: Detailed IOCs (hashes, IPs, domains)
- B: Affected system list
- C: Evidence preservation log
- D: External communication records

Translating Lessons to Improvements

Detection Improvements:

New detection rules for observed TTPs
Tuning of alerts that missed or delayed detection
Additional log sources identified as needed

Prevention Improvements:

Patches for exploited vulnerabilities
Configuration changes to reduce attack surface
Policy updates to address gaps

Process Improvements:

Playbook updates based on what worked/didn't
Communication improvements
Tool or resource gaps addressed

Training Improvements:

User awareness topics identified
IR team skill gaps addressed
Tabletop scenarios based on incident

Metrics from Incidents

Track incident metrics over time:

Incident count by category: Trends in attack types
Mean time to detect (MTTD): Are we detecting faster?
Mean time to respond (MTTR): Are we responding faster?
Dwell time: How long were attackers present?
Business impact: Downtime, data loss, financial impact
Root cause patterns: Recurring causes to address

Blameless Post-Mortems

The goal of post-incident analysis is improvement, not punishment. Blaming individuals discourages reporting and honest analysis. Focus on process and controls rather than personnel failures. 'User clicked phishing email' isn't root cause—'controls didn't prevent or rapidly contain compromise from user action' is actionable. Create psychological safety for honest assessment.

Summary: Incident Response

Incident response transforms security detection into security action. It provides the structured processes that ensure organizations respond effectively to threats rather than chaotically, ensuring damage is minimized and recovery is swift.

Key Takeaways

•Incident classification distinguishes events from incidents and assigns appropriate severity for resource allocation
•NIST and SANS frameworks provide structured phases for incident handling—choose one and customize to your organization
•Clear team roles eliminate confusion during high-stress situations; practice through tabletops and simulations
•Forensic investigation follows order of volatility, preserves evidence integrity, and constructs timelines for understanding
•Containment balances stopping damage with preserving evidence and may require coordinated simultaneous action
•Eradication removes all attacker access; consider rebuild vs. clean based on threat sophistication and confidence
•Recovery validates eradication, restores from clean state, and monitors for re-compromise
•Lessons learned translate incident experience into lasting security improvements—the true value of incident response

What's Next:

With incident response procedures established, we'll conclude this module with Security Best Practices—the consolidated wisdom of security operations that ties together defense in depth, policy, monitoring, and incident response into a coherent operational security program.

Page Complete

You now understand how to structure and execute incident response from detection through lessons learned. The true measure of a security program isn't whether incidents occur—they will—but how effectively the organization responds. Preparation, clear processes, practiced teams, and commitment to improvement transform inevitable incidents into manageable events rather than organizational crises.

4 / 5

Loading learning content...

Computer NetworksDefense Strategies

Network Defense Strategies

LevelAdvanced

Duration120 mins

TopicDefense Strategies

4 / 5

Incident Response: Structured Processes for Security Events

When Detection Becomes Action

Without structured incident response:

Attacks continue while teams argue about who's responsible
Evidence is destroyed through well-intentioned but uninformed actions
Containment is incomplete, allowing re-compromise
Lessons aren't learned, and similar incidents recur
Legal and regulatory obligations are missed

With mature incident response:

Roles and responsibilities are clear; action begins immediately
Evidence is preserved for investigation and potential legal action
Containment is methodical and verified
Root cause is identified and addressed
Organization emerges stronger, with improved defenses

This page covers the complete incident response lifecycle—from preparation through lessons learned—providing the framework for effective security operations.

What You Will Learn

Incident Classification and Severity

Not all security events are incidents, and not all incidents require the same response. Clear classification enables appropriate resource allocation and response urgency.

Event vs. Incident

Security Event: Any observable occurrence in a system or network—a login, a firewall rule trigger, an antivirus detection. Events are routine; organizations generate millions daily.

Security Incident: An event or series of events that violates security policies, acceptable use policies, or standard security practices. Incidents require investigation and response.

Examples:

Event (Not Incident)	Incident
Failed login attempt	Successful login after 100 failed attempts
Antivirus blocking known malware	Malware executing before detection
Firewall denying external scan	Firewall rule changed without authorization
User visiting suspicious URL	User credentials phished and used

Incident Categories

Malware:

Ransomware, trojans, worms, viruses
Cryptocurrency miners, backdoors
Response: Contain, eradicate, recover

Unauthorized Access:

Compromised credentials
Privilege escalation
Unauthorized data access
Response: Contain, investigate scope, reset credentials

Denial of Service:

Volumetric attacks
Application-layer attacks
System resource exhaustion
Response: Mitigate, maintain availability

Insider Threat:

Malicious insider activity
Policy violations
Data theft
Response: Coordinate with HR/Legal, contain, investigate

Data Breach:

Confirmed data exfiltration
Exposed databases or storage
Lost/stolen devices with data
Response: Contain, assess scope, notify as required

Incident Severity Levels
Severity	Definition	Examples	Response Time	Escalation
Critical (P1)	Active, widespread impact on critical systems or data	Active ransomware, confirmed data breach, widespread outage	Immediate (24/7)	CISO, Legal, Executive team
High (P2)	Potential significant impact, contained but active threat	Compromised privileged account, targeted attack in progress	< 1 hour (business hours), < 4 hours (off-hours)	Security management
Medium (P3)	Limited impact, threat contained or potential threat	Malware on isolated system, policy violation, attempted attack	< 4 hours (business hours)	Security team lead
Low (P4)	Minimal impact, informational	Failed attacks, minor policy violations, suspicious activity	Next business day	Analyst handling

Severity Determination Factors

Impact Assessment:

Data sensitivity: PII, financial data, intellectual property, public data
System criticality: Revenue-generating, safety-critical, supporting systems
Scope: Single host, department, enterprise-wide
Operational impact: System availability, business process interruption
Legal/regulatory: Notification requirements, compliance violations

Threat Assessment:

Actor sophistication: Script kiddie vs. APT
Active vs. contained: Ongoing attack vs. contained incident
Persistence: Point-in-time vs. established foothold
Intent: Opportunistic vs. targeted

Triage Process

Initial detection: Alert received from monitoring system
Validation: Is this a real incident or false positive?
Classification: What category of incident?
Severity assessment: What's the potential/actual impact?
Assignment: Who will handle this incident?
Initial notification: Who needs to know now?

Severity Can Change

Incident Response Frameworks: NIST and SANS

Two frameworks dominate incident response practice: NIST SP 800-61 and SANS Incident Handling. Both describe similar processes with slightly different phase definitions.

NIST SP 800-61 Phases

1. Preparation: Everything done before an incident to enable effective response:

Incident response plan documented and approved
IR team identified and trained
Tools and resources ready
Communication channels established
Relationships with stakeholders defined

2. Detection and Analysis: Identifying incidents and understanding them:

Alert triage and validation
Initial scope assessment
Evidence collection
Impact and severity determination
Documentation of findings

3. Containment, Eradication, and Recovery: Stopping the attack and returning to normal:

Short-term containment (limit immediate damage)
Evidence preservation
Long-term containment (prepare for eradication)
Remove attack artifacts and access
Restore systems to production
Verify successful recovery

4. Post-Incident Activity: Learning from the incident:

Lessons learned meeting
Root cause analysis
Process improvement
Detection rule creation
Report documentation

Converting Mermaid diagram...

SANS 6-Step Process

SANS separates the containment/eradication/recovery phase into distinct steps:

1. Preparation: Same as NIST—readiness activities

2. Identification: Detecting and validating incidents

3. Containment: Limiting the scope of damage:

Short-term: Isolate affected systems
Long-term: Prepare for eradication while maintaining evidence

4. Eradication: Removing the threat:

Remove malware, backdoors, persistence mechanisms
Reset compromised credentials
Patch exploited vulnerabilities

5. Recovery: Returning to normal operations:

Restore from clean backups if needed
Rebuild compromised systems
Return systems to production
Monitor for re-compromise

6. Lessons Learned: Improving for next time:

Timeline reconstruction
Root cause analysis
Process improvement identification
Documentation and reporting

Framework Comparison

Aspect	NIST 800-61	SANS 6-Step
Phases	4	6
Detail Level	High-level guidance	More granular steps
Containment/Eradication/Recovery	Combined	Separate phases
Audience	All organizations	Security practitioners
Prescriptiveness	Flexible	More specific
Documentation	Comprehensive publication	Training-focused

Both frameworks work well; choose based on organizational preference and existing practices.

Framework Adaptation

Incident Response Team Structure and Roles

Effective incident response requires a defined team with clear roles. During high-stress incidents, uncertainty about who does what creates delays and dropped balls.

Core IR Team Roles

Incident Commander (IC):

Overall incident leadership and coordination
Decision authority during incident
Stakeholder communication
Resource allocation
Escalation decisions

Technical Lead:

Technical investigation leadership
Analysis coordination
Technical decision authority
Tool and technique selection

Analysts/Investigators:

Evidence collection and analysis
Malware analysis
Log review
Timeline construction
Technical documentation

Communications Lead:

Internal stakeholder updates
External communications (if needed)
Status reporting
Documentation coordination

Legal Representative:

Legal guidance on response actions
Notification obligations
Evidence preservation for litigation
Law enforcement coordination

HR Representative (if insider-related):

Employee-related decisions
Disciplinary process coordination
Interview procedures

Extended Stakeholders by Incident Type
Stakeholder	When Involved	Role During Incident
Executive Leadership	Critical (P1) incidents	Strategic decisions, external communication approval
Legal/General Counsel	Data breaches, potential litigation	Legal guidance, notification decisions
Public Relations	Public-facing incidents	External communication, media handling
Human Resources	Insider threats, employee involvement	Employee relations, disciplinary coordination
Business Unit Leaders	Business process impact	Business continuity decisions
IT Operations	System containment/recovery	System access, restoration execution
Third-Party Vendors	Vendor products involved	Technical support, forensics assistance
Law Enforcement	Criminal activity, regulatory requirement	Investigation coordination
Cyber Insurance	Significant incidents	Coverage, breach response services

Team Models

Dedicated IR Team:

Full-time incident responders
Rapid response capability
Deep specialization
Expensive; requires sufficient incident volume

Virtual/Hybrid Team:

Primary roles with IR as additional duty
Activated when incidents occur
More common in mid-size organizations
Requires clear activation procedures

Outsourced/Retainer:

External IR firm on retainer
Provides expertise on-demand
Cost-effective for low incident volume
May lack organization-specific knowledge

On-Call and Escalation

On-Call Rotation:

24/7 coverage for critical systems
Clear escalation paths
Contact information always current
Regular rotation to prevent burnout

Escalation Matrix:

Severity	Initial Responder	Escalation (30 min no progress)	Executive Notification
Critical	IR Lead + On-call	CISO immediately	CEO, Legal within 1 hour
High	On-call analyst	IR Lead	Security management
Medium	Scheduled analyst	On-call if complex	Weekly report
Low	Scheduled analyst	Lead if needed	Monthly report

Communication During Incidents

Internal Communication:

Dedicated channel (Slack channel, bridge line)
Regular status updates (hourly for critical)
Clear handoff procedures for shift changes
Executive summary separate from technical details

External Communication:

All external communication through Communications Lead
Pre-approved holding statements
Legal review before public statements
Coordinate with PR for media inquiries

Practice Makes Prepared

Investigation and Forensics Techniques

Investigation seeks to understand what happened, how it happened, what was impacted, and whether the threat is contained. This requires systematic evidence collection and analysis.

Evidence Collection Principles

Order of Volatility: Collect evidence in order of how quickly it may be lost:

CPU registers, cache — Lost immediately on power off
Memory (RAM) — Lost on reboot or power off
Network state — Changes constantly
Running processes — May terminate
Disk contents — Persistent but may be overwritten
Remote logs — Persistent, may age out
Archival media — Most persistent

Chain of Custody:

Document every transfer of evidence
Who collected it, when, how
Hash values for integrity verification
Secure storage with access logging
Essential for legal proceedings

Evidence Preservation:

Create forensic images, don't analyze originals
Write-blocking during acquisition
Document acquisition process
Store securely with access controls

Memory Forensics

Memory analysis reveals running processes, network connections, and malware that may not persist on disk.

What Memory Reveals:

Running processes and command lines
Loaded DLLs and injected code
Network connections
Registry keys accessed
Decrypted data (malware in memory is unencrypted)
User credentials

Memory Acquisition:

Tools: WinPmem, LiME, Comae
Must be done on live system (volatile evidence)
May impact system performance
Large files (full RAM size)

forensic-investigation-commands
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
# Windows Forensic Triage - Quick Assessment Commands
# Run these to gather initial evidence before imaging
 
# ===== SYSTEM INFORMATION =====
# Basic system info
systeminfo | Out-File -FilePath C:\IR\systeminfo.txt
 
# Current user and privileges
whoami /all | Out-File -FilePath C:\IR\whoami.txt
 
# ===== NETWORK INFORMATION =====
# Current network connections
Get-NetTCPConnection | Where-Object {$_.State -eq "Established"} |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, 
                  OwningProcess, @{n='ProcessName';e={(Get-Process -Id $_.OwningProcess).ProcessName}} |
    Export-Csv -Path C:\IR
etwork_connections.csv
 
# DNS cache (recently resolved domains)
Get-DnsClientCache | Export-Csv -Path C:\IR\dns_cache.csv
 
# ARP cache (local network discovery)
Get-NetNeighbor | Export-Csv -Path C:\IR\arp_cache.csv
 
# ===== PROCESS INFORMATION =====
# Running processes with command lines
Get-WmiObject Win32_Process | 
    Select-Object ProcessId, Name, CommandLine, ParentProcessId, 
                  CreationDate, ExecutablePath |
    Export-Csv -Path C:\IR\processes.csv
 
# Services (persistence mechanism)
Get-Service | Select-Object Name, DisplayName, Status, StartType |
    Export-Csv -Path C:\IR\services.csv
 
# ===== PERSISTENCE MECHANISMS =====
# Scheduled tasks
Get-ScheduledTask | Where-Object {$_.State -ne "Disabled"} |
    Export-Csv -Path C:\IR\scheduled_tasks.csv
 
# Startup items (Run keys)
$runKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        Get-ItemProperty $key | Out-File -Append -FilePath C:\IR\run_keys.txt
    }
}
 
# ===== USER ACTIVITY =====
# Recent PowerShell history (if enabled)
Get-Content (Get-PSReadLineOption).HistorySavePath -ErrorAction SilentlyContinue |
    Out-File -FilePath C:\IR\powershell_history.txt
 
# Recently accessed files
$shell = New-Object -ComObject Shell.Application
$shell.NameSpace('shell:::{22877A6D-37A1-461A-91B0-DBDA5AAEBC99}').Items() |
    Select-Object Name, Path | Export-Csv -Path C:\IR\recent_files.csv
 
# ===== SECURITY EVENTS =====
# Failed logins (last 24 hours)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddDays(-1)} -MaxEvents 100 |
    Export-Csv -Path C:\IR\failed_logins.csv
 
# Successful logins (last 24 hours)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=(Get-Date).AddDays(-1)} -MaxEvents 100 |
    Export-Csv -Path C:\IR\successful_logins.csv
 
Write-Host "Triage collection complete. Review C:\IR\ for results."

Timeline Analysis

Timeline construction sequences events from multiple sources to understand attack progression.

Timeline Data Sources:

File system timestamps (MACB times)
Event logs (Security, System, Application)
Web browser history
Registry modifications
Network logs
Memory artifacts

Timeline Creation:

Collect timestamps from all sources
Normalize to common timezone (UTC)
Merge into single timeline
Identify key events (initial access, lateral movement, exfiltration)
Correlate with external events (alerts, user reports)

Tools:

Plaso/log2timeline: Multi-source timeline creation
Timeline Explorer: Timeline visualization
Elastic Timeline: SIEM-integrated timeline

Indicator Extraction

Extract indicators of compromise (IOCs) for detection and intelligence:

Network Indicators:

IP addresses
Domain names
URLs
JA3/JA3S hashes (TLS fingerprints)

Host Indicators:

File hashes (MD5, SHA1, SHA256)
File paths and names
Registry keys
Service names
Scheduled task names

Behavioral Indicators:

Command line patterns
Process chains
Network behavior patterns

Don't Investigate on Live Production

Containment and Eradication Strategies

Containment Objectives

Stop Active Damage:

Halt ongoing data exfiltration
Stop ransomware encryption spread
Prevent lateral movement

Preserve Evidence:

Maintain systems for analysis
Don't destroy forensic artifacts
Enable continued investigation

Maintain Operations:

Minimize business disruption
Keep critical systems running if safe
Enable workarounds for isolated systems

Containment Techniques

Network Isolation:

Complete Isolation:

Physically disconnect from network
Most secure but most disruptive
Use for critical, confirmed compromise

Segmentation:

Firewall rules blocking affected systems
Allows continued monitoring and investigation
May leak if attacker has other footholds

VLAN Quarantine:

Move to isolated VLAN with limited connectivity
Balance between access for investigation and containment
Requires network infrastructure support

Credential Actions:

Reset compromised passwords
Revoke compromised sessions/tokens
Force re-authentication
Consider: May alert attacker if they're monitoring

Endpoint Actions:

EDR isolation (endpoint can't reach network but can be managed)
User logoff
Process termination
Service stopping
Consider: Immediate vs. coordinated action

Containment Strategy Selection
Factor	Aggressive Containment	Measured Containment
Damage Active	Yes - ongoing encryption/exfiltration	No - historical compromise
Scope Known	Unknown - assume worst case	Well-understood, limited
Evidence Preserved	May sacrifice some evidence	Evidence collection priority
Attacker Sophistication	Unsophisticated - won't notice	Sophisticated - may react
Business Impact	Acceptable - safety first	Must minimize disruption
Recovery Ready	Have known-good backups	Need affected systems for recovery

Eradication

Eradication removes all attacker access and artifacts from the environment.

Eradication Actions:

Remove malware: Delete malicious files, quarantine artifacts
Remove persistence: Clear scheduled tasks, services, registry keys, authorized SSH keys
Reset credentials: All potentially compromised accounts, not just confirmed
Patch vulnerabilities: Close the door that let attackers in
Review similar systems: Check for spread to similar configurations

Eradication Challenges:

Incomplete Scope:

Not all compromised systems identified
Attacker left backdoors you didn't find
Solution: Thorough investigation before eradication

Tipping Off Attacker:

Attacker notices you're cleaning up
Creates new backdoors, accelerates damage
Solution: Coordinated, simultaneous action

Missed Persistence:

Complex persistence mechanisms (firmware, hypervisor)
Custom backdoors without known signatures
Solution: Consider rebuild vs. clean

Rebuild vs. Clean

When to Rebuild (Scorched Earth):

High-value/high-sensitivity systems
Advanced persistent threats
Uncertainty about eradication completeness
Systems can be quickly rebuilt

When to Clean (Surgical):

Large number of affected systems
Can't rebuild quickly
Well-understood, simple malware
Confidence in eradication completeness

Recommendation: For critical systems and advanced threats, always prefer rebuild from known-good state.

The Coordinated Strike

Recovery and Return to Operations

Recovery returns the organization to normal operations with confidence that the threat is eliminated. Rushing recovery invites re-compromise.

Recovery Phases

Phase 1: Validation

Before returning systems to production:

Verify eradication complete (re-scan, verify IOC removal)
Confirm patches applied
Validate credentials reset
Test security controls functioning
Review configurations for security

Phase 2: Restoration

Restore systems to production:

From Backup:

Ensure backup predates compromise
Restore to clean infrastructure
Apply patches before going live
Verify backup integrity

Rebuild:

Fresh OS installation
Known-good application deployment
Configuration from version control/baseline
Data restore from clean backups

Phase 3: Monitoring

Enhanced monitoring for signs of re-compromise
Watch for attacker return (same TTPs, same targets)
Validate new detections trigger properly
Extended logging/retention during observation period

Phase 4: Return to Normal

Transition from incident to normal operations
Reduce enhanced monitoring to sustainable level
Close incident officially
Transition to lessons learned phase

Recovery Checklist

•Eradication verified — All IOCs removed, no persistence remaining, vulnerability patched
•Clean state established — Systems rebuilt or restored from known-good backup
•Credentials rotated — All potentially compromised credentials changed, sessions invalidated
•Access reviewed — User and service account access revalidated
•Security controls verified — EDR, AV, firewall rules, logging all functioning
•Enhanced monitoring active — Additional alerting for related TTPs and IOCs
•Stakeholders notified — Business units, management aware of restoration status
•Documentation complete — Recovery actions documented for lessons learned
•Observation period defined — How long enhanced monitoring will continue
•Success criteria clear — What indicates incident is truly over

Business Continuity During Recovery

Prioritization:

Critical business processes first
Consider dependencies (database before application server)
Balance speed with thoroughness

Interim Operations:

Manual workarounds for automated processes
Alternative communication channels
Degraded-mode operations where acceptable

Communication:

Set realistic expectations with business
Provide regular updates
Don't promise timelines you can't meet

Ransomware-Specific Recovery

Ransom Payment Decision:

Business decision with legal input
Consider: No guarantee of decryption, may fund future attacks, may not get all data back
FBI recommends against payment when possible
Understand legal restrictions on paying sanctioned entities

Recovery Without Payment:

Restore from backups (ensure they're not encrypted too)
Check for decryptors (No More Ransom project)
Rebuild from scratch if no clean backup
Accept some data loss if necessary

If Paying (as last resort):

Use experienced negotiators
Verify decryption capability before full payment
Assume attacker still has access—rebuild anyway

The Re-Compromise Trap

Post-Incident Analysis and Improvement

The incident isn't truly over until lessons are extracted and improvements implemented. This phase is often skipped under pressure to move on, but it's where lasting security improvement happens.

Lessons Learned Meeting

When: Within 1-2 weeks of incident closure (memories still fresh)

Who: All incident participants, relevant stakeholders

Goals:

Reconstruct timeline of events
Identify what worked well
Identify what could improve
Capture action items
Avoid blame—focus on process

Agenda Structure:

Timeline review: Walk through incident chronologically
What happened: Root cause, attack path, impact
What went well: Effective responses, good decisions
What could improve: Gaps, delays, confusion
Action items: Specific improvements with owners and dates

Root Cause Analysis

Five Whys Technique:

Problem: Ransomware encrypted servers

Why? → Malicious email attachment was executed
Why? → Email bypassed filtering and user clicked
Why did it bypass? → New malware variant, no signature
Why did user click? → Convincing phishing, no recent training
Why did it spread? → Flat network, credentials reused

Root causes: Detection gaps for novel threats, user awareness, network segmentation, credential hygiene

Contributing Factors:

Most incidents have multiple contributing factors:

Technical (vulnerability, misconfiguration)
Human (mistake, social engineering success)
Process (missing procedure, failed control)
Organizational (training gap, resource limitation)

incident-report-template
Incident Report Template
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
# INCIDENT REPORT
 
**Incident ID:** INC-2025-0042
**Classification:** Malware - Ransomware
**Severity:** Critical (P1)
**Status:** Closed
 
## Executive Summary
 
On January 15, 2025, ransomware was executed on 47 systems following 
a phishing attack. The incident was contained within 4 hours and 
systems were recovered from backup within 72 hours. No data 
exfiltration was confirmed. This report details the incident, 
response actions, and improvement recommendations.
 
## Timeline
 
| Date/Time (UTC) | Event |
|-----------------|-------|
| Jan 15, 08:14 | Phishing email received by user jsmith |
| Jan 15, 08:22 | User opens attachment, malware executes |
| Jan 15, 08:23 | Malware establishes C2, downloads ransomware |
| Jan 15, 08:25-09:15 | Lateral movement via compromised credentials |
| Jan 15, 09:15 | Ransomware begins encryption |
| Jan 15, 09:18 | EDR alert: Suspicious file encryption activity |
| Jan 15, 09:22 | SOC analyst validates alert, escalates to IR |
| Jan 15, 09:30 | Incident Commander activated, war room opened |
| Jan 15, 09:45 | Network isolation of affected segments |
| Jan 15, 10:30 | Scope assessment: 47 systems encrypted |
| Jan 15, 13:00 | Containment verified, eradication begins |
| Jan 16-18 | System restoration from backup |
| Jan 18, 14:00 | All systems returned to production |
| Jan 18, 16:00 | Incident closed, monitoring period begins |
 
## Attack Path
 
1. **Initial Access:** Phishing email with malicious Word document
2. **Execution:** User enabled macros, PowerShell payload executed
3. **Persistence:** Scheduled task created for backup C2
4. **Credential Access:** Mimikatz used to dump credentials
5. **Lateral Movement:** PsExec used with domain admin credentials
6. **Impact:** Files encrypted with Conti ransomware variant
 
## Impact Assessment
 
- **Systems Affected:** 47 workstations and servers
- **Data Impact:** Files encrypted; no confirmed exfiltration
- **Business Impact:** 72-hour disruption to finance department
- **Financial Impact:** Estimated $150,000 (recovery costs, lost productivity)
 
## Response Actions Taken
 
- Network isolation of affected VLANs
- All domain credentials reset
- Affected systems reimaged from golden images
- Data restored from backup (RPO: 4 hours before incident)
- Vulnerability patched across environment
- Phishing indicators blocked at email gateway
 
## Root Cause Analysis
 
**Primary Cause:** Malicious macro executed in phishing email
 
**Contributing Factors:**
1. Email filtering did not block novel phishing variant
2. User security training was 8 months old
3. Macro execution was not disabled by policy
4. Flat network allowed lateral movement
5. Domain admin credentials stored in LSASS
 
## Lessons Learned: What Worked Well
 
- EDR detected ransomware activity within 3 minutes
- SOC escalation was rapid and appropriate
- IR team assembled quickly, communication was clear
- Backups were intact and recovery was successful
- Stakeholder communication was timely
 
## Lessons Learned: Areas for Improvement
 
- Phishing detection should be enhanced
- User training frequency should increase
- Macros should be disabled or restricted
- Network segmentation needs improvement
- Privileged access should use PAM solution
 
## Action Items
 
| # | Action | Owner | Due Date | Status |
|---|--------|-------|----------|--------|
| 1 | Implement macro blocking via GPO | IT Ops | Feb 15 | Open |
| 2 | Deploy advanced email filtering | SecOps | Mar 1 | Open |
| 3 | Quarterly phishing simulations | Training | Ongoing | Open |
| 4 | Network segmentation project | Network | Q2 2025 | Planned |
| 5 | PAM solution deployment | IAM Team | Q2 2025 | Planned |
| 6 | Add EDR detection for Mimikatz | SecOps | Jan 31 | Complete |
 
## Appendices
 
- A: Detailed IOCs (hashes, IPs, domains)
- B: Affected system list
- C: Evidence preservation log
- D: External communication records

Translating Lessons to Improvements

Detection Improvements:

New detection rules for observed TTPs
Tuning of alerts that missed or delayed detection
Additional log sources identified as needed

Prevention Improvements:

Patches for exploited vulnerabilities
Configuration changes to reduce attack surface
Policy updates to address gaps

Process Improvements:

Playbook updates based on what worked/didn't
Communication improvements
Tool or resource gaps addressed

Training Improvements:

User awareness topics identified
IR team skill gaps addressed
Tabletop scenarios based on incident

Metrics from Incidents

Track incident metrics over time:

Incident count by category: Trends in attack types
Mean time to detect (MTTD): Are we detecting faster?
Mean time to respond (MTTR): Are we responding faster?
Dwell time: How long were attackers present?
Business impact: Downtime, data loss, financial impact
Root cause patterns: Recurring causes to address

Blameless Post-Mortems

Summary: Incident Response

Key Takeaways

•Incident classification distinguishes events from incidents and assigns appropriate severity for resource allocation
•NIST and SANS frameworks provide structured phases for incident handling—choose one and customize to your organization
•Clear team roles eliminate confusion during high-stress situations; practice through tabletops and simulations
•Forensic investigation follows order of volatility, preserves evidence integrity, and constructs timelines for understanding
•Containment balances stopping damage with preserving evidence and may require coordinated simultaneous action
•Eradication removes all attacker access; consider rebuild vs. clean based on threat sophistication and confidence
•Recovery validates eradication, restores from clean state, and monitors for re-compromise
•Lessons learned translate incident experience into lasting security improvements—the true value of incident response

What's Next:

Page Complete

4 / 5