We covered the second phase of incident response, identification & scoping (also called the detection phase). In this phase, the SOC team spots the incident through event notifications or continuous log monitoring and then scopes it by identifying the impact on the affected assets and the data stored on them. During this phase, the SOC team also collects evidence and extracts artefacts from the infected or compromised machine. This was part of the SOC Level 2 track in TryHackMe, Identification & Scoping room.
Definition of Incident Response in Cyber Security
Incident response, also known as incident handling, is a cyber security function that uses various methodologies, tools and techniques to detect and manage adversarial attacks while minimising impact, recovery time and total operating costs. Addressing attacks requires containing malware infections, identifying and remediating vulnerabilities, as well as sourcing, managing, and deploying technical and non-technical personnel.
Event vs Incident
- Event: This is an observed occurrence within a system or network. It ranges from a user connecting to a file server, a user sending emails, or anti-malware software blocking an infection.
- Incident: This is a violation of security policies or practices by an adversary to negatively affect the organisation through actions such as exfiltrating data, encrypting through ransomware, or causing a denial of services.
The Cyber Security Incident Response Phases
- Preparation: Ensures that the organisation can effectively react to a breach with laid down procedures.
- Identification: Deviations from normal operation must be noted and determined to be causing adverse effects.
- Analysis or Scoping: The organisation determines the extent of a security incident, including identifying the affected systems, the type of data at risk, and the potential impact on the organisation.
- Containment: Damage limitation is paramount; therefore, isolating affected systems and preserving forensic evidence is required.
- Eradication: Adversarial artefacts and techniques will be removed, restoring affected systems.
- Recovery & Lessons Learned: Business operations are to resume fully after removing all threats and restoring systems to full function. Additionally, the organisation considers the experience, updates its response capabilities, and conducts updated training based on the incident.
Identification & Scoping Phase
Security Alerts, also referred to as Event Notifications, are crucial signals that may hint at the presence of a potential threat or the occurrence of an actual security incident. These are pivotal in triggering the Incident Response Process and ensuring security and safety. Understanding the nature of these alerts, including their type and severity, is vital in guiding the incident response process. This understanding is nurtured through technical expertise, effective use of security tools, and a culture of continuous learning and vigilance. Following the proper procedures when handling these alerts ensures that the right individuals are alerted, bolstering incident response effectiveness.
Once an incident has been identified, the subsequent step is determining its scope.
Scoping involves grasping the extent of the incident, including which systems are affected, what data is at risk, and how the incident impacts the organisation.
The transition from identification to scoping is crucial in the Incident Response Process, demanding clear communication, effective collaboration, and a well-defined process. The insights gained from the identification phase will prove instrumental in facilitating this transition and strengthening the effectiveness of the incident response process.
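As an added example (not part of the original notes or the TryHackMe room), the scoping step described above can be driven from the SoD indicators: the script below pivots from known phishing domains and a lure sender across constructed web-proxy and mail-gateway log lines to list affected hosts, users who likely submitted credentials, and users who received the lure but never reported it. The log formats, the hostnames other than WKSTN-02 and the user names are assumptions.

```python
import re
from collections import defaultdict

# Scope of Damage (SoD) indicators taken from the room's Q&A above.
SOD_DOMAINS = {"b24b-158-62-19-6.ngrok-free.app", "kennaroads.buzz", "emkei.cz"}
SOD_SENDERS = {"sales.tal0nix@gmail.com"}

# Constructed sample logs: "<ts> <host> <user> <method> <url> <status>" for the
# web proxy and "<ts> from=<sender> to=<recipient> ..." for the mail gateway.
PROXY_LOGS = """\
2023-01-23T09:12:01Z WKSTN-02 john.doe GET https://b24b-158-62-19-6.ngrok-free.app/login 200
2023-01-23T09:15:44Z WKSTN-03 derick.marshall GET https://www.example.com/ 200
2023-01-23T09:20:10Z WKSTN-05 jane.roe GET https://kennaroads.buzz/verify 200
"""
MAIL_LOGS = """\
2023-01-23T08:55:02Z from=sales.tal0nix@gmail.com to=john.doe@swiftspend.finance subject="Weird Error"
2023-01-23T08:55:03Z from=sales.tal0nix@gmail.com to=alexander.swift@swiftspend.finance subject="Weird Error"
2023-01-23T08:58:00Z from=hr@swiftspend.finance to=derick.marshall@swiftspend.finance subject="Payroll"
"""

PROXY_RE = re.compile(r"^(\S+) (\S+) (\S+) \S+ https?://([^/\s]+)")
MAIL_RE = re.compile(r"^(\S+) from=(\S+) to=(\S+)")


def scope_proxy(log_text, domains):
    """Map host -> set of users for every proxy request to an SoD domain."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = PROXY_RE.match(line)
        if m and m.group(4).lower() in domains:
            hits[m.group(2)].add(m.group(3).lower())
    return dict(hits)


def scope_mail(log_text, senders):
    """Return every recipient of a message from an SoD sender address."""
    recipients = set()
    for line in log_text.splitlines():
        m = MAIL_RE.match(line)
        if m and m.group(2).lower() in senders:
            recipients.add(m.group(3).lower())
    return recipients


def scope_incident(proxy_text, mail_text, domains, senders):
    """Combine both pivots: hosts to isolate, users to reset, users to contact."""
    hosts = scope_proxy(proxy_text, domains)
    recipients = scope_mail(mail_text, senders)
    browsed = {u for users in hosts.values() for u in users}
    return {
        "affected_hosts": sorted(hosts),
        "likely_compromised": sorted(r for r in recipients if r.split("@")[0] in browsed),
        "received_only": sorted(r for r in recipients if r.split("@")[0] not in browsed),
    }
```

Hosts in `affected_hosts` are containment candidates, `likely_compromised` users need credential resets, and `received_only` users are the ones who, like alexander.swift in the room, got the lure without opening a ticket.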
Room Answers | TryHackMe Preparation
What is the Subject of Ticket#2023012398704232?
Weird Error in Outlook
According to your colleague John, the issue outlined on Ticket#2023012398704232 could be related to what?
SPF, DKIM & DMARC records
Your colleague requested what kind of data pertaining to the machine WKSTN-02?
Web Proxy logs
Based on Ticket#2023012398704231 and Asset Inventory shown in this task, who owns the computer that needs Endpoint Protection definitions updated?
Derick Marshall
Based on the email exchanges and SoD shown in this task, what was the phishing domain where the compromised credentials in Ticket#2023012398704232 were submitted?
b24b-158-62-19-6.ngrok-free.app
Based on Ticket#2023012398704233, what phishing domain should be added to the SoD?
kennaroads.buzz
Concerning Ticket#2023012398704232 and according to your colleague John, what domain should be added to the SoD since it was used for email spoofing?
emkei.cz
Concerning the available artefacts gathered for analysis of Ticket#2023012398704232, who is the other user that received a similar phishing email but did not open a ticket nor report the issue?
alexander.swift@swiftspend.finance
Concerning Ticket#2023012398704232, what additional IoC could be added to the SoD and be used as a pivot point for discovery?
sales.tal0nix@gmail.com
Based on the email exchanges and attachments in those exchanges, what is the password of the compromised user?
Passw0rd!
Video Walkthrough | Identification & Scoping Phase | TryHackMe