Day 18 – IR Process Overview
Objective: Review the incident response (IR) lifecycle stages and how they apply to phishing incidents.
Challenge Description: After identifying the phishing email and its payload, outline the IR workflow your SOC follows. This includes preparation, detection, containment, eradication, recovery, and lessons learned. For example, confirm that email filters and user training (Preparation) are in place. Then detail how the team handled this phishing attempt from initial detection through cleanup. Tools: Reference IR plans, SIEM dashboards, logs (email logs, endpoint logs), communication channels. Use Thunderbird just to show evidence of the phishing mail, but focus on the IR process itself.
Steps to Solve:
1. Preparation: Review policies and tools in place before the incident (email filtering, training, playbooks).
2. Detection & Analysis: Show how the phishing email was detected (e.g. user report or automated alert) and analyzed (as per Days 16–17). Document indicators (email headers, URLs, attachments) from the analysis.
3. Containment: Explain how you stopped the threat. For a phishing email, this may include blocking the sender’s domain/IP, quarantining the email across the organization, resetting affected credentials, and isolating any infected endpoints.
4. Eradication: Describe removing the threat from affected systems (e.g. deleting malicious files, removing malware-related registry entries, uninstalling backdoors). Update email and endpoint signatures using the identified IOCs.
5. Recovery: Restore normal operations. If any systems were taken offline or credentials changed, ensure they are clean and functioning. Continue to monitor for re-infection (e.g. the CoGUI kit used evasion, so extra vigilance is needed[11]).
6. Lessons Learned: Document what went well and what needs improvement. For example, refine email filtering rules, update user training examples, and add logging if any gaps were found.
Simulated Lab: The IR timeline might be:
10:00 AM – Analyst receives the phishing report (Stage 1 Detection).
10:15 AM – Analyst extracts IOCs and confirms maliciousness (Stage 2 Analysis).
10:30 AM – Domain malicious-example.com is added to the email block list; all similar emails are purged (Containment).
11:00 AM – The attachment on a test endpoint is removed, antivirus is run, and passwords for any clicked accounts are reset (Eradication).
11:30 AM – Systems are restored to normal (Recovery).
12:00 PM – Team holds a quick after-action review: policies and user awareness are noted for improvement (Post-Event).
According to NIST SP 800-61, incident response involves five phases: Preparation, Detection & Analysis, Containment, Eradication/Recovery, and Post-Incident[12]. As one reference notes, “Incident response (IR) is the process by which an organization handles a data breach or cyberattack … to quickly identify an attack, minimize its effects, contain damage, and remediate the cause”[13]. Throughout this scenario, maintain documentation of each step and use SIEM logs or EDR alerts to verify that the malware is gone and no new alerts appear (leveraging endpoint logs as needed).
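As an added example (not part of the original challenge), the script below records the simulated timeline against the phases listed above, checks that the record never moves backwards, computes time-to-contain, and scans constructed mail-gateway log lines to verify that nothing from the blocked domain was delivered after the block went in. The Event type, the date, and the log line format are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Phases as the page lists them (NIST SP 800-61); a timeline must not move backwards.
PHASES = ["Preparation", "Detection & Analysis", "Containment",
          "Eradication/Recovery", "Post-Incident"]

@dataclass
class Event:
    time: datetime
    phase: str
    note: str

# Constructed timeline mirroring the simulated lab above; the date is assumed.
T = lambda h, m: datetime(2024, 1, 1, h, m)
TIMELINE = [
    Event(T(10, 0), "Detection & Analysis", "analyst receives phishing report"),
    Event(T(10, 15), "Detection & Analysis", "IOCs extracted, maliciousness confirmed"),
    Event(T(10, 30), "Containment", "malicious-example.com blocked, similar mail purged"),
    Event(T(11, 0), "Eradication/Recovery", "attachment removed, AV run, passwords reset"),
    Event(T(11, 30), "Eradication/Recovery", "systems restored to normal"),
    Event(T(12, 0), "Post-Incident", "after-action review held"),
]

def validate_timeline(events):
    """Return problems: unknown phase, phase regression, or time not advancing."""
    problems = [f"unknown phase {e.phase!r}" for e in events if e.phase not in PHASES]
    for prev, cur in zip(events, events[1:]):
        if (cur.phase in PHASES and prev.phase in PHASES
                and PHASES.index(cur.phase) < PHASES.index(prev.phase)):
            problems.append(f"{cur.phase} recorded after {prev.phase} at {cur.time:%H:%M}")
        if cur.time <= prev.time:
            problems.append(f"time does not advance at {cur.time:%H:%M}")
    return problems

def minutes_to_phase(events, phase):
    """Minutes from the first recorded event to the first event in `phase` (None if absent)."""
    hits = [e for e in events if e.phase == phase]
    return int((hits[0].time - events[0].time).total_seconds() // 60) if hits else None

# Constructed mail-gateway log (format assumed): timestamp sender-domain action
GATEWAY_LOG = """2024-01-01T10:05:00 malicious-example.com delivered
2024-01-01T10:35:00 malicious-example.com quarantined
2024-01-01T10:50:00 malicious-example.com delivered
2024-01-01T11:10:00 partner.example delivered"""
def delivered_after_block(log, domain, block_time):
    """Containment check: mail from `domain` still delivered after the block went in."""
    return [ts for ts, sender, action in (l.split() for l in log.splitlines())
            if sender == domain and action == "delivered" and datetime.fromisoformat(ts) > block_time]
```

A non-empty result from delivered_after_block is the gap the Recovery step tells you to keep watching for: a message that got past the block and needs its own purge and user follow-up.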
Key Citations: A structured IR approach (Preparation, Detection/Analysis, Containment, Eradication, Recovery, and Lessons Learned) is recommended by NIST/SANS[12][14]. Effective IR “quickly identify[s] an attack, minimize[s] its effects, contain[s] damage, and remediate[s] the cause”[13].