Detection, Response & GRC
Incident Response
Incident response is a critical skill tested in security interviews. This lesson covers the incident lifecycle, response procedures, and common scenarios.
NIST Incident Response Lifecycle
Based on NIST SP 800-61r3 (April 2025):
```text
┌──────────────┐     ┌──────────────┐     ┌──────────────┐     ┌──────────────┐
│ Preparation  │ ──▶ │ Detection    │ ──▶ │ Containment  │ ──▶ │ Post-Incident│
│              │     │ & Analysis   │     │ Eradication  │     │ Activity     │
│              │     │              │     │ Recovery     │     │              │
└──────────────┘     └──────────────┘     └──────────────┘     └──────────────┘
       ▲                                                              │
       └────────────────────── Lessons Learned ───────────────────────┘
```
Phase Details
| Phase | Key Activities |
|---|---|
| Preparation | IR plan, tools, training, playbooks |
| Detection & Analysis | Alert triage, scope determination, evidence collection |
| Containment | Isolate affected systems, prevent spread |
| Eradication | Remove threat, patch vulnerabilities |
| Recovery | Restore systems, verify clean state |
| Post-Incident | Root cause analysis, lessons learned |
Interview Question: IR Scenario
Q: "You receive an alert that a user's workstation is communicating with a known C2 server. Walk me through your response."
Structured Answer:
1. Initial Triage (Minutes 0-15)
   • Verify alert validity (rule out a false positive)
   • Identify affected user and system
   • Check user's role (privileged user? access to sensitive data?)
   • Document initial findings with timestamps
2. Scope Assessment (Minutes 15-30)
   • Query SIEM for related activity
     - Other hosts contacting same C2
     - User's recent login locations
     - File downloads/executions
   • Check EDR for process tree
   • Review authentication logs
3. Containment (Minutes 30-60)
   • Isolate workstation from network (EDR isolation or network block)
   • Disable user account (if compromise confirmed)
   • Block C2 domain/IP at firewall
   • Preserve evidence (memory dump, disk image)
4. Investigation
   • Analyze malware sample (if found)
   • Determine initial access vector
     - Phishing email?
     - Drive-by download?
     - Insider threat?
   • Map lateral movement
   • Identify data accessed/exfiltrated
5. Eradication & Recovery
   • Reimage affected workstation
   • Reset user credentials
   • Patch identified vulnerabilities
   • Verify clean state before reconnection
6. Post-Incident
   • Document timeline
   • Update detection rules
   • Brief leadership
   • File report (legal/compliance if needed)
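Steps 2 and 3 of the answer above (scope assessment and containment) are the part interviewers most want to see made concrete. The following is an added example, not code from the original lesson: given the alerting workstation and the C2 indicator, it sweeps a proxy/firewall log for every other host that contacted the same destination, builds a per-host first/last-seen timeline, and derives the containment list (hosts to isolate, accounts to review, indicator to block). The log format, hostnames, usernames, the indicator address and the outbound-byte threshold are all constructed for the example.

```python
"""Scoping a C2 alert across proxy/firewall logs (added example, not from the lesson)."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, Optional, Set

# Constructed sample log: "<utc_timestamp> <src_host> <user> <dst_ip>:<dst_port> <bytes_out>"
SAMPLE_LOG = """\
2026-01-05T14:02:11Z WS-1234 alice 203.0.113.10:443 812
2026-01-05T14:02:40Z WS-1234 alice 198.51.100.5:443 1204
2026-01-05T14:05:02Z WS-1234 alice 203.0.113.10:443 9421
2026-01-05T14:06:55Z WS-2201 bob 203.0.113.10:443 640
2026-01-05T14:10:13Z WS-3310 carol 198.51.100.9:80 300
2026-01-05T14:12:48Z WS-2201 bob 203.0.113.10:8443 77812
"""

C2_INDICATOR = "203.0.113.10"   # constructed; a TEST-NET-3 documentation address, not a real C2
EXFIL_BYTES_THRESHOLD = 50_000  # constructed threshold for flagging unusually large outbound volume


@dataclass
class HostScope:
    """Everything the sweep learns about one host's contact with the indicator."""
    host: str
    users: Set[str] = field(default_factory=set)
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None
    connections: int = 0
    bytes_out: int = 0


def parse_line(line: str) -> dict:
    """Split one constructed log line into typed fields."""
    ts, host, user, dst, bytes_out = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "host": host,
        "user": user,
        "dst_ip": dst_ip,
        "dst_port": int(dst_port),
        "bytes_out": int(bytes_out),
    }


def scope_c2_activity(log_text: str, indicator: str) -> Dict[str, HostScope]:
    """Step 2 (scope assessment): one HostScope per host that contacted the indicator."""
    scope: Dict[str, HostScope] = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["dst_ip"] != indicator:
            continue
        hs = scope.setdefault(ev["host"], HostScope(host=ev["host"]))
        hs.users.add(ev["user"])
        hs.connections += 1
        hs.bytes_out += ev["bytes_out"]
        if hs.first_seen is None or ev["ts"] < hs.first_seen:
            hs.first_seen = ev["ts"]
        if hs.last_seen is None or ev["ts"] > hs.last_seen:
            hs.last_seen = ev["ts"]
    return scope


def containment_plan(scope: Dict[str, HostScope], alerting_host: str, indicator: str) -> dict:
    """Step 3 (containment): turn the scope into concrete actions."""
    hosts = sorted(scope)
    return {
        "isolate_hosts": hosts,
        "additional_hosts_found": [h for h in hosts if h != alerting_host],
        "review_accounts": sorted({u for hs in scope.values() for u in hs.users}),
        "possible_exfil_hosts": [h for h in hosts if scope[h].bytes_out > EXFIL_BYTES_THRESHOLD],
        "block_indicator": indicator,
    }


if __name__ == "__main__":
    found = scope_c2_activity(SAMPLE_LOG, C2_INDICATOR)
    for hs in found.values():
        print(f"{hs.host}: {hs.connections} conns, {hs.bytes_out} bytes out, "
              f"{hs.first_seen:%H:%M:%S}-{hs.last_seen:%H:%M:%S}, users={sorted(hs.users)}")
    print(containment_plan(found, "WS-1234", C2_INDICATOR))
```

In the constructed data the alert fired on WS-1234, but the sweep also surfaces WS-2201, whose outbound volume to the indicator crosses the threshold; that second host is the reason scope assessment comes before containment in the answer above.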
Incident Severity Classification
| Severity | Description | Response Time | Example |
|---|---|---|---|
| P1 - Critical | Active data breach, widespread impact | Immediate (24/7) | Ransomware, data exfiltration |
| P2 - High | Compromised system, limited spread | < 4 hours | Single compromised host |
| P3 - Medium | Potential threat, no confirmed impact | < 24 hours | Suspicious activity |
| P4 - Low | Minor policy violation | < 72 hours | Unauthorized software |
Evidence Collection
Order of Volatility
```text
Most Volatile (collect first)
        │
        ▼
  1. CPU registers, cache
  2. Routing tables, ARP cache
  3. Running processes, memory
  4. Network connections
  5. Temporary files
  6. Disk contents
  7. Remote logs, monitoring data
        │
        ▼
Least Volatile (collect last)
```
Chain of Custody
```text
Evidence Item:
  ID:               IR-2026-001-HDD-001
  Description:      "256GB SSD from workstation WS-1234"
  Collected By:     John Smith, Security Analyst
  Date/Time:        2026-01-05 14:32 UTC
  Hash (SHA-256):   a1b2c3d4e5f6...
  Storage Location: Evidence locker #3
  Access Log:
    - 2026-01-05 14:35: John Smith - initial collection
    - 2026-01-05 15:00: Jane Doe - forensic imaging
```
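The record above is only as good as the two things that make it verifiable later: the image hash taken at collection and an access log that cannot be quietly edited. The following is an added example, not code from the original lesson: it hashes the evidence image with SHA-256 in chunks, appends each custody event to a log in which every entry carries the digest of the previous entry, and re-checks both the image and the log before any later analysis step. `EVIDENCE_IMAGE` is a constructed stand-in for the disk image; the item ID, names and times mirror the lesson's sample record.

```python
"""Evidence hashing and a tamper-evident chain-of-custody log (added example, not from the lesson)."""
import hashlib
import json
from dataclasses import dataclass, field
from typing import List

# Constructed stand-in for the acquired disk image; a real image is hashed the same way, in chunks.
EVIDENCE_IMAGE = b"CONSTRUCTED-DISK-IMAGE-BLOCK\n" * 256


def sha256_hex(data: bytes, chunk_size: int = 1 << 20) -> str:
    """Hash in fixed-size chunks so the same routine works for multi-GB images streamed from disk."""
    h = hashlib.sha256()
    view = memoryview(data)
    for offset in range(0, len(view), chunk_size):
        h.update(view[offset:offset + chunk_size])
    return h.hexdigest()


def _entry_digest(entry: dict) -> str:
    # Canonical JSON (sorted keys) so the digest does not depend on dict ordering.
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    collected_by: str
    collected_at: str
    sha256: str
    storage_location: str
    access_log: List[dict] = field(default_factory=list)

    def log_access(self, when: str, who: str, purpose: str) -> str:
        """Append a custody event chained to the previous one; returns the new entry's digest."""
        prev = self.access_log[-1]["entry_hash"] if self.access_log else self.sha256
        entry = {"when": when, "who": who, "purpose": purpose, "prev_hash": prev}
        entry["entry_hash"] = _entry_digest(entry)
        self.access_log.append(entry)
        return entry["entry_hash"]

    def verify_image(self, data: bytes) -> bool:
        """Re-hash the image before analysis; a mismatch means the evidence changed since collection."""
        return sha256_hex(data) == self.sha256

    def verify_log(self) -> bool:
        """Walk the chain from the image hash; an edited, removed or reordered entry breaks a link."""
        prev = self.sha256
        for entry in self.access_log:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry.get("prev_hash") != prev or _entry_digest(body) != entry.get("entry_hash"):
                return False
            prev = entry["entry_hash"]
        return True


def collect_evidence(image: bytes) -> EvidenceItem:
    """Create the record for the lesson's sample item and log the two custody events it lists."""
    item = EvidenceItem(
        item_id="IR-2026-001-HDD-001",
        description="256GB SSD from workstation WS-1234",
        collected_by="John Smith, Security Analyst",
        collected_at="2026-01-05 14:32 UTC",
        sha256=sha256_hex(image),
        storage_location="Evidence locker #3",
    )
    item.log_access("2026-01-05 14:35", "John Smith", "initial collection")
    item.log_access("2026-01-05 15:00", "Jane Doe", "forensic imaging")
    return item


if __name__ == "__main__":
    record = collect_evidence(EVIDENCE_IMAGE)
    print(json.dumps(record.__dict__, indent=2))
    print("image intact:", record.verify_image(EVIDENCE_IMAGE))
    print("log intact:", record.verify_log())
```

Chaining the first log entry to the image hash ties the custody history to the specific artefact, so the log cannot be swapped onto a different image without the first link failing.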
Common Attack Scenarios
Ransomware Response
IMMEDIATE ACTIONS:
1. Isolate infected systems (network isolation)
2. Identify ransomware variant
3. Preserve encrypted samples
4. Check for backup integrity
5. Determine encryption scope
DO NOT:
• Pay ransom without legal counsel
• Attempt decryption on production data
• Delete encrypted files (may be needed for recovery)
• Communicate with attacker without authorization
Phishing Incident
INVESTIGATION:
1. Quarantine email across organization
2. Identify all recipients
3. Determine who clicked/submitted credentials
4. Check for lateral movement from compromised accounts
REMEDIATION:
1. Reset compromised passwords
2. Revoke active sessions
3. Block sender domain/IP
4. Update email filters
Data Breach Response
LEGAL REQUIREMENTS:
• GDPR: 72-hour notification to supervisory authority
• HIPAA: 60 days for breach notification
• State laws: Vary by jurisdiction
NOTIFICATION CHECKLIST:
□ Legal/Privacy team informed
□ Regulatory notification (if required)
□ Customer notification plan
□ PR/Communications brief
□ Credit monitoring (if applicable)
IR Playbooks
Playbook Structure
```yaml
playbook:
  name: "Compromised Credentials"
  severity: high
  triggers:
    - alert_type: "impossible_travel"
    - alert_type: "credential_stuffing"
  steps:
    - name: "Verify Alert"
      action: "Check if legitimate travel/VPN"
      tools: ["HR records", "Travel system"]
    - name: "Contain"
      action: "Disable account, revoke tokens"
      tools: ["Azure AD", "Okta"]
    - name: "Investigate"
      action: "Review login history, accessed resources"
      tools: ["SIEM", "Cloud audit logs"]
    - name: "Remediate"
      action: "Reset password, enable MFA"
      tools: ["IAM console"]
    - name: "Document"
      action: "Create incident report"
      tools: ["Ticketing system"]
  escalation:
    - condition: "Privileged account compromised"
      action: "Page incident commander"
```
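A playbook in this shape is useful precisely because its triggers and escalation rules can be evaluated mechanically when an alert arrives. The following is an added example, not code from the original lesson: the playbook above is expressed as a Python dict so it runs without a YAML library, `match_playbooks` selects the playbooks whose triggers match an alert, and `run_playbook` produces an ordered step tracker and evaluates the escalation rules. Because the playbook's escalation condition is free text, the mapping from that text to a check on alert fields (`CONDITION_CHECKS`) and the alert fields `privileged` and `compromise_confirmed` are assumptions made for this example.

```python
"""Matching an alert to a playbook and tracking its steps (added example, not from the lesson)."""
from typing import Callable, Dict, List

# The lesson's playbook, as a dict (same fields and values as the YAML).
PLAYBOOKS: List[dict] = [
    {
        "name": "Compromised Credentials",
        "severity": "high",
        "triggers": [{"alert_type": "impossible_travel"}, {"alert_type": "credential_stuffing"}],
        "steps": [
            {"name": "Verify Alert", "action": "Check if legitimate travel/VPN",
             "tools": ["HR records", "Travel system"]},
            {"name": "Contain", "action": "Disable account, revoke tokens", "tools": ["Azure AD", "Okta"]},
            {"name": "Investigate", "action": "Review login history, accessed resources",
             "tools": ["SIEM", "Cloud audit logs"]},
            {"name": "Remediate", "action": "Reset password, enable MFA", "tools": ["IAM console"]},
            {"name": "Document", "action": "Create incident report", "tools": ["Ticketing system"]},
        ],
        "escalation": [{"condition": "Privileged account compromised", "action": "Page incident commander"}],
    },
]

# Assumed mapping from the playbook's free-text conditions to checks on (assumed) alert fields.
CONDITION_CHECKS: Dict[str, Callable[[dict], bool]] = {
    "Privileged account compromised": lambda a: bool(a.get("privileged")) and bool(a.get("compromise_confirmed")),
}


def trigger_matches(trigger: dict, alert: dict) -> bool:
    """A trigger matches when every key it names equals the alert's value for that key."""
    return all(alert.get(k) == v for k, v in trigger.items())


def match_playbooks(alert: dict, playbooks: List[dict] = PLAYBOOKS) -> List[dict]:
    """Return every playbook with at least one trigger matching the alert."""
    return [pb for pb in playbooks if any(trigger_matches(t, alert) for t in pb["triggers"])]


def run_playbook(playbook: dict, alert: dict) -> dict:
    """Build the ordered step tracker and the escalation actions the alert context triggers."""
    steps = [
        {"order": i, "name": s["name"], "action": s["action"], "tools": list(s["tools"]), "status": "pending"}
        for i, s in enumerate(playbook["steps"], start=1)
    ]
    escalations: List[str] = []
    for rule in playbook.get("escalation", []):
        check = CONDITION_CHECKS.get(rule["condition"])
        if check is None:
            # Unmapped condition text: surface it rather than silently skipping a possible page-out.
            escalations.append(f"MANUAL REVIEW: unmapped condition '{rule['condition']}'")
        elif check(alert):
            escalations.append(rule["action"])
    return {"playbook": playbook["name"], "severity": playbook["severity"],
            "steps": steps, "escalations": escalations}


def handle_alert(alert: dict) -> List[dict]:
    """Run every matching playbook against the alert."""
    return [run_playbook(pb, alert) for pb in match_playbooks(alert)]


if __name__ == "__main__":
    # Constructed alert: impossible-travel sign-in on an account flagged as privileged.
    sample = {"alert_type": "impossible_travel", "user": "svc-admin",
              "privileged": True, "compromise_confirmed": True}
    for result in handle_alert(sample):
        print(result["playbook"], result["severity"], result["escalations"])
        for step in result["steps"]:
            print(f"  {step['order']}. {step['name']}: {step['action']} [{', '.join(step['tools'])}]")
```

The unmapped-condition branch matters in practice: a playbook author can add an escalation rule in plain English faster than the automation catches up, and failing loudly is safer than dropping a page-out.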
Tabletop Exercise
Interviewers may ask you to walk through a tabletop:
Scenario: "It's Friday at 5 PM. Your SIEM alerts on unusual database queries from a web server. The queries are extracting customer PII. What do you do?"
Key Considerations:
- Business impact (production system)
- Regulatory requirements (PII exposure)
- After-hours response (team availability)
- Evidence preservation vs. rapid containment
Interview Tip: In IR scenarios, always verbalize your thought process. Show that you balance speed with thoroughness, and that you consider business impact alongside security requirements.
Next, we'll cover compliance and GRC frameworks.