🛡️ Incident Response Fundamentals – TryHackMe Write-Up


Cyber security incidents are no longer rare events — they are part of everyday organizational risk. In this room, Incident Response Fundamentals, we explored how security teams detect, analyze, contain, and recover from cyber incidents using structured frameworks and practical techniques.

This blog summarizes everything covered in the room, including key concepts and the hands-on lab experience.


📌 Understanding Incidents

Every device generates thousands of events a day. An event is just a logged record of something a user or process did: a logon, a file write, a process start, a DNS lookup. Most of them are noise.

When a security solution (SIEM, EDR, AV) matches events against a detection rule and finds something suspicious, it raises an alert. An analyst then validates the alert:

  • False Positive – the rule fired on activity that turns out to be benign (a vulnerability scanner, an admin script, a badly tuned rule)

  • True Positive – the alert correctly identified malicious activity

A validated true positive that needs a response becomes an Incident.

Incidents are prioritized based on severity:

  • Low

  • Medium

  • High

  • Critical

Severity is set by business impact: what the affected asset does, how sensitive the data on it is, and how many users or systems are affected. A brute-force attempt against a lab box is Low; the same activity against a domain controller or a payment system is High or Critical.


🚨 Types of Security Incidents

Cyber incidents come in different forms. Each has a unique impact depending on the organization.

1️⃣ Malware Infection

Malicious software that damages systems or steals data. Often delivered via phishing attachments.

2️⃣ Security Breach

Unauthorized access to confidential information.

3️⃣ Data Leak

Sensitive data exposed, either intentionally or accidentally.

4️⃣ Insider Attack

Malicious activity performed by someone inside the organization.

5️⃣ Denial of Service (DoS)

Flooding a system with traffic to make it unavailable to legitimate users.

Each incident type requires different handling and response strategies.


🔄 Incident Response Frameworks

Handling incidents without structure can lead to chaos. That’s why frameworks exist.

🛡️ SANS Incident Response (PICERL)

SANS uses six phases:

  1. Preparation

  2. Identification

  3. Containment

  4. Eradication

  5. Recovery

  6. Lessons Learned

PICERL is an easy way to remember them.


πŸ›️ NIST Incident Response Framework

NIST simplifies the lifecycle into four phases:

  1. Preparation

  2. Detection & Analysis

  3. Containment, Eradication & Recovery

  4. Post-Incident Activity

The two models describe the same work. NIST's Detection & Analysis corresponds to SANS Identification, and NIST folds Containment, Eradication and Recovery into a single phase because in practice they loop: eradication often uncovers another foothold that sends you back to containment. (Revision 3 of SP 800-61, published in 2025, reorganises the guidance around the CSF 2.0 functions, but the four-phase model is the one taught in this room and still the one most teams use.)


🛠️ Incident Detection & Response Tools

Modern incident response relies heavily on security tools:

🔹 SIEM (Security Information and Event Management)

  • Collects logs centrally from endpoints, servers, network devices and cloud services

  • Correlates events across those sources against detection rules

  • Generates alerts for analysts to triage

🔹 Antivirus (AV)

  • Detects known malware, mostly by signature, so it misses new or customised samples

  • Performs routine and on-access scans

🔹 EDR (Endpoint Detection & Response)

  • Installed as an agent on endpoints, recording process, file, registry and network activity

  • Detects advanced threats from behaviour, not only signatures

  • Can contain and eradicate threats: isolate the host from the network, kill processes, quarantine files
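The pipeline from the Understanding Incidents section (events collected centrally, correlated into an alert, validated as a true or false positive, then given a severity from business impact) and the SIEM's collect-correlate-alert role, as one added Python example. This is not code from the room or from any SIEM product: the events, host names, addresses, the scanner allowlist, the internal network ranges and the asset ratings are all constructed for illustration, and the correlation rule (five failed logons followed by a success from one source within two minutes) is a simple stand-in for a real detection rule. Event IDs 4625 and 4624 are the Windows Security log's failed and successful logon events.

```python
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not data from the room). Hosts, users, IPs and times are made up.
# Event IDs follow Windows Security log numbering: 4625 = failed logon, 4624 = successful logon.
RAW_EVENTS = """\
{"ts": "2024-05-01T09:00:01", "host": "WS-042", "src_ip": "203.0.113.7", "user": "alice", "event_id": 4625}
{"ts": "2024-05-01T09:00:03", "host": "WS-042", "src_ip": "203.0.113.7", "user": "alice", "event_id": 4625}
{"ts": "2024-05-01T09:00:05", "host": "WS-042", "src_ip": "203.0.113.7", "user": "alice", "event_id": 4625}
{"ts": "2024-05-01T09:00:07", "host": "WS-042", "src_ip": "203.0.113.7", "user": "alice", "event_id": 4625}
{"ts": "2024-05-01T09:00:09", "host": "WS-042", "src_ip": "203.0.113.7", "user": "alice", "event_id": 4625}
{"ts": "2024-05-01T09:00:20", "host": "WS-042", "src_ip": "203.0.113.7", "user": "alice", "event_id": 4624}
{"ts": "2024-05-01T09:03:00", "host": "WS-013", "src_ip": "10.0.0.5", "user": "bob", "event_id": 4625}
{"ts": "2024-05-01T09:03:02", "host": "WS-013", "src_ip": "10.0.0.5", "user": "bob", "event_id": 4624}
{"ts": "2024-05-01T09:05:00", "host": "DC-01", "src_ip": "10.0.0.9", "user": "svc_scan", "event_id": 4625}
{"ts": "2024-05-01T09:05:02", "host": "DC-01", "src_ip": "10.0.0.9", "user": "svc_scan", "event_id": 4625}
{"ts": "2024-05-01T09:05:04", "host": "DC-01", "src_ip": "10.0.0.9", "user": "svc_scan", "event_id": 4625}
{"ts": "2024-05-01T09:05:06", "host": "DC-01", "src_ip": "10.0.0.9", "user": "svc_scan", "event_id": 4625}
{"ts": "2024-05-01T09:05:08", "host": "DC-01", "src_ip": "10.0.0.9", "user": "svc_scan", "event_id": 4625}
{"ts": "2024-05-01T09:05:10", "host": "DC-01", "src_ip": "10.0.0.9", "user": "svc_scan", "event_id": 4624}
"""

WINDOW = timedelta(minutes=2)      # correlation window (assumed rule parameter)
FAILURE_THRESHOLD = 5              # failed logons needed before a success is suspicious

# Constructed analyst context: the organisation's own address ranges, an authorised vulnerability
# scanner whose logon noise is expected, and a business-impact rating per asset on the room's
# Low/Medium/High/Critical scale. All hypothetical.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KNOWN_SCANNERS = {"10.0.0.9"}
ASSET_IMPACT = {"WS-042": "medium", "WS-013": "low", "DC-01": "critical"}
SEVERITY_SCALE = ["low", "medium", "high", "critical"]


def parse_events(raw):
    """Load JSON-lines events and sort them by time, as a log collector does before correlation."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events):
    """SIEM-style correlation: FAILURE_THRESHOLD or more failed logons for one (source IP, user)
    pair inside WINDOW, followed by a successful logon from the same pair, raises one alert."""
    alerts = []
    failures = defaultdict(list)   # (src_ip, user) -> timestamps of failures still inside the window
    for e in events:
        key = (e["src_ip"], e["user"])
        recent = [t for t in failures[key] if e["ts"] - t <= WINDOW]
        if e["event_id"] == 4625:
            recent.append(e["ts"])
            failures[key] = recent
        elif e["event_id"] == 4624:
            if len(recent) >= FAILURE_THRESHOLD:
                alerts.append({
                    "rule": "brute_force_then_success",
                    "host": e["host"], "src_ip": e["src_ip"], "user": e["user"],
                    "failures": len(recent), "ts": e["ts"],
                })
            failures[key] = []     # a success closes the sequence either way
    return alerts


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def triage(alert):
    """Validate an alert. A false positive is closed; a true positive becomes an incident whose
    severity starts at the asset's business impact and rises one step when the source is outside
    the organisation's ranges (the host is being attacked from the internet)."""
    if alert["src_ip"] in KNOWN_SCANNERS:
        return {"verdict": "false_positive", "alert": alert, "incident": None}
    level = SEVERITY_SCALE.index(ASSET_IMPACT.get(alert["host"], "low"))
    if not is_internal(alert["src_ip"]):
        level = min(level + 1, len(SEVERITY_SCALE) - 1)
    incident = dict(alert, severity=SEVERITY_SCALE[level])
    return {"verdict": "true_positive", "alert": alert, "incident": incident}


def run(raw=RAW_EVENTS):
    """Events -> alerts -> triaged incidents: the pipeline the section describes."""
    return [triage(a) for a in correlate(parse_events(raw))]


if __name__ == "__main__":
    for r in run():
        sev = r["incident"]["severity"] if r["incident"] else "-"
        print(f"{r['verdict']:<15} {r['alert']['host']:<7} from {r['alert']['src_ip']:<12} severity={sev}")
```

Two of the three logon sequences trip the rule. The external brute force against WS-042 is a true positive and is escalated from the asset's Medium rating to High; the identical pattern from the authorised scanner against DC-01 is closed as a false positive even though the target is Critical, which is the point of keeping validation separate from detection. Bob's single typo never reaches the threshold and produces nothing.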


📘 Playbooks vs Runbooks

To ensure consistent response:

  • Playbooks → High-level structured guidelines for handling specific incidents

  • Runbooks → Detailed technical step-by-step execution procedures

Both are written during the Preparation phase. Having them ready saves time and removes ad hoc decision-making during a real incident, when pressure is highest and mistakes are most expensive.


🧪 Lab Work: Phishing Incident Investigation

In the hands-on lab, we simulated a phishing attack where a malicious email was sent to multiple employees.

πŸ” Investigation Steps

  1. Identify the malicious email sender

  2. Determine the threat vector

  3. Check how many hosts downloaded the attachment

  4. Identify how many executed it

  5. Analyze timeline events

  6. Complete containment and investigation

🖥️ Key Findings

  • The phishing email successfully reached multiple users

  • Several hosts downloaded the attachment

  • Only one system executed the malware

  • The infected machine was analyzed through its event timeline
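The six investigation steps above, carried out over telemetry rather than by hand, as an added Python example. This is not the room's lab data or the platform's code: the mail-gateway records, EDR file-write and process-creation events, sender, recipients, host names and the "deadbeef..." hash are all constructed placeholders. The scoping logic pivots from the reported sender to recipients, threat vector, hosts that wrote the attachment to disk and hosts that ran it, then builds the infected host's timeline and derives the containment actions from the scope.

```python
import json
from datetime import datetime

# Constructed telemetry (not the room's lab data): mail-gateway records, EDR file-write events and
# EDR process-creation events, one JSON object per line. Every sender, recipient, host name and hash
# is made up; "deadbeef0001" is a placeholder for the attachment's SHA-256, not a real sample hash.
RAW_LOG = r"""
{"ts":"2024-05-01T08:00:00","source":"mail","from":"billing@invoice-portal.example","to":"alice@corp.example","attachment":"Invoice_4412.pdf.exe","sha256":"deadbeef0001"}
{"ts":"2024-05-01T08:00:00","source":"mail","from":"billing@invoice-portal.example","to":"bob@corp.example","attachment":"Invoice_4412.pdf.exe","sha256":"deadbeef0001"}
{"ts":"2024-05-01T08:00:01","source":"mail","from":"billing@invoice-portal.example","to":"carol@corp.example","attachment":"Invoice_4412.pdf.exe","sha256":"deadbeef0001"}
{"ts":"2024-05-01T08:00:01","source":"mail","from":"billing@invoice-portal.example","to":"dave@corp.example","attachment":"Invoice_4412.pdf.exe","sha256":"deadbeef0001"}
{"ts":"2024-05-01T08:02:00","source":"mail","from":"hr@corp.example","to":"bob@corp.example","attachment":"Policy.pdf","sha256":"cafe00000002"}
{"ts":"2024-05-01T08:12:00","source":"edr_file","host":"WS-ALICE","user":"alice","path":"C:\\Users\\alice\\Downloads\\Invoice_4412.pdf.exe","sha256":"deadbeef0001"}
{"ts":"2024-05-01T08:15:30","source":"edr_file","host":"WS-BOB","user":"bob","path":"C:\\Users\\bob\\Downloads\\Invoice_4412.pdf.exe","sha256":"deadbeef0001"}
{"ts":"2024-05-01T08:16:02","source":"edr_process","host":"WS-BOB","user":"bob","image":"Invoice_4412.pdf.exe","parent":"explorer.exe","sha256":"deadbeef0001"}
{"ts":"2024-05-01T08:16:05","source":"edr_process","host":"WS-BOB","user":"bob","image":"powershell.exe","parent":"Invoice_4412.pdf.exe","sha256":"cafe00000003"}
{"ts":"2024-05-01T08:20:10","source":"edr_file","host":"WS-CAROL","user":"carol","path":"C:\\Users\\carol\\Downloads\\Invoice_4412.pdf.exe","sha256":"deadbeef0001"}
{"ts":"2024-05-01T08:21:00","source":"edr_process","host":"WS-ALICE","user":"alice","image":"AcroRd32.exe","parent":"explorer.exe","sha256":"cafe00000004"}
"""


def parse_log(raw):
    """Load the JSON-lines telemetry and sort it by time."""
    events = []
    for line in raw.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def scope_phishing(events, sender):
    """Steps 1-4: from the reported sender, find every recipient, the threat vector, the hosts
    that wrote the attachment to disk, and the hosts that executed it. Matching is by hash, so a
    renamed copy of the attachment is still caught."""
    messages = [e for e in events if e["source"] == "mail" and e["from"] == sender]
    if not messages:
        raise ValueError(f"no mail from {sender} in the log")
    payload_hashes = {m["sha256"] for m in messages}
    vector = "email attachment" if any("attachment" in m for m in messages) else "email link"
    downloaded = {e["host"] for e in events if e["source"] == "edr_file" and e["sha256"] in payload_hashes}
    executed = {e["host"] for e in events if e["source"] == "edr_process" and e["sha256"] in payload_hashes}
    return {
        "sender": sender,
        "recipients": sorted({m["to"] for m in messages}),
        "threat_vector": vector,
        "payload_hashes": sorted(payload_hashes),
        "hosts_downloaded": sorted(downloaded),
        "hosts_executed": sorted(executed),
    }


def host_timeline(events, host):
    """Step 5: every event the telemetry holds for one host, in time order, as printable rows."""
    rows = []
    for e in events:
        if e.get("host") != host:
            continue
        if e["source"] == "edr_file":
            detail = f"file written {e['path']} ({e['sha256']})"
        else:
            detail = f"process {e['image']} spawned by {e['parent']} ({e['sha256']})"
        rows.append(f"{e['ts'].isoformat()} {e['user']:<6} {detail}")
    return rows


def containment_plan(scope):
    """Step 6: actions that follow from the scope. Hosts that ran the payload are isolated for
    analysis; hosts that only hold the file get it quarantined; sender and hash are blocked and
    the message is purged from every mailbox it reached."""
    actions = [f"block sender {scope['sender']} at the mail gateway"]
    actions += [f"block hash {h} on EDR/AV" for h in scope["payload_hashes"]]
    actions += [f"isolate {h} from the network and collect triage image" for h in scope["hosts_executed"]]
    actions += [f"quarantine attachment on {h}" for h in scope["hosts_downloaded"]
                if h not in scope["hosts_executed"]]
    actions += [f"purge message from mailbox {r}" for r in scope["recipients"]]
    return actions


if __name__ == "__main__":
    events = parse_log(RAW_LOG)
    scope = scope_phishing(events, "billing@invoice-portal.example")
    for key, value in scope.items():
        print(f"{key}: {value}")
    for host in scope["hosts_executed"]:
        print(f"\ntimeline for {host}:")
        for row in host_timeline(events, host):
            print(" ", row)
    print("\ncontainment:")
    for action in containment_plan(scope):
        print(" -", action)
```

On the constructed data the result mirrors the lab's findings: four recipients, three hosts that downloaded the attachment, one host (WS-BOB) that executed it, and a timeline on that host showing the attachment spawning powershell.exe a few seconds after it ran, which is the follow-on activity the containment decision hinges on. The unrelated HR attachment and Alice's Acrobat process are filtered out by the hash match rather than by file name.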

This lab demonstrated real-world SOC analyst responsibilities:

  • Incident scoping

  • Host analysis

  • Containment decisions

  • Evidence review


🎯 Conclusion

This room provided a strong foundation in Incident Response by combining theory with practical implementation.

We learned:

  • How events become incidents

  • Types of cyber incidents

  • SANS and NIST response frameworks

  • The role of SIEM, AV, and EDR

  • The importance of playbooks

  • Practical phishing incident investigation

Incident Response is not just about reacting — it’s about structured, intelligent handling of security threats to minimize business impact.

This room successfully introduced the mindset and workflow of a Blue Team professional.


🚩 Flags

THM{My_First_Incident_Response}
