Incident Handling Process

Now that we are familiar with the cyber kill chain and its stages, we can better predict/anticipate the next steps in an attack and suggest appropriate countermeasures.

Just like the cyber kill chain, incident response follows a structured process. The incident handling process helps organizations prepare, detect, and respond to security events. However, its stages do not correspond directly to the cyber kill chain stages.

---

Stages of the Incident Handling Process

According to NIST, the incident handling process consists of four distinct stages:

1. Preparation

   • Organizations establish security policies, train employees, and implement monitoring tools.

   • This is a continuous process to improve defenses and readiness.

2. Detection & Analysis

   • Security teams detect potential incidents using logs, alerts, and anomaly detection.

   • Proper analysis ensures accurate classification of incidents.

3. Containment, Eradication & Recovery

   • Contain the threat to prevent further damage.

   • Eradicate malware and compromised accounts.

   • Recover systems to resume normal operations.

4. Post-Incident Activity

   • Conduct lessons learned meetings.

   • Improve defenses based on findings.

   • Document the full incident report.

Key Points to Remember

• Most time is spent in Preparation and Detection & Analysis stages.

• The process is cyclic, not linear, meaning new evidence can shift priorities.

• Skipping steps can lead to incomplete containment and tip off attackers.

• So, incident handling has two main activities, which are investigating and recovering.

• Investigation focuses on identifying patient zero, adversary tools, and compromised systems.

• Recovery ensures business continuity with a structured remediation plan.

• Final reports and lessons learned help prevent future incidents.

---

Quiz

1. What is the primary goal of the incident handling process?

   • a) To document all security incidents

   • b) To prepare, detect, and respond to malicious events

   • c) To track all network activity

   • d) To prevent hackers from scanning the network

2. Which of the following is NOT a stage of the incident handling process?

   • a) Detection & Analysis

   • b) Preparation

   • c) Lateral Movement

   • d) Post-Incident Activity

3. What is the main focus during the Preparation stage?

   • a) Blocking all external traffic

   • b) Training employees, setting policies, and implementing security tools

   • c) Investigating attack sources

   • d) Removing malware from infected machines

4. Why is skipping steps in the incident handling process dangerous?

   • a) It saves time but reduces the efficiency of the recovery process

   • b) It can alert the attacker that they have been detected

   • c) It allows security teams to move faster

   • d) It helps contain the incident immediately

5. What is the purpose of post-incident activities?

   • a) To determine if an attack is still ongoing

   • b) To learn from the incident and improve security measures

   • c) To track attacker activity in real-time

   • d) To restore systems after an incident

---

Incident Handling Process Quiz Answers

1. b) To prepare, detect, and respond to malicious events

2. c) Lateral Movement

3. b) Training employees, setting policies, and implementing security tools

4. b) It can alert the attacker that they have been detected

5. b) To learn from the incident and improve security measures