A complete, three-hour study companion: condensed lecture review, ten realistic case studies with worked answers, and seventy-five exam-style questions across all six chapters of the course.
This is a study companion, not a substitute for the lecture notes. It walks you through everything that has been covered in class, then puts you in the hot seat with case studies and a 75-question practice exam. The recommended order is the order in which it is written.
A small note on style. Abbreviations are spelled out the first time they appear, and again whenever enough material has gone past that you might have lost track. Every external organisation, regulator, framework, or named tool is hyperlinked to its official site so you can verify the source for yourself rather than taking my word for it. Always scan unfamiliar URLs through VirusTotal before clicking — a habit that costs three seconds and has saved careers.
Lesson-by-lesson walk-through of all six chapters. Each chapter and each lesson can be unfolded individually; the unfold/fold control follows you down the page as you scroll, so you can collapse from anywhere.
The opening lecture sets the vocabulary that the entire course is built on. If you only remember one sentence from Day 01, make it this: incident handling is the disciplined, documented process of dealing with the inevitable. Every organisation eventually has an incident; the well-prepared ones survive it, the others do not.
Three nouns that students confuse, and that you cannot afford to confuse in a write-up: an event (anything observable on a system or network), an incident (one or more events that violate or threaten security policy), and a breach (an incident in which the confidentiality of data is proven lost).
Incident handling, sometimes called incident response (IR), is the disciplined process of detecting, analysing, containing, eradicating, recovering from, and learning about those incidents. The authoritative reference is NIST Special Publication 800-61 (NIST = National Institute of Standards and Technology) — the Computer Security Incident Handling Guide — which defines the classic six-phase lifecycle. NIST is a US federal agency that publishes technical standards used worldwide.
Why does anybody pay for this work? Three reasons in roughly descending order of importance: money (the IBM Cost of a Data Breach Report consistently shows organisations with mature IR programmes save one to two million US dollars per incident compared to those without), regulation (under GDPR (General Data Protection Regulation) the breach-notification clock is 72 hours from awareness — not from confirmation), and trust (a transparent, fast response often preserves a company's reputation; a hidden one ends in a courtroom).
The CIA triad — Confidentiality, Integrity, Availability — is the trio of properties every security control ultimately defends: confidentiality (only authorised parties can read the data), integrity (the data has not been altered without authorisation), and availability (the data and the systems that serve it are reachable when needed).
Three vocabulary terms revolve around the triangle: a threat (anything with the potential to damage one of the three properties), a vulnerability (a weakness a threat can exploit), and risk (the product of the two, defined next).
Risk = Likelihood × Impact. That is the qualitative formula every CISO (Chief Information Security Officer) you ever meet will recite. Risk is never purely technical; the same vulnerability in a public-facing production database is a much bigger risk than in a test system holding fake data, because impact differs by orders of magnitude. The companion methodology is NIST SP 800-30 — Guide for Conducting Risk Assessments.
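A minimal sketch of the formula in code, with illustrative four-point scales (no standard mandates these exact values); it reproduces the production-versus-test-database point above:

```python
# Qualitative Risk = Likelihood x Impact on illustrative 1-4 scales.
LIKELIHOOD = {"rare": 1, "possible": 2, "likely": 3, "almost_certain": 4}
IMPACT = {"negligible": 1, "minor": 2, "major": 3, "severe": 4}

def risk_score(likelihood: str, impact: str) -> int:
    """Qualitative risk score on a 1-16 scale."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]

# Same vulnerability, two assets: impact drives the difference.
prod_db = risk_score("possible", "severe")      # 2 * 4 = 8
test_db = risk_score("possible", "negligible")  # 2 * 1 = 2
print(f"production database: {prod_db}, test system: {test_db}")
```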
A control is a safeguard that reduces risk. Three families: preventive (stop the thing happening), detective (notice it when it does), corrective (clean up afterwards). A mature programme uses all three. An asset is anything the organisation values enough to protect — data, systems, people, reputation, intellectual property.
The seven incident families you will see in the wild, in roughly decreasing order of frequency:
Every incident gets classified along four axes: severity (how loud should the alarm ring — typically Low/Medium/High/Critical), scope (how far does it reach — narrow or broad), category (which of the seven families above, since category drives runbook selection), and sensitivity (was regulated data — personal data, protected health information, cardholder data — touched).
The SOC (Security Operations Center) is the front line. SOC analysts monitor the SIEM (Security Information and Event Management) platform, triage alerts, and resolve or escalate. SOCs run in tiers: Tier 1 does first-pass triage, Tier 2 does deeper analysis and minor incident response, Tier 3 does forensic investigation and malware reverse engineering. Most enterprise SOCs run 24×7 with follow-the-sun shifts because attackers do not respect office hours.
The CSIRT (Computer Security Incident Response Team) owns the incident from confirmation through lessons learned. In small organisations, the CSIRT is a subset of the SOC; in large ones, a separate unit reporting to the CISO. Two cousin acronyms: CERT (Computer Emergency Response Team) is older and still used by many national and institutional teams such as CERT-EU; the CERT trademark belongs to Carnegie Mellon University, which is why most corporate teams now prefer CSIRT. PSIRT (Product Security Incident Response Team) is the team inside a software vendor that handles vulnerabilities in their own products.
Around the SOC and CSIRT sit the supporting cast:
- The CISO owns the executive-level security programme.
- Legal counsel decides what can be said publicly and asserts privilege over forensic reports.
- Communications/PR (Public Relations) writes the breach-notification letter and the press release.
- Human Resources handles insider cases and out-of-hours staff matters.
- IT operations know the infrastructure and must be befriended long before the breach.
- External partners (a digital-forensics retainer with firms like Mandiant, CrowdStrike, or Unit 42, a breach-notification law firm, a PR agency) get called when the incident exceeds in-house capacity.
- Law enforcement (the FBI and its Internet Crime Complaint Center (IC3), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and Canada's Royal Canadian Mounted Police National Cybercrime Coordination Unit (RCMP NC3)) gets engaged when the incident is serious enough that the intelligence outweighs the headache.
If you remember one non-technical word from Lesson 4, make it tabletop exercise — a two-hour meeting where the IR team walks through a simulated incident with no keyboards and no real systems. Tabletops surface the playbook gaps that no documentation review will reveal. Every organisation that runs them quarterly handles real incidents dramatically better than those that do not.
Modern incident handling has a stopwatch attached. The four frameworks you must know on day one of the job:
The practical consequence: every incident has a clock. The instant an incident is confirmed, two questions must be asked — "is personal or regulated data implicated?" and "when does the clock start?". Write those two questions on a sticky note on your monitor.
The classic six-phase IH&R lifecycle is the model you will see on every certification exam — CEH (Certified Ethical Hacker), GCIH (GIAC Certified Incident Handler), ECIH (EC-Council Certified Incident Handler) — and on most job descriptions: Preparation → Identification → Containment → Eradication → Recovery → Lessons Learned.
The classic three nouns that students confuse: Event (anything observable), Incident (event(s) that violate or threaten security policy), Breach (an incident where confidentiality of data is proven lost). Mixing these up in a boardroom is how careers end.
A real IRP (Incident Response Plan) is a living document, not a PDF gathering dust on a SharePoint. Seven sections at minimum:
1. Purpose, scope, and authority.
2. Roles and responsibilities, in the form of a RACI matrix (Responsible / Accountable / Consulted / Informed) by title, not by name.
3. Incident classification and severity matrix, typically SEV-1 through SEV-4 with crystal-clear definitions and time-to-notify SLAs (Service Level Agreements).
4. Six-phase playbook references.
5. Communication and escalation protocol.
6. Legal and regulatory reporting obligations: Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) reported to the Office of the Privacy Commissioner of Canada (OPC), Quebec's Law 25 where Quebec residents are affected, U.S. state breach-notification laws reported to the relevant state Attorney General (for example California, New York, Illinois), plus the U.S. Federal Trade Commission (FTC) and sector-specific bodies.
7. Plan maintenance, with an owner and a review schedule.
When you build an IRP from scratch, do it in this order: map crown-jewel assets, define the severity matrix in terms of business impact (a SEV-1 means "this is costing money or reputation right now", not "this is a cool zero-day"), draft roles with named deputies, write one playbook per top-five incident type (the SANS Reading Room and the CISA playbooks are excellent starting templates), get legal and HR to review the relevant sections in writing, then tabletop-test, break, and rewrite annually.
The IRP decays. Every new SaaS (Software as a Service) tool, every reorganisation, every new regulation (the EU's NIS2 and DORA — Digital Operational Resilience Act — are two recent examples) rots a piece of it. Schedule a minor review every quarter, a major review annually, and an unscheduled review after any SEV-1 or SEV-2.
Activation is a formal act, not a mood. Triggers: any confirmed SEV-1 or SEV-2, credible external notification, detection of high-impact TTPs (Tactics, Techniques, and Procedures) such as domain-wide Kerberoasting or a ransomware note on any host, or executive decision by the CISO. First moves: declare, assemble, stabilise, communicate.
Most of the damage in a major breach comes from communication failures, not technical failures. The attacker exfiltrated in six minutes; the legal team learned about it from Twitter; the PR team contradicted the CEO's TV statement; customer service was telling people "everything is fine" while the website was publicly defaced. Look at the post-mortems of Equifax or Target and you will see exactly this pattern.
Three communication axes run in parallel during a live incident, each with different rules:
Escalation — moving the incident up the severity ladder or up the seniority ladder — has two rules every junior responder should memorise. First: when in doubt, escalate. The cost of escalating a false positive is a slightly grumpy manager; the cost of not escalating a real one ends careers. Second: escalation is not a blame transfer — you still own the technical response after escalating. You are asking for authority, resources, and visibility, not for someone to take the pain away.
A sane escalation matrix maps severity to "time to notify", "who must be told", and "who decides". Each row maps to a pre-written, pre-approved message template so the on-call analyst at 02:14 on a Saturday is not composing prose with shaking hands.
The single rule that has bitten me once and that I will never break again: never assume your primary communication channel is safe during an active incident. If an attacker has email access, they are reading your incident email thread. Always have an out-of-band fallback — a private Signal or WhatsApp group set up in peacetime, a conference-bridge number printed on a laminated card in the jump bag, an alternate ticketing system. This is not paranoia. The Lapsus$, Colonial Pipeline, and Uber 2022 breach playbooks all confirm attackers eavesdrop on the response when they can.
Lawyers have a phrase incident responders should tattoo on their forearms: if it is not documented, it did not happen. Documentation has four distinct purposes — operational (telling the next analyst what has been done), forensic (building an admissible chain-of-custody trail), regulatory (satisfying GDPR Article 33, the SEC cyber-incident rule, HIPAA, NIS2, PCI-DSS), and strategic (feeding lessons-learned and metrics back into the programme). Mixing them — for example, putting forensic hypotheses in the regulator notification — creates legal exposure.
A minimum documentation set, phase by phase:
The reporting clock you must internalise: GDPR Article 33 — 72 hours from awareness to the lead supervisory authority; SEC 8-K Item 1.05 — four business days from materiality determination; PCI-DSS — "immediately" to your acquiring bank; HIPAA — 60 days for breaches affecting 500 or more individuals; NIS2 — 24-hour early warning to the national CSIRT. These deadlines start from the moment you become aware, not from the moment it is convenient.
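A minimal sketch of turning those clocks into concrete deadlines from the awareness timestamp. The durations follow the summary above; real obligations carry nuances (the SEC clock, for instance, runs in business days from the materiality determination, approximated here by skipping weekends), so treat this as illustration, not legal advice:

```python
from datetime import datetime, timedelta, timezone

def add_business_days(start: datetime, days: int) -> datetime:
    """Crude business-day counter: weekends skipped, holidays ignored."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Monday-Friday
            days -= 1
    return current

# Example awareness timestamp; always record it in UTC.
aware = datetime(2026, 5, 4, 23, 11, tzinfo=timezone.utc)

deadlines = {
    "NIS2 early warning":        aware + timedelta(hours=24),
    "GDPR Art. 33 notification": aware + timedelta(hours=72),
    "SEC 8-K Item 1.05":         add_business_days(aware, 4),
    "HIPAA (500+ individuals)":  aware + timedelta(days=60),
}
for name, due in sorted(deadlines.items(), key=lambda kv: kv[1]):
    print(f"{due:%Y-%m-%d %H:%M}Z  {name}")
```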
Most organisations do the first five phases. Many quietly skip Lesson Six. The lessons-learned meeting gets scheduled, then cancelled, then forgotten. Skipping it is the single most expensive mistake in security: every incident is a free, fully-funded research project into how your defences fail, and throwing that research in the bin is indefensible.
A proper PIR (Post-Incident Review) is blameless (about systems, not individuals), timed (within two weeks of recovery, before memory decays), multi-disciplinary (IR, IT Ops, SOC, application owners, business owners, legal, HR — the gaps live at the seams between disciplines), data-driven (real metrics from the SIEM and ticketing system, not war stories), and action-oriented (every PIR produces a written list of items with owners and deadlines).
Two root-cause-analysis techniques worth knowing. The 5 Whys — ask "why did this happen?" five times in a row, and the fifth answer is what you actually fix. Why did the attacker get in? Because a contractor's VPN account had MFA disabled. Why? Because IT turned it off six months ago "temporarily". Why was the temporary change not reverted? Because there was no expiry on the exception ticket. Why? Because the exception-ticket template has no expiry field. Why? Because nobody has reviewed the template in three years. The fix is the template, not the contractor. The second technique is the Fishbone (Ishikawa) diagram, which splits causes into categories — People, Process, Technology, Environment — and forces the team to populate each branch (ASQ has a good primer).
Metrics that actually matter (and a couple that do not): TTD (Time to Detect, from first attacker action to first alert triaged as real), TTC (Time to Contain), total attacker dwell time, and the closure rate of post-incident action items.
Vanity metrics that look impressive but are worthless: number of alerts generated (volume is not quality) and number of blocked connections at the firewall (that is internet noise, not defensive value).
Every PIR action item belongs to one of four buckets — Detection (a new SIEM rule, a new EDR signature), Prevention (a patch, a config change, a new control), Process (an updated playbook, a new training module, a new checklist), and People (a hire, a re-org, a new external retainer). Tag every action item; at the next quarterly review, count the closures per bucket. If your programme is leaning entirely on Detection (the sexy bucket), you have a maturity problem.
And finally — publish a sanitised internal PIR report to your whole IT organisation. Engineers reading "here is how we got beaten last month and here is what we are doing about it" build security instincts faster than any classroom training. Secrecy breeds repetition.
The dirty secret of incident response is that, by the time the news writes about a breach, the company has already won or lost. Not in the boardroom, not in the courtroom, but in the panicky first ninety minutes when an over-eager admin reboots the box "to clear it up", or a helpdesk technician scans the suspicious file on the live system, or somebody screenshots the alert into a Slack channel where the attacker — still inside — is reading every word.
A useful rule veteran responders pass to juniors: the alert is not the incident; the alert is a hypothesis. Modern SIEM platforms throw off thousands of correlations a day — most are noise, a few are real. Your job in the first ninety seconds is to decide which.
Five steps in a specific order, drilled into every reputable playbook from NIST SP 800-61, ENISA, and SANS:
A 1995 California criminal trial — famously — turned on a forensic detective who could not, in the end, account for who had been holding a piece of physical evidence during a few hours between collection and lab analysis. The defence pounced. The judge sustained an objection. The evidence was excluded.
Now imagine your turn on the stand. The case is corporate; your company is suing a former employee for stealing source code on his last day. The crucial evidence is a forensic image of his laptop drive, made by you during off-boarding eighteen months earlier. Opposing counsel leans forward and asks if you can account for who had physical custody, when, and what they did with the drive. If you can — every transfer, every signature, every hash — your evidence stays in. If you cannot — even one unsigned form, one missing hash — the judge may exclude it, and with it the case.
This is not theoretical. The bodies that write cybercrime evidence rules — the International Organization on Computer Evidence (IOCE), the Council of Europe Budapest Convention on Cybercrime, the US Department of Justice CCIPS (Computer Crime and Intellectual Property Section), ENISA — converge on the same principle: evidence is admissible if and only if its integrity, authenticity, and continuity can be demonstrated.
The five non-negotiable principles:
A defensible chain-of-custody form contains, at minimum: a unique case identifier, a precise description ("SRV-FIN-03 RAM dump, 32 GiB, file SRV-FIN-03_mem.raw" — not "a memory dump"), a hash record with algorithm and digest, a custody log with one row per transfer including UTC timestamps and signatures from both parties, a storage record describing the bag, seal number, safe location, and access control, and a disposition record.
Two practical points students under-appreciate. First: timestamps must be in UTC. Mixed CET and PST timestamps in a single case file cause exactly the kind of 03:00 confusion attackers exploit. Second: handwriting must be legible and in permanent ink. Pencil entries and erasable-ink (FriXion) pens are inadmissible.
The senior responder's heuristic: at the moment of seizure, make at least two complete forensic images, hash both, lock the original copy in the safe with no further work done — it becomes the master. Keep one working copy in the analyst's hands; keep a second working copy as a recovery copy. The master is touched once, twelve months later in court, and at that point the only operation is a hash check that proves the working copy is identical.
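A minimal sketch of that discipline in code, using the standard-library hashlib; the image file names are illustrative:

```python
import hashlib
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Stream the file in 1 MiB chunks so multi-GiB images fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1024 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()

master = Path("SRV-FIN-03_disk_master.img")    # sealed in the safe
working = Path("SRV-FIN-03_disk_working.img")  # the analyst's copy

master_hash = sha256_of(master)  # recorded on the chain-of-custody form
assert sha256_of(working) == master_hash, "working copy differs from master"

# Twelve months later, in court, the only operation on the master
# is the same one-line check:
assert sha256_of(master) == master_hash, "master has been altered"
```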
A working day's worth of evidence is layered like a pyramid by half-life. CPU registers and cache decay in nanoseconds. ARP (Address Resolution Protocol) tables persist for seconds. Running-process and network-connection state persists for minutes to hours on a live system. RAM contents disappear at power-off (cold-boot tricks can stretch recovery to minutes at best). Disk contents persist for days to years. Archival media persists for as long as the medium lasts.
The reference document is RFC 3227, the Internet Engineering Task Force guide on evidence collection priority. Its prescription, simplified: collect from the top of the pyramid down. Memory before disk, live network state before logs, kernel structures before user-space artefacts.
The lesson NotPetya 2017 hammered home: many administrators watching their fleets get destroyed shut machines down to "save" them. This was wrong. The malware had already encrypted the boot sector by the time the ransom note appeared, so shutdown saved nothing — but it destroyed the most valuable evidence: the contents of memory, which held the malware's running threads, decrypted strings, the hash-dump it had performed on lsass.exe (Local Security Authority Subsystem Service), the credentials it had stolen, and the list of remote hosts it was about to attack via PsExec and Windows Management Instrumentation (WMI). Almost none of that was recoverable from a powered-off disk.
Memory forensics with Volatility and similar tools lets you, hours or days later, list every process running at the moment of capture, find parent-child relationships that look wrong (cmd.exe spawned by winword.exe is rarely good news), pull command-line arguments, extract injected shellcode, recover loaded DLLs (Dynamic Link Libraries), and sometimes reconstruct browser tabs and chat windows that the user had open. None of that is on the disk.
The notebook is the responder's alibi. When a regulator asks the data controller, under GDPR Article 33, to demonstrate that the 72-hour breach-notification clock was respected, the proof is the notebook. When a HIPAA auditor asks why the affected database was kept online for ninety extra minutes, the answer is in the notebook. When the chief executive asks, six months later, why the e-commerce site was not pulled during Black Friday, the answer is in the notebook.
Of the practical disciplines beginners must internalise, the one that survives cross-examination is the correction rule: never erase or silently overwrite an entry. Strike the error through, leave it legible, and append a timestamped correction:

13:47:12Z — CORRECTION: the IP recorded at 13:42:08Z was 10.0.0.42, not 10.0.0.24. Source: arp -a re-checked.

The corrected notebook is unforgeable in a way the silently-fixed one is not. The mechanical implementation can be a paper composition book with consecutive page numbers, a private Git repository with signed commits, or an append-only file with hash-chained entries (each entry includes the SHA-256 of the previous one, blockchain-style). All are valid. What matters is that entries cannot be plausibly altered after the fact.
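A minimal sketch of the hash-chained variant just described; the log file name is illustrative:

```python
import hashlib
from datetime import datetime, timezone

LOG = "ir_notebook.log"
GENESIS = "0" * 64  # placeholder hash for the first entry

def last_hash() -> str:
    """SHA-256 of the most recent full line, or the genesis value."""
    try:
        with open(LOG, "rb") as f:
            lines = f.read().splitlines()
        return hashlib.sha256(lines[-1]).hexdigest() if lines else GENESIS
    except FileNotFoundError:
        return GENESIS

def append_entry(text: str) -> None:
    """Each line embeds the previous line's hash: editing any entry
    after the fact breaks every hash that follows it."""
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    with open(LOG, "a", encoding="utf-8") as f:
        f.write(f"{last_hash()} {stamp} {text}\n")

append_entry("CORRECTION: IP at 13:42:08Z was 10.0.0.42, not 10.0.0.24.")
```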
The 2019 Capital One breach is the published case study where documentation quality won the day. The bank produced for the US Office of the Comptroller of the Currency a precise UTC timeline of when the suspicious access pattern was first noticed (an external researcher's email, archived with full headers), when the affected bucket was first restricted, when each cloud key was rotated, when each affected customer cohort was identified, and when each external notification was sent. The regulator still fined the bank — eighty million US dollars — but the documentation itself was treated as evidence of a mature response, and that mattered for the size of the fine.
The single most common cause of evidence contamination during the first hour is not malice and not incompetence — it is enthusiasm. Three people who all want to help reach for the same machine. The desktop technician opens the user's mailbox to "see what came in" and overwrites the access timestamp on the malicious attachment. The system administrator restarts the suspect server and destroys running malware in memory. The security analyst browses to the attacker's command-and-control domain from the corporate network and tips off the adversary. None did anything wrong by their own job description. They simply did not coordinate.
The classic six-role structure derived from NIST SP 800-61 Rev. 2 and the SANS Incident Handler's Handbook:
The tool that codifies the boundaries is the RACI matrix — every action down one axis, every role across the other, each cell filled with one of four letters (Responsible, Accountable, Consulted, Informed). Print it on A3, laminate it, and stick it to the wall of the war room. When the question "who restarts the server?" is asked at 03:14, the answer is not a debate; it is in the matrix.
The 2017 Equifax breach is the textbook role-confusion case. The published US House of Representatives report reads, in places, like a checklist of role failures: no clearly-named Incident Commander when the breach was first detected internally, decisions taken by committee, the website set up for affected consumers was hosted on a domain not owned by Equifax (making it indistinguishable from a phishing site — a Communications Lead with authority would have rejected that), and the Scribe role was effectively absent so the Congressional report had to assemble the timeline from email archives instead of a contemporaneous notebook. Equifax ultimately settled with the US Federal Trade Commission and a coalition of state attorneys general for approximately seven hundred million US dollars.
Malware research has many sub-categories, but for incident handling six core families cover almost everything. Memorise them — they appear on every certification exam and every job interview:
One family earns an extra warning: the rootkit, which hides processes, files, and connections from the very tools an administrator would use to find them: ps, Task Manager, or netstat. Rarely comes alone; usually brings spyware or backdoors with it.

The lines blur in real malware: WannaCry was a worm that delivered ransomware. Emotet started as a banking trojan and finished its life as a malware-loader-as-a-service. NotPetya looked like ransomware but was a wiper — destruction was the goal and the ransom note was theatre. When you classify, classify the primary behaviour right now.
An IoC (Indicator of Compromise) is any forensic artefact observed on a network or in an operating system that, with high confidence, indicates an intrusion has occurred. The phrase was popularised in the early 2010s by Mandiant (now part of Google Cloud), most visibly with their 2013 report on the APT1 (Advanced Persistent Threat 1) group. Before that, intrusion detection was mostly signature-based and event-by-event; IoC thinking turned it into pattern-of-life thinking.
Five categories of IoC:

- File indicators: names and paths (a svchost.exe living in C:\Users\Public\ is suspicious because the real one lives in C:\Windows\System32\), file size and timestamps, and cryptographic hashes.
- Network indicators: IP addresses, domains (random-looking names like xkrjvbsiq.duckdns.org are often DGA — Domain Generation Algorithm — C2/Command-and-Control), URLs, TLS (Transport Layer Security) fingerprints (JA3 and JA3S hash the way a client/server negotiates TLS).
- Host indicators: registry keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run is the classic Windows persistence spot), scheduled tasks, services, mutexes (the WannaCry mutex Global\WannaCryptor is a famous example).
- Email indicators: sender addresses, subject lines, and header anomalies.
- Behavioural indicators: patterns of activity, such as logins at odd hours or unusual data volumes, that no single artefact captures.

The single most quoted concept in IoC work is David Bianco's Pyramid of Pain (2013), which ranks IoCs by how much pain it costs the attacker to change them. From easiest (and most worthless from a defender's standpoint) to hardest: hash values, IP addresses, domain names, network and host artefacts, tools, and finally TTPs.
Implication for your career: signature-based blocking on hashes and IPs is necessary but cheap to defeat. Behavioural detection lasts months instead of hours. The senior SOC analyst is the one who writes the behavioural rule.
In practical sweep work, three independent IoCs from different categories pointing at the same target equals rope — escalate. One IoC in isolation might be a false positive. Three is not.
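A minimal sketch of that escalation heuristic; the sweep data and category labels are illustrative:

```python
from collections import defaultdict

# (host, ioc_category, indicator) tuples, as a sweep might emit them.
hits = [
    ("WKS-041", "network", "xkrjvbsiq.duckdns.org"),
    ("WKS-041", "host", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
    ("WKS-041", "file", r"svchost.exe in C:\Users\Public"),
    ("WKS-112", "network", "xkrjvbsiq.duckdns.org"),
]

categories_per_host: dict[str, set[str]] = defaultdict(set)
for host, category, _indicator in hits:
    categories_per_host[host].add(category)

# Three independent categories on one host: escalate. One: verify first.
for host, cats in sorted(categories_per_host.items()):
    verdict = "ESCALATE" if len(cats) >= 3 else "verify / monitor"
    print(f"{host}: {sorted(cats)} -> {verdict}")
```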
The golden rule, written in capitals because it is the rule everything else builds on:
CONTAIN, DO NOT POWER OFF.
Pulling the plug on an infected host feels right, is fast, is decisive — and is one of the worst things you can do. You destroy RAM (which holds running processes, network connections, decryption keys, injected code, cached SSO — Single Sign-On — credentials). You break the timeline. You teach the malware (modern malware detects shutdown signals and triggers anti-analysis or wiper code paths). You cannot easily un-power-off — once it is off, the only way back is a reboot, and reboot is exactly when persistence mechanisms re-engage.
Instead, isolate the host while keeping it running. Network segmentation, EDR "contain device" buttons, firewall rules on pfSense or OPNsense — all of them keep memory and processes alive while cutting off the attacker.
NIST splits containment into three time horizons:
Crown-jewel protection matters: when a malware outbreak begins, you protect the high-value assets first — domain controllers, finance systems, anything with regulated data — even if the active fire is somewhere else. Attackers do not stay where they landed; they move toward value.
Containment buys time. Communication wins or loses the rest of the game. The most technically perfect response can still cost the company executives, market cap, and regulatory penalties if the comms are clumsy.
The picture: 02:14, ransomware on a payments server. Wrong answer — post in the corporate Slack #incidents channel, because if the attacker has been inside for a week (and average dwell time is roughly two to three weeks depending on the report), they may be reading that channel and will accelerate before you finish typing. Right answer — pick up your work phone, call the IR lead's mobile (a number saved before this happened), and read the situation aloud in plain language. Out-of-band communication.
Communication has five axes — WHO (audience: internal-technical, internal-leadership, internal-support, external), WHAT (message structure), WHEN (cadence by severity), HOW (channel ranked by integrity), and WHY (regulatory clock).
The SBAR pattern, borrowed from emergency medicine, works perfectly for an incident message: Situation (what is happening right now, in one sentence), Background (the minimum context the reader needs), Assessment (what you believe it means: severity, scope, confidence), and Recommendation (what you need the reader to do or approve next).
That format works for a pager, an email, a phone call, and a board update.
Channels ranked by integrity (highest first): face-to-face → personal mobile voice call → encrypted out-of-band messenger (a dedicated Signal group set up in peacetime) → personal email → corporate phone (VoIP) → corporate Slack/Teams → corporate email. Once an incident is confirmed, assume corporate channels are compromised and discuss IoCs only in a separate private war-room channel with restricted membership.
The regulatory clock summary, by region: GDPR — 72 hours from awareness; UK GDPR + Data Protection Act 2018 (enforced by ICO — Information Commissioner's Office) — 72 hours; HIPAA Breach Notification Rule — 60 days to individuals, "without unreasonable delay"; PCI-DSS — typically 24 hours to your acquirer; PIPEDA (Canada — Personal Information Protection and Electronic Documents Act) — "as soon as feasible" after determining real risk of significant harm; NIS2 — 24-hour early warning, 72-hour full notification. The key skill is not memorising the laws; it is knowing that legal counsel is one of your first calls, not your last.
The Verizon Data Breach Investigations Report has been telling us for over a decade that the same recurring root cause shows up year after year in real-world breach reports: someone clicked something in an email. So we stop treating phishing as "the awareness team's problem" and start treating it as the technical, multi-stage attack chain that it is.
In casual conversation people use "phishing" for everything. In an incident report you cannot — phishing (mass and untargeted), spear phishing (targeted at a specific person or role), whaling (targeted at executives), and BEC (Business Email Compromise, impersonation to reroute money, often with no malware at all) describe genuinely different attacks with different victim profiles, detection signatures, and financial impacts.
Every phishing attack — laziest mass-mail to elegant BEC — decomposes into three sequential stages. Memorising them pays back in incident triage because they map cleanly onto which artefact you collect, which control failed, and which mitigation you apply.
The delivery stage is where most technical controls live. The hook can arrive via look-alike domains (paypa1.com with a numeric "1", homograph attacks using Cyrillic characters that look Latin, sub-domain trickery like paypal.com.attacker.io), a compromised legitimate mailbox, or adjacent channels (smishing — SMS phishing; vishing — voice; quishing — QR-code; chat-platform phishing on Slack, Teams, WhatsApp). The defender's job during this phase is to make hook delivery fail before it reaches the user.

The three-stage model maps roughly onto the Lockheed Martin Cyber Kill Chain (Reconnaissance → Delivery → Exploitation/Installation/Actions on Objectives) and the MITRE ATT&CK framework. When you write up a phishing incident, you fill in details for those three stages — a clean report structure.
When email was designed in the 1970s, nobody verified the sender. SMTP (defined in RFC 5321) trusts the sender to tell the truth about who they are. The "From:" line is structurally just text the sender wrote. The internet has been retroactively bolting on authentication ever since.
- SPF (Sender Policy Framework): cyber.soho.example publishes a DNS (Domain Name System) TXT record listing every IP authorised to send for that domain — for example v=spf1 ip4:203.0.113.0/24 include:_spf.google.com -all (the -all is a "hard fail" — anything not on the list is asserted not to be us). What SPF does not protect against: an attacker who has compromised your real mail server, or one using a look-alike domain (a different domain entirely, so SPF does not even apply). Subtle gotcha: SPF breaks on email forwarding — the forwarding server appears as the sender to the final destination.
- DKIM (DomainKeys Identified Mail): the domain publishes a public key in DNS under a selector name such as default._domainkey.cyber.soho.example. The corresponding private key sits on the sending mail server. When the sending server emits an email, it signs selected headers and the body and attaches a DKIM-Signature: header. The receiver fetches the public key and verifies. DKIM survives forwarding (the signature stays attached) but breaks if a mailing list modifies the email by adding a footer or rewriting the subject.
- DMARC (Domain-based Message Authentication, Reporting and Conformance): a TXT record at _dmarc.cyber.soho.example, for example v=DMARC1; p=reject; rua=mailto:dmarc@cyber.soho.example; pct=100. The p= tag is the policy — none (monitor only), quarantine (deliver to spam), or reject (refuse outright). The rua= tag points to where aggregate reports go — daily summaries of every IP claiming to be your domain. DMARC also enforces alignment — the SPF or DKIM domain must match the visible "From:" domain, closing the loophole where an attacker passes SPF/DKIM for some other domain they control while showing your domain in the From line.

A small consultancy with no SPF, no DKIM, no DMARC is structurally spoofable — an attacker on a $5-a-month VPS (Virtual Private Server) can send a perfect-looking invoice email purporting to be from accounts@mapleleafcode.example and the receiver has nothing to evaluate against. After publishing the three records with p=reject, the same attack returns 550 5.7.1 DMARC policy violation at the SMTP layer and never reaches the inbox. Cost to the company: roughly an hour of DNS configuration. Value: every spoof attempt against the domain now bounces at the receiver's edge.
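A minimal sketch of checking what a domain publishes, assuming the third-party dnspython package (pip install dnspython); the domain is the example used above:

```python
import dns.resolver  # dnspython

def txt_records(name: str) -> list[str]:
    """All TXT strings published at a DNS name (empty if none)."""
    try:
        answers = dns.resolver.resolve(name, "TXT")
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return []
    return [b"".join(rdata.strings).decode() for rdata in answers]

domain = "cyber.soho.example"
spf = [r for r in txt_records(domain) if r.startswith("v=spf1")]
dmarc = [r for r in txt_records(f"_dmarc.{domain}") if r.startswith("v=DMARC1")]

print("SPF:  ", spf or "none published: the domain is spoofable")
print("DMARC:", dmarc or "none published: receivers have no policy to enforce")
```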
A magic email gateway that blocked 99.9% of phishing emails sounds amazing, until you do the maths: a 5,000-employee company processing 91 million emails a year still sees 91,000 phishing emails reach inboxes annually. The only way to bring residual risk down is to train the humans. The cybersecurity industry's saying — "the user is the last line of defence — and also the first" — captures it: the user is first because they receive the lure, last because if every technical control has failed, only the user clicking or not clicking remains.
A bad awareness program is the one most companies still run: a 25-minute mandatory video once a year, multiple-choice quiz, certificate emailed to HR (Human Resources), checkbox ticked. Compliance achieved, behaviour unchanged.
A good awareness program (aligned with CISA's awareness materials and NIST SP 800-50 on building information-technology security awareness and training programmes) has these characteristics:
What good training is not: not punishment, not a substitute for technical controls (SPF/DKIM/DMARC, MFA, email gateways, EDR all stay in place — awareness is a layer, not a replacement), not a one-time fix, and not just for non-technical staff (engineers and IT staff fall for phishing too, and their access tends to be more dangerous).
Generic IH&R applies, but email incidents have specific quirks: the artefact lives in cloud mailboxes (Microsoft 365, Google Workspace, Exchange Online) and is collected via API; the blast radius is everyone (a campaign rarely targets just one person — by the time one user reports, the same email is in 50 other inboxes); the attacker may already have the credentials and may notice when you start pulling logs; MFA bypass is now common (Adversary-in-the-Middle / AITM kits harvest the post-authentication session cookie, so password reset alone is insufficient — you must revoke active sessions); and the supply-chain effect is real (a compromise of a finance mailbox can pivot into BEC against the company's customers within hours).
The email-specific 6-phase playbook:
The first 30 minutes cheat-sheet when a user clicks "Report" on something real:
| Minute | Action |
|---|---|
| 0–2 | Acknowledge user's report; tell them not to delete the email yet (you need it as evidence). |
| 2–5 | Read the email; capture the original .eml file or message-id and sender headers. |
| 5–10 | Run a message trace to find every internal recipient of the same message. |
| 10–15 | If credentials submitted: disable account, then revoke active sessions, then reset password (in that order — sketched in code after this table). |
| 15–20 | Purge the email from all recipient mailboxes; block sender domain and malicious URLs. |
| 20–25 | Check sign-in logs for the affected accounts during the suspected window — note unusual locations or User-Agent strings. |
| 25–30 | Open the formal incident ticket; notify the on-call manager; loop in legal/communications if data exposure is suspected. |
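A minimal sketch of the minute-10-to-15 row in Microsoft 365 terms. The two Graph endpoints (PATCH /users/{id} and POST /users/{id}/revokeSignInSessions) are real v1.0 calls, but the token, the placeholder password, and the absence of error handling make this an illustration only:

```python
import requests

GRAPH = "https://graph.microsoft.com/v1.0"
TOKEN = "<token with User.ReadWrite.All>"  # placeholder
USER = "cfo-assist@boulder-edtech.com"
headers = {"Authorization": f"Bearer {TOKEN}", "Content-Type": "application/json"}

# 1. Disable sign-in first, so no new sessions can be minted.
requests.patch(f"{GRAPH}/users/{USER}", headers=headers,
               json={"accountEnabled": False})

# 2. Revoke every session/refresh token the attacker may be holding.
requests.post(f"{GRAPH}/users/{USER}/revokeSignInSessions", headers=headers)

# 3. Only now reset the password; a reset before revocation leaves any
#    stolen session token valid.
requests.patch(f"{GRAPH}/users/{USER}", headers=headers,
               json={"passwordProfile": {
                   "password": "<new-random-password>",
                   "forceChangePasswordNextSignIn": True}})
```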
In the 2024 Verizon DBIR, web applications were the single most-targeted asset class for the third year running, accounting for roughly four out of every ten breaches involving an external attacker. Web-app incidents are not exotic zero-day artistry; the same five or six bug classes get re-exploited year after year because they are in the design, in the framework defaults, and in the developer's first job.
OWASP (the Open Worldwide Application Security Project) is a non-profit foundation, federated through hundreds of local chapters worldwide including OWASP Toronto and OWASP Boston. Its mission is the boring, important kind: gather what application-security practitioners actually see, distil it into checklists, training, free tools and standards, and give all of it away. The most-cited piece of work they publish is the OWASP Top 10, a ranked list of the ten most critical web-application security risks. The current edition is the OWASP Top 10 — 2021, and the next refresh is in active drafting.
The Top 10 is ten categories of risk, not "the ten worst vulnerabilities" — buckets, not bugs. Each bucket holds many specific CWE (Common Weakness Enumeration) entries maintained by MITRE. It is a floor, not a ceiling — necessary but not sufficient. Treating it as a compliance checklist ("we ticked all ten, we are safe") is a common, expensive mistake.
The 2021 list:
| Rank | ID | Name | Plain-language description |
|---|---|---|---|
| 1 | A01 | Broken Access Control | A user can reach data or actions they should not be allowed to reach. |
| 2 | A02 | Cryptographic Failures | Sensitive data sent or stored without proper encryption. |
| 3 | A03 | Injection | Untrusted text treated as code by an interpreter — SQL, OS shell, LDAP, NoSQL. |
| 4 | A04 | Insecure Design | The architecture itself is the bug — no patch can fix it after the fact. |
| 5 | A05 | Security Misconfiguration | Default credentials, verbose errors, debug mode in production. |
| 6 | A06 | Vulnerable & Outdated Components | A library or framework with a public CVE entry. |
| 7 | A07 | Identification & Authentication Failures | Weak login, predictable session tokens, no MFA. |
| 8 | A08 | Software & Data Integrity Failures | Updates or dependencies trusted without verifying their origin. |
| 9 | A09 | Security Logging & Monitoring Failures | Either no logs, or logs nobody reads. |
| 10 | A10 | Server-Side Request Forgery (SSRF) | The server fetches a URL the attacker controls and reaches places they cannot. |
Three buckets dominate breach reports year after year: A01 Broken Access Control (the boring, devastating one — change ?invoice_id=42 to ?invoice_id=43 and read someone else's invoice; OWASP's own statistics across half a million applications found access-control failures in roughly 55% of tested apps); A03 Injection (SQL injection is genuinely declining as frameworks default to parameterised queries, but XSS — Cross-Site Scripting — is everywhere and command injection is having a renaissance through insecure server-side template engines); A06 Vulnerable & Outdated Components (the Equifax category — running a web framework with a public CVE for which a patch exists).
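The A01 fix is worth one concrete sketch: the ?invoice_id=43 bug is not that the ID is guessable, it is that nothing checks the requester owns the object. A minimal sketch with an illustrative in-memory data model:

```python
from dataclasses import dataclass

@dataclass
class Invoice:
    id: int
    owner_id: int
    body: str

DB = {42: Invoice(42, owner_id=7, body="ACME Corp, $1,200"),
      43: Invoice(43, owner_id=9, body="someone else's invoice")}

def get_invoice(invoice_id: int, current_user_id: int) -> Invoice:
    invoice = DB.get(invoice_id)
    # Object-level authorisation: deny "not found" and "not yours"
    # identically, so the response leaks nothing.
    if invoice is None or invoice.owner_id != current_user_id:
        raise PermissionError("invoice not available")
    return invoice

print(get_invoice(42, current_user_id=7).body)  # the owner: fine
try:
    get_invoice(43, current_user_id=7)          # the attacker walks the ID
except PermissionError as exc:
    print("blocked:", exc)
```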
A nuance to internalise: most common ≠ most damaging. SSRF (A10) is rare in absolute terms — maybe one in ten apps — but in a cloud environment it can pivot into stolen cloud credentials in minutes, as it did in the Capital One breach in 2019.
- SQL injection (SQLi): the classic payload ' OR '1'='1' -- turns SELECT * FROM users WHERE name='[input]' into a query that matches every user. Detection signatures include unusual single-quote density in URL parameters, UNION SELECT in request bodies, error responses leaking SQL syntax, and User-Agent strings like sqlmap/1.7. Response: identify whether any requests returned a 200 OK with payload content (those are confirmed reads), block the source IP at the WAF (Web Application Firewall), check the database query log for the rows the attacker actually saw, and escalate. Long-term remediation: parameterised queries, the default API of every database driver; the vulnerable form exists only because programmers reach for string concatenation out of habit (see the sketch below).
- Cross-Site Scripting (XSS): detection signatures include <script> tags in URL parameters, javascript: schemes, and encoded variants like %3Cscript%3E. Response: invalidate active sessions, force password resets if cookies were exfiltrated, and remediate by output-encoding all user-supplied content.

A WAF (Web Application Firewall) like ModSecurity sits in front of the application and applies rule sets such as the OWASP Core Rule Set (CRS), scoring every request and blocking or alerting when the score crosses a threshold. The five-step detection-and-response loop on a WAF alert: triage (is fourteen hits in five minutes a typo or a campaign?), pivot to the source (reverse DNS, threat-intel reputation), pivot to the target (which endpoint, what payload), confirm whether anything got through (status=200 and payload content is the rope), escalate.
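The concatenation-versus-parameterisation difference in a dozen lines, using the standard-library sqlite3 driver with an illustrative table:

```python
import sqlite3

conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")

payload = "' OR '1'='1' --"

# Vulnerable: concatenation lets the payload rewrite the query logic.
vulnerable = f"SELECT * FROM users WHERE name='{payload}'"
print(conn.execute(vulnerable).fetchall())  # every row: [('alice', 's3cret')]

# Safe: the placeholder binds the payload as data; it matches no user.
print(conn.execute("SELECT * FROM users WHERE name=?", (payload,)).fetchall())  # []
```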
A line worth writing on the inside of your forehead: "the logs are not the truth; the logs are evidence; the analyst builds the truth from them." Logs are written by the very systems an attacker is trying to fool. A skilled attacker tries to delete, rotate, or poison the log. A novice leaves a confession. Most attackers fall in the middle.
Six layers of logs an incident responder pivots between:
Web-server access logs (Apache access.log, Nginx access.log, IIS (Internet Information Services) *.log) record the HTTP method, URL, status code, response size, and User-Agent, and are the layer you will pivot to first.

The NCSA Combined Log Format is the default for most web servers:
203.0.113.42 - - [04/May/2026:23:11:02 +0200] "GET /api/v1/login?u=admin'+OR+1=1-- HTTP/1.1" 200 412 "-" "sqlmap/1.7"
Read left to right: source IP, identity (almost always -), authenticated user (almost always -), timestamp with timezone offset, request method, request line including the suspicious payload, HTTP status code (200 here means the SQLi worked), response size in bytes, referer, User-Agent (the attacker did not even bother to hide they were using sqlmap).
Status-code patterns worth watching: a sudden burst of 404s from one IP is reconnaissance (the attacker is probing for paths). A string of 500s is the application crashing on malformed input — possibly an exploit attempt. A 200 after a long string of 401s and 403s is a successful brute-force or authentication bypass.
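A minimal sketch of parsing that format and flagging the patterns above; the regular expression and the thresholds are illustrative:

```python
import re
from collections import Counter

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

lines = [
    '203.0.113.42 - - [04/May/2026:23:11:02 +0200] '
    '"GET /api/v1/login?u=admin\'+OR+1=1-- HTTP/1.1" 200 412 "-" "sqlmap/1.7"',
]

status_per_ip: Counter = Counter()
for line in lines:
    m = LOG_RE.match(line)
    if not m:
        continue
    if "sqlmap" in m["ua"].lower():
        print(f"tooling User-Agent from {m['ip']}: {m['ua']}")
    status_per_ip[(m["ip"], m["status"])] += 1

# Reconnaissance heuristic: a burst of 404s from a single source IP.
for (ip, status), count in status_per_ip.items():
    if status == "404" and count > 50:
        print(f"possible path probing from {ip}: {count} x 404")
```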
Containment is not a single action; it is a sequence. The seven-rung containment ladder, aligned with NIST SP 800-61 Rev. 2 (the same rungs reappear with time budgets in Case Study 3 below):

1. Confirm: replicate the finding and establish that the alert is real.
2. Isolate: pull the affected node out of traffic while keeping it powered and running.
3. Preserve: snapshot the disk, capture memory, copy the logs to a forensics share.
4. Eradicate: hunt for uploaded webshells (classic names c99.php, r57.php, or a one-liner like <?php system($_GET['c']); ?>); inventory and remove attacker-created accounts (operating-system and application); remove persistence (cron, systemd timers, scheduled tasks, .bashrc injections, modified startup scripts); rotate every credential the host had access to (database passwords, API keys, SSH keys, OAuth tokens). A sketch of the webshell hunt follows below.
5. Patch & Harden: fix the vulnerability that let the attacker in and remove the conditions that would let them back.
6. Restore: redeploy and bring traffic back gradually, watching for re-compromise.
7. Lessons Learned: the blameless post-mortem.

Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Quebec's Law 25, and U.S. state breach-notification regimes (Colorado's 30-day rule, Illinois' PIPA, Massachusetts' 201 CMR 17.00, California's CCPA, and HIPAA's Breach Notification Rule for healthcare data), failure to demonstrate due diligence in the response phase can multiply the regulatory and civil exposure. Preservation is not optional bureaucracy; it is your defence. Whichever clock applies to your jurisdiction, it starts at "becoming aware" — or, in the Canadian phrasing, at "determining real risk of significant harm" — not at "fully understanding". As an incident responder you do not own the legal notification, but you do own the clock — and your manager will need an honest, documented "we became aware at this timestamp" entry in your timeline.
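A minimal sketch of rung 4's webshell hunt: walk the webroot for recently modified PHP files and flag the telltale patterns named above. The paths, time window, and pattern list are illustrative starting points, not a complete detector:

```python
import re
import time
from pathlib import Path

WEBROOT = Path("/var/www")
WINDOW = 14 * 86400  # seconds: files touched in the last 14 days
SUSPICIOUS = re.compile(
    rb"system\s*\(\s*\$_(GET|POST|REQUEST)|eval\s*\(|base64_decode\s*\("
)

now = time.time()
for path in WEBROOT.rglob("*.php"):
    try:
        if now - path.stat().st_mtime > WINDOW:
            continue
        if path.name in ("c99.php", "r57.php") or SUSPICIOUS.search(path.read_bytes()):
            print(f"review: {path}")
    except OSError:
        continue  # unreadable file: note it and move on
```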
The Capital One 2019 breach is the canonical cloud example: an SSRF flaw let the attacker make the web application request http://169.254.169.254/, the special address from which a virtual machine reads its own IAM (Identity and Access Management) credentials. The application politely fetched and returned the credentials. The attacker used them to read S3 (Simple Storage Service) buckets full of personal data. SSRF in 2010 was a curiosity; SSRF in a cloud environment in 2026 is a credential-theft tool. Block outbound requests to link-local and private ranges from your web tier, full stop, by default, before you even think about CVEs.

The pattern across all three case studies: none were prevented by perimeter security (all got through the firewall the legitimate way); all were detected by humans, not tools (tooling buys you the data; humans buy you the conclusion); all could have been contained faster; all triggered regulatory action.
The post-mortem on a small web-app incident has a specific shape — the IR lead opens with three sentences that are not decoration but the technical specification of a blameless review: "we are not here to assign blame; we are here to find what made this possible", "every name in this room is here because they have something to teach us, not because they did something wrong", "the output of this meeting is three runbook changes, not three resignations". Without those sentences, the meeting becomes a witch hunt and the organisation learns nothing.
The numbers you extract from the timeline, every time: TTD (Time to Detect), TTC (Time to Contain), total attacker dwell time. The IBM Cost of a Data Breach Report puts the industry mean time to identify a web-app breach above 200 days for several years running. Single-digit hours is world class; months is normal — and a clear improvement target.
Every official source linked from the chapters above, organised for quick recall.
Each case is fictional but built from real attack patterns. Read the scenario, attempt your own answer in a notebook, then unfold the worked answer to compare.
Scenario. Maple Logistics Inc. is a 420-employee logistics company headquartered in Toronto, Ontario. On a Tuesday at 02:14, the help-desk analyst on call receives three phone calls in four minutes: warehouse PCs are showing a red skull screen demanding 4 BTC (Bitcoin). The analyst confirms via Remote Desktop Protocol (RDP) into one of the PCs that file extensions have all been renamed to .locked. Roughly 90 minutes earlier, the SIEM had logged an rclone.exe process running on a warehouse PC that copied data to mega.nz. The initial access vector turns out to have been a contractor's VPN account whose MFA had been "temporarily" disabled six months earlier and never re-enabled.
Question. Walk through the IH&R lifecycle as it should have been applied — phase by phase, decision by decision — and identify the regulatory clocks that are now ticking.
Suggested answer.
The first observation is that this is a double-extortion ransomware case, not pure encryption — the rclone.exe to mega.nz activity 90 minutes before the encryption note is data exfiltration. That changes the regulatory profile from "availability incident" to "personal-data breach" the moment you confirm any customer or employee personal data was in the exfiltrated set. Two clocks start: under PIPEDA's Breach of Security Safeguards Regulations the controller must notify the Office of the Privacy Commissioner of Canada (OPC) and affected individuals "as soon as feasible" after determining a real risk of significant harm; if any customers are Quebec residents, Quebec's Law 25 imposes a parallel obligation to the Commission d'accès à l'information (CAI). And depending on whether any cardholder data was on those warehouse PCs, PCI-DSS notification to the acquiring bank may also apply.
Identification. The analyst verifies the alert is real by checking one host (correct — verification is two-source confirmation, not "I trust the alert"). The severity is escalated to SEV-1 because production is impacted and personal data may be in scope. An incident ID is opened and the IR lead is paged via the out-of-band channel (mobile phone, not corporate Slack).
Containment — short-term. The SOC pushes an EDR isolation policy to every host in the Toronto warehouse VLAN; affected hosts can talk to the EDR console only. Shared drives are dismounted at the file server. Critically, the analyst does not power off any host — RAM may contain decryption-key material and live attacker connections that forensics will need.
Containment — long-term. Firewall egress to mega.nz, anonfiles.com, and a small set of other cloud-storage providers is blocked at the perimeter while the team plans the eradication. The compromised contractor VPN account is disabled but not deleted (preserve the artefact). All other VPN accounts are audited for MFA status, with anything missing MFA disabled within the hour.
Eradication. Forensics confirms the initial vector was the contractor account. The account is deleted; the VPN concentrator is patched to the latest firmware. Persistence on the warehouse PCs is mapped (any scheduled tasks, registry Run keys, and services the malware created) and listed for the wipe-and-rebuild step.
Recovery. Warehouse PCs are re-imaged from the golden image. Data is restored from the immutable backup tier. Services come back in this order: domain controller health check → email → ERP (Enterprise Resource Planning) → warehouse scanning software → finally, the public-facing tracking portal. Each step is monitored for re-infection.
Lessons Learned. Within two weeks: a quarterly MFA audit becomes a process control with a named owner; mass-copy tools like rclone and megacmd get blocked at the application layer; nightly backups are upgraded to hourly snapshots for the file server. Action items are tagged Detection / Prevention / Process / People and tracked to closure.
Documentation discipline. Every action above is logged in UTC with the responder's name in an append-only notebook. Every evidence artefact (the rclone.exe binary, the memory dump from the first warehouse PC, the EDR audit log of containment actions) is hashed with SHA-256 and entered onto a chain-of-custody form. The analyst's own notebook is the alibi when the OPC asks how the "as soon as feasible" obligation was respected.
The lesson under the lesson: this incident is, technically, very ordinary. The discipline that turns it into a 4-million-dollar regulatory question instead of a 40-million-dollar one is process — naming the IC, paging the right people, isolating before erasing, documenting every action — none of which can be invented at 02:14 on a Tuesday.
Scenario. Boulder EdTech is an online-learning startup based in Boulder, Colorado. On Saturday at 11:17, a finance staff member clicks a link in a fake "Microsoft 365 password expiration" email. Twelve minutes later, the attacker is sending invoice-rerouting emails from the finance mailbox cfo-assist@boulder-edtech.com to three of the company's biggest customers. PagerDuty fires for "Suspicious OAuth consent grant + outbound mail volume anomaly". The on-call SOC analyst, just back from a morning run, picks up the page.
Question. Lay out the first 30 minutes of the response, mapped to the email-incident playbook, and explain the order of the three containment actions on the compromised mailbox.
Suggested answer.
The first practical move is to not delete the original phishing email — it is evidence. The analyst captures the .eml and the message-id, then runs a message trace to confirm scope: was this campaign delivered to other Boulder EdTech mailboxes? In a typical phishing campaign, the answer is "yes, several, most of whom did not report".
The severity matrix entry for unauthorised access to a finance mailbox with outbound impersonation is SEV-1. SEV-1 has a 15-minute notification SLA to the on-call IR lead and the CISO; the analyst sends a single pre-written message into the out-of-band IR war-room channel: "SEV-1 declared, BEC, mailbox cfo-assist, IRP activated, joining bridge in 60 seconds."
The order of the three containment actions on the compromised mailbox matters and is non-obvious. The correct order is: (1) disable the account to prevent any further sign-ins, (2) revoke all active sessions to invalidate any tokens the attacker is currently holding (this is the critical step — modern attackers use Adversary-in-the-Middle / AITM kits that harvest the post-authentication session cookie, so resetting the password alone is not sufficient), and only then (3) reset the password and force MFA re-enrollment. Reversing this order — resetting the password while the attacker still holds a valid session token — does nothing useful, because the token was issued before the reset and remains valid until explicitly revoked.
Additional containment steps in the same window: pull the mailbox audit log for the last 72 hours (an attacker often creates an inbox rule that auto-forwards or auto-deletes specific keywords like "invoice" so the legitimate user never sees the suspicious replies — that rule must be deleted). The Finance Director is paged through the Section 5 communications tree because invoice-rerouting emails did go out; the Finance Director immediately calls the three customers on a known phone number (out-of-band, because the email channel is now suspect) and tells them not to pay any invoice received in the last hour.
When the IR lead joins the bridge, the handover is two sentences: "SEV-1 BEC on cfo-assist, sessions killed, rule removed, three customers already notified by Finance." That is the IRP's handover protocol — one sentence for what, one sentence for what's next.
The deeper lesson: BEC is the FBI IC3's most financially damaging cybercrime category. There is often no malware to detect and no signature to block — only a contextual oddness that a trained human and a well-rehearsed playbook catch. Awareness training (Lesson 4 of Chapter 5) is what made the finance assistant report the click rather than hide it.
Scenario. Denver Retail runs a small U.S. e-commerce site out of Denver, Colorado. On Friday at 22:47, the SOC analyst's phone buzzes: ModSecurity has fired with anomaly score ≥ 8 on /api/v1/login, source IP 203.0.113.42, payload username=admin' UNION SELECT username,password FROM users-- &password=x, with 14 hits in the last 5 minutes. The analyst's access log query for that IP and status=200 returns three rows.
Question. Walk through the five-step detection-and-response loop, identify the OWASP category, and describe the seven-rung containment ladder you would now climb.
Suggested answer.
The five steps:
1. Triage: fourteen hits in five minutes on a login endpoint is a campaign, not a typo. The alert is real.
2. Pivot to the source: 203.0.113.42 points to an IP block in a country Denver Retail has never sold to. The IP appeared in a DigitalOcean abuse list ten days ago. Score going up.
3. Pivot to the target: /api/v1/login is the customer-facing login endpoint. The payload is a textbook UNION-based SQL injection attempting to read the users table. The User-Agent string in the access log probably reads sqlmap/1.7 because the attacker did not bother to hide that they were using the standard automated SQLi tool.
4. Confirm: three requests returned 200 OK with payload content. Three rows of credentials walked out. Score goes critical.
5. Escalate: SEV-1 declared, IR lead paged out-of-band, war room opened.
The seven-rung ladder, with time budgets:
| Rung | Action | Budget |
|---|---|---|
| 1. Confirm | Replicate the payload against the host; confirm the SQLi is exploitable. | 10 min |
| 2. Isolate | Remove the affected web node from the load-balancer pool. | 5 min |
| 3. Preserve | Snapshot the disk. Capture memory with LiME (Linux Memory Extractor). Copy /var/log to a forensics share. | 25 min |
| 4. Eradicate | Identify any uploaded webshells (find /var/www -mtime -14). Rotate every credential the host had access to (DB passwords, API keys, OAuth tokens). | 30 min |
| 5. Patch & Harden | Replace the vulnerable concatenated query with a parameterised one. Add a server-side allow-list. Disable verbose error pages. | 60 min |
| 6. Restore | Redeploy from the build pipeline. Bring traffic back at 10%, 50%, 100% while watching the WAF logs. | 30 min |
| 7. Lessons Learned | Blameless post-mortem 5 days later with the dev team. Three concrete runbook updates. | 2 h |
Three independent regulatory clocks may now be ticking: under the Colorado Privacy Act and Colorado's breach-notification statute (C.R.S. § 6-1-716), notification of the Colorado Attorney General is required within 30 days for breaches affecting 500+ Colorado residents; PCI-DSS notification to the acquiring bank if any cardholder data could have been touched; and contractual notification to any business customer whose accounts were in the exfiltrated set. The 30-day clock starts at awareness (when the analyst confirmed three 200-OK rows), not at full understanding. The IR lead's notebook records that timestamp.
The deeper lesson: the technical fix here is a one-line code change. The reason this incident exists is a process failure — somewhere in the development lifecycle, code review and automated security testing did not catch a string-concatenation pattern that any half-decent linter flags. The post-mortem action item is not "fix the bug"; it is "add the linter rule and a regression test so the bug cannot return."
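To make the one-line fix concrete, here is a minimal sketch using Python's built-in `sqlite3` module (the schema is illustrative, not Denver Retail's actual database): the first query is the vulnerable string-concatenation pattern, the second is the parameterised equivalent that rung 5 ships.

```python
import sqlite3

conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('alice', 'hunter2')")

# The payload from the Denver Retail access log.
username = "admin' UNION SELECT username, password FROM users--"
password = "x"

# VULNERABLE: string concatenation lets the attacker rewrite the query.
# The injected UNION returns every credential in the table, and the
# trailing -- comments out the password check entirely.
query = ("SELECT username, password FROM users WHERE username = '"
         + username + "' AND password = '" + password + "'")
print(conn.execute(query).fetchall())       # [('alice', 'hunter2')]

# SAFE: the parameterised form binds values after the statement is
# parsed, so the payload is compared as a literal string and matches
# no row. No UNION ever executes.
safe = "SELECT username, password FROM users WHERE username = ? AND password = ?"
print(conn.execute(safe, (username, password)).fetchall())   # []
```

The linter rule the post-mortem calls for is exactly a ban on the first pattern: any SQL string built with `+` or an f-string fails the build.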
Scenario. Jessica is a senior developer at Mapleleaf Code Studio, a 12-person Ottawa, Ontario software consultancy. On Friday at 09:42 she receives an email apparently from GitHub: "Suspicious sign-in detected — verify your account or it will be locked in 24 hours." She clicks. The page looks exactly like the GitHub login. She types her credentials and only afterwards notices the URL is github-secure-login.support, not github.com. She immediately clicks the "Report Phishing" button in Outlook and phones the help desk. A quick check of GitHub sign-in logs shows a successful login from an IP in Bulgaria at 09:38, four minutes after Jessica submitted the form.
Question. Explain why MFA still bought the company time even though the credentials were leaked, and outline the eradication steps you would take on Jessica's GitHub account.
Suggested answer.
The credentials were compromised — the Bulgarian sign-in confirms that. What MFA did was prevent the attacker from completing the post-authentication step that GitHub requires for any sensitive action: pushing code, creating personal access tokens, modifying repository settings. The attacker has the password but does not have Jessica's MFA factor (a TOTP — Time-based One-Time Password — code or a hardware security key), so the session never reaches the privileged state. MFA bought the team a window of hours instead of a window of seconds. That is the entire reason MFA is non-negotiable for any account with code-base access.
Critically, however, MFA does not buy unlimited time. Modern AITM (Adversary-in-the-Middle) phishing kits can harvest the post-authentication session cookie alongside the password, in which case the attacker walks through MFA the same way Jessica does. The fact that Jessica's case was a static fake login page — not an AITM proxy — is what limited the damage. If the attacker had been running an AITM toolkit, the response would need to include immediate session-token revocation across all of Jessica's connected services, not just GitHub.
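Why the password alone was not enough: a TOTP code is derived from a shared secret that the attacker's fake login page never sees. A minimal sketch of the RFC 6238 algorithm, standard library only (the base32 secret below is an illustrative example, not a real key):

```python
import base64
import hashlib
import hmac
import struct
import time

def totp(secret_b32: str, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the current 30-second time step."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(time.time()) // period               # time-step number
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

# The attacker now holds Jessica's password, but without this shared
# secret (provisioned once into her authenticator app) they cannot
# compute the six-digit code that changes every 30 seconds.
print(totp("JBSWY3DPEHPK3PXP"))
```

Note that this is exactly the factor an AITM proxy sidesteps: the proxy relays the code Jessica types in real time, which is why the paragraph above insists on session-token revocation in that variant.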
Eradication on Jessica's GitHub account, in order:

1. Reset the password from a known-clean device.
2. Revoke every active session, so the session established from Bulgaria at 09:38 dies immediately.
3. Revoke all personal access tokens and review authorised OAuth applications; tokens are not invalidated by a password reset.
4. Review the SSH keys and deploy keys on the account for anything the attacker may have added.
5. Pull the account's security log for the 09:38–09:42 window and confirm nothing was pushed, no settings changed, no tokens created.
Containment beyond Jessica's account: the phishing email is purged from the mailboxes of the three other developers who received it (a message-trace surfaces them). The sender domain github-secure-login.support and the second-stage URL are added to the email-gateway block list and the DNS filter. Multi-factor authentication enforcement on Mapleleaf Code's GitHub organisation is verified — if the org policy did not require MFA, that policy is now updated.
Lessons Learned action item: roll out FIDO2 hardware keys to all developers within 60 days; owner is the CTO; the deadline goes on the calendar. Add a developer-targeted micro-lesson on GitHub-style phishing to the awareness programme. Three of four recipients did not report — even though the click rate was low (only Jessica clicked), report rate is the metric that matters here, and it needs work.
Scenario. Cambridge BioTech, a biotechnology firm in Cambridge, Massachusetts, suffers a confirmed data breach at 09:00 Monday: roughly 80,000 customer records exfiltrated. Over the next 75 minutes the following sequence happens. 09:12 — a SOC analyst posts in the company-wide #general Slack channel: "FYI — we're investigating a possible data incident, more to follow." Hundreds of employees see it; some screenshot it. 09:27 — the Head of IT emails the entire IT department: "breach confirmed, please be vigilant." The attacker, still inside the company's Exchange server, reads the email. 09:35 — a junior marketing employee, alarmed, tweets from the corporate Twitter/X account: "We take security seriously and are looking into reports of an issue." No review, no approval. 09:48 — the CEO, who first hears about the incident from his wife after she saw the tweet, calls a journalist he trusts and gives an informal quote: "It's a minor issue, we've contained it." 10:15 — the IR Lead joins the war room.
Question. Identify the four communication mistakes by axis (technical / executive / external) and propose the single protocol rule that would have prevented all four.
Suggested answer.
The four mistakes, mapped to the three communication axes:
- 09:12 (technical axis): the SOC analyst's `#general` post leaked technical-axis content into general-employee channels. Hundreds of people who did not need to know now know, and some of them have screenshots that may end up on social media within the hour.
- 09:27 (technical axis, compromised channel): the Head of IT broadcast confirmation of the breach over the very Exchange server the attacker still controlled. The attacker now knows they have been detected and can accelerate, destroy evidence, or go quiet.
- 09:35 (external axis): an unauthorised, unreviewed statement went out on the corporate account. Once published it cannot be unpublished, and it committed the company to a public position before any facts were established.
- 09:48 (executive and external axes): the CEO learned of the incident from outside the chain of command, then gave a journalist an unvetted quote that minimised the breach. "It's a minor issue, we've contained it" is a statement the company may later have to retract in front of regulators.

The single protocol rule that would have prevented all four:
No communication about this incident occurs on any channel other than the designated out-of-band IR war-room until the Communications Lead releases pre-approved templates.
That sentence belongs in the IRP at the start of every incident playbook. It enforces three things at once: (a) all incident traffic moves to a private war-room channel where membership is restricted to people with a need to know, (b) the channel is out-of-band, so the corporate Exchange or Slack tenant is not the medium, and (c) the only person authorised to speak externally is the Communications Lead, working from pre-approved message templates. Pre-approved is the operative word — the templates are written on a calm day, vetted by Legal, and stored ready to go. Monday at 09:00, mid-incident, is not the moment to compose a press statement.
The training implication: every employee who has access to the corporate Twitter/X account, every executive who might be tempted to call a journalist, every IT manager who instinctively reaches for "reply-all" — all of them need a 30-second internal protocol drilled into them through the awareness programme: "If something looks like an incident, do not post, do not tweet, do not email — call the security hotline."
Scenario. Months after a containment incident, Denver Retail's leadership decides to pursue civil and criminal action against a former employee, Emma Torres, under U.S. law (including the Computer Fraud and Abuse Act (CFAA), the Defend Trade Secrets Act (DTSA), and Colorado's trade-secret statutes) for the alleged exfiltration of the company's customer database during her last week of employment. The responding analyst, R. Vega, kept a Markdown lab notebook during the original incident. One key entry reads:
```
2026-03-14 21:47:12Z [CONTAINMENT] Author: R.Vega
Action: Isolated host WS-0412 via CrowdStrike Falcon console ("Contain Host").
Authorized by: M.Ruiz (IR Lead, ID badge #IR-4) per ticket INC-2026-0077.
Pre-state: Host online, last-seen 21:46:58Z, logged-in user SAMACC\e.torres (employee ID E-1029).
Post-state: Host isolated at 21:47:10Z per Falcon audit log, entry ID fac-9a4e1b.
Evidence captured before isolation: memory image WS-0412-mem-20260314T214701Z.lime
SHA-256: 5e6d...a91c (verified by Volatility 3.2.0 plugin hash check).
Chain-of-custody form signed at 21:52Z, stored in evidence safe E-04, form #COC-2026-017.
Why: EDR telemetry showed suspect process rclone.exe at 21:43Z targeting share \\FS-01\hr$.
```
The defence challenges the admissibility of the memory image.
Question. List the elements in this single notebook entry that defend against admissibility challenges, identify which of the five chain-of-custody principles each one addresses, and explain why a "Slack-message" record of the same actions would not survive the same legal scrutiny.
Suggested answer.
Element-by-element mapping to the five principles (Integrity, Authenticity, Continuity, Reproducibility, Minimality):
- UTC timestamp to the second (`2026-03-14 21:47:12Z`). Addresses Continuity and Authenticity. UTC eliminates daylight-saving and time-zone ambiguity; second-level precision lets the evidence be cross-referenced against external systems (the Falcon audit log, the EDR telemetry).
- Named author (`R.Vega`) and named authoriser (`M.Ruiz`, ID badge #IR-4, ticket INC-2026-0077). Addresses Continuity. The chain has identifiable, accountable custodians at every step; the badge ID and ticket number are the auditable trail.
- Exact action, tool, and operation (`Isolated host WS-0412 via CrowdStrike Falcon console "Contain Host"`). Addresses Reproducibility. An independent forensic expert can reproduce the action in their own environment because the tool, the host, and the operation are unambiguously identified.
- Pre- and post-state with an external reference (`last-seen 21:46:58Z`, Falcon audit log entry `fac-9a4e1b`). Addresses Authenticity. The notebook is not the only source of the action; an external system independently confirms it.
- Evidence filename (`WS-0412-mem-20260314T214701Z.lime`) and SHA-256 hash recorded at the moment of capture (`5e6d...a91c`). Addresses Integrity. Any future hash check will either match the recorded value (proving the bytes are unchanged) or not match (proving tampering). Tool version is named (Volatility 3.2.0) — Reproducibility.
- Chain-of-custody form number (`COC-2026-017`), evidence safe location (E-04), and signing time (21:52Z). Addresses Continuity. The custody hand-off from the responder to the safe is a documented event with a paper trail.
- Documented justification (`EDR telemetry showed suspect process rclone.exe at 21:43Z targeting share \\FS-01\hr$`). Addresses Minimality. The action was not a fishing expedition; it was a targeted response to an observed attacker behaviour, which justifies the scope of the evidence collected.

A Slack-message record of the same actions would fail several of these tests:

- Messages can be edited or deleted after the fact, and workspace retention policies can purge them silently, so Integrity collapses.
- Timestamps render in each viewer's local time zone and are only as trustworthy as the Slack tenant itself, which in an incident may be part of the compromised environment.
- There is no hash recorded at the moment of capture, so the defence can argue the memory image was altered at any point afterwards.
- Producing the messages in court requires an export, and the export process itself becomes a chain-of-custody question, which is exactly the argument that sank the comparable case below.
The industry comparison referenced in the lecture: a comparable company that kept only Slack messages saw the defence successfully argue that chain of custody of the messages themselves had been broken; the case was dismissed. Same incident category, opposite outcome, different documentation discipline.
The takeaway: the nine-line notebook entry is not bureaucracy; it is a defensible artefact. Multiplied by 40 such entries across the whole incident, it produces a record a judge will accept without a second glance — which is exactly what happened here. The defendant settled before trial.
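The Integrity principle is mechanical to implement. A minimal sketch of recording and later verifying an evidence hash (the file path and usage are illustrative, matching the notebook entry above):

```python
import hashlib
from pathlib import Path

def sha256_of(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file in 1 MiB chunks so multi-gigabyte images fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        while chunk := f.read(chunk_size):
            digest.update(chunk)
    return digest.hexdigest()

# At capture time: compute the hash and write it into the notebook entry.
evidence = Path("WS-0412-mem-20260314T214701Z.lime")   # illustrative path
recorded = sha256_of(evidence)

# At trial, possibly years later: recompute and compare. A match proves
# the bytes are unchanged; a mismatch proves tampering or corruption.
assert sha256_of(evidence) == recorded, "evidence integrity check FAILED"
```

The hash must be recorded at the moment of capture and stored somewhere the evidence itself cannot reach, such as the signed chain-of-custody form.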
Scenario. MediCare Boston is a private healthcare provider in Massachusetts with around 3,500 patients. On a Wednesday at 14:30, a clinic receptionist clicks a link in an email that purports to be from the company's HR (Human Resources) department, asking her to "review the updated 2026 holiday calendar". She enters her Microsoft 365 credentials on a page that looks identical to the corporate login. By 14:45 the SOC sees an unusual sign-in to her account from an IP geolocated in Eastern Europe. By 15:10, fifty patient records — including diagnoses and prescription histories — have been viewed and downloaded as a CSV (Comma-Separated Values) file from the practice-management portal that her account had access to.
Question. Identify the regulatory regime(s) at play, the notification clocks that have started, and the additional considerations because the breached data is health-related.
Suggested answer.
This breach implicates two regulatory regimes simultaneously:

- HIPAA (Health Insurance Portability and Accountability Act). Diagnoses and prescription histories are protected health information (PHI). The HIPAA Breach Notification Rule requires notifying affected individuals without unreasonable delay and no later than 60 days after discovery; for a breach of this size (under 500 individuals), notification to HHS OCR (Office for Civil Rights) may go on the annual breach log, though counsel often advises reporting sooner.
- Massachusetts state law (M.G.L. c. 93H). Breaches affecting Massachusetts residents must be reported to the affected individuals, the Massachusetts Attorney General, and the Office of Consumer Affairs and Business Regulation "as soon as practicable and without unreasonable delay".
Additional considerations because the data is health-related:

- Unlike a password, a diagnosis cannot be rotated. The harm to the fifty patients is permanent, which raises the severity assessment regardless of the modest record count.
- Health records are prime material for medical identity theft and insurance fraud, so the patient letters should include concrete protective guidance, not just an apology.
- HIPAA expects a documented risk assessment (what PHI was involved, who accessed it, whether it was actually acquired, what mitigation followed); the Microsoft 365 audit log showing exactly which records were downloaded is what makes that assessment defensible.
- OCR enforcement can examine the organisation's entire security programme, not just this incident, so the evidence trail from the plan below doubles as the audit trail for that examination.
The IR plan from this point:

- Containment: disable the account; revoke active sessions; reset the password; force MFA re-enrollment with FIDO2 if not already in place; purge the phishing email from all other recipients; block the sender domain at the gateway and the DNS filter.
- Evidence preservation: export the receptionist's mailbox at the time of compromise, capture the Microsoft 365 unified audit log entries for the access and download events, image the receptionist's workstation.
- Legal liaison: the on-call Legal Liaison joins the bridge within 30 minutes — the HIPAA 60-day clock and the Massachusetts notification clock are now their problem too.
- Communication: the Communications Lead drafts the HHS OCR notification, the Massachusetts Attorney General notification, and the patient-letter template using pre-approved Section 5 IRP templates; no employee speaks externally until those drafts are released.
- External partners: the breach-notification law firm on retainer is engaged; if the cyber-insurance policy requires notification within a window, that call goes out today.
The deeper lesson: every incident has at least one legal clock. Healthcare incidents have several at once, and the clocks tick from the moment of awareness, not the moment of certainty. The incident handler's job is to handle the technical part fast enough that the legal dimension can be handled on time.
Scenario. Atlanta Cloud Services hosts the e-commerce back-end for 60 small U.S. retailers out of Atlanta, Georgia. On Black Friday at 13:02, a volumetric DDoS (Distributed Denial-of-Service) attack takes the platform offline for 47 minutes. Lost revenue for customers is estimated at USD 380,000. Eight days later, the IR lead runs a post-incident review (PIR) and pulls the metrics: MTTD (Mean Time to Detect) was 2 minutes against a target of <2 minutes, MTTA (Mean Time to Acknowledge) was 6 minutes against a target of <5 minutes, and MTTR (Mean Time to Recover) was 47 minutes against a target of <20 minutes.
Question. Apply the 5 Whys to the MTTR overshoot, identify the root cause (and not just the proximate cause), and propose action items tagged by Detection / Prevention / Process / People bucket.
Suggested answer.
The 5 Whys, condensed:

1. Why did recovery take 47 minutes against a 20-minute target? Because traffic was not rerouted to the DDoS scrubbing provider until late in the outage; the reroute itself takes about 3 minutes.
2. Why was the reroute so late? Because the runbook required manual approval from the Network Director before activating scrubbing.
3. Why did approval take so long? Because the Director was hard to reach on a Black Friday afternoon and the runbook named no deputy.
4. Why did the runbook require manual approval at all? Because the activation threshold was written years earlier, when scrubbing was costly and false positives were feared, and it was never revisited.
5. Why was it never revisited? Because there is no named owner responsible for reviewing runbook thresholds.
The proximate cause is "MTTA overshoot of 1 minute" or "manual approval delay". Both are surface symptoms. The root cause is no named owner for runbook threshold reviews, which manifested through an over-cautious manual-approval step that turned a 3-minute technical fix into a 47-minute organisational one.
This is critical to internalise. A blameless post-mortem that stopped at "the Network Director was slow" would have produced an action item like "be faster", which is not actionable. The 5 Whys forces the team past the proximate cause into the structural cause, which has a real fix: appoint an owner for every runbook with a quarterly threshold-review process.
Action items, tagged by bucket:

- Detection: MTTD effectively hit its target; keep the volumetric-attack alert as-is, but route it directly to the on-call with the runbook linked in the alert to close the one-minute MTTA gap.
- Prevention: pre-authorise automatic scrubbing activation below an agreed traffic threshold, so the 3-minute technical fix no longer waits on a human.
- Process: appoint a named owner for every runbook; institute a quarterly threshold review; name a deputy approver for every approval step that remains.
- People: run a tabletop exercise of the DDoS runbook with the on-call rotation before the next seasonal peak.
Three months later, the team handles a second volumetric DDoS during a Tuesday lunchtime. MTTR: 8 minutes. One human in the loop, not five. The PIR did that, not the tooling.
The lesson worth carrying out of this case: incident-response metrics are the cheapest, highest-leverage instrument an IR team has. They turn vague feelings ("the response felt slow") into numbers ("MTTR was 47 minutes against a 20-minute target"), and the difference between a proximate cause and a root cause is the difference between an action item that fails to close and one that fundamentally improves the programme.
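Computing the three metrics is trivial once the timestamps are logged, which is exactly why there is no excuse not to track them. A minimal sketch using the timestamps from this scenario (the calendar date is illustrative, and targets are treated as inclusive for simplicity):

```python
from datetime import datetime, timedelta

# Timeline of the Atlanta Cloud Services incident, relative to attack start.
attack_start = datetime(2026, 11, 27, 13, 2)    # illustrative date
detected     = attack_start + timedelta(minutes=2)
acknowledged = attack_start + timedelta(minutes=6)
recovered    = attack_start + timedelta(minutes=47)

# Each metric is paired with its target from the IR programme.
metrics = {
    "MTTD": (detected - attack_start,     timedelta(minutes=2)),
    "MTTA": (acknowledged - attack_start, timedelta(minutes=5)),
    "MTTR": (recovered - attack_start,    timedelta(minutes=20)),
}

for name, (actual, target) in metrics.items():
    status = "OK" if actual <= target else "MISSED"
    print(f"{name}: {actual} (target {target}) -> {status}")
```

Run against this timeline, MTTA and MTTR print MISSED, which is the PIR's starting point; the point of the exercise is that "MISSED" is a fact, not a feeling.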
Scenario. Mississauga Logistics is a 200-person logistics firm in a Mississauga, Ontario industrial park. On a Tuesday morning, Mike from accounting clicks the "Report Phishing" button in Outlook on an email that claims to be from Canada Post. The display name reads "Canada Post — Postes Canada", but the sending address is notice@canadapost-delivery-notice.com — close enough to fool a tired eye on a busy morning. The subject line reads "[Important] Your parcel is on hold — pay $1.99 CAD to release". The body asks the recipient to click "Pay now", linked to https://canadapost-pay-client.top/. Headers show SPF=fail DKIM=none DMARC=fail. There is no attachment.
Question. Decompose the email into the three-stage phishing model, identify the social-engineering levers in use, and explain how the email reached Mike's inbox at all given that all three authentication checks failed.
Suggested answer.
The three-stage decomposition:

- Stage 1, the bait email: display name "Canada Post — Postes Canada" over the look-alike sending domain `canadapost-delivery-notice.com`, registered probably days before the campaign.
- Stage 2, the payment page: the "Pay now" link to `https://canadapost-pay-client.top/`. Note the `.top` top-level domain (TLD) on the second-stage URL — `.top` is one of the cheapest TLDs and is widely abused. The real Canada Post uses `canadapost.ca` and `canadapost-postescanada.ca`.
- Stage 3, the payoff: the $1.99 form. The amount is deliberately trivial; the prize is not the $1.99 but the full card details typed into the attacker's form.

Social-engineering levers. Two are obvious in the visible content: urgency ("Important") and the small-amount commitment lever above. There is also an implicit authority lever — the lure relies on the recipient's mental model of Canada Post as a legitimate, official-looking Crown corporation; the attackers borrow that authority by mimicking the visual identity. The lure quality overall is competent but not premium — a 6 out of 10. A premium spear-phish would have been personalised to Mike by name, would have referenced a real shipment Mississauga Logistics was expecting, and would have used a domain that survived cursory scrutiny.
How did this reach Mike's inbox if SPF, DKIM, and DMARC all failed?
The answer is configuration nuance, and it is the most common reason phishing emails reach inboxes despite authentication failure. Three sub-reasons:
1. At most gateways, an SPF failure is a spam-score input rather than a hard reject. Unless the administrator has configured a strict policy, a failing message is tagged or quarantined, and a sufficiently low overall spam score still lands it in the inbox.
2. DKIM=none means the message simply carries no signature. Absence of a signature is not proof of forgery (plenty of legitimate mail is still unsigned), so no mainstream gateway rejects on DKIM absence alone.
3. DMARC only enforces what the sending domain's published policy requests: p=quarantine or p=reject. If the attacker's look-alike domain canadapost-delivery-notice.com has no DMARC record at all (or has p=none), then "DMARC=fail" reported in the headers may be informational rather than enforced — the receiving server has no instruction from the attacker's domain owner to reject. This is subtle and worth re-reading: DMARC enforcement depends on the sending domain's policy.

Containment and follow-up. The analyst runs a message trace to count the recipients of the same email — likely many other Mississauga Logistics staff received it. The email is purged from those mailboxes before any of them clicks. The look-alike domain and the payment URL are added to the gateway block list and the DNS filter. The case is logged. If Mike had submitted card details rather than clicking Report, the response would also include calling his bank to flag the card and watching for fraudulent transactions over the next few days.
The deeper lesson: SPF, DKIM, and DMARC defend against spoofing of your own domain. They do not defend against typosquatting, look-alike domains, or any other attack where the malicious mail genuinely originates from an attacker-controlled domain that the attacker has registered legitimately. The defence in those cases is the gateway's heuristics, the user's eye, and the awareness programme.
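You can check what DMARC policy a domain actually publishes with a single DNS query. A minimal sketch using the third-party dnspython package (an assumption: install with `pip install dnspython`; the actual records for these domains may of course differ from what this scenario supposes):

```python
import dns.resolver  # third-party: pip install dnspython

def dmarc_policy(domain: str) -> str:
    """Return the raw DMARC TXT record for a domain, or a note that none exists."""
    try:
        answers = dns.resolver.resolve(f"_dmarc.{domain}", "TXT")
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return "no DMARC record (receivers get no enforcement instruction)"
    for rdata in answers:
        txt = b"".join(rdata.strings).decode()
        if txt.lower().startswith("v=dmarc1"):
            return txt  # look for p=none / p=quarantine / p=reject
    return "no DMARC record (receivers get no enforcement instruction)"

# The legitimate domain publishes a policy; the look-alike, in this
# scenario, most likely publishes nothing at all.
print(dmarc_policy("canadapost.ca"))
print(dmarc_policy("canadapost-delivery-notice.com"))
```

The second lookup is the whole point of sub-reason 3: if it returns "no DMARC record", the receiving server was never instructed to reject.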
Scenario. Chicago Retail is a small Chicago, Illinois retailer running a single web server www01. On Saturday at 04:13, an outsourced SOC calls the on-call IR-trained employee: "we think you have a webshell on www01". The on-call drives to the office, logs into the jump host, and begins working through the seven-rung containment ladder. They find one webshell cmd.php in /var/www/uploads, then a second pix.php they had not been told about, and a new cron entry pointing to a callback script in /tmp. Examining the access log shows the original upload of cmd.php happened the previous Tuesday — eleven days before the SOC's Saturday alert.
Question. Walk through the seven-rung ladder with explicit time budgets, explain why "isolate before you eradicate" matters here specifically, and identify the dwell-time metric that goes on the post-mortem slide.
Suggested answer.
The seven rungs, with budgets and what actually happens at each:
| Rung | Budget | Detail |
|---|---|---|
| 1. Confirm | 10 min | Pull the suspicious URL pattern from the SOC; replicate against the host; confirm the webshell file exists in the web root and matches a known signature. |
| 2. Isolate | 5 min | SSH to the load balancer; remove www01 from the pool. The host is up — memory and processes intact — but no traffic reaches it. The attacker, if they are watching, sees their webshell stop responding to new requests but does not yet see cleanup activity. |
| 3. Preserve | 25 min | Trigger the platform's "snapshot disk" on the cloud console. Capture a memory dump with LiME. Copy `/var/log` and `/etc` to a forensics share. |
| 4. Eradicate | 30 min | Identify all webshells (not just the one the SOC reported). Run `find /var/www -mtime -14 -type f` to list every file under the web root modified in the last 14 days. Discover `pix.php`, the second webshell. Find the new cron entry pointing to `/tmp/<script>` and remove it. Rotate every credential the host had access to: database password, API keys for any cloud service, SSH keys, application tokens. |
| 5. Patch & Harden | 60 min | Find the upload endpoint that allowed `cmd.php` to be uploaded. It accepted any file extension. Add a server-side allow-list that rejects anything other than the expected image MIME types. Disable PHP execution in the `/uploads` directory at the web-server config level (an `AddType text/plain .php` in an `.htaccess` file or the equivalent in nginx config). |
| 6. Restore | 30 min | Redeploy the patched application from the build pipeline. Restore traffic gradually: 10%, 50%, 100%. Watch the WAF logs at each step for any sign of the attacker probing the patched endpoint. |
| 7. Lessons Learned | 5 days later, 2 h | Blameless post-mortem with the dev team, the ops team, the SOC, and the IT director. Three concrete runbook updates. |
Total wall-clock from rung 1 to rung 6: approximately 2.5 hours.
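Rung 5's server-side allow-list is worth seeing in code. A minimal, framework-agnostic sketch of the validation an upload handler should perform before writing anything to the web root (the extension list and magic-byte prefixes are illustrative; a production handler would also cap file size and randomise stored filenames):

```python
import os

# Only the extensions this endpoint legitimately expects.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}

# File-signature ("magic byte") prefixes for those formats. Checking the
# bytes as well as the name stops a webshell that is merely renamed.
MAGIC_PREFIXES = (
    b"\xff\xd8\xff",          # JPEG
    b"\x89PNG\r\n\x1a\n",     # PNG
    b"GIF87a", b"GIF89a",     # GIF
)

def is_allowed_upload(filename: str, content: bytes) -> bool:
    """Allow-list check: reject anything that is not provably an image."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False                      # cmd.php fails here
    if not content.startswith(MAGIC_PREFIXES):
        return False                      # renamed cmd.jpg fails here
    return True

assert not is_allowed_upload("cmd.php", b"<?php system($_GET['c']); ?>")
assert not is_allowed_upload("cmd.jpg", b"<?php system($_GET['c']); ?>")
assert is_allowed_upload("cat.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
```

Note the belt-and-braces design: even if this check is ever bypassed, the web-server config change in rung 5 means a PHP file in `/uploads` is served as plain text rather than executed.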
Why "isolate before you eradicate" matters here specifically. A surprising number of well-meaning teams skip rung 2 and rush to rung 4 — "I see a webshell, I delete it, I feel good." Two hours later the attacker drops a new webshell from a foothold in another machine they had quietly already moved to. In this specific case, the team also had no idea about the second webshell pix.php until they got to rung 4 — meaning if they had skipped rung 2, the attacker would have watched the deletion of cmd.php, immediately uploaded cmd2.php from pix.php, and the team would still be where they started. Isolate first so the attacker cannot adapt to the cleanup. Then preserve evidence. Then, and only then, eradicate.
Why preservation matters before eradication. The disk snapshot will let forensics later identify exactly what data the attacker accessed during the eleven-day window. Without it, the team will have to report worst-case to the Illinois Attorney General under the Illinois Personal Information Protection Act (PIPA), which means the legal team must assume that anything reachable from www01's database account was potentially exfiltrated. With the snapshot, forensics can analyse the access log, the database query log, and the webshell's own command history (often recoverable from memory) and produce a defensible "the following 1,200 customer records were accessed" finding. The narrower the finding, the smaller the regulatory exposure and the customer notification scope.
The dwell-time metric. The webshell was uploaded the previous Tuesday and detected on Saturday — eleven days of attacker dwell time. That is the number that goes on the first slide of the post-mortem. The IBM Cost of a Data Breach Report has put the industry mean time to identify a web-app breach above 200 days for several years running. Eleven days is dramatically better than the industry average — but eleven days is still eleven days during which the attacker had remote command execution on a host with database access. The post-mortem action items focus on closing the detection gap: the SOC alert that fired on Saturday should have fired on Tuesday afternoon, and the question to answer is "what would have made that possible?" The likely answers sit under A09 (Security Logging & Monitoring Failures): file-integrity monitoring on the web root, alerting on new files appearing in /uploads, alerting on new cron entries, alerting on outbound connections from web nodes to non-CDN destinations.
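The first of those A09 controls, file-integrity monitoring on the web root, fits in a few lines. A minimal sketch (the paths and baseline location are illustrative, and a production deployment would use an established FIM tool or auditd rules rather than a cron-driven script):

```python
import hashlib
import json
from pathlib import Path

WEB_ROOT = Path("/var/www")                    # illustrative
BASELINE = Path("/var/lib/fim/baseline.json")  # illustrative

def snapshot(root: Path) -> dict[str, str]:
    """Map every file under root to its SHA-256 digest."""
    return {
        str(p): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def diff_against_baseline() -> None:
    current = snapshot(WEB_ROOT)
    baseline = json.loads(BASELINE.read_text()) if BASELINE.exists() else {}
    for path, digest in current.items():
        if path not in baseline:
            print(f"ALERT new file: {path}")        # cmd.php fires here on Tuesday
        elif baseline[path] != digest:
            print(f"ALERT modified file: {path}")
    BASELINE.parent.mkdir(parents=True, exist_ok=True)
    BASELINE.write_text(json.dumps(current))

diff_against_baseline()   # run from cron; wire the prints into the SOC pipeline
```

Had something like this been running, the Tuesday upload of `cmd.php` raises an alert within one cron interval, and the dwell-time slide reads hours, not days.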
The deeper lesson: a clean response to a webshell incident takes about 2.5 hours of wall-clock work and produces a defensible record. Skipping the isolation rung or the preservation rung saves twenty minutes today and costs weeks of regulatory exposure later. The senior responder does the work in order; the junior responder learns to want to do the work in order.
Filter by chapter or by question type, search the question bank by keyword, and reveal hints or answers individually as you go.
Intellectual property. This mid-term review document is the intellectual property of Cyber.SoHo Educational Hub and was authored as original course material by the instructor. It is intended exclusively for the registered students of the Incident Management course as a study aid for the mid-term examination. Redistribution outside the registered student cohort, reposting on third-party platforms, or use as training data for machine-learning systems requires the prior written consent of Cyber.SoHo Educational Hub.
No affiliation. Cyber.SoHo Educational Hub and the author are not affiliated with, endorsed by, sponsored by, or otherwise officially connected to any of the organisations, frameworks, regulators, vendors, products, or platforms named or hyperlinked in this document. References — including but not limited to the National Institute of Standards and Technology (NIST), the European Union, the Office of the Privacy Commissioner of Canada (OPC), the U.S. Federal Trade Commission (FTC), the Canadian Centre for Cyber Security (CCCS), the International Organisation for Standardisation (ISO), the Payment Card Industry Security Standards Council (PCI SSC), the Open Web Application Security Project (OWASP), MITRE Corporation, the Internet Engineering Task Force (IETF), the Information Commissioner's Office (ICO), the U.S. Department of Health and Human Services (HHS), the U.S. Securities and Exchange Commission (SEC), the U.S. Federal Bureau of Investigation (FBI), Europol, the Royal Canadian Mounted Police (RCMP), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the FBI Internet Crime Complaint Center (IC3), the Carnegie Mellon Software Engineering Institute (SEI), International Business Machines Corporation (IBM), Microsoft Corporation, Mandiant (Google Cloud), CrowdStrike, Palo Alto Networks Unit 42, VirusTotal, SANS Institute, and YouTube, LLC — are made strictly for educational, reference, and pedagogical purposes. All trademarks, service marks, logos, and brand names are the property of their respective owners.
External-link safety. Every external link in this document points to what the author believes, at time of writing, to be the legitimate official site of the named organisation or to a reputable, freely available specification document (such as an IETF RFC or a NIST Special Publication). Students are nevertheless reminded that the wider Internet is a dynamic environment in which domains may expire, change ownership, or be subverted. Before clicking any link from any document — including this one — students are encouraged to scan the URL through VirusTotal or an equivalent service. Healthy paranoia is a job skill, not a personality flaw.
Liability and ethics. This document is provided for educational purposes only and is not a substitute for professional legal, compliance, regulatory, forensic, or operational advice in any specific incident. Reporting clocks, regulatory thresholds, and procedural requirements cited herein are summary descriptions and may change; always consult the current official text of the relevant law or framework before acting on it in a real incident. The deadlines and time budgets stated for triage, containment, eradication, and recovery activities are planning estimates drawn from industry experience; they are not contractual or regulatory commitments. The tools, products, and platforms named in this document are illustrative examples drawn from a wide and constantly changing market — every one of them has multiple alternatives, both commercial and open-source, and students are actively encouraged to research, compare, and experiment with substitutes that fit their own context and budget. Students performing any technical exercise — packet capture, log analysis, port scanning, vulnerability scanning, malware sandboxing, or any related activity — must do so only on systems and networks for which they have explicit written authorisation. Unauthorised access, scanning, or interference with computer systems is a criminal offence in most jurisdictions, including under the Criminal Code of Canada — Section 342.1 (Unauthorized Use of a Computer) and Section 430(1.1) (Mischief in Relation to Computer Data), the U.S. Computer Fraud and Abuse Act (CFAA), and the Council of Europe's Budapest Convention on Cybercrime — to which both Canada and the United States are signatories. Cyber.SoHo Educational Hub, the author, and the affiliated educational institution accept no liability for any loss, damage, regulatory exposure, or legal consequence arising from the use, misuse, or misinterpretation of this material. Think before you click. Think harder before you exploit.
End of mid-term review.
From the Industry to the Classroom — Building the IT's Future, Today and Together!