Incident Response in Cyber Security | Identification & Scoping Phase | TryHackMe
We covered the second phase of incident response, identification & scoping (also called the detection phase). In this phase the SOC team spots the incident through event notifications or continuous log monitoring, then scopes it by identifying its impact on the affected assets and on the data stored on them. During this phase the SOC team also collects evidence and extracts artefacts from the infected or compromised machines. This was part of the SOC Level 2 track on TryHackMe, the Identification & Scoping room.

Definition of Incident Response in Cyber Security

Incident response, also known as incident handling, is a cyber security function that uses various methodologies, tools and techniques to detect and manage adversarial attacks while minimising impact, recovery time and total operating costs. Addressing attacks requires containing malware infections, identifying and remediating vulnerabilities, as well as sourcing, managing, and deploying technical and non-technical personnel.

Event vs Incident

  • Event: An observed occurrence within a system or network. Examples range from a user connecting to a file server or sending an email to anti-malware software blocking an infection. Most events are benign.
  • Incident: A violation of security policies or practices by an adversary intended to harm the organisation, for example by exfiltrating data, encrypting data with ransomware, or causing a denial of service. Every incident is made up of events, but only a small fraction of events indicate an incident.

The Cyber Security Incident Response Phases

  • Preparation: Ensures that the organisation can effectively react to a breach with laid down procedures.
  • Identification: Deviations from normal operation are noticed and assessed to determine whether they are having, or could have, an adverse effect.
  • Analysis or Scoping: The organisation determines the extent of a security incident, including identifying the affected systems, the type of data at risk, and the potential impact on the organisation.
  • Containment: Limiting the damage is paramount, so affected systems are isolated while forensic evidence is preserved.
  • Eradication: Adversarial artefacts and techniques will be removed, restoring affected systems.
  • Recovery & Lessons Learned: Business operations are to resume fully after removing all threats and restoring systems to full function. Additionally, the organisation considers the experience, updates its response capabilities, and conducts updated training based on the incident.

Identification & Scoping Phase

Security alerts, also referred to as event notifications, are the signals that hint at a potential threat or at an actual security incident, and they are what triggers the incident response process. Understanding the nature of each alert, in particular its type and severity, guides how the incident is handled; that understanding comes from technical expertise, effective use of security tools, and a culture of continuous learning and vigilance. Following the proper escalation procedure when handling alerts ensures that the right people are notified promptly, which makes the response more effective.

Once an incident has been identified, the subsequent step is determining its scope.

Scoping involves grasping the extent of the incident, including which systems are affected, what data is at risk, and how the incident impacts the organisation.

The transition from identification to scoping is crucial in the Incident Response Process, demanding clear communication, effective collaboration, and a well-defined process. The insights gained from the identification phase will prove instrumental in facilitating this transition and strengthening the effectiveness of the incident response process.
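The passage above describes the hand-off from identification (an alert fires) to scoping (which hosts, accounts and data are involved). The following Python script is an added example, not part of the TryHackMe room or of the original post, showing both steps over a small set of constructed logon and file-access events. The event schema, field names, the brute-force threshold and the sample hostnames and paths are all assumptions chosen for illustration; map them onto your own SIEM schema before reusing the logic.

```python
"""Added example: alert detection followed by incident scoping.

Not part of the TryHackMe room or the original post. The event format,
field names, thresholds, hostnames and paths are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): normalised records of the kind
# a SIEM holds after parsing raw logs. 'ts' is ISO-8601 so it sorts lexically.
EVENTS = [
    {"ts": "2024-03-01T09:00:01", "host": "WS01", "user": "alice", "src_ip": "10.0.0.5", "action": "logon_success"},
    {"ts": "2024-03-01T09:00:12", "host": "WS01", "user": "alice", "src_ip": "10.0.0.5", "action": "file_read", "target": "FS01:/shared/roadmap.xlsx"},
    # Six failed logons for 'bob' from an external address within seconds...
    *[{"ts": f"2024-03-01T09:15:0{i}", "host": "FS01", "user": "bob", "src_ip": "203.0.113.7", "action": "logon_failed"} for i in range(6)],
    # ...followed by a success: the event that should raise an alert.
    {"ts": "2024-03-01T09:15:09", "host": "FS01", "user": "bob", "src_ip": "203.0.113.7", "action": "logon_success"},
    {"ts": "2024-03-01T09:16:00", "host": "FS01", "user": "bob", "src_ip": "203.0.113.7", "action": "file_read", "target": "FS01:/hr/payroll.csv"},
    {"ts": "2024-03-01T09:18:00", "host": "DB01", "user": "bob", "src_ip": "203.0.113.7", "action": "logon_success"},
    # Same source IP switches to a service account: lateral movement to scope in.
    {"ts": "2024-03-01T09:19:00", "host": "DB01", "user": "svc_backup", "src_ip": "203.0.113.7", "action": "logon_success"},
    {"ts": "2024-03-01T09:20:00", "host": "DB01", "user": "svc_backup", "src_ip": "203.0.113.7", "action": "file_read", "target": "DB01:/backups/customers.bak"},
    # Unrelated later activity that must NOT be pulled into the scope.
    {"ts": "2024-03-01T09:30:00", "host": "WS01", "user": "alice", "src_ip": "10.0.0.5", "action": "file_read", "target": "FS01:/shared/notes.txt"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def detect_brute_force_success(events, threshold=5, window=timedelta(minutes=5)):
    """Identification step: flag a logon_success that was preceded by at least
    `threshold` failures for the same (user, src_ip) within `window`.
    Returns one alert dict per hit; the alert carries the indicators
    (account, source IP, host, time) that scoping will pivot on."""
    alerts = []
    failures = defaultdict(list)  # (user, src_ip) -> timestamps of failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src_ip"])
        t = parse_ts(ev["ts"])
        if ev["action"] == "logon_failed":
            failures[key].append(t)
        elif ev["action"] == "logon_success":
            recent = [f for f in failures[key] if t - f <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "brute_force_success", "severity": "high",
                               "user": ev["user"], "src_ip": ev["src_ip"],
                               "host": ev["host"], "ts": ev["ts"],
                               "failed_attempts": len(recent)})
            failures[key].clear()  # a success resets the counter for that pair
    return alerts


def scope_incident(events, alert):
    """Scoping step: starting from the alert's indicators, collect every event
    at or after the alert that touches a known-compromised account or attacker
    source, widening the indicator set as new accounts/IPs appear. Summarises
    affected hosts, accounts, data at risk and the time window."""
    start = parse_ts(alert["ts"])
    users, ips = {alert["user"]}, {alert["src_ip"]}
    hosts, data, timeline = set(), set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if parse_ts(ev["ts"]) < start:
            continue
        if ev["user"] in users or ev["src_ip"] in ips:
            users.add(ev["user"])   # account seen from an attacker IP
            ips.add(ev["src_ip"])   # IP seen using a compromised account
            hosts.add(ev["host"])
            if ev["action"] == "file_read":
                data.add(ev["target"])
            timeline.append(ev)
    return {
        "affected_hosts": sorted(hosts),
        "compromised_accounts": sorted(users),
        "attacker_sources": sorted(ips),
        "data_at_risk": sorted(data),
        "first_seen": timeline[0]["ts"] if timeline else None,
        "last_seen": timeline[-1]["ts"] if timeline else None,
        "event_count": len(timeline),
    }


if __name__ == "__main__":
    for alert in detect_brute_force_success(EVENTS):
        print("ALERT:", alert)
        print("SCOPE:", scope_incident(EVENTS, alert))
```

The scoping function deliberately grows its pivot set: once the attacker's IP is seen using `svc_backup`, that account's later activity is pulled in too, which is how the backup file on DB01 lands in the data-at-risk list even though the alert only named `bob` on FS01. That same behaviour can over-scope (a shared service account will drag in legitimate activity), so treat the output as the starting point for analyst validation, not the final scope.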

Room Answers | TryHackMe Identification & Scoping

Room answers can be found here.

Video Walkthrough | Identification & Scoping Phase | TryHackMe
