Week 5: Incident Response Lifecycle

Path: Defensive Operations | Module: 5 of 6

When Prevention Fails

Security is not a question of whether you will get hacked, but when. Incident Response (IR) is the organized approach to addressing and managing the aftermath of a security breach.

The PICERL Model

  1. Preparation: Have a plan, tools, and team ready before the attack.
  2. Identification: Detect the incident. Is it a false positive or real? (Logs help here!)
  3. Containment: Stop the bleeding. Isolate the infected computer from the network to stop the spread.
  4. Eradication: Remove the malware/attacker. Re-image the machine, delete malicious accounts.
  5. Recovery: Restore data from backups and return to business as usual.
  6. Lessons Learned: Write a report. How did they get in? How do we stop it next time?
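As an added example (not part of the course material), here is what "logs help here" in the Identification step can look like in practice: a stdlib-only Python detector that flags a ransomware-like burst of file renames to a new extension on one host. The file-audit log format, the 60-second window and the threshold of 5 are all assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os

WINDOW = timedelta(seconds=60)  # sliding window; assumed tuning value
THRESHOLD = 5                   # renames to one new extension per host within the window (assumed)

# Constructed sample file-audit log (not from any real product):
# timestamp|user|host|action|old_name|new_name
SAMPLE_LOG = """\
2024-03-04T09:00:01|alice|WS-17|RENAME|budget.xlsx|budget.xlsx.locked
2024-03-04T09:00:02|alice|WS-17|RENAME|q1.docx|q1.docx.locked
2024-03-04T09:00:02|alice|WS-17|RENAME|notes.txt|notes.txt.locked
2024-03-04T09:00:03|alice|WS-17|RENAME|photo.jpg|photo.jpg.locked
2024-03-04T09:00:03|alice|WS-17|RENAME|plan.pptx|plan.pptx.locked
2024-03-04T09:00:04|alice|WS-17|RENAME|old.pdf|old.pdf.locked
2024-03-04T09:05:00|bob|WS-02|RENAME|draft_v1.docx|draft_final.docx
2024-03-04T09:30:00|bob|WS-02|RENAME|report.tmp|report.pdf
"""


def detect_rename_bursts(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per (host, new extension) once `threshold` renames that
    change the extension land inside `window`. Renames that keep the extension
    (ordinary editing) are ignored, so bob's activity never trips the rule."""
    recent = defaultdict(deque)  # (host, new_ext) -> rename timestamps still in window
    alerted = set()              # keys already reported, so one alert per burst
    alerts = []
    for line in log_text.strip().splitlines():
        ts, user, host, action, old, new = line.split("|")
        if action != "RENAME":
            continue
        old_ext, new_ext = os.path.splitext(old)[1], os.path.splitext(new)[1]
        if new_ext == old_ext:
            continue
        key = (host, new_ext)
        q = recent[key]
        q.append(datetime.fromisoformat(ts))
        while q[-1] - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"host": host, "user": user, "extension": new_ext,
                           "count": len(q), "first_seen": q[0].isoformat()})
    return alerts  # each alert is the hand-off point from Identification to Containment

if __name__ == "__main__":
    for alert in detect_rename_bursts(SAMPLE_LOG):
        print(alert)
```

On the constructed log the detector raises a single alert for WS-17 after the fifth rename to `.locked`, which is the moment the Containment step (isolate the host from the network) would begin.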

🔬 Lab Exercise: Tabletop Scenario

Scenario: An employee reports a ransom note on their desktop background.

Your Task: Write down your immediate steps for the "Containment" phase.

  • Do you turn the computer off? (Hint: maybe not! Powering off destroys the volatile evidence held in RAM).
  • Do you unplug the network cable? (Yes, immediately).
  • Do you pay the ransom? (Generally, no).