Challenge 4: Incident Response

Conduct a complete incident investigation and create a comprehensive report.

CRITICAL INCIDENT: Multiple security alerts detected. Analyze all available data sources and complete the incident response investigation.

Email Gateway Alert

Timestamp: 2025-10-06 09:15:33

From: [email protected]

To: [email protected]

Subject: URGENT: Account Verification Required

Status: Suspicious - Phishing Attempt

Network Traffic Alert

Timestamp: 2025-10-06 09:47:12

Source IP: 10.0.0.45 (workstation-27)

Clicked Link: hxxp://paypa1-secure[.]com/verify

Result: Malware Download Detected

EDR (Endpoint Detection)

Timestamp: 2025-10-06 10:15:44

Host: 10.0.0.45 (workstation-27)

Process: powershell.exe -enc [base64]

Activity: Network scan initiated

Target: Internal network 10.0.0.0/24

Authentication Logs

Timestamp: 2025-10-06 11:22:15

Source: 10.0.0.45

Target: 10.0.0.100 (file-server)

Method: SMB Authentication

Status: Successful (using cached credentials)

File Access Logs

Timestamp: 2025-10-06 12:05:33

Host: 10.0.0.100 (file-server)

User: SYSTEM

Files: HR_Database.xlsx, Payroll_2025.csv

Action: Copied to C:\Temp\exfil\

Firewall Logs

Timestamp: 2025-10-06 12:18:47

Source: 10.0.0.100:49152

Destination: 185.220.101.33:443

Protocol: HTTPS

Data Transfer: 47.3 MB outbound

Incident Response Report

Incident Response Framework

NIST IR Phases:
  1. Preparation: Tools and training
  2. Detection & Analysis: Identify the threat
  3. Containment: Limit the damage
  4. Eradication: Remove the threat
  5. Recovery: Restore operations
  6. Post-Incident: Learn and improve

Kill Chain Analysis:
  • Reconnaissance: Target identification
  • Weaponization: Malware creation
  • Delivery: Phishing email
  • Exploitation: User clicks link
  • Installation: Malware deployed
  • C2: External communication
  • Actions: Data exfiltration