Cyber Crisis Management — Managing Incidents — TryHackMe Walkthrough

An introduction into cyber crisis management and how a CMT works.

IritT
23 min read · Dec 17, 2024

Room URL: https://tryhackme.com/r/room/cybercrisismanagement

Task 1 Introduction

This is it. Thankfully we have prepared for it, but it has finally happened. Finally, we are faced with a cyber crisis! Now is not the time to stand around, we have to take action in order to save our organisation! Luckily, we have a Crisis Management Team (CMT) whose job is specifically to navigate us through these troubled waters!

In this room, we will learn about crisis management and how the CMT can take charge to help steer the organisation safely out of a cyber crisis.

Pre-requisites

Learning Objectives

  • How CMT deals with a cyber crisis
  • The golden hour during CMT and how even minutes can matter
  • The CMT process and how security engineers can play the role of subject matter experts

Answer the questions below

I am ready to learn about cyber crisis management!

Task 2 What is a Cyber Crisis

What is a Cyber Crisis?

In the Intro to Incident Response and Management room (https://tryhackme.com/r/room/introtoirandim), we discussed what constitutes a cyber incident. The SOC receives log information that creates events and alerts. In the case that an alert is sufficiently serious, a cyber incident occurs.

However, based on the severity of the incident, the blue team decides the best response. In our example, only a level 4 incident would trigger the Crisis Management Team (CMT). As a refresher, these were the four levels:

  • Level 1: SOC Incident — Small enough that the incident can be taken care of directly by the security operations centre (SOC), such as a user reporting a phishing email
  • Level 2: CERT Incident — Small enough that a team in the SOC can take care of the incident, such as a single user that has interacted with a phishing email
  • Level 3: CSIRT Incident — A larger incident that requires not just the SOC team, but also incident managers, such as multiple users that have interacted with a phishing email that contains malware
  • Level 4: CMT Incident — A critical incident where the CSIRT requires the ability to invoke nuclear actions, such as an incident where ransomware is being deployed and the CSIRT needs to take the environment offline to protect the rest of the estate

So, how does the team actually decide the level of an incident? This is done through an incident severity classification matrix as shown below:

While this is an example, most incident severity classification methods rely on measuring the scope of the incident against the number of systems or users that are impacted vs the difficulty of recovering the affected systems and assets. Therefore, if many users are affected on a critical system, this would usually result in the incident being rated critical, resulting in the CMT getting involved. Some organisations also add certain special rules to their severity matrix. For example, if any amount of customers are affected, the incident severity is rated as critical.
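As an added example (not the room's own code) of how such a matrix feeds escalation, the classifier below encodes the three cells the room's questions state, the "any customers affected" special rule, and the rule that only a Level 4 incident invokes the CMT. The scales, the remaining cells and the rating-to-level mapping are assumptions, and the block also runs the Task 5 style re-triage over a constructed timeline of updates.

```python
"""Severity classification and escalation modelled on the matrix in Task 2.

Added example, not the room's own code. Only three matrix cells come from the
room's questions (multiple users + medium = Moderate, multiple users + low = Low,
business unit + high = Critical), plus the special rule that any customer
impact is rated Critical and the rule that only a Level 4 incident invokes the
CMT. The remaining cells, the scales and the rating-to-level mapping are
assumptions chosen to fill in a plausible matrix.
"""
from dataclasses import dataclass
from enum import IntEnum


class Scope(IntEnum):
    """How widely the incident reaches (assumed ordinal scale)."""
    SINGLE_USER = 0
    MULTIPLE_USERS = 1
    BUSINESS_UNIT = 2
    WHOLE_ORGANISATION = 3


class Impact(IntEnum):
    """How hard affected systems and assets are to recover (assumed scale)."""
    LOW = 0
    MEDIUM = 1
    HIGH = 2


# scope -> impact -> rating. Cells marked (room) are stated on the page;
# every other cell is an assumption.
MATRIX = {
    Scope.SINGLE_USER: {Impact.LOW: "Low", Impact.MEDIUM: "Low", Impact.HIGH: "Moderate"},
    Scope.MULTIPLE_USERS: {
        Impact.LOW: "Low",            # (room) question 2.2
        Impact.MEDIUM: "Moderate",    # (room) question 2.1
        Impact.HIGH: "High",
    },
    Scope.BUSINESS_UNIT: {
        Impact.LOW: "Moderate",
        Impact.MEDIUM: "High",
        Impact.HIGH: "Critical",      # (room) question 2.3
    },
    Scope.WHOLE_ORGANISATION: {Impact.LOW: "High", Impact.MEDIUM: "Critical", Impact.HIGH: "Critical"},
}

# rating -> (incident level, team that owns it), following the four levels
# listed in the room; tying Low/Moderate/High to levels 1-3 is an assumption.
LEVELS = {
    "Low": (1, "SOC"),
    "Moderate": (2, "CERT"),
    "High": (3, "CSIRT"),
    "Critical": (4, "CMT"),
}


@dataclass(frozen=True)
class Incident:
    summary: str
    scope: Scope
    impact: Impact
    customers_affected: bool = False  # the room's example special rule


def rate(incident: Incident) -> str:
    """Rate an incident: special rules first, then the matrix cell."""
    if incident.customers_affected:
        return "Critical"
    return MATRIX[incident.scope][incident.impact]


def escalate(incident: Incident) -> dict:
    """Map the rating to the incident level and the responsible team."""
    rating = rate(incident)
    level, team = LEVELS[rating]
    return {"rating": rating, "level": level, "team": team, "invoke_cmt": level == 4}


def triage(history: list[Incident]) -> list[dict]:
    """Re-rate after each update (the Task 5 triage loop) and record whether
    severity was raised, lowered or unchanged relative to the previous update."""
    results = []
    previous = None
    for update in history:
        current = escalate(update)
        if previous is None:
            change = "initial"
        elif current["level"] > previous["level"]:
            change = "raised"
        elif current["level"] < previous["level"]:
            change = "lowered"
        else:
            change = "unchanged"
        results.append({"summary": update.summary, "change": change, **current})
        previous = current
    return results


# Constructed timeline loosely following the room's game: a phishing-delivered
# RAT on 20 workstations, then a domain controller compromise with DC Sync.
STORY = [
    Incident("RAT delivered to 20 workstations via phishing", Scope.MULTIPLE_USERS, Impact.MEDIUM),
    Incident("Domain controller compromised, DC Sync of all credentials", Scope.WHOLE_ORGANISATION, Impact.HIGH),
]

if __name__ == "__main__":
    for step in triage(STORY):
        print(f'{step["summary"]}: {step["rating"]} (level {step["level"]}, {step["team"]}, {step["change"]})')
```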

Answer the questions below

2.1 What would the severity rating of an incident be where multiple users are affected and the impact is medium?

When an incident impacts multiple users with a medium-level impact, it is classified as “Moderate.” This rating indicates that the issue is more severe than minor incidents but still within manageable limits, without posing an immediate or critical risk.

Answer: Moderate

2.2 What would the severity rating of an incident be where multiple users are affected and the impact is low?

If the impact on multiple users is minimal, the severity rating is “Low.” This reflects that while the incident affects more than one person, its overall effect on systems, data, or business processes is negligible.

Answer: Low

2.3 What would the severity rating of an incident be where an entire business unit is affected and the impact is high?

When an incident affects a whole business unit and the impact is high, it is classified as “Critical.” This denotes an urgent crisis requiring immediate response due to the potential for severe disruption to operations and possible long-term damage.

Answer: Critical

Task 3 The Roles and Responsibilities in a CMT

Not all Voices are Equal

There are several roles and responsibilities that have to be taken care of in the CMT. Normally, not all CMT members are involved from the start. Depending on the crisis, members are added as needed. This is to help ensure that the CMT can respond as rapidly as possible.

While in most cases a democracy is the best solution to ensure that everyone’s voices are heard, the opposite is true for CMT. An autocracy is the best approach for a CMT to ensure that actions are taken decisively without wasting precious time. Usually, this responsibility would fall on the CEO. This is a fairly extreme approach and to share the responsibility of making these decisions, some CMTs will provide voting rights to key individuals, usually no more than five. So while it is still a small team that can request that actions are taken, the responsibility no longer lies on just one individual.

Roles in the CMT

The table below details some of the roles and responsibilities you can find in a typical CMT:

Answer the questions below

3.1 Who is responsible for note-taking in the CMT?

The Scribe’s role is to document all discussions, events, and decisions made during the CMT session. These notes are critical for reporting to third parties like regulators or government agencies.

Answer: Scribe

3.2 Who is responsible for leading the CMT session?

The CMT Chair, often the CEO or COO, leads the session and has the final say on decisions to ensure that actions are taken quickly and decisively.

Answer: Chair

3.3 Who is responsible for ensuring that the actions taken by the CMT do not break the law?

The Legal team ensures that all actions taken by the CMT comply with laws and regulations. For example, they provide guidance on whether paying a ransom or engaging with threat actors is legal.

Answer: Legal

3.4 Who is responsible for making sure that the stakeholders are informed during the CMT?

The Communication role ensures that both internal stakeholders (employees) and external stakeholders (customers) are informed in a controlled manner to prevent unnecessary panic.

Answer: Communication

3.5 Who is responsible for providing more technical information to the CMT to ensure that they can take the appropriate actions?

Subject Matter Experts (SMEs), such as the head of the SOC or CSIRT incident manager, provide detailed technical insights to help the CMT understand the scope of the incident and determine appropriate actions.

Answer: Subject Matter Experts

Task 4 The Golden Hour

When the CMT is invoked, the first hour is one of the most crucial. Similar to any investigation, as more time progresses, rebuilding what has happened and recovering from it becomes harder. We refer to this as the Golden Hour. During the Golden Hour, the CMT has to perform several critical steps.

Assembly

The first step in the Golden Hour is to assemble the CMT. Once the CSIRT decides to invoke CMT, a process should be followed to notify all initial CMT members that they are required to help with a cyber crisis. Usually, a playbook and call tree are created for this. It is incredibly important since some of the required members may not be available (for example, the COO could be stuck on an overnight flight). Therefore, their replacement and their replacement’s replacement should already be documented.

Usually, the CSIRT Chair would be responsible for invoking the CMT and then performing the initial notification. From there, several members can assist in assembling the CMT. The team should also decide if the team would assemble remotely or in person and what communication channels will be used. While this decision might sound simple, it is often harder than you would think. It could be that the CSIRT has a strong suspicion that their primary communication channels have been compromised by the threat actor and therefore, out-of-band communication will be required.

Information Gathering

Once the CMT has been established, the very first step is to understand what has happened and what actions should be taken immediately. For a cyber crisis, this is usually done in the form of a CSIRT briefing where the CSIRT provides:

  • A summary of the information discovered up to this point
  • A summary of the actions that have already been taken by the team and the effect they had on the incident
  • Recommendations as to what nuclear actions should be taken immediately by the CMT

Crisis Triage

Once the CMT has been briefed, it is important for the team to triage the incident and consider the actions proposed by the CSIRT. The CMT should think carefully about the impact that the actions would have on the organisation and already think about what steps can be taken to limit the impact. During this triage phase, the team will also decide on which other stakeholders should be involved in the CMT.

Notifications

As mentioned before, controlling the narrative is incredibly important. As such, one of the first steps that the CMT should already perform during the Golden Hour is to prepare and in certain cases send out communication, both internally and externally. Usually, CMTs would prepare by making use of holding statements. These are messages that do not divulge exactly what is happening, but provide reassurance that the team is investigating and will provide more feedback as information becomes available. This can help calm the situation as stakeholders are aware that the team is busy working on whatever the issue is.

Answer the questions below

4.1 What is the first step that has to be performed during the CMT golden hour?

The first thing that needs to happen during the “Golden Hour” is assembling the Crisis Management Team (CMT). This means that the CSIRT (Incident Response Team) informs the key CMT members that they need to respond to the crisis. To make this process quick and efficient, there is usually a playbook or call tree in place that lists who to contact and their replacements in case someone isn’t available (e.g., they are on a flight or out of reach).

It’s also important for the team to decide whether they’ll meet in person or remotely and to determine safe communication channels. If the primary systems, like email or messaging apps, might have been hacked, the team would use “out-of-band communication,” such as phone calls or secure tools outside the company network.

Answer: Assembly

4.2 In the event of a cyber crisis, who provides the update to the CMT?

When a cyber crisis happens, the CSIRT (Computer Security Incident Response Team) is responsible for providing the initial update to the CMT. This update is very important because it helps the CMT understand the situation and decide what to do next.

The CSIRT’s update usually includes:

  1. A summary of what has been discovered so far — like how the attack happened and what systems are affected.
  2. A summary of actions already taken — for example, systems that have been shut down or blocked to limit the damage.
  3. Recommendations for immediate actions — sometimes called “nuclear actions,” which are big decisions, like taking entire systems offline to stop the spread of malware.

This information gives the CMT the facts they need to make fast and informed decisions to manage the crisis.

Answer: CSIRT

Task 5 The CMT Process

Once the CMT has been established and the Golden Hour actions have been performed, the CMT starts with a cyclic process to deal with the crisis, as shown below.

It is important to note that during the entire process, the CMT remains static. Rather than have members of the main CMT split off and find information, SMEs are used to bring information to the CMT. This is because if the CMT team were to split off during a critical moment, it would waste time to assemble the team again. This model ensures that the CMT can always receive critical information from stakeholders and SMEs.

Information Updates

The CMT receives updates from the various stakeholders. This usually happens in the form of briefings with SMEs. The goal is to provide the CMT with new information to better understand the scope of the crisis and what impact actions taken in the past have had on the crisis. The CMT decides how often these update sessions are performed. At the start of the crisis, these updates would often be more frequent.

As mentioned before, the CMT usually consists of members that are not as technical. It is, therefore, important that SMEs provide the update information in a manner that can be understood by the CMT. Usually, technical information is abstracted in the update and the focus is more on the impact of what has happened than what has actually happened.

Triage

Once the team receives new information, the triage process has to occur again. During this phase, the CMT decides if the severity of the crises should be raised or lowered and if any new SMEs should be involved in the CMT. The CMT also needs to decide if there will be any new communication sent out internally and externally.

Action Discussions

Using the new information provided by the various SMEs, the CMT has to discuss the proposed actions. The goal of these discussions is to understand the impact that these actions would have on the organisation. In this case, we are no longer talking about easy and small actions, such as removing a phishing mail from a user’s mailbox. We are talking about large actions such as:

  • Restricting remote access to the environment by halting all VPN access
  • Performing a domain takeback of the Active Directory domain
  • Switching a system over to the disaster recovery environment

These are actions that the CMT can’t take lightly, as they would impact the business. The goal of discussions is to better understand that impact and allow the team to determine if there may be any less impactful, but still effective actions that can be taken.

Action Approvals

The CMT chair will usually limit the amount of time for discussions. This is to ensure that the discussions do not go on forever, leading to inaction. Furthermore, depending on the scenario, the situation may worsen with more time. For example, if ransomware is being deployed from a central location such as Group Policy Objects, the entire Windows environment would be encrypted within 120 minutes! Every single minute the team discusses actions longer, the ransomware is spreading. Therefore, these discussions are limited before the team decides which actions will be followed.

As discussed before, this is usually not done in a very democratic way and will often be a decision made directly by the CEO. These decisions are not made lightly, as the executives will ultimately be held accountable for the crisis; however inaction can often be much more detrimental. Would you be able to make these critical decisions, choosing between the lesser of two evils in a limited amount of time?

Documentation and Crisis Closure

Once the crisis has been remedied, it has to be documented. Using the notes from the scribe, a crisis document is created. This document details what happened during the crisis and what actions were implemented to deal with the crisis. This information is not just for the archive, but can be used by the CMT to learn lessons about the crisis and adapt their processes and policies to better deal with a cyber crisis in the future.

Answer the questions below

5.1 What is the term used to describe the process by which the CMT determines the severity of the crisis?

Triage is the process where the CMT assesses new information to determine if the severity of the crisis needs to be raised or lowered. During this phase, the CMT also decides whether additional subject matter experts (SMEs) need to be involved and whether new internal or external communications are required.

Answer: Triage

5.2 Who is ultimately responsible for ensuring that the CMT takes action?

The CMT Chair, often the CEO or COO, is responsible for ensuring that actions are taken. The Chair limits the time for discussions to avoid delays, especially during critical moments where inaction could make the situation worse. The Chair often has the final say in approving and implementing decisions.

Answer: CMT Chair

5.3 Who will ultimately be held accountable for the crisis?

The CEO (Chief Executive Officer) is the person at the very top of the organization. Because the CEO is responsible for the overall success and safety of the company, they are ultimately held accountable for everything that happens, including a cyber crisis. Even if other teams or individuals make decisions during the crisis, the CEO is the one who must answer to the board, stakeholders, and customers.

This responsibility comes with the role, as the CEO is seen as the leader who ensures the company can recover and move forward.

Answer: CEO

Task 6 The Importance of SMEs

Jack of All Trades

The members of the CMT usually have broad scopes for their roles. For example, the CEO is responsible for running the entire organisation. While the CEO might have extensive knowledge of several things in the organisation, it cannot be expected that they are an expert in everything that the organisation does. This is the case for most of the CMT members. As such, this team in isolation would not be able to deal with the crisis and therefore, have to leverage the expertise of others around them.

The Masters of One

This is where subject matter experts come into play. As a security engineer, you may be involved in a CMT if the crisis pertains to your specific division. As the security engineer, you should have an incredible depth of knowledge of your specific system or asset and can therefore provide vital information to the CMT.

The CMT can only take effective actions if the following is true:

  • The CMT must have an accurate understanding of the scope of the incident, including what has happened and what the impact is on the business. It will never be possible to understand the full crisis scope as the investigation will still be ongoing, but having an as clear as possible picture is important.
  • The CMT has to understand what actions are available for them to take and what the impact vs effectiveness of these actions would be.

SMEs play a critical role in providing this information. As a security engineer, you will understand the system best to know what potential actions can be taken to recover from the crisis. You will know how long backups are kept. You will know whether the environment can switch to DR. You will know what the impact would be if you have to take critical assets in the environment offline.

This information must be clearly communicated to the CMT to ensure they can make an informed decision. Without SMEs, it would be impossible to recover from a crisis.

Answer the questions below

6.1 Who is responsible for providing the CMT with technical and in-depth information to allow them to make an informed decision during the crisis?

Subject Matter Experts, or SMEs, are people who have deep, specialized knowledge about specific systems or areas in the organization. While the Crisis Management Team (CMT) focuses on making decisions during the crisis, they are usually not technical experts. They rely on SMEs to explain what is happening in clear terms.

For example:

  • If the crisis affects a specific server or system, the SME (like a security engineer) can tell the CMT exactly how that system works, what backups are available, and what will happen if it’s taken offline.
  • SMEs help the CMT understand the technical options available to fix the problem and the impact each option might have.

Without SMEs, the CMT would not have enough information to make the right decisions, because they wouldn’t fully understand the situation.

Answer: Subject Matter Experts

Task 7 The Actions Available to the CMT

Apart from the technical response the CMT can take to deal with the crisis, there are other actions that the team needs to consider and potentially take. Some actions will help the team control the narrative, while others may be required by law.

Internal Communication

The CMT will have to decide what communication will be sent internally. This doesn’t just include messages that will go to employees, but also communication that is prepared for key divisions such as the help desk. Depending on the technical response taken by the CMT, the help desk might receive an influx of support queries. To ensure that the help desk can assist employees and to limit the spread of panic, the CMT will also prepare communication for this team. While the team can create this communication during the crisis, it is often not recommended as limited time is available which could lead to mistakes. Rather, the team should have already prepared holding statements that can simply be tweaked before being distributed.

External Communication

External communication is just as important. Again, this does not just cover the communication that is sent directly to customers, but also communication such as comments to the press or interviews that will be performed. This component has become vital and incredibly difficult to navigate in today’s time due to social media. Often, organisations will employ teams that will specifically take care of this communication during an incident to help ensure that the public is informed about what is happening without spreading fear and panic, which could cause reputational damage to the organisation.

Informing the Regulator

Depending on the category of the organisation, there may be the need to inform other third parties. For example, in the financial sector, organisations are usually required by law to notify their respective regulator if there is a crisis. This is because the crisis could have an impact on the entire country. Another common regulator that must be informed during a crisis is the information regulator if the crisis has resulted in the breach of customer information in countries that have to adhere to laws such as GDPR.

Contacting Law Enforcement

Also, depending on the country of the organisation, there may be a need to contact law enforcement agencies, for example, the FBI. Usually, these processes are defined by the CMT before a crisis and will be part of their playbooks. Law enforcement agencies can often help with the investigation and help to ensure that the chain of custody of forensic evidence is followed to help with prosecution later.

Exercising CMT

Now that you understand the CMT process, it is time to use that knowledge to deal with a cyber crisis. Launch the static site and take care of the crisis!

Start of the Game — Incident Lifecycle Game

What Happened:

You are introduced to the Incident Lifecycle Game, where your goal is to make strategic decisions to manage a cyber crisis effectively.

Objective:

  1. Minimize damage to the organization’s systems (estate) and reputation.
  2. Make thoughtful decisions as the crisis unfolds.

The first story is loading, and the game prepares to present a simulated cyber crisis.

The SOC (Security Operations Center) detected multiple reports of a phishing email.

The CSIRT confirmed the email delivered malware (Remote Access Trojan — RAT) to workstations.

Why It’s Important:

  1. The RAT allows attackers to take control of infected computers and steal data.
  2. Immediate action is needed to investigate and stop the malware from spreading.

Question Phase — Selecting Questions

What Happened:

You are given four choices to investigate the phishing attack

Select:

  1. How many users received the email? — To understand the scope (20 users affected).
  2. What does the malware do? — To understand its behavior (keylogging and C2 communication).

Why: These questions helped uncover the scale of the attack and how the RAT operates, providing vital information for containment.

What Happened:

Answers revealed:

20 users received the email.

The RAT captures keystrokes and communicates with a C2 (Command and Control) server.

Follow-up investigation uncovered:

The C2 server is active.

The RAT spreads by harvesting credentials.

This information allowed you to focus on stopping communication with the C2 server and preventing lateral movement.

Action Phase — PowerUp Options

You received an Action PowerUp that allowed you to take additional actions in the next phase.

The PowerUp increased your ability to respond quickly, taking double the number of actions to contain the malware effectively.

Action Phase — Taking Actions

Take two critical actions:

  1. Block the C2 channel on the perimeter — Prevents the RAT from communicating with the attackers.
  2. Reset the accounts of employees infected with the RAT — Stops further misuse of compromised credentials.

Why:

  1. Blocking the C2 server cuts off the attackers’ control.
  2. Resetting accounts prevents stolen credentials from being used for further compromise.

Communication Phase — Internal and External Updates

Prepare controlled communications:

  1. Internal: “We are busy investigating.”
  2. External: “We are aware of system slowdowns and are investigating, please stand by.”

Why:

This calms both employees and external stakeholders, reducing panic and preserving trust.

Story 2

The crisis escalates in Story 02, the next phase, where you need to investigate further actions by the attackers.

The RAT is still active, and attackers are attempting to escalate their control over the environment.

New Warning — Domain Controller Compromised

The SOC detected that attackers compromised the Domain Controller (DC) using the RAT.

Attackers performed a DC Sync, dumping all user credentials.

This is a critical escalation. The attackers now have credentials for all users, enabling full control over the environment.

New Questions — Investigating the Domain Controller

Selected key investigation questions:

  1. Lateral movement technique used — The attackers used SMB pipes to pivot through the network.
  2. C2 channel on the perimeter — Identified the original C2 server.
  3. What attackers did on the domain controller — They exfiltrated credentials (DC Sync).

Understanding these details allows you to stop the malware’s spread and regain control.

Communication Phase

Actions to Take:

  1. Internal Communication: “We are busy investigating” — This message reassures employees without revealing too much information. It helps reduce panic internally while maintaining control of the situation.
  2. External Communication: “We are aware that our systems have become slow and are investigating, please stand by.” — This message informs external stakeholders (customers) of the issue without causing alarm or reputational damage.

Why This Matters:

Clear communication during a cyber crisis is critical:

  1. Internally: Employees remain focused and calm.
  2. Externally: Customers and the public maintain trust, knowing the issue is being handled.

By choosing controlled, transparent messages, you mitigated reputation damage while showing active management of the situation.

Loading Screen for Story 03

Warning Notification — Domain Compromise

Alert: “RATs were used to spread the threat in our environment. A domain controller has been compromised according to SOC analysis.”

Critical Issue: Users cannot access their files, and urgent action is needed before the environment deteriorates further.

This is a pivotal point in identifying that the attackers are now targeting domain controllers — a central system that manages users and permissions.

Must respond to critical questions to investigate and limit the spread.

Investigate the incident by asking the SOC team questions to gather information.

Questions:

  1. From where is the connection made to the domain controller?
  2. What did the attackers do on the domain controller?
  3. How is the ransomware being deployed?

These questions will reveal the scope of the attack, the attacker’s techniques, and their impact on the environment.

Questions Asked:

  1. Where is the connection to the domain controller made from? Answer: The attacker is using a Remote Access Trojan (RAT) to move across the environment, bypassing a security “jump host.”
  2. What lateral movement technique was used? Answer: The attacker uses an SMB pipe to move between systems and connect to other RATs. This technique helps them communicate across the network.
  3. Can we find the C2 channel used on the perimeter? Answer: Yes, we discovered the original C2 channel (Command and Control) that the RAT is using to communicate and take control of systems.

What did the attackers do on the domain controller?

  1. Performed a DC Sync attack: The attackers performed a DC Sync, which dumps all user credentials from the domain controller. This means they now have access to all usernames and passwords in the system.
  2. Where was the DC Sync data exfiltrated to? The credentials were taken out of the environment, meaning attackers stole all the usernames and passwords.

How is the ransomware being deployed?

  1. Source of the ransomware: The ransomware originates from the compromised domain controller. This means attackers are spreading the ransomware from the core system that manages the environment.
  2. How is the ransomware spreading? The attackers are using a Group Policy Object (GPO) to push ransomware to all Windows computers in the network. This automated deployment spreads the ransomware quickly.

Can we analyze the ransomware?

Yes, we were able to create Indicators of Compromise (IoCs) and signatures for the ransomware strain. This will help in detecting and stopping it.

Summary of Findings:

  1. Attackers gained access using RAT malware and bypassed security defenses.
  2. They used SMB pipes to move laterally across the network.
  3. A DC Sync attack was performed, stealing all credentials.
  4. Ransomware is being deployed using GPO from the domain controller.
  5. We identified IoCs and signatures to help stop the ransomware.

These findings help understand how the attack spread and how to mitigate further damage.

Action Phase — Mitigation Options

Take immediate actions to contain the spread and reduce damage.

Select Actions:

  1. Block the C2 channel on the perimeter: Stops malware communication with the attacker.
  2. Perform a domain takeback: Regains control of the compromised domain controller.

These actions directly target the RAT’s communication channel and secure critical systems.

Communication Phase — Internal and External Communication

  1. Internal Communication: “There is an incident, and we are dealing with it!”
  2. External Communication: “We are busy investigating an incident and will update the public soon.”

Clear and transparent communication minimizes panic and ensures employees and external stakeholders stay informed.

Estate Damage: 47% — Damage to organizational systems and assets.

Reputation Damage: 35% — Impact on public and internal trust.

The game simulates a realistic cyber crisis, demonstrating the importance of:

  1. Fast Investigation: Choosing the right questions to uncover critical information.
  2. Immediate Mitigation: Blocking communication channels and limiting malware spread.
  3. Effective Communication: Keeping stakeholders informed to control panic and public perception.
  4. Strategic Decision-Making: Taking decisive actions to regain control of critical infrastructure.

Takeaway: A well-prepared Crisis Management Team (CMT), supported by Subject Matter Experts (SMEs), can effectively reduce damage during a cyber crisis. While some damage is inevitable, swift action and communication can minimize its impact on the organization.

Answer: THM{The.Crisis.has.been.managed!}
