Managing Incidents Module — TryHackMe Insights &Walkthrough

Understand how security engineers help their organizations during an incident to reduce the impact of the incident.

Module URL: https://tryhackme.com/r/room/introtoirandim

In this module, we will be exploring the concepts of incident response and management specifically from the role of a security engineer. While the SOC might be the last line of defence against incidents, security engineers often find themselves being the first line of defence. In the module we will explore the concepts of incident response and management, looking at how logging and monitoring should be performed, how security engineers can act as first responders, and how cyber crisis management works.

1. Intro to IR and IM

Room URL: TryHackMe — Managing Incidents
Room Walkthrough: Intro to IR and IM Walkthrough

Summary of Lessons Learned

1. Incident Response vs. Incident Management

• Incident Response (IR): Focuses on the technical aspects of an incident, such as identifying, containing, and solving the issue.
• Incident Management (IM): Ensures the actions taken are planned, communicated, and executed effectively to recover operations.

2. The Six Phases of Incident Management

1. Preparation:

• Develop incident response plans and conduct practice drills.

2. Detection and Analysis:

• Use logs, tools, and alerts to identify and analyze threats.

3. Containment:

• Isolate affected systems to stop the spread of the incident.

4. Eradication:

• Remove the root cause (malware, vulnerabilities).

5. Recovery:

• Restore systems to normal and secure operations.

6. Post-Incident Activity:

• Review what happened, analyze lessons learned, and improve processes for future incidents.

3. Common Pitfalls

• Poor system hardening and logging practices.
• Misjudging the scope of the incident, leading to ineffective containment.
• Insufficient backups for ransomware recovery.

Key Lessons to Apply

1. Preparation:

• Train teams, create incident response plans, and simulate responses.

2. Visibility:

• Prioritize logging for better detection and investigation.

3. Alerts:

• Fine-tune detection tools to reduce false positives while capturing real threats.

4. Accountability:

• Clearly define roles and responsibilities in incident response.

5. Data Protection:

• Use secure backups that are regularly tested for recovery.

Final Takeaway

Proactive preparation, clear roles, continuous monitoring, and timely response are key to minimizing the impact of any incident. An effective plan and proper execution make the difference between a manageable incident and a full-scale crisis.

Logging for Accountability

Room URL: TryHackMe — Logging for Accountability
Room Walkthrough: Logging for Accountability Walkthrough

Summary of Lessons Learned

1. Why Logging Matters

• Logs provide the source of truth for system actions.
• Essential for accountability, traceability, and investigations.

2. Key Log Management Practices

1. Protect Log Integrity:

• Logs must be tamper-proof and securely stored.

2. Utilize Log Sources:

• Use multiple log types: network logs, system logs, and application logs.

3. Use SIEM Tools:

• Tools like Splunk or Wazuh automate log collection, correlation, and threat detection

4. Compliance:

• Maintain logs according to regulatory requirements (PCI DSS, GDPR).

5. Data Correlation:

• Combine logs to identify patterns and validate security events.

Key Lessons to Apply

1. Protect logs using tamper-proof storage solutions.
2. Use SIEM tools to automate log analysis and enhance threat detection.
3. Align log practices with regulatory requirements to remain compliant.

Final Takeaway

Logs are critical for detecting threats, ensuring accountability, and complying with laws. By implementing secure logging practices and using tools for analysis, organizations can significantly improve their resilience to cyber incidents.

Becoming a First Responder

Room URL: TryHackMe — Becoming a First Responder
Room Walkthrough: Becoming a First Responder Walkthrough

Summary of Lessons Learned

1. Preservation of Evidence

• Preserve evidence based on volatility:
• Registers & Cache → Memory & Processes → Temporary Files → Disk Snapshots.
• Avoid actions that alter evidence, like shutting down systems.

2. Raising the Alarm

• Follow escalation procedures (playbooks or call trees) to notify key stakeholders quickly.

3. Containment of the Incident

• Use proper isolation methods to prevent the spread:
• Network Segmentation: Block lateral movement.
• Physical Isolation: Disconnect infected devices.
• Virtual Isolation: Use EDR tools for containment.

4. Invoking BCP (Business Continuity Plan)

• Use the BCP to ensure rapid recovery. Align with the Disaster Recovery Plan (DRP).

5. Documentation of Actions

• Use UTC timestamps for consistency.
• Document actions, approvals, and findings for smooth handovers.

6. Handover to the Blue Team

• Share all findings, logs, and evidence for continued investigation and recovery.

Final Takeaway

Being a first responder requires quick, decisive actions to contain, preserve evidence, and escalate incidents. Following structured procedures and clear documentation ensures an effective response while minimizing long-term impact.

Cyber Crisis Management

Room URL: TryHackMe — Cyber Crisis Management
Related Article: Cyber Crisis Management Walkthrough

Summary of Lessons Learned

1. Key Lessons to Apply

1. Preparation is Critical

• Have a Crisis Management Team (CMT) with detailed playbooks and communication strategies.

2. Importance of Investigation:

• Ask the right questions to uncover:
• Scope of the incident.
• Attack techniques (RAT, SMB pipes).
• Compromised systems (Domain Controller, GPO).

2. Decisive Action is Necessary:

• Take immediate actions:
• Block C2 channels.
• Reset credentials.
• Perform domain takeback.

3. Clear Communication:

• Maintain calm through:
• Internal updates for employees.
• External holding statements to reassure customers and the public.

4. Role of SMEs (Subject Matter Experts):

• SMEs provide the technical expertise needed for the CMT to make informed decisions.

Final Takeaway

A Crisis Management Team (CMT) ensures swift decision-making during a cyber crisis. By leveraging preparation, technical expertise, and clear communication, organizations can:

1. Minimize damage to systems and operations.
2. Maintain trust with employees, customers, and stakeholders.
3. Adapt and improve processes to better handle future incidents.

Final Thoughts about the Module

This module teaches that preparation, collaboration, and clear processes are the pillars of successful incident management. Security engineers, first responders, and crisis management teams must work together to reduce the impact of incidents, protect organizational assets, and maintain trust. By continuously improving processes and learning from each incident, organizations can become more resilient to cyber threats.

A well-prepared team, clear communication, and swift action are the keys to managing incidents effectively and ensuring a strong cyber defense.

Stay vigilant, stay prepared, and remember — a swift and well-planned response can be the difference between crisis and success.