# Incident Handling Guide — Course Overview

A comprehensive, practical guide to incident response and digital forensics for blue team professionals, SOC analysts, and incident handlers.

**Vault Status:** Active Foundation
**Audience:** Blue team professionals, L2–L3 SOC analysts, incident handlers, forensic investigators
**Prerequisites:** Networking basics (TCP/IP, DNS, HTTP), operating systems (Windows, Linux), security fundamentals (authentication, cryptography)
**Study Duration:** 8–12 weeks for comprehensive coverage; can be used as ongoing reference
**Industry Frameworks:** NIST SP 800-61, SANS PICERL, MITRE ATT&CK, Cyber Kill Chain, Diamond Model, ISO 27035

---

## 🎯 What This Guide Covers

This vault is a practical, hands-on guide to:

1. **Understanding security incidents** — definitions, classification, cost, impact
2. **Building incident response capabilities** — team structure, processes, tools, policies
3. **Detecting and responding to incidents** — triage, investigation, evidence handling
4. **Containing and eradicating threats** — isolation, remediation, system recovery
5. **Digital forensics for IR** — evidence preservation, chain of custody, forensic analysis
6. **Investigating specific incident types** — malware, ransomware, phishing, data breach, insider threat, DDoS, web attacks, intrusions
7. **Threat intelligence integration** — indicators of compromise, threat feeds, adversary profiling
8. **SIEM and log analysis** — security monitoring, alert tuning, log parsing
9. **Communication and escalation** — stakeholder updates, executive reporting, crisis communication
10. **Compliance and legal considerations** — GDPR, breach notification, evidence retention, legal holds

The approach is **methodical and investigative** — designed for operators who need to think clearly under pressure, preserve evidence correctly, and make defensible decisions in real time.

---

## 📚 Learning Objectives

Upon completing this guide, you will be able to:

### Incident Classification & Severity
- [ ] Define a security incident using NIST, ISO, and SANS definitions
- [ ] Distinguish between events, alerts, incidents, and breaches
- [ ] Classify incidents by type and severity level
- [ ] Determine appropriate response time and resource allocation (SLAs)
- [ ] Calculate incident severity using CVSS or similar frameworks

### Incident Handling Lifecycle
- [ ] Describe all phases of the incident handling lifecycle (NIST and SANS models)
- [ ] Explain roles and responsibilities in incident response
- [ ] Build and equip an incident response team
- [ ] Develop incident response policies and procedures
- [ ] Create incident response playbooks for common scenarios

### Detection & Analysis
- [ ] Identify indicators of compromise (IOCs) and indicators of attack (IOAs)
- [ ] Perform incident triage and initial assessment
- [ ] Collect and preserve digital evidence correctly
- [ ] Construct incident timelines from logs and artefacts
- [ ] Perform log analysis and SIEM tuning
- [ ] Use threat intelligence to correlate findings

### Containment
- [ ] Perform short-term containment (isolation, access restriction)
- [ ] Perform long-term containment (patch management, hardening)
- [ ] Prevent lateral movement and privilege escalation
- [ ] Coordinate with network, systems, and security teams

### Eradication & Recovery
- [ ] Identify and remove all traces of intrusion
- [ ] Restore systems from known-good backups
- [ ] Validate system integrity after eradication
- [ ] Return systems to production safely
- [ ] Prevent re-infection

### Digital Forensics
- [ ] Preserve evidence according to best practices
- [ ] Maintain chain of custody documentation
- [ ] Perform forensic imaging and analysis
- [ ] Examine Windows and Linux systems forensically
- [ ] Perform memory and disk analysis
- [ ] Create and defend forensic reports

### Threat Investigation
- [ ] Investigate malware incidents (detection, analysis, eradication)
- [ ] Handle phishing incidents (email investigation, user remediation)
- [ ] Respond to ransomware (identification, negotiation, recovery)
- [ ] Investigate data breaches (scope, notification, prevention)
- [ ] Detect insider threats (monitoring, investigation, prevention)
- [ ] Respond to DDoS attacks (mitigation, coordination)
- [ ] Investigate web application attacks (vulnerability analysis, exploitation)
- [ ] Handle network intrusions (lateral movement, C2 analysis)

### Communication & Escalation
- [ ] Escalate incidents appropriately within the organisation
- [ ] Communicate with executives and non-technical stakeholders
- [ ] Coordinate with external parties (law enforcement, vendors, customers)
- [ ] Manage crisis communication during active incidents
- [ ] Document incident details for future reference

### Compliance & Legal
- [ ] Understand breach notification requirements (GDPR, regional laws)
- [ ] Manage evidence for legal proceedings
- [ ] Maintain proper documentation for regulatory compliance
- [ ] Handle privileged attorney-client communications
- [ ] Understand law enforcement coordination

---

## 📋 Prerequisites

Before starting this guide, you should have foundational knowledge in:

### Networking
- TCP/IP fundamentals (IPv4, IPv6, ports, protocols)
- DNS resolution and DNS attacks
- HTTP/HTTPS and web protocols
- Network addressing and routing basics
- Common network services (SMTP, RDP, SMB, SSH)

### Operating Systems
- Windows administration (user management, file systems, permissions, event logs)
- Linux fundamentals (file systems, permissions, user management, process management)
- System architecture and boot processes
- File systems (NTFS, ext4) and storage concepts
- Process and service management

### Security Fundamentals
- Authentication mechanisms (passwords, MFA, Kerberos)
- Cryptography basics (hashing, encryption)
- Common vulnerabilities (injection, XSS, privilege escalation)
- Attack methodologies and kill chains
- Security policies and access control

### Nice-to-Have (Not Required)
- Previous incident response experience
- Malware analysis basics
- Scripting or programming knowledge (PowerShell, Bash, Python)
- SIEM experience
- Forensic or investigative background

---

## 🏆 Frameworks & Standards Covered

This guide is built upon and references industry-standard frameworks:

### NIST SP 800-61 Revision 2
**Computer Security Incident Handling Guide** — foundational NIST framework

- **Preparation:** Establish capability and tools
- **Detection and Analysis:** Identify incidents, perform triage, investigate
- **Containment, Eradication, Recovery:** Mitigate and restore
- **Post-Incident Activities:** Document and improve

This is the baseline framework. Most corporate incident response programmes follow NIST 800-61 or a variant.

### SANS PICERL Model
**Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned** — detailed, operational framework

- Similar to NIST but emphasises **Identification** as a distinct phase
- Commonly taught in the SANS courses leading to the GCIH and GCFE certifications
- Aligns well with practical SOC operations

### MITRE ATT&CK Framework
**Adversary Tactics and Techniques** — adversary behaviour classification

- Maps tactics (reconnaissance, exploitation, persistence, etc.)
- Maps techniques (specific methods for each tactic)
- Used for threat intelligence correlation, detection engineering, and post-incident analysis
- Threat intelligence section covers ATT&CK mapping

### Cyber Kill Chain (Lockheed Martin)
**7-stage attack progression model** — helps understand attack flow

1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command & Control
7. Actions on Objectives

Used to map incident findings and understand adversary progression.

### Diamond Model of Intrusion Analysis
**Relationship model** — adversary, capability, infrastructure, victim relationships

Represents intrusions as a diamond with:
- **Adversary** (who)
- **Capability** (what — tools, techniques)
- **Infrastructure** (where — C2, staging)
- **Victim** (target)

Used for post-incident analysis and threat intelligence production.

### ISO 27035
**Information Security Incident Management** — international standard

- Incident categorisation and severity
- Response procedures
- Evidence preservation
- Reporting and documentation
- Improvement processes

---

## 🔐 Key Standards & Regulations Referenced

### Computer Security Incident Handling
- **NIST SP 800-61 Rev 2** — foundational US federal guideline
- **SANS PICERL** — operational incident handling model
- **ISO 27035** — international incident management standard
- **NIST SP 800-150** — guidelines for cybersecurity event recovery

### Compliance & Legal
- **GDPR (General Data Protection Regulation)** — EU data protection; breach notification (72 hours)
- **CCPA (California Consumer Privacy Act)** — US state privacy law; breach notification
- **HIPAA (Health Insurance Portability and Accountability Act)** — healthcare data breach notification
- **PCI DSS (Payment Card Industry Data Security Standard)** — payment card incident response requirements
- **UK Data Protection Act 2018** — UK implementation of GDPR
- **SOC 2 Type II** — service provider audit standards (incident response controls)
- **CISA Incident Notification Requirements** — US federal contractor breach notification

### Evidence & Forensics
- **NIST SP 800-86** — guide to integrating forensics into incident handling
- **SWGDE (Scientific Working Group on Digital Evidence)** — best practices for digital evidence
- **IOCE (International Organization on Computer Evidence)** — international forensics standards
- **RFC 3227** — guidelines for evidence collection and archiving

---

## 🎓 Recommended Certifications Path

The following certifications align with this vault's content:

### Entry Level
- **GCIH (GIAC Certified Incident Handler)** — SANS entry-level IR certification
  - Covers incident handling fundamentals, lifecycle, tools
  - ~40–60 hours study
  - Recommended starting point
  - Exam: FOR504 (4-hour practical exam)

### Intermediate
- **GCFE (GIAC Certified Forensic Examiner)** — SANS forensics certification
  - Covers Windows and Linux forensic analysis
  - Evidence preservation and analysis
  - ~60–80 hours study
  - Exam: FOR508 (4-hour practical exam)

- **CEH (Certified Ethical Hacker)** — broad security foundation
  - Includes incident handling and forensics modules
  - ~40–50 hours study
  - Useful for offensive/defensive balance

### Advanced
- **GCFA (GIAC Certified Forensic Analyst)** — advanced forensics
  - Deep-dive into Windows and Linux forensics
  - Memory analysis, advanced timeline construction
  - ~80–100 hours study
  - Prerequisite: GCFE recommended
  - Exam: FOR508 (4-hour practical exam)

- **GCIA (GIAC Certified Intrusion Analyst)** — advanced network analysis
  - Network intrusion detection and analysis
  - Packet analysis, malware detection
  - ~60–80 hours study
  - Exam: FOR610 (4-hour practical exam)

### Specialist
- **GPEN (GIAC Penetration Tester)** — offensive security (complements IR)
- **GWAPT (GIAC Web Application Penetration Tester)** — web application testing
- **GSEC (GIAC Security Essentials)** — broad security knowledge base
- **CISSP (Certified Information Systems Security Professional)** — senior-level management (requires 5 years' experience)

**Recommended progression:** GCIH → GCFE → GCFA provides a solid foundation in incident handling and forensics.

---

## 🛠️ How to Use This Vault

### For Active Incident Response

When you have an active incident:

1. **Classify the incident** — [[01-Introduction-to-Incidents|Introduction to Incidents]]
   - Determine severity level (P1, P2, P3, P4)
   - Identify incident category
   - Note current state (initial detection, ongoing, contained)

2. **Navigate to the appropriate incident type** — [[Incident-Types/|Incident Types folder]]
   - Each module has rapid-reference procedures
   - Follow phase-by-phase guidance
   - Use role-specific sections

3. **Grab the relevant cheatsheet** — [[Cheatsheets/Master-IR-Cheatsheet|Master Cheatsheet]]
   - Windows, Linux, or Network cheatsheet depending on scope
   - Commands for rapid evidence collection
   - Common procedures and tools

4. **Follow the lifecycle** — [[02-Incident-Handling-Lifecycle|Lifecycle overview]]
   - Ensure you don't skip containment
   - Avoid evidence contamination
   - Track decisions and evidence

5. **Escalate & communicate** — [[12-Communication-and-Escalation|Communication]]
   - Know who to contact
   - Keep stakeholders informed
   - Maintain executive briefing template

### For Study & Certification Preparation

If studying for GCIH, GCFE, or similar certifications:

1. **Read the foundational modules in order:**
   - [[00-Overview|Overview]] (this file)
   - [[01-Introduction-to-Incidents|What is an Incident?]]
   - [[02-Incident-Handling-Lifecycle|The Incident Handling Lifecycle]]
   - [[03-Preparation-Phase|Preparation Phase]]

2. **Study detection and analysis:**
   - [[04-Detection-and-Analysis|Detection and Analysis]]
   - [[10-SIEM-and-Log-Analysis|SIEM and Log Analysis]]
   - [[11-Threat-Intelligence|Threat Intelligence and IOCs]]

3. **Study response phases:**
   - [[05-Containment|Containment]]
   - [[06-Eradication-and-Recovery|Eradication and Recovery]]
   - [[07-Post-Incident-Activities|Post-Incident Activities]]

4. **Deep-dive into forensics:**
   - [[09-Digital-Forensics-for-IR|Digital Forensics for Incident Response]]
   - Windows artefacts, Linux artefacts, memory analysis

5. **Study incident types relevant to your field:**
   - Select 2–3 modules from [[Incident-Types/|Incident Types]]
   - Understand response procedures for each

6. **Study legal and compliance:**
   - [[13-Compliance-and-Legal|Compliance and Legal Considerations]]
   - Understand breach notification requirements
   - Know your jurisdiction's laws

7. **Review cheatsheets regularly:**
   - Use [[Cheatsheets/Master-IR-Cheatsheet|Master Cheatsheet]] for exam prep
   - Memorise key command syntax
   - Practice timeline construction

### For Team Training & Onboarding

To train new team members or build team capability:

1. **Start with overview:**
   - Read [[00-Overview|Overview]] together
   - Discuss roles and responsibilities
   - Review your organisation's policies

2. **Run through a sample incident:**
   - Use a case study from [[Incident-Types/|Incident Types]]
   - Walk through each phase
   - Discuss decision points

3. **Hands-on practice:**
   - Set up a lab environment
   - Use cheatsheets to collect evidence
   - Build timelines from sample logs

4. **Build playbooks:**
   - Use incident type modules as templates
   - Customise for your environment
   - Document your procedures

### For Ongoing Reference

Use this vault as an operational reference:

- Bookmark key pages in your Obsidian sidebar
- Search for keywords using Obsidian's search feature
- Tag findings with `#IncidentHandling` for rapid reference
- Keep cheatsheets open during investigations

---

## 📖 Vault Philosophy & Approach

### Methodical & Investigative
Every procedure emphasises clear thinking and defensible decisions. We avoid shortcuts that compromise evidence.

### Practical & Operator-Focused
Content is written for practitioners — people in active incidents, on shift, under pressure. Theory is secondary to procedure.

### Defensive (Blue Team)
This is a blue team vault. We focus on defence, detection, response, and resilience. Offensive techniques are covered only where they help us understand attacks better.

### Framework-Agnostic (But Standards-Based)
While we reference NIST and SANS, the vault works whether your organisation uses NIST, SANS, ISO, or a proprietary model. The phases are universal.

### British English Throughout
Consistent British English spelling and style (analyse, behaviour, defence, optimise, organisation, etc.).

### Obsidian-Compatible
All files use Obsidian conventions:
- Wiki-links: `[[filename]]` or `[[folder/filename|Display Name]]`
- Hashtags for tagging: `#IncidentHandling`, `#Malware`, etc.
- Markdown formatting for compatibility with other tools

---

## 🔍 What You'll Find in Each Module

### Core Modules
Each core module includes:
- **Learning objectives** — what you'll understand after reading
- **Conceptual overview** — why this matters, context
- **Detailed procedures** — step-by-step guidance
- **Examples and case studies** — real-world scenarios
- **Tools and commands** — practical utilities
- **Decision trees** — when to choose which approach
- **Common mistakes** — pitfalls to avoid
- **Links to other modules** — cross-references

### Incident Type Modules
Each incident type module includes:
- **Definition and characteristics** — how to recognise this type
- **Attack vectors** — how attackers deploy this attack
- **Detection methods** — how to spot it
- **Investigation procedures** — how to investigate
- **Containment strategies** — how to stop it
- **Eradication techniques** — how to remove it
- **Recovery procedures** — how to restore
- **Prevention measures** — how to prevent recurrence
- **Case studies** — real examples

### Cheatsheets
Quick-reference command lists and procedure checklists for rapid use during active incidents.

---

## ⚡ Quick Incident Response Checklist (from memory)

When an incident is reported:

1. **STOP** — Don't panic, don't make assumptions
2. **VERIFY** — Confirm the incident is real (not a false positive)
3. **CLASSIFY** — Determine severity and type
4. **ESCALATE** — Contact incident lead/manager
5. **PRESERVE** — Isolate systems, preserve evidence, avoid contamination
6. **GATHER** — Collect evidence methodically, maintain chain of custody
7. **ANALYSE** — Build timeline, identify IOCs, understand scope
8. **CONTAIN** — Isolate, restrict access, stop lateral movement
9. **ERADICATE** — Remove threat, patch vulnerabilities
10. **RECOVER** — Restore systems, validate integrity
11. **DOCUMENT** — Record everything, maintain chain of custody
12. **COMMUNICATE** — Keep stakeholders updated
13. **LEARN** — Conduct lessons learned, update procedures

See [[02-Incident-Handling-Lifecycle|Incident Handling Lifecycle]] for detailed guidance.

---

## 🎓 Study Tips

- **Don't try to memorise everything** — use the vault as reference material
- **Focus on procedures and decision logic** — understand *why*, not just *what*
- **Practice on lab systems** — use the cheatsheets in a lab environment before needing them in production
- **Build playbooks** — adapt incident type modules to your specific environment
- **Keep incident logs** — document past incidents to learn from them
- **Review after every incident** — update playbooks based on lessons learned
- **Stay current** — threat landscape changes; review threat intelligence regularly

---

## 📞 Roles & Responsibilities Quick Reference

- **CISO / Chief Information Security Officer** — Overall responsibility, policy, budget, executive reporting
- **Incident Response Manager** — Coordinates team, makes escalation decisions, manages timeline
- **SOC Analyst L1** — Initial triage, alert investigation, escalation
- **SOC Analyst L2** — Deep analysis, timeline construction, evidence collection
- **SOC Analyst L3** — Complex analysis, threat intelligence, technique identification
- **Forensic Investigator** — Evidence preservation, forensic imaging, detailed analysis
- **Threat Hunter** — Proactive threat identification, IOC research, adversary profiling
- **Network Engineer** — Network isolation, traffic analysis, remediation
- **Systems Administrator** — System access, account management, system recovery
- **Legal/Compliance** — Breach notification, evidence retention, regulatory coordination
- **Communications/PR** — Internal and external communication, crisis messaging
- **Executive Stakeholder** — Decision-making authority, resource approval

See [[03-Preparation-Phase|Preparation Phase]] for detailed role definitions.

---

## 🏁 Getting Started Now

**If you have an active incident:** Jump to [[Incident-Types/|Incident Types]] and find your incident category. Follow the procedures. Use cheatsheets.

**If you're studying for certification:** Start with [[01-Introduction-to-Incidents|Introduction to Incidents]] and progress sequentially through modules.

**If you're building team capability:** Start with [[00-Overview|Overview]] and [[03-Preparation-Phase|Preparation Phase]]. Build playbooks. Run drills.

**If you're just exploring:** Start with [[01-Introduction-to-Incidents|Introduction to Incidents]] to understand the incident landscape. Pick an [[Incident-Types/|incident type]] that interests you.

---

## 📝 Vault Metadata

- **Version:** 1.0 (Core Foundation)
- **Last Updated:** 2026-04-07
- **Status:** Active — continuous refinement
- **Language:** British English
- **Format:** Obsidian Markdown
- **Scope:** Comprehensive incident response and forensics guide
- **Audience:** Blue team professionals, SOC analysts, incident handlers

---

#IncidentHandling #DFIR #BlueTeam #IR-Foundations

