Identification & Scoping

Connecting to the machine

Start the virtual machine in split-screen view by clicking the green Start Machine button on the upper right section of this task. If the VM is not visible, use the blue Show Split View button at the top-right of the page. Alternatively, you can connect to the VM via RDP using the credentials below if Split View does not work. 

Username	analyst
Password	DFIR321!
IP	MACHINE_IP

IMPORTANT: The attached VM contains artefacts to help us better understand a Security Incident from detection to resolution. Work on the subsequent tasks and experiment with the VM through a case example. Microsoft Outlook will start on its own. Kindly ignore the activation key window by pressing Back, and then proceed by clicking Skip sign in for now ▶️ Use as view only. When asked for a license, click X, for optional data, click Next ▶️ Don't send optional data ▶️ Done in the subsequent pop-up windows.

The Identification phase forms the bedrock of the Incident Response Process. This critical phase combines the technical detection of potential security incidents with the inherent human capacity to recognise and report them.

The speed at which an organisation can spot an incident directly correlates with the pace of response, potentially limiting the damage and shortening recovery time.

The Triad of Identification: People, Process, and Technology

Identification is a harmonious concert between people, processes, and technology.

While technology offers the tools to detect potential incidents through alerts, people must interpret these alerts and adhere to established procedures to ensure incidents are correctly identified and managed.

Moreover, all, not solely the IT or Security teams, must report any anomalies and ensure that the relevant parties are alerted by following the appropriate procedures.

Consequently, the success of the identification phase rests on a well-coordinated collaboration among these three elements.

Understanding Security Alerts and Event Notifications

Security Alerts, also referred to as Event Notifications, are crucial signals that may hint at the presence of a potential threat or the occurrence of an actual security incident. These are pivotal in triggering the Incident Response Process and ensuring security and safety. Understanding the nature of these alerts, including their type and severity, is vital in guiding the incident response process. This understanding is nurtured through technical expertise, effective use of security tools, and a culture of continuous learning and vigilance. Following the proper procedures when handling these alerts ensures that the right individuals are alerted, bolstering incident response effectiveness.

Leveraging Technical Expertise and Security Tools

Effective incident response relies on timely reporting, staff proficiency, and strategic use of security technologies.

Therefore, it's crucial that all employees of an organisation, technical or otherwise, stay alert and promptly report any suspicious activities or anomalies through the appropriate communication channels.

Employing robust security technologies can significantly enhance the detection and deterrence of potential threats, ensuring rapid recognition and response to situations that may escalate into actual security incidents.

It is why TryHackMe is dedicated to supporting those pursuing a career in Blue teaming to master security tools by offering a platform that can aid individuals in developing proficiency in areas specific to Security Operations and Incident Response tooling, such as the following:

Endpoint Detection and Response (EDR) Intro to Endpoint Security Aurora EDR Wazuh Intrusion Detection and Prevention Systems (IDPS) Snort Snort Challenge - The Basics Snort Challenge - Live Attacks Security Information and Event Management (SIEM) Investigating with ELK 101 Splunk: Basics Incident handling with Splunk

Recognising that these security tools truly flourish in the hands of skilled individuals with the necessary information and technical expertise to combat potential threats and manage security incidents is vital.

However, effective communication channels are just as essential to ensure that the right people are quickly alerted with accurate and precise information, which enables them to conduct an investigation and initiate the incident response process, made possible only by well-designed procedures that both technical and non-technical staff can swiftly and seamlessly follow.

Promoting a Culture of Learning and Vigilance

Cultivating a culture of learning and vigilance is a top-down initiative. Executive management must prioritise and invest in cyber security, setting clear expectations for following the correct procedures. Regular education and awareness campaigns can equip personnel to identify and report suspicious activity or technical anomalies they may encounter, contributing to the overall effectiveness of the incident response process. Moreover, comprehensive policies and procedures related to incident response and reporting, guided by legal counsel, can underscore the importance of following the right procedures in identifying security incidents and communicating them effectively, thereby alerting the relevant people with the necessary information that will enable them to address issues.

Transitioning from Identification to Scoping

Once an incident has been identified, the subsequent step is determining its scope.

Scoping involves grasping the extent of the incident, including which systems are affected, what data is at risk, and how the incident impacts the organisation.

The transition from identification to scoping is crucial in the Incident Response Process, demanding clear communication, effective collaboration, and a well-defined process. The insights gained from the identification phase will prove instrumental in facilitating this transition and strengthening the effectiveness of the incident response process.

After identification, the next critical step in the Incident Response Process is Scoping, which involves determining the extent of a security incident, including identifying the affected systems, the type of data at risk, and the potential impact on the organisation.

Scoping is essential as it guides the subsequent steps of the response process and helps formulate an effective mitigation strategy.

The Asset Inventory: A Quick Reference for Incident Response

The Asset Inventory is a crucial tool in the incident response process. It provides a comprehensive list of all the organisation's assets, aiding in identifying and scoping potential threats. Let's look at a simple representation of the Asset Inventory.

The Spreadsheet of Doom (SoD): Enriching Artefacts for Effective Incident Response

Identifying, understanding, and responding to potential threats within the known scope of a security incident as swiftly as possible is critical.

It serves as a single reference point, accelerating the incident response procedure. Each row in this spreadsheet is representative of a unique threat identifier or an Indicator of Compromise (IoC).

The SoD is essentially a structured list of IoCs, including IP addresses, domain names, URLs, file hashes, and more associated with malicious activity. The data in this spreadsheet is enriched with additional information about each IoC, such as its source, the type of threat it is linked to, and more.

This additional context can aid incident responders in quickly understanding the nature of a security incident and potential threats. Moreover, it provides a historical reference that can be used for tracking recurring threats and observing patterns in cyberattacks.

The SoD is more than just a list - it's a dynamic, comprehensive resource that centralises crucial information, streamlines communication among incident response teams, and ultimately empowers faster, more effective responses to potential threats.

The Asset Inventory and Spreadsheet of Doom are indispensable tools in Scoping the extent of a security incident. These tools can be used as quick references and fact sheets, enabling efficient correlation and enrichment of artefacts by providing a comprehensive overview of relevant information about an incident at a glance. By continually updating and referring to both tools, incident response teams can stay one step ahead and take a more proactive approach to incident response.

The Identification and Scoping phase of the Incident Response Process is not a linear progression but a feedback loop continually refining our understanding of the incident and its scope.

This loop becomes intelligence-driven when it leverages current investigation data, enriching it with information from past incidents, correlated logs from various data sources, advanced analytics and machine learning to enhance awareness by adding more context to a developing situation.

Event Notification The loop begins when an issue has been reported. It triggers the incident response process and sets the stage for the subsequent steps. Documentation The underlying issue is documented in detail, including information about the nature of the incident, the systems affected, and any potential threats or vulnerabilities. Documentation is a critical step that provides a foundation for the rest of the process. Evidence Collection Evidence of the incident is collected, including log files, network traffic data, and other relevant information. The collected evidence provides valuable insights into the incident and helps identify potential threats. Artefact Identification The collected evidence is analysed to identify artefacts related to the incident. These artefacts can provide clues about the threat's nature and the damage's extent. Pivot Point Discovery Based on the identified artefacts, new areas of investigation may be discovered. These pivot points can lead to new insights and help further refine the incident's scope. After this step, the process loops back to the documentation phase, incorporating the new findings.

The Power of an Intelligence-Driven Feedback Loop

A feedback loop driven by intelligence in the Identification and Scoping phase encourages a proactive and dynamic method towards incident response.

This proactive approach facilitates an ongoing education and exchange of information, enabling organisations to respond to security incidents and safeguard their systems efficiently.

It also ensures compliance with legal obligations for privacy and data protection.

Organisations can boost their incident response prowess and efficiently counteract security incidents by capitalising on real-time data concerning emerging threats, cultivating an environment of ongoing education and exchange of information, and guaranteeing privacy and data protection.

The Identification and Scoping phase of the Incident Response Process is a critical juncture that requires a well-coordinated effort between people, processes, and technology. Here, the nature of security alerts is discerned, and the extent of the incident is determined.

This phase is a balancing act, requiring technical expertise, effective use of security tools, and a culture of continuous learning and vigilance.

We've explored the importance of understanding security alerts, the role of technical expertise and security tools, and cultivating a culture of learning and vigilance. We've also delved into the significance of following proper procedures to ensure that incidents are accurately identified and managed, ensuring that the appropriate individuals capable of addressing them are notified.

Remember, the success of the identification phase hinges on a well-orchestrated collaboration between these elements. You can significantly enhance your organisation's incident response capabilities by fostering a culture of awareness and vigilance and leveraging the right tools and processes.

Next Steps

Now that you've comprehensively understood the Identification and Scoping phase, it's time to proceed to the next room, Intel Creation and Containment.

Here, you'll delve deeper into the Incident Response Process, exploring the subsequent phases and honing your skills further. Remember, continuous learning and practice are essential to mastering incident response. Onwards!