Preparation
Understand the Preparation phase of the Incident Response lifecycle.
easy
To access material, start machines and answer questions login.
The Preparation phase is the foundation of every effective incident response capability. Before an organization can detect, contain, or recover from a security incident, it must have the right people, processes, and technology in place. Without preparation, even the most skilled analyst will struggle to respond effectively when an incident occurs.
In this room, we will walk through what preparation looks like in practice. We will cover the key components of an incident response capability, explore the frameworks that guide this work, and review the preparation state of Nexus Financial before a real incident unfolds.
Learning Objectives
- Understand the purpose and importance of the Preparation phase in incident response
- Identify the key components of an capability, including people, processes, and technology
- Recognize how SP 800-61r2 and SANS PICERL structure the incident response process
- Understand the role of logging and detection in identifying security incidents
- Identify preparation gaps in a real organization scenario that could enable an attack
Prerequisites
Familiarity with basic security concepts and tools such as is recommended as the module progresses to hands-on investigation work in later rooms.
Module Chain
This module follows a single security incident at Nexus Financial from start to finish across four rooms:
| Room | What You Do |
|---|---|
| 1 - Preparation | Review Nexus Financial's security posture before the attack |
| 2 - Detection and Analysis | Detect the incident and analyze it in |
| 3 - Response and Recovery | Make containment decisions, confirm the attacker is gone, and identify root causes |
| 4 - Post-Incident Activity | Reconstruct the timeline of the attack and revisit what went wrong |
I am ready to start!
Security incidents are inevitable. Organizations of every size face adversarial threats daily, and the question is never whether an incident will occur but whether the organization is ready to respond when it does. Incident response is the structured approach an organization takes to prepare for, detect, contain, and recover from security incidents while minimizing damage and reducing recovery time.
Events, Alerts, and Incidents
These three terms are often used interchangeably, but they mean very different things in an context.
| Term | Definition |
|---|---|
| Event | Any observable occurrence within a system or network. Events happen constantly, and the vast majority are completely normal. A user logging in, an email being delivered, and a file being opened are all events. Notable events are transitioned into alerts thanks to detection rules and security tools. |
| Alert | A notification generated by a security tool indicating that something may require attention. Not every alert represents a real threat. Alerts can be escalated to incidents after a thorough alert triage. |
| Incident | A confirmed violation of security policies or practices that has a negative impact on the organization. An incident is declared when evidence confirms that a threat is real and action is required. |
This distinction matters because the process formally begins at the point of incident declaration. Everything before that point is alert triage. Everything after is incident response.
What Triggers an Incident Response
An process can be triggered by many sources, not just automated alerts from a . Common triggers include:
- A security alert escalated by a analyst
- A user reporting suspicious email or unexpected account behavior
- An automated detection from an or tool
- A third party, such as a threat intelligence provider or law enforcement, notifying the organization
- A threat intelligence feed flagging infrastructure associated with the organization
Understanding that incidents can originate from multiple sources is important. An organization that only monitors automated alerts will miss incidents that start with a user report or a third-party notification.
How Nexus Financial Handles This
Nexus Financial has a security team in place to effectively register incidents. engineers ingest events and build detection rules, analysts triage alerts and analyze threats, and a compliance team handles incident reports from partners and external parties. This ensures that Nexus Financial knows when something bad happens, and it is handled as a formal incident in an organized manner.
What is declared after a threat is confirmed?
What must be completed on an alert before the IR process can formally begin?
When a security incident occurs, the people responding to it are under pressure. Decisions need to be made quickly, evidence preserved, and multiple teams need to coordinate simultaneously. Without a defined structure, responses become reactive and inconsistent. Critical steps get missed, evidence gets lost, and recovery takes longer than it should.
This is why incident response frameworks exist. A framework provides the team with a proven, repeatable process to follow regardless of the incident type or severity. It removes the need to make structural decisions under pressure and ensures that nothing important is overlooked. Frameworks also provide a common language across teams, making it easier to coordinate internally and communicate with external parties such as legal counsel or law enforcement.
SP 800-61
The National Institute of Standards and Technology published the Computer Security Incident Handling Guide (SP 800-61 revision 2) (opens in new tab). It is one of the most widely referenced incident response frameworks in the industry and defines a four-phase lifecycle. This module follows revision 2 of the guide.
| Phase | Description |
|---|---|
| Preparation | Covers all the work done before an incident occurs. This includes building the team, defining policies and procedures, deploying detection tools, and ensuring adequate logging and visibility across the environment. |
| Detection and Analysis | Covers the identification of potential incidents, the triage of alerts, and the analysis required to confirm that an incident has occurred and understand its nature and scope. |
| Containment, Eradication, and Recovery | Covers the active response to a confirmed incident. Containment limits further damage, eradication removes the threat from the environment, and recovery restores normal business operations. |
| Post-Incident Activity | Covers the lessons learned process. This includes reviewing what happened, documenting the findings, and using what was learned to improve the organization's defenses and response procedures. |
A key characteristic of the framework is that it is designed as a cycle. The lessons learned from the Post-Incident Activity feed directly back into Preparation, making the organization better equipped for the next incident. The diagram above shows how this module maps to the lifecycle.
Note: SP 800-61 is not the only incident response framework available. Others, such as the SANS PICERL model and the NCSC Incident Management framework, follow similar principles with slight differences in how phases are named and grouped. This room focuses on SP 800-61, the most widely referenced framework in the industry and the foundation for many organizations' processes.
Where Nexus Financial Stands
Nexus Financial has an incident response policy in place that references SP 800-61 as its guiding framework. The policy defines the phases, assigns roles to members, and outlines communication procedures. However, as you will discover when reviewing the preparation documents, having a framework on paper and being fully prepared to execute it are two different things. Several foundational controls identified by as part of the Preparation phase are either missing or incomplete at Nexus Financial, and these gaps have direct consequences for the incident described in this module.
How many phases does the NIST SP 800-61 IR lifecycle have?
According to NIST SP 800-61, what phase follows Containment, Eradication, and Recovery?
Effective incident response is built on three pillars: the right people with the right skills, well-defined processes that guide their work, and the technology that supports detection and investigation. A weakness in any one of these pillars reduces the effectiveness of the entire capability.
People
The group responsible for managing security incidents is commonly referred to as a Cyber Security Incident Response Team, or . You may also encounter this team referred to as a Computer Emergency Response Team (), a Security Incident Response Team (), or simply an Incident Response Team (). The name varies between organizations, but the function is the same. In smaller organizations, there may not be a dedicated . In these cases, analysts temporarily take on the incident response role when an incident is declared. This is a common practice in organizations that do not have a high enough incident volume to justify a permanently staffed function.
members require appropriate access to the systems and data needed to do their work. This access should follow the principle of least privilege, granting only what is necessary for each member's role, audited regularly, and formally approved rather than assigned permanently.
Training is equally important. responders must be proficient with forensic tools, log analysis, and investigative techniques. End users must know how to recognize suspicious activity and report it through the correct channels. Regular simulations and awareness campaigns build this capability over time.
Processes
Processes define how the team operates. Key documents include:
| Document / Tool | Purpose |
|---|---|
| Incident Response Plan | Defines the overall approach the organization takes when managing incidents. Covers roles and responsibilities, escalation paths, communication channels, and how the effectiveness of the response is measured. |
| Communication Plan | Defines who within the is the point of contact for different incident types, when to notify law enforcement or third parties, and how to manage communications during a high-profile breach. |
| Playbooks | Provide step-by-step procedures for specific incident types such as , ransomware, or data breach. Give responders a clear path to follow without having to make every decision under pressure. |
| Documents | Track the handling of evidence from collection through analysis to storage. Essential for any incident that may result in legal proceedings, and must record who handled evidence, when, and why. |
| Ticketing Systems | Provide a central record of all investigation activity. Every action taken, every finding made, and every decision reached should be logged to ensure the investigation has a complete, auditable trail. |
| Asset Inventory | A complete and up-to-date list of all hardware and software within the organization. Without knowing what assets exist, it is impossible to know what has been compromised. |
Technology
The technology layer gives the team the capability to detect threats, investigate incidents, and respond effectively. No single tool covers everything, and most organizations use a combination of solutions depending on their environment and maturity. Some of the core technologies that support incident response include:
| Tool | Purpose |
|---|---|
| Security Information and Event Management () | The central hub of most operations. Collects logs from across the environment, correlates events, and generates alerts when suspicious activity is detected. In this module, the is where the investigation takes place across the upcoming rooms. |
| Endpoint Detection and Response () | Monitors activity on individual devices and can detect, alert on, and in some cases automatically respond to malicious behavior at the endpoint level. |
| Intrusion Detection and Prevention Systems (IDPS) | Monitors network traffic for known attack patterns and anomalous behavior. Detection systems alert on suspicious traffic, while prevention systems can actively block it. |
| Data Loss Prevention () | Monitors and controls the movement of sensitive data within and outside the organization. Can detect and block unauthorized data transfers before exfiltration occurs. |
| Threat Intelligence Platforms | Aggregate and contextualize information about known threats, attacker infrastructure, and malicious indicators. Helps teams understand who they are dealing with and anticipate attacker behavior. |
| Forensic Tools | Support the collection and analysis of evidence during an investigation. Includes disk and memory software, packet-capture tools, and log-analysis utilities. |
These are not the only tools an team may use. The specific technology stack varies between organizations depending on their size, industry, and security maturity. What matters is that the tools are properly configured, actively monitored, and that the team using them is trained to get the most out of them.
Where Nexus Financial Stands
Nexus Financial has a in place, supported by an policy, a communication plan, and a platform for detection. Like many organizations of their size, the Security Analysts also take on responsibilities in addition to their day-to-day roles. How well their people, processes, and technology hold up in practice is something you will assess in the practical task at the end of this room.
What document tracks the handling of evidence from collection through to storage?
The tools discussed in the previous task under the Technology section are only as valuable as the visibility they provide. An organization cannot respond to what it cannot see. Visibility is the ability to observe what is happening across the environment through log collection and monitoring. Detection is the ability to recognize when something observed is malicious. Both are required for effective incident response, and a gap in either one allows attackers to operate unnoticed. A that is not collecting the right logs, an that is not deployed on every endpoint, or an IDPS that is not monitoring critical network segments all create blind spots in the environment. Visibility is what the technology enables, and without it, the team is working without evidence.
Visibility Through Log Management
Every device, system, and application within an organization generates log data. Collecting these logs into a centralized platform, such as a , provides the team with a single source of truth for investigations. Logs must be enabled, collected, and protected from modification once recorded.
The value of logs in an context is significant. They provide a factual record of who accessed what, when, and from where. They enable the team to reconstruct the attack timeline, identify affected systems, and confirm the root cause of a breach.
Types of Log Entries
- Event log: Records observable occurrences within a system, such as login attempts, application activity, and network connections.
- Audit log: Records a sequential history of actions taken within a system. Captures who performed an action, what the action was, and how the system responded. Split into success and failure categories; essential for investigations involving account activity and data access.
- Error log: Records system failures such as a crashed service or an application error.
- Debug log: Records detailed diagnostic information used during testing and troubleshooting.
Types of Log Sources
- Network logs: Come from routers, switches, and firewalls and record traffic flows and connection attempts.
- Host perimeter logs: Come from proxies, servers, and boundary firewalls and capture what traffic enters and leaves the environment.
- System logs: Come from the operating systems on servers and workstations and include login events, process execution, and configuration changes.
- Application logs: Come from business applications, cloud platforms, and databases. In cloud-based environments such as Microsoft 365, logs from Exchange Online, SharePoint, and Entra ID are among the most valuable sources for investigating identity-based attacks.
Detection Gaps
Having logs available is not the same as having detection. A detection gap exists when logs are collected, but no alerting rules or monitoring are in place to flag suspicious activity. An organization with a detection gap may have all the evidence needed to investigate an incident, but will not know the incident is happening until long after the damage is done.
In this module, the Nexus Financial incident serves as a case study of what happens when detection gaps exist. The attacker carried out a sequence of activities that were all recorded in the logs but went unnoticed because no detection rules were configured to alert on them. The full picture only emerged during the investigation itself.
What type of log records who performed an action, what the action was, and how the system responded?
What technology provides a centralized platform for collecting and analyzing logs across an organization's infrastructure?
What term describes the situation where logs are collected but no alerting rules exist to flag suspicious activity?
Set up your virtual environment
Nexus Financial uses Microsoft 365 for email, file storage, and collaboration, and Entra ID as its identity and access management platform. All employee accounts are managed through Entra ID, and all email, SharePoint, and Teams activity runs through Microsoft 365.
Start the lab by clicking the Start Lab Machine button below. The machine will load in Split View within a few minutes. If it does not appear, click the blue Show Split View button at the top right of the page.
Once the has loaded, open the Nexus folder on the Desktop. This folder contains a selection of Nexus Financial's preparation documents. In reality, an organization would have significantly more documentation, tooling, and processes in place. What is provided here is the material directly relevant to the incident you will be investigating throughout this module. You are only required to review these documents and answer the questions based on their contents.
The documents in the folder are:
Asset_InventoryIR_PolicyCommunication_PlanPentest_Report_2025Historic_Incidents
Once you have reviewed the documents, check the local security policies on this workstation (Part of Nexus Financial's Asset Inventory). On the lab machine, open the run dialogue, type secpol.msc, and press Enter. This opens the Local Security Policy. Navigate to the Policies under Security Settings, then review them.
Use the documents and the local security settings to answer the questions below.
According to the asset inventory, what is the IP address of the mail server?
According to the pentest report, what authentication control is flagged as missing on standard user accounts?
According to the pentest report, how many high-severity findings were identified?
According to the historic incidents log, what type of attack was recorded in NXF-INC-001?
What is the minimum password length configured on this workstation?
What is the audit setting configured for Audit account logon events?
The Preparation phase happens before the incident. It rarely gets credit when things go well, and it is easy to deprioritize when there are more pressing operational demands. But the Nexus Financial documents you reviewed in this room tell a familiar story: an organization that had some foundations in place but left critical gaps unaddressed.
Missing on standard user accounts. No email authentication controls on the domain. A previous incident closed without fixing the root cause. These are not unusual findings. They appear in organizations of every size and industry. What makes them significant is the chain of consequences they create. One unaddressed finding in a pentest report becomes the initial access vector in the next incident. One previous incident closed without a root cause fix leaves the same door open for the next attacker.
In the next room, Detection and Analysis (coming soon!), the incident has already happened. An anomalous sign-in alert has been raised. Your job is to take that single alert and work outward, identifying the compromised account, tracing the attack back to its origin, and scoping how far the damage has spread. Everything you need to understand why this happened is in this room. Everything you need to find out what happened is in the next one.
Great work! You are now ready for the next room: Detection and Analysis (coming soon!).
Ready to learn Cyber Security?
TryHackMe provides free online cyber security training to secure jobs & upskill through a fun, interactive learning environment.
Already have an account? Log in