Response and Recovery

The attacker is inside the Nexus Financial environment. The Detection and Analysis phase confirmed the compromise, identified the affected accounts, and mapped the initial attack chain. This room covers Response and Recovery, the phase where the IR team transitions from understanding the incident to actively resolving it. In NIST SP 800-61r2 terms, this maps to the Containment, Eradication, and Recovery phase.

Learning Objectives

• Understand Response and Recovery and its place in the NIST SP 800-61r2 framework
• Learn the difference between containment strategies and when to apply each
• Understand how MITRE ATT&CK maps to attacker behavior and informs containment decisions
• Understand what eradication and recovery involve in the current Microsoft 365 incident
• Use Splunk to analyze attacker post-compromise activity and identify what needs to be contained and eradicated

Prerequisites

Although this room can be completed as a standalone, it is highly recommended to complete the following rooms before starting this one:

• Preparation
• Detection and Analysis

Familiarity with Splunk SPL queries is required for the practical tasks. It is also recommended to complete the Microsoft 365 for the SOC module before starting this room.

Module Chain

This module follows a single security incident at Nexus Financial from start to finish across four rooms:

Note: This is Room 3 of 4 in the Incident Response module. All four rooms follow the same incident at Nexus Financial.