
Lab 3: Incident Response Simulation

Difficulty: ⭐⭐⭐ Advanced
Duration: 90–120 minutes
Chapter Reference: Chapter 9 — Incident Response Lifecycle
Nexus SecOps Controls: Nexus SecOps-061, Nexus SecOps-062, Nexus SecOps-063, Nexus SecOps-064, Nexus SecOps-065, Nexus SecOps-068, Nexus SecOps-070


Learning Objectives

By completing this lab, you will be able to:

  1. Apply the PICERL incident response lifecycle to a realistic scenario
  2. Make time-pressured containment decisions with incomplete information
  3. Manage stakeholder communication during an active incident
  4. Conduct a structured post-incident review
  5. Identify control gaps revealed during an incident

Format

This lab uses a tabletop simulation format. Eight sequential injects are presented in order. For each inject:

  1. Read the inject (new information arriving during the incident)
  2. Write your immediate decisions and actions before reading the next inject
  3. Document your reasoning

Rules:

  • Work through injects in order — do not read ahead
  • Time pressure is simulated: you have a 10-minute "budget" per inject to decide
  • Document decisions as if you are writing them in an incident ticket in real time

Your role: Incident Commander, Meridian Financial Services SOC
Incident start: 14:37 UTC on a Tuesday


Inject 0: Initial Alert

14:37 UTC — You receive a CRIT page:

[SIEM ALERT — CRITICAL]
Rule: Ransomware Behavior Detected
Host: FINANCE-WS-042
User: mlopez
Detail: Mass file rename detected — 847 files renamed to .encrypted extension in 4 minutes
Parent process: explorer.exe → cmd.exe → cryptor.exe
Alert time: 14:37 UTC

Before continuing, document:

  1. What is your immediate action in the next 60 seconds?
  2. What assumptions are you making that need to be validated?
  3. Who do you contact first?

Inject 1: First Scope Information

14:40 UTC — You query the SIEM. Results arrive:

Query: host:FINANCE-WS-042 last 2h

14:01 UTC — DNS query: c2.badactor.net (resolved: 185.220.x.x)
14:05 UTC — HTTP connection: 185.220.x.x:443 (2.1 MB outbound)
14:15 UTC — PowerShell: -EncodedCommand [long base64]
14:22 UTC — Process: cryptor.exe spawned
14:37 UTC — File renames begin (847 and counting)

Query: user:mlopez last 24h (all hosts)

14:09 UTC — Outlook: email to personal.gmail.com (22MB attachment)
08:45 UTC — VPN login from 192.168.1.x (normal — office IP)

EDR status query for FINANCE-WS-042: Host online. Last check-in: 14:38 UTC

Before continuing, document:

  1. What does this timeline tell you about the attack sequence?
  2. At what point did the attack begin (based on evidence so far)?
  3. What is your containment decision for FINANCE-WS-042?
  4. Do you have enough information to isolate the host, or do you need more?

Inject 2: Scope Expansion

14:44 UTC — Network team runs a query. Results:

Active SMB connections FROM FINANCE-WS-042:

  • FINANCE-WS-043 (Admin$) — connection established 14:39 UTC
  • FINANCE-WS-044 (Admin$) — connection established 14:40 UTC
  • FILESVR01 (share$) — connection established 14:38 UTC

File system activity on FILESVR01 (last 5 min):

  • 1,240 files renamed to .encrypted (and counting)

14:45 UTC — Analyst reports: FINANCE-WS-043 is now generating file rename alerts.

Before continuing, document:

  1. How does this change your containment strategy?
  2. What is your priority order for containing hosts?
  3. What network action do you take immediately?
  4. Who needs to know about FILESVR01?

Inject 3: Leadership Call

14:47 UTC — Your CISO calls. She has 3 minutes and wants answers:

"What's happening? How many systems? Are we losing data? Do I need to call legal?"

Before continuing, document your verbal response (write it out):

  • Current situation (1 sentence)
  • Known scope (hosts affected)
  • What you've done so far
  • What you're doing right now
  • What you need from her (decisions, resources)
  • Your honest uncertainty: what you don't know yet

14:50 UTC — CISO decision: "Authorize complete network isolation of the FINANCE subnet. Notify legal now. You have my authority to take any containment action needed."


Inject 4: Forensics Decision

14:55 UTC — Tier 2 analyst comes to you with a choice:

"I can do one of these right now:

  A) Take a memory dump of FINANCE-WS-042 before we isolate (takes 8 minutes, host stays on network)
  B) Isolate FINANCE-WS-042 immediately via EDR, start forensics after
  C) Physically pull the network cable (instant, but we lose any network-based artifacts)"

Meanwhile: FINANCE-WS-043 file renames have reached 540. FINANCE-WS-044 not yet affected.

Before continuing, document:

  1. Which option do you choose? Why?
  2. What is the risk of each option?
  3. Does volatility order affect your decision? (memory → disk → network)
  4. What do you do about FINANCE-WS-043 and FINANCE-WS-044 while this happens?

Inject 5: Ransom Note Discovery

15:05 UTC — Responder on-site at the FINANCE floor reports:

"A ransom note appeared on every workstation screen in the finance department. It says: 'Your files are encrypted. Pay 15 BTC to [wallet] within 72 hours or data is published. Contact: ransom@darkmail.cc. Data already exfiltrated.'"

"Also — mlopez says she never clicked anything. She says her computer was acting slow since 14:00 and she reported it to the help desk but no one called her back."

Help desk ticket found: Created 14:03 UTC by mlopez. Category: "slow computer." Closed by HD-agent at 14:20 UTC: "Rebooted remotely. Issue resolved."

Before continuing, document:

  1. What does "data already exfiltrated" change about your response?
  2. What do you do with the help desk ticket information? (this is a process failure — do you investigate it now or later?)
  3. mlopez says she did nothing — do you believe her? What do you do?
  4. Do you pay the ransom? What is your decision framework?

Inject 6: IR Team Deconfliction

15:20 UTC — Third-party IR firm arrives (retained by legal). Lead IR investigator says:

"We need full access to all affected hosts immediately. Don't touch anything else until we've done our forensics. Also, we need copies of all logs for the last 30 days — SIEM, EDR, proxy, email. And we need a list of everyone who has accessed those hosts in the last 90 days."

Your team has already:

  • Isolated FINANCE-WS-042 and FINANCE-WS-044
  • Taken a memory dump of FINANCE-WS-042
  • Begun log collection from SIEM
  • Notified 4 analysts to support containment

Before continuing, document:

  1. How do you hand off to the IR firm while maintaining coordination?
  2. What decisions remain yours vs. theirs?
  3. How do you preserve evidence integrity during the handoff?
  4. What log data can you provide immediately vs. what needs time to collect?

Inject 7: Regulatory Deadline

15:45 UTC — Legal counsel sends an urgent message:

"We have determined this incident likely involves personal financial data (GDPR applies — EU customer records). GDPR Article 33 requires notification to the supervisory authority within 72 hours of becoming aware of a breach. We became 'aware' at approximately 14:37 when the alert fired. Notification deadline: 14:37 UTC on Friday.

I need from you: (1) scope of affected data, (2) categories of data, (3) approximate number of individuals affected, (4) likely consequences. I need a draft by tomorrow morning."

15:50 UTC — EDR confirms: cryptor.exe was delivered via a phishing email opened by mlopez at 13:58 UTC. The email contained a macro-enabled Excel file disguised as an invoice.

Before continuing, document:

  1. What information can you provide to legal right now?
  2. What information requires more investigation before you can provide it?
  3. Does the phishing email finding change any of your ongoing actions?
  4. Write the first three sentences of the GDPR notification draft.

Inject 8: Post-Incident Review Setup

It is now 5 days later. Containment is complete. You are preparing for the Post-Incident Review (PIR).

Final incident scope:

  • 3 workstations fully encrypted (FINANCE-WS-042, 043, 044)
  • 1,240 files on FILESVR01 encrypted (restored from backup — 4h recovery)
  • 890MB data exfiltrated (email + C2 channel)
  • Total downtime: FINANCE department, ~6 hours
  • GDPR notification: Filed (18 hours after detection)
  • Ransom: Not paid

Before completing the lab, write your PIR framework:

  1. Timeline reconstruction — list the 6 most critical events (with approximate times) in chronological order
  2. What went well — identify 3 things the team did right
  3. What went wrong — identify 3 failures or gaps
  4. Root cause analysis — what was the root cause of the initial compromise?
  5. Control gaps identified — list 3 Nexus SecOps control areas that this incident revealed as gaps
  6. Recommendations — for each gap, write one specific recommendation with an owner and 90-day deadline

Answer Key

Complete all 8 injects before reading the answer key.

Inject 0 — Immediate Actions

  1. First 60 seconds:
     • Acknowledge the alert in SIEM/SOAR
     • Do NOT immediately isolate (you need 2 minutes of context first)
     • Begin log query: what happened on this host in the last 2 hours?
     • Notify shift lead immediately — this is CRIT, requires escalation within 15 minutes
     • Assign incident number and open ticket

  2. Assumptions to validate: Is this real encryption or a test? Is the host online? What is the business criticality of this host and user? What data is on this workstation?

  3. First contact: Shift lead. Then Tier 2 on-call analyst. Then (if confirmed): CISO notification chain.


Inject 1 — Timeline Analysis

Attack sequence (reconstruction):

  • ~13:58 (inferred): Phishing email opened, payload delivered
  • 14:01: C2 beacon (DNS)
  • 14:05: Initial data exfil (2.1 MB via C2)
  • 14:09: Email exfiltration (22MB to personal Gmail)
  • 14:15: PowerShell payload (likely credential dumping or lateral movement prep)
  • 14:22: Ransomware dropper executed
  • 14:37: Mass file encryption begins (detected)

Attack began: At least 14:01 (C2 DNS), likely 13:58 (initial compromise).

MTTD from first C2 to detection: ~36 minutes.

Containment decision: Isolate FINANCE-WS-042 now. The host is actively encrypting and has already exfiltrated data. Staying connected provides no benefit; further delay increases harm.
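The timeline reconstruction and the two gaps the answer key cites (first C2 to detection, unused help desk warning to detection) can be computed rather than eyeballed. This is an added example, not part of the lab; the event lines are constructed from the Inject 1 SIEM results and the Inject 5 help desk ticket, and the phase keywords and anchor date are assumptions.

```python
"""Inject 1 timeline reconstruction and detection-gap measurement.
Added example, not part of the lab. Event lines are constructed from the
Inject 1 SIEM results and the Inject 5 help desk ticket; the phase
keywords and the anchor date are assumptions."""
import re
from datetime import datetime

# Constructed from the lab text, in the unsorted order a SIEM might return.
RAW_EVENTS = [
    "14:37 UTC - File renames begin (847 and counting)",
    "14:22 UTC - Process: cryptor.exe spawned",
    "14:15 UTC - PowerShell: -EncodedCommand [long base64]",
    "14:09 UTC - Outlook: email to personal.gmail.com (22MB attachment)",
    "14:05 UTC - HTTP connection: 185.220.x.x:443 (2.1 MB outbound)",
    "14:03 UTC - Help desk ticket created: slow computer",
    "14:01 UTC - DNS query: c2.badactor.net (resolved: 185.220.x.x)",
    "08:45 UTC - VPN login from 192.168.1.x (normal - office IP)",
]
ANCHOR_DATE = "2024-01-02"  # assumed Tuesday, only to make times comparable
LINE_RE = re.compile(r"^(\d{2}:\d{2}) UTC - (.*)$")
# Keyword -> attack phase; first match wins (assumption standing in for rule IDs).
PHASES = [("outbound", "exfil"), ("personal.gmail", "exfil"),
          ("c2.badactor.net", "c2"), ("185.220", "c2"),
          ("EncodedCommand", "execution"), ("cryptor.exe", "dropper"),
          ("File renames", "impact"), ("Help desk", "user_report")]

def parse_event(line):
    """Return (datetime, phase, text); 'benign' when no keyword matches."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    when = datetime.strptime(f"{ANCHOR_DATE} {m.group(1)}", "%Y-%m-%d %H:%M")
    phase = next((p for kw, p in PHASES if kw in m.group(2)), "benign")
    return when, phase, m.group(2)

def build_timeline(raw_events):
    """Events sorted chronologically: the reconstruction the answer key asks for."""
    return sorted((parse_event(l) for l in raw_events), key=lambda e: e[0])

def gap_minutes(timeline, start_phase, end_phase):
    """Minutes from the first start_phase event to the first end_phase event."""
    start = next(e[0] for e in timeline if e[1] == start_phase)
    end = next(e[0] for e in timeline if e[1] == end_phase)
    return int((end - start).total_seconds() // 60)

def attack_phases(timeline):
    """Distinct non-benign phases in order of first appearance."""
    seen = []
    for _, phase, _ in timeline:
        if phase != "benign" and phase not in seen:
            seen.append(phase)
    return seen
```

`gap_minutes(tl, "c2", "impact")` gives the 36-minute MTTD and `gap_minutes(tl, "user_report", "impact")` the 34-minute early warning the PIR section later flags.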


Inject 2 — Scope Expansion

Containment strategy change: You now have an active ransomware spreading event. Priorities:

  1. Isolate FINANCE-WS-042 immediately (source of lateral movement)
  2. Isolate FILESVR01 at the network level (actively encrypting — most valuable target)
  3. Isolate FINANCE-WS-043 (actively compromised)
  4. Preemptively isolate FINANCE-WS-044 (connected from source host)

Network action: Request firewall/NAC block on the entire FINANCE-WS subnet from the file servers. One host is a threat to the entire subnet.

FILESVR01 notification: IT Operations manager, data owner for finance data, backup team (begin verifying backup integrity now).


Inject 3 — CISO Communication

Sample response:

"We have an active ransomware incident. Currently confirmed: 3 workstations and 1 file server are affected. We've isolated 2 hosts and are isolating the others now. Evidence shows data was exfiltrated before encryption started — approximately 22MB via email and 2.1MB via an external server. We need legal involved immediately because of the data exfiltration. What I need from you: authority to isolate the entire FINANCE subnet, and approval to pull in external IR support. What I don't know yet: total scope of affected data, patient zero cause, and whether other departments are at risk."


Inject 4 — Forensics Decision

Correct choice: B — Isolate immediately via EDR.

Reasoning:

  • Memory dump takes 8 minutes. In 8 minutes: more files encrypted on WS-042, lateral movement to more hosts, more data exfiltrated. The risk of delay exceeds the forensic value of a live memory dump.
  • You can still do memory acquisition after EDR isolation — the host is quarantined, not wiped.
  • Option C (physical cable pull) loses network-based artifacts and may corrupt open file handles.

Volatility order (for post-isolation forensics): Memory → Running processes → Network state → Disk. After EDR isolation, RAM is still available for memory acquisition.

WS-043/WS-044 during this time: Isolate WS-043 immediately (already encrypting). WS-044: isolate preemptively.


Inject 5 — Ransom Note

"Data already exfiltrated" implications:

  • This is now a data breach, not just a ransomware event
  • Regulatory notification timelines are now triggered (GDPR 72h, etc.)
  • Do NOT underestimate this claim — the 14:09 email exfil already confirmed it
  • Legal team must be notified immediately that breach notification may be required

Help desk ticket: Document it now as a process failure observation; investigate it during PIR, not during active response. The priority is containment.

mlopez credibility: The help desk ticket corroborates her timeline (slow computer at 14:03, consistent with malware delivery at ~13:58). She is likely a victim, not an insider threat. However: verify her accounts for unauthorized access, disable external email sending for her account.

Ransom payment decision:

  • Company policy should dictate this (not the incident commander)
  • Default: Do not pay — paying funds criminal enterprise, does not guarantee decryption, may violate OFAC regulations
  • Check: Do we have clean backups? → If yes, DO NOT pay
  • Escalate: This decision must go to legal, CISO, and CEO — not the SOC


Inject 6 — IR Firm Handoff

Coordination model:

  • Incident Commander (you) retains command authority — the IR firm advises and executes forensics
  • Set up a unified command channel (dedicated Slack/Teams channel or bridge call)
  • Brief IR firm lead on current state, actions taken, evidence collected
  • Provide evidence chain-of-custody log for all artifacts already collected
  • IR firm takes ownership of forensic investigation; you retain containment and recovery decisions

Your decisions vs. theirs:

  • Yours: Containment actions, business recovery, stakeholder communication
  • Theirs: Forensic methodology, evidence collection, root cause attribution

Evidence integrity: Transfer using signed hash (SHA-256 of all files), document chain of custody, provide access logs to affected systems.

Log data available immediately: SIEM exports (minutes), EDR telemetry (minutes to hours)

Log data requiring time: 30-day proxy logs (storage retrieval), email logs, 90-day access logs (may require storage archive access)
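The "signed hash" handoff above is a manifest problem: hash each artifact, sign the manifest, and re-verify on the receiving side. This is an added example, not part of the lab; the artifacts are constructed stand-ins in a temporary directory, and the manifest layout, the HMAC-SHA256 "signature" (standing in for whatever signing mechanism the organisation uses), the incident ID and the collector name are assumptions.

```python
"""Evidence handoff manifest: SHA-256 per artifact plus a signed body, re-verified after transfer.
Added example, not part of the lab. Artifacts are constructed stand-ins in a temporary
directory; the manifest layout, the HMAC-SHA256 "signature" (standing in for the
organisation's signing mechanism), incident ID and collector name are assumptions."""
import hashlib, hmac, json, os, tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Stream the file so multi-GB memory dumps do not have to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(paths, collector, signing_key):
    """Hash every artifact, then sign the whole manifest body."""
    body = {"incident": "INC-PLACEHOLDER", "collector": collector,
            "artifacts": [{"name": os.path.basename(p), "size": os.path.getsize(p),
                           "sha256": sha256_file(p)} for p in sorted(paths)]}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"body": body,
            "hmac_sha256": hmac.new(signing_key, payload, hashlib.sha256).hexdigest()}

def verify_manifest(manifest, paths, signing_key):
    """Return a list of problems; an empty list means the handoff is intact."""
    problems = []
    payload = json.dumps(manifest["body"], sort_keys=True).encode()
    expected = hmac.new(signing_key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac_sha256"]):
        problems.append("manifest signature mismatch")
    on_disk = {os.path.basename(p): p for p in paths}
    for entry in manifest["body"]["artifacts"]:
        path = on_disk.get(entry["name"])
        if path is None:
            problems.append(f"missing artifact {entry['name']}")
        elif sha256_file(path) != entry["sha256"]:
            problems.append(f"hash mismatch for {entry['name']}")
    return problems

def demo():
    """Build a manifest, verify it, then tamper one artifact and verify again."""
    key = b"constructed-demo-key-not-for-production"
    with tempfile.TemporaryDirectory() as d:
        mem, siem = os.path.join(d, "FINANCE-WS-042.mem"), os.path.join(d, "siem_export.csv")
        Path(mem).write_bytes(b"\x00" * 4096)  # constructed stand-in for the memory dump
        Path(siem).write_text("14:37 UTC,FINANCE-WS-042,Ransomware Behavior Detected\n")
        manifest = build_manifest([mem, siem], "tier2-analyst", key)
        clean = verify_manifest(manifest, [mem, siem], key)
        Path(mem).write_bytes(Path(mem).read_bytes() + b"tampered")  # post-handoff change
        tampered = verify_manifest(manifest, [mem, siem], key)
    return clean, tampered
```

The body is serialised with sorted keys before signing so that both sides compute the HMAC over byte-identical JSON.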


Inject 7 — Regulatory Deadline

Information available now:

  • Type of breach: Ransomware with data exfiltration
  • Timing: First known at 14:37 UTC (detection)
  • Data categories: Financial data, personal data (EU customer records)
  • Known exfiltration: 22MB email to personal Gmail, 2.1MB via C2
  • Notification deadline: 72h from 14:37 UTC = Friday 14:37 UTC

Information requiring more investigation:

  • Exact number of individuals affected (requires data classification of encrypted/exfiltrated files)
  • Specific data fields (PII, financial identifiers)
  • Whether exfiltrated data included EU residents' data

Phishing finding changes:

  • Determine who else received the same phishing email → check email gateway for delivery to other mailboxes
  • Block the sender domain/IP immediately at email gateway
  • Check if the macro-enabled file was forwarded internally

GDPR notification draft opening:

"We are reporting a personal data breach affecting [estimated number] individuals whose data is processed by Meridian Financial Services. On [date] at 14:37 UTC, our security monitoring systems detected ransomware activity on systems processing financial and personal data. Evidence indicates unauthorized access began at approximately 13:58 UTC, during which personal data was exfiltrated prior to encryption."


Inject 8 — PIR Framework

Timeline reconstruction:

  1. ~13:58 — mlopez opens phishing email; macro-enabled Excel delivers payload
  2. 14:01 — First C2 beacon (DNS query to c2.badactor.net)
  3. 14:09 — Data exfiltration via email (22MB to personal Gmail)
  4. 14:37 — Mass file encryption begins; SIEM detects and alerts
  5. 14:38 — Lateral movement to FILESVR01; file encryption spreads
  6. 15:45 — GDPR breach notification obligation confirmed by legal

What went well:

  1. SIEM detected ransomware within 2 minutes of encryption beginning
  2. Containment of primary host achieved within 18 minutes of detection
  3. GDPR notification filed within 18 hours (well within 72h window)

What went wrong:

  1. Help desk closed mlopez's "slow computer" ticket without investigation — missed a 34-minute early warning
  2. No DLP rule on email gateway for large external email attachments (22MB exfil went undetected)
  3. Flat FINANCE subnet allowed lateral movement from one workstation to file server (no microsegmentation)

Root cause: Phishing email bypassed email security (macro-enabled Excel not blocked). Social engineering of user.

Nexus SecOps control gaps:

  1. Nexus SecOps-085 (DLP) — No email DLP alert triggered on 22MB external send
  2. Nexus SecOps-021 (Log correlation) — Help desk tickets not correlated with SIEM alerts; mlopez's ticket should have auto-triggered an alert check
  3. Nexus SecOps-116 (Network segmentation) — Finance workstations had direct SMB access to file servers

Recommendations:

  1. DLP Email Gateway — Deploy DLP rule: Alert on attachments >10MB to non-corporate domains. Owner: IT Security. Deadline: 30 days.
  2. Help Desk SIEM Integration — Auto-query SIEM when help desk tickets categorized "slow computer" or "malware" are created. Owner: SOC Manager + IT Manager. Deadline: 60 days.
  3. Finance Network Segmentation — Implement VLAN isolation for FINANCE-WS subnet with firewall rule: deny direct SMB from workstations to file servers; require jump server. Owner: Network Engineering. Deadline: 90 days.
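Recommendation 1 is concrete enough to express as detection logic and test against the incident's own 22MB event. This is an added example, not part of the lab or any real gateway's rule syntax; the key=value log format, the corporate domain meridian.example and the sample lines are constructed assumptions.

```python
"""Email DLP rule from the PIR recommendation: alert on attachments over 10 MB
sent to non-corporate domains, run over constructed gateway log lines.
Added example, not part of the lab. The log format, the corporate domain
meridian.example and the sample lines are assumptions; the 22MB event mirrors
the 14:09 UTC exfiltration in Inject 1."""
import re

CORPORATE_DOMAINS = {"meridian.example"}  # assumed; add trusted subsidiaries here
THRESHOLD_BYTES = 10 * 1024 * 1024          # ">10MB" from the recommendation

# Constructed gateway log: key=value pairs, recipients separated by ';'.
GATEWAY_LOG = """\
ts=14:02 sender=jdoe@meridian.example rcpt=payroll@meridian.example attach_bytes=15728640 subject=Q4_payroll
ts=14:09 sender=mlopez@meridian.example rcpt=m.lopez.home@gmail.com attach_bytes=23068672 subject=backup
ts=14:11 sender=akim@meridian.example rcpt=vendor@supplier.example attach_bytes=2097152 subject=invoice
ts=14:12 sender=akim@meridian.example rcpt=team@hr.meridian.example;ceo@meridian.example attach_bytes=12582912 subject=deck
ts=14:13 sender=rng@meridian.example rcpt=team@hr.meridian.example;press@news.example attach_bytes=10485761 subject=deck
"""
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Turn one log line into a dict; attach_bytes becomes int, rcpt a list."""
    fields = dict(KV_RE.findall(line))
    fields["attach_bytes"] = int(fields.get("attach_bytes", 0))
    fields["rcpt"] = fields.get("rcpt", "").split(";")
    return fields

def is_corporate(address):
    """True if the recipient domain is a corporate domain or a subdomain of one."""
    domain = address.rsplit("@", 1)[-1].lower()
    return any(domain == d or domain.endswith("." + d) for d in CORPORATE_DOMAINS)

def evaluate(log_text):
    """One alert per message exceeding the threshold to at least one external recipient."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        external = [r for r in ev["rcpt"] if not is_corporate(r)]
        if external and ev["attach_bytes"] > THRESHOLD_BYTES:
            alerts.append({"ts": ev["ts"], "sender": ev["sender"],
                           "external_rcpt": external, "attach_bytes": ev["attach_bytes"]})
    return alerts
```

Large internal sends and sends to corporate subdomains stay silent; a mixed internal/external recipient list still alerts, since one external recipient is enough to leak the attachment.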


Scoring

Criteria Points
Inject 0: Correct immediate actions (acknowledge, query, notify) 10 pts
Inject 1: Accurate timeline reconstruction and containment decision 10 pts
Inject 2: Correct priority order and network action 10 pts
Inject 3: Clear, complete CISO briefing covering all 5 elements 10 pts
Inject 4: Correct forensics decision with reasoning 10 pts
Inject 5: Identified breach notification trigger; correct ransom decision 10 pts
Inject 6: Clear IR firm handoff with evidence integrity steps 10 pts
Inject 7: Correct regulatory analysis and notification draft 10 pts
Inject 8: PIR covers all 6 elements with specific, actionable recommendations 20 pts
Total 100 pts

Score ≥ 80: Ready for incident commander responsibilities
Score 60–79: Review Chapter 7 IR lifecycle; focus on decision-making under uncertainty
Score < 60: Shadow an experienced IR lead on tabletop exercises before operational work


Lab 3 complete. Proceed to Lab 4: SOAR Safety Checks