Incident Response Simulator

CompTIA A+ Core 2 | House of Shield Training

The Incident Response Process

The incident response process is a structured approach to handling security incidents. Following these six phases ensures that incidents are managed effectively, that damage is minimized, and that the organization has an opportunity to learn from each one.

CompTIA A+ Exam Focus

Know the six phases in order and understand the key actions for each phase. First responder actions (identify, report, preserve evidence, document) are critical for the exam.

Phase 1: Preparation
Establish policies, procedures, and tools before an incident occurs. This proactive phase sets the foundation for effective incident response.
Key Actions:
  • Create incident response plan and policies
  • Establish incident response team
  • Deploy monitoring and detection tools
  • Conduct security awareness training
  • Prepare jump bags and forensic tools
  • Document contact information and escalation procedures

Phase 2: Identification
Detect and determine if a security incident has occurred. Analyze alerts and determine the scope and severity of the incident.
Key Actions:
  • Monitor alerts from security tools (SIEM, IDS/IPS, antivirus)
  • Verify the incident is genuine (not false positive)
  • Determine incident type and severity
  • Document initial findings and timeline
  • Begin evidence preservation immediately
  • Notify appropriate personnel

Phase 3: Containment
Limit the damage and prevent the incident from spreading. Short-term containment stops the bleeding; long-term containment enables recovery.
Key Actions:
  • Isolate affected systems from network
  • Disable compromised user accounts
  • Block malicious IP addresses or domains
  • Preserve evidence during containment
  • Implement temporary fixes or workarounds
  • Continue monitoring for lateral movement

Phase 4: Eradication
Remove the threat from the environment. Eliminate malware, close vulnerabilities, and ensure the attacker no longer has access.
Key Actions:
  • Remove malware and malicious tools
  • Delete unauthorized accounts or backdoors
  • Patch vulnerabilities that were exploited
  • Reset compromised passwords
  • Review and harden security configurations
  • Verify complete removal of threat

Phase 5: Recovery
Restore systems to normal operation and verify that systems are functioning properly without signs of compromise.
Key Actions:
  • Restore systems from clean backups
  • Rebuild compromised systems from scratch
  • Gradually return systems to production
  • Enhance monitoring for signs of persistence
  • Verify business operations are normal
  • Communicate restoration status to stakeholders

Phase 6: Lessons Learned
Conduct a post-incident review to improve future response. Document what happened, what worked, and what needs improvement.
Key Actions:
  • Hold post-incident review meeting
  • Document complete incident timeline
  • Identify what was done well and poorly
  • Update policies and procedures
  • Implement preventive measures
  • Provide additional training if needed

First Responder Actions

As a first responder, your initial actions are critical. You may not be a forensics expert, but you play a vital role in preserving evidence and containing damage.

Critical: Do Not Contaminate Evidence

Never make changes to a compromised system that could destroy evidence. Document everything you do and minimize your interaction with the affected system.

Essential First Responder Steps:

  1. Identify the incident: Verify something abnormal has occurred
  2. Report immediately: Notify your supervisor and IT security team
  3. Preserve evidence: Don't turn off systems (unless instructed), don't delete files, minimize interaction
  4. Document everything: Take photos, notes, screenshots with timestamps
  5. Isolate if possible: Disconnect network cable (not power) to prevent spread
  6. Secure the area: Prevent unauthorized access to affected systems
  7. Wait for experts: Let forensics team take over when they arrive

Chain of Custody

Chain of custody is the documented process of who collected evidence, when it was collected, how it was handled, and who had access to it. This documentation is critical for legal proceedings.

What to Document:
  • Date and time of collection
  • Who collected the evidence
  • Description of evidence
  • Location where found
  • Serial numbers/identifiers
Transfer Documentation:
  • Who received the evidence
  • Date and time of transfer
  • Purpose of transfer
  • Signatures of both parties
  • Condition of evidence
Storage Requirements:
  • Secure storage location
  • Limited access controls
  • Environmental protection
  • Tamper-evident containers
  • Access logs maintained
Common Incident Types

Malware Infection (High Priority)

Virus, worm, trojan, or other malicious software affecting systems. Requires isolation, analysis, and removal.

Data Breach (Critical)

Unauthorized access to sensitive data. May have legal reporting requirements and notification obligations.

Phishing Success (High Priority)

Employee fell for phishing attack and provided credentials or clicked malicious link. Requires immediate credential reset.

Ransomware Attack (Critical)

Files encrypted with ransom demand. Do not pay ransom. Isolate systems, identify variant, restore from backups.

Unauthorized Access (High Priority)

Someone accessed systems without authorization. Review logs, determine scope, revoke access, investigate how it occurred.

Physical Security Breach (Medium Priority)

Unauthorized physical access to facility or equipment. Check for tampering, review access logs and camera footage.

Evidence Collection Exercise

Scenario: you have discovered a compromised workstation and must decide which evidence items to collect and document during your investigation.

Order of Volatility

Collect evidence from most volatile to least volatile: CPU cache/registers → RAM → Swap files → Hard disk → Logs → Backups. Volatile data is lost when power is removed.

Documentation Best Practices
  • Timestamp everything: Record exact date and time for all actions
  • Take photographs: Visual evidence of physical state, screen contents, connections
  • Screenshot displays: Capture error messages, unusual activity, system states
  • Record network connections: Use netstat, document active connections and processes
  • Note physical observations: LED activity, sounds, smells, physical damage
  • Document user statements: What the user was doing, what they observed
  • Preserve logs: Export system logs, application logs, security logs before they rotate
  • Create disk images: Use write blockers, calculate hash values for integrity
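As an added example (not part of the training page), the Python below keeps a chain-of-custody record with the collection, transfer and storage fields listed under Chain of Custody, hashes the image at acquisition as the documentation practice above recommends, and checks that the chain has no custody gaps, no unsigned hand-overs and an unchanged image. The item names, timestamps, serial number and image bytes are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class Transfer:
    released_by: str   # who handed the item over
    received_by: str   # who took possession
    when: str          # date and time of transfer
    purpose: str       # why custody changed, e.g. "imaging in the lab"
    condition: str     # state of the item and its seal at hand-over
    signed_by: tuple   # sign-off of both parties (names stand in for signatures)

@dataclass
class EvidenceItem:
    item_id: str
    description: str
    location_found: str
    identifier: str    # serial number or other unique identifier
    collected_by: str
    collected_at: str
    sha256: str        # hash of the acquired image, taken at collection
    transfers: list = field(default_factory=list)

def collect(item_id, description, location, identifier, collector, when, image: bytes):
    """Open the record and hash the acquired image at once, so any later change is detectable."""
    digest = hashlib.sha256(image).hexdigest()
    return EvidenceItem(item_id, description, location, identifier, collector, when, digest)

def transfer(item, released_by, received_by, when, purpose, condition, signatures=None):
    """Append a hand-over record; unless overridden, both parties sign."""
    item.transfers.append(Transfer(released_by, received_by, when, purpose, condition,
                                   signatures or (released_by, received_by)))

def verify_chain(item: EvidenceItem, current_image: bytes) -> list:
    """Return the problems found; an empty list means an unbroken chain and an unchanged image."""
    problems = []
    if hashlib.sha256(current_image).hexdigest() != item.sha256:
        problems.append("hash mismatch: image no longer matches the acquisition hash")
    custodian = item.collected_by
    for t in item.transfers:
        if t.released_by != custodian:
            problems.append(f"custody gap: {t.released_by} released an item held by {custodian}")
        if set(t.signed_by) != {t.released_by, t.received_by}:
            problems.append(f"missing signature on transfer {t.released_by} -> {t.received_by}")
        custodian = t.received_by
    return problems

# Constructed walk-through (not a real acquisition): responder images the disk, then hands it over.
ITEM = collect("EV-001", "Workstation SSD image", "Desk 14", "SN-PLACEHOLDER",
               "J. Doe", "2024-01-01T09:00Z", b"constructed image bytes")
transfer(ITEM, "J. Doe", "Forensics lab", "2024-01-01T10:30Z", "analysis", "sealed bag, seal intact")
```

Running verify_chain on the stored image before analysis, and again after, shows whether the evidence can still be tied to what the first responder collected.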

Incident Communication Procedures

Knowing who to contact and when is critical during an incident. The proper communication chain and notification procedures depend on the type of incident.

Never Delay Reporting

When in doubt, report up. Over-reporting is better than under-reporting. Many incidents have legal notification timeframes (e.g., GDPR requires breach notification within 72 hours).

General Communication Guidelines

Internal Stakeholders

  • Immediate supervisor
  • IT Security team
  • IT Management
  • Affected department heads
  • Executive leadership (for major incidents)
  • Legal department
  • HR (for insider threats)

External Parties

  • Law enforcement (for crimes)
  • Regulatory bodies (compliance)
  • Affected customers/partners
  • Cyber insurance provider
  • External forensics consultants
  • Public relations (media)
  • Credit monitoring services

Communication Tips

  • Use secure channels only
  • Don't use compromised systems
  • Stick to facts, avoid speculation
  • Document all communications
  • Follow template procedures
  • Maintain confidentiality
  • Update stakeholders regularly