Name: Jhella Mae H. Malapote
Program: BS Information Technology
Course: ITC 304 - 302I
Professor: Dr. Richard N. Monreal
Term: Finals
Lab - Incident Handling
Objectives
Apply your knowledge of security incident handling procedures to formulate questions about given incident
scenarios.
Background / Scenario
Computer security incident response has become a vital part of any organization. The process for handling a
security incident can be complicated and involve many different groups. An organization must have standards
for responding to incidents in the form of policies, procedures, and checklists. To properly respond to a
security incident, the security analyst must be trained to understand what to do and must also follow all of the
guidelines outlined by the organization. There are many resources available to help organizations create and
maintain a computer incident response handling policy. The NIST Special Publication 800-61r2 is specifically
cited in the Understanding Cisco Cybersecurity Operations Fundamentals (200-201 CBROPS) exam topics.
Instructions
Scenario 1: Worm and Distributed Denial of Service (DDoS) Agent Infestation
Study the following scenario and discuss and determine the incident response handling questions that should
be asked at each stage of the incident response process. Consider the details of the organization and the
CSIRC when formulating your questions.
This scenario is about a small, family-owned investment firm. The organization has only one location and fewer
than 100 employees. On a Tuesday morning, a new worm is released; it spreads itself through removable
media, and it can copy itself to open Windows shares. When the worm infects a host, it installs a DDoS agent.
It was several hours after the worm started to spread before antivirus signatures became available. The
organization had already incurred widespread infections.
The investment firm has hired a small team of security experts who often use the diamond model of security
incident handling.
Preparation:
Answers will vary especially based upon the cybersecurity operation team. Examples:
Would the organization consider this activity to be an incident? If so, which of the organization’s policies
does this activity violate?
What measures are in place to attempt to prevent this type of incident from re-occurring, or to limit its
impact?
2018 - 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 1 of 3 www.netacad.com
Detection and Analysis:
Answers will vary especially based upon the cybersecurity operation team. Examples:
What precursors of the incident, if any, might the organization detect? Would any precursors cause the
organization to take action before the incident occurred?
What indicators of the incident might the organization detect? Which indicators would cause someone
to think that an incident might have occurred?
What additional tools might be needed to detect this particular incident?
How would the team prioritize the handling of this incident?
Containment, Eradication, and Recovery:
Answers will vary especially based upon the cybersecurity operation team. Examples:
What strategy should the organization take to contain the incident? Why is this strategy preferable to
others?
What additional tools might be needed to respond to this particular incident?
Which personnel would be involved in the containment, eradication, and/or recovery processes?
What sources of evidence, if any, should the organization acquire? How would the evidence be
acquired? Where would it be stored? How long should it be retained?
Post-Incident Activity:
Answers will vary based upon the cybersecurity operation team. Examples:
What could be done to prevent similar incidents from occurring in the future?
What could be done to improve detection of similar incidents?
Scenario 2: Unauthorized Access to Payroll Records
Study the following scenario. Discuss and determine the incident response handling questions that should be
asked at each stage of the incident response process. Consider the details of the organization and the CSIRC
when formulating your questions.
This scenario is about a mid-sized hospital with multiple satellite offices and medical services. The
organization has dozens of locations employing more than 5000 employees. Because of the size of the
organization, they have adopted a CSIRC model with distributed incident response teams. They also have a
coordinating team that watches over the security operations team and helps them to communicate with each
other.
On a Wednesday evening, the organization’s physical security team receives a call from a payroll
administrator who saw an unknown person leave her office, run down the hallway, and exit the building. The
administrator had left her workstation unlocked and unattended for only a few minutes. The payroll program is
still logged in and on the main menu, as it was when she left it, but the administrator notices that the mouse
appears to have been moved. The incident response team has been asked to acquire evidence related to the
incident and to determine what actions were performed.
The security teams practice the kill chain model and they understand how to use the VERIS database. For an
extra layer of protection, they have partially outsourced staffing to an MSSP for 24/7 monitoring.
Preparation:
Answers will vary based upon the cybersecurity operation team. Examples:
Would the organization consider this activity to be an incident? If so, which of the organization’s policies
does this activity violate?
What measures are in place to attempt to prevent this type of incident from occurring or to limit its
impact?
Detection and Analysis:
Answers will vary based upon the cybersecurity operation team. Examples:
What precursors of the incident, if any, might the organization detect? Would any precursors cause the
organization to take action before the incident occurred?
What indicators of the incident might the organization detect? Which indicators would cause someone
to think that an incident might have occurred?
What additional tools might be needed to detect this particular incident?
How would the team prioritize the handling of this incident?
Containment, Eradication, and Recovery:
Answers will vary based upon the cybersecurity operation team. Examples:
What strategy should the organization take to contain the incident? Why is this strategy preferable to
others?
What additional tools might be needed to respond to this particular incident?
Which personnel would be involved in the containment, eradication, and/or recovery processes?
What sources of evidence, if any, should the organization acquire? How would the evidence be
acquired? Where would it be stored? How long should it be retained?
Post-Incident Activity:
Answers will vary based upon the cybersecurity operation team. Examples:
What could be done to prevent similar incidents from occurring in the future?
What could be done to improve detection of similar incidents?
Conclusion:
Effective incident handling is essential for minimizing the damage caused by cybersecurity threats and
ensuring a swift return to normal operations. By following a structured process—preparation,
identification, containment, eradication, recovery, and lessons learned—organizations can respond to
incidents efficiently and systematically. This approach not only reduces downtime and data loss but
also helps improve future security posture through continuous learning and improvement. As threats
grow more complex, a well-defined incident handling strategy becomes a vital component of any robust
cybersecurity framework.
End of document