AD6.11 Interactive Lab: Incident Response Exercise
This lab uses the investigation engine to walk you through a complete incident response scenario. A high-severity alert fires on Monday morning: user r.williams has a confirmed AiTM credential compromise with BEC indicators. You'll execute the evidence preservation script, the 5-step compromised account procedure, the BEC-specific response steps, decide whether to escalate to the managed SOC, document the incident using the template, and conduct a post-incident review — all in sequence, with decision points where your choices affect the outcome.
What you practised
This lab tested your ability to execute the complete incident response workflow: evidence preservation (5 min) → compromised account procedure (10 min) → BEC-specific steps (finance notification, vendor notification, sent email review) → managed SOC coordination → incident documentation using the 6-section template → post-incident review. The key judgment calls: whether to preserve evidence before containing (yes — 5 minutes doesn't significantly extend attacker access), whether to notify finance urgently (yes — vendor invoices were forwarded), and whether to escalate to legal (yes — vendor bank details forwarded to external address triggers GDPR assessment).
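The preserve-then-contain ordering the lab drills, written out as an added PowerShell example (this is not the course's evidence preservation script nor its 5-step procedure). It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed, that the operator holds the required Exchange and Entra roles, and that the UPN and evidence path are placeholders; the containment steps in phase 2 are a typical set, chosen here as an assumption.

```powershell
# Added example, not the course's own script. Placeholders: UPN and evidence path.
param(
    [string]$Upn = 'r.williams@contoso.example',   # placeholder UPN, not from the lab
    [string]$EvidenceDir = "C:\IR\$(Get-Date -Format 'yyyyMMdd-HHmm')-$($Upn.Split('@')[0])"
)
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -NoWelcome -Scopes 'AuditLog.Read.All','Directory.Read.All',
    'User.ReadWrite.All','UserAuthenticationMethod.Read.All'

# --- Phase 1: preserve evidence BEFORE containment, while attacker state is still visible ---
$end   = Get-Date
$start = $end.AddDays(-30)

# Sign-in history: source IPs, device and MFA claims (AiTM shows as MFA-satisfied sign-ins from new infrastructure)
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn'" -Top 1000 |
    Export-Csv -Path "$EvidenceDir\signins.csv" -NoTypeInformation

# Unified audit log: mailbox operations, rule creation, MFA changes, consent grants
Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $Upn -ResultSize 5000 |
    Select-Object CreationDate, Operations, RecordType, AuditData |
    Export-Csv -Path "$EvidenceDir\unified-audit.csv" -NoTypeInformation

# BEC persistence: inbox rules and mailbox-level forwarding, captured before they are removed
Get-InboxRule -Mailbox $Upn | ConvertTo-Json -Depth 5 | Set-Content "$EvidenceDir\inbox-rules.json"
Get-Mailbox -Identity $Upn |
    Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward |
    ConvertTo-Json | Set-Content "$EvidenceDir\forwarding.json"

# Outbound trace (10-day window of Get-MessageTrace) feeds the sent email review and vendor notification
Get-MessageTrace -SenderAddress $Upn -StartDate $end.AddDays(-10) -EndDate $end |
    Export-Csv -Path "$EvidenceDir\sent-trace.csv" -NoTypeInformation

# Registered MFA methods, so an attacker-added authenticator can be identified
Get-MgUserAuthenticationMethod -UserId $Upn | ConvertTo-Json -Depth 5 |
    Set-Content "$EvidenceDir\auth-methods.json"

# --- Phase 2: contain (assumed containment steps, not the course's list) ---
Update-MgUser -UserId $Upn -AccountEnabled:$false        # block new sign-ins
Revoke-MgUserSignInSession -UserId $Upn | Out-Null        # invalidate stolen session and refresh tokens
Set-Mailbox -Identity $Upn -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
Get-InboxRule -Mailbox $Upn | Remove-InboxRule -Confirm:$false   # safe: rules were exported above

Write-Host "Evidence in $EvidenceDir; $Upn contained. Next: password reset, MFA re-registration, finance and vendor notification."
```

Phase 1 is the part the lab's "preserve first" judgment call protects: once forwarding and rules are removed in phase 2, the only record of where mail was being diverted is the export taken here.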
Connection to Module AD7
With monitoring (AD5) and response (AD6) operational, Module AD7 covers security posture assessment — the broader evaluation of your security program using Secure Score, compliance metrics, incident data, and management reporting to demonstrate continuous improvement and justify future security investments.
You're reading the free modules of M365 Security: From Admin to Defender
The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts.