TR1.11 Interactive Lab: Preservation Priority
Figure TR1.11 — Three preservation priority scenarios. Each requires a different sequence based on the attacker's current state.
The preservation challenge in 2026
These scenarios reflect the current threat landscape where attackers compress timelines and operate across multiple environments simultaneously. Three statistics frame the urgency:
Mandiant’s M-Trends 2026 report documented median initial-access-to-operator-handoff times of 22 seconds: the access broker compromises the credential and passes control to the ransomware operator almost instantly.
CISA’s StopRansomware Guide explicitly recommends preserving volatile evidence (system memory, Windows Security logs, firewall log buffers) BEFORE taking mitigation actions when possible, while acknowledging that active encryption requires immediate containment.
Mandiant and Google Cloud found that 77% of 2025 ransomware intrusions involved confirmed data exfiltration, up from 57% in 2024. The attacker is simultaneously encrypting AND exfiltrating, forcing the triage responder to weigh two damage vectors in the contain-first decision.
Each scenario below presents a different combination of attacker state, environment, and damage vector. For each, apply the preservation decision tree from TR1.5 and the environment-specific evidence capture sequence from TR1.2-TR1.4. Document your reasoning — the decision matters, but the reasoning matters more because it shows whether you assessed the attacker state correctly.
How to approach each scenario
Read the context. Answer four questions in order: (1) Is the attacker actively causing damage RIGHT NOW? (2) What is the most volatile evidence that exists at this moment? (3) What containment action stops the damage with minimum evidence destruction? (4) What is the full evidence capture sequence after containment (or before containment, if preserve-first)? Write your answers before opening the reference. The reference answer shows one valid approach — your approach may differ if your reasoning is sound.
Scenario 1: Active data exfiltration from Linux database server
Context: Alert: sustained outbound data transfer from SRV-NGE-BRS-DB01 (RHEL database server) to 45.155.205.99. The transfer has been active for 12 minutes. Network monitoring shows 2.3 GB transferred so far. The database contains engineering drawings and customer PII. The process performing the transfer is curl running as svc-dbadmin.
Your task: (1) Preserve first or contain first? (2) What is your first action? (3) What evidence do you capture and in what order? (4) What containment do you execute?
Reference answer
Decision: CONTAIN FIRST. Active exfiltration of PII = active damage. Every minute of delay = more data leaves the organisation. Regulatory impact increases with volume.
First action: Block 45.155.205.99 at the network perimeter (firewall rule). This stops the exfiltration without modifying the server’s state: the curl process is still running, memory is intact, logs are intact. If the perimeter rule silently drops packets, curl’s TCP connection stalls and the kernel retransmits until its retransmission timeout (minutes) before curl reports an error; if the firewall answers with a RST, curl fails immediately. Either way no further data leaves. This is the optimal contain-first action because it stops the damage with zero evidence destruction.
If firewall access is not available: insert a host rule at the head of the OUTPUT chain, iptables -I OUTPUT 1 -d 45.155.205.99 -j DROP, so it is evaluated before any existing rule that accepts established traffic (appending with -A can be shadowed by such a rule). On RHEL 8 and later the iptables binary is the nft compatibility layer and firewalld may own the ruleset, in which case firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -d 45.155.205.99 -j DROP is the equivalent. This stops the outbound connection but modifies the server’s ruleset: record iptables-save (or nft list ruleset) before and after the change, with the time and your name.
Evidence capture (after containment):
Tier 1 (30 seconds): ps auxf (identify the curl process and its parent), ss -tnpi (document the connection state; after a silent perimeter DROP the socket will usually still show ESTABLISHED with a rising retrans counter, because no FIN or RST has arrived, and it only moves to a closed state after the retransmission timeout or immediately if the firewall sent a RST, so do not read a lingering ESTABLISHED socket as a failed block), last -i and w (who logged in as svc-dbadmin, and which sessions are still open).
Tier 2 (2-5 min): LiME memory dump (the curl command line, the database query that prepared the export, and the svc-dbadmin session state are all in memory). LiME needs a module built for the exact running kernel; if one is not pre-staged for this host, AVML can acquire memory without loading a module. Write the image to external or network storage, not the server’s own disk. Also capture /proc/PID/cmdline for the curl process (exact command with URL and parameters), /proc/PID/environ (proxy and credential variables), and /proc/PID/cwd and /proc/PID/fd (the export file being read and the socket inode), all of which vanish when the process exits.
Tier 3: SSH authentication history for svc-dbadmin (on RHEL this is /var/log/secure, not /var/log/auth.log, or journalctl -u sshd), bash_history (the commands the attacker typed; bash writes the file only when the shell exits cleanly and attackers commonly unset HISTFILE, so the live session’s commands may exist only in the shell process’s memory and in the memory dump), and database audit logs (what data was queried for export).
Containment complete: Firewall block (exfil stopped) + svc-dbadmin account disabled + SSH key for svc-dbadmin revoked. Disabling the account does not end an SSH session that is already open, so once Tier 1 and Tier 2 capture are complete, terminate the curl process and kill the remaining svc-dbadmin sessions.
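As an added example (not part of the original lab), the Tier 1 and Tier 2 per-process capture for Scenario 1 done straight from /proc in Python, so it works even when ps and ss cannot be trusted, plus a reader for /proc/net/tcp that reports the socket state and retransmit count the way the reference answer describes. The PID, the output directory and the /proc/net/tcp excerpt are assumptions; the excerpt is constructed to show one socket to 45.155.205.99 that is still ESTABLISHED and retransmitting after a silent perimeter DROP.

```python
#!/usr/bin/env python3
"""Volatile capture of one process and its sockets directly from /proc (added example)."""
import hashlib
import json
import os
import socket
import struct
import tempfile
import time
from pathlib import Path

# Kernel TCP state codes as they appear in the 'st' column of /proc/net/tcp.
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
              "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
              "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING"}


def hex_to_ipv4(field):
    """'63CD9B2D:01BB' -> ('45.155.205.99', 443); the address is little-endian hex."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)


def connections_to(dest_ip, proc_net_tcp_text):
    """Every IPv4 TCP socket whose peer is dest_ip, with state, retransmit count and inode."""
    rows = []
    for line in proc_net_tcp_text.splitlines()[1:]:          # first line is the header
        f = line.split()
        if len(f) < 10:
            continue
        rip, rport = hex_to_ipv4(f[2])
        if rip != dest_ip:
            continue
        lip, lport = hex_to_ipv4(f[1])
        rows.append({"local": f"{lip}:{lport}", "remote": f"{rip}:{rport}",
                     "state": TCP_STATES.get(f[3], f[3]),
                     "retransmits": int(f[6], 16),              # 'retrnsmt' column is hex
                     "inode": int(f[9])})
    return rows


def interpret(conn):
    """What the responder should conclude from the socket state after a perimeter block."""
    if conn["state"] == "ESTABLISHED" and conn["retransmits"] > 0:
        return "blocked upstream: peer unreachable, kernel retransmitting (silent DROP in effect)"
    if conn["state"] == "ESTABLISHED":
        return "still flowing or block too recent to tell: re-check retransmits in 30 s"
    return f"closed ({conn['state']}): peer or firewall tore the connection down"


def pid_for_inode(inode):
    """Map a socket inode back to its owning PID by scanning /proc/*/fd (needs root for other users)."""
    target = f"socket:[{inode}]"
    for pid_dir in Path("/proc").glob("[0-9]*"):
        try:
            for fd in (pid_dir / "fd").iterdir():
                if os.readlink(fd) == target:
                    return int(pid_dir.name)
        except OSError:
            continue
    return None


def capture_process(pid, outdir=None):
    """Tier 1/2 capture of the most volatile per-process artefacts, each hashed into a manifest."""
    proc = Path("/proc") / str(pid)
    outdir = Path(outdir or tempfile.mkdtemp(prefix="ir_"))
    outdir.mkdir(parents=True, exist_ok=True)
    manifest = {"pid": pid, "captured_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()), "items": {}}
    artefacts = {
        "cmdline": lambda: (proc / "cmdline").read_bytes().replace(b"\0", b" "),
        "environ": lambda: (proc / "environ").read_bytes().replace(b"\0", b"\n"),
        "status": lambda: (proc / "status").read_bytes(),
        "cwd": lambda: os.readlink(proc / "cwd").encode(),
        "exe": lambda: os.readlink(proc / "exe").encode(),
        "fd": lambda: "\n".join(f"{p.name} -> {os.readlink(p)}"
                                for p in sorted((proc / "fd").iterdir())).encode(),
    }
    for name, reader in artefacts.items():
        try:
            data = reader()
        except OSError as exc:          # permission denied, or the process exited mid-capture
            manifest["items"][name] = {"error": str(exc)}
            continue
        (outdir / f"{pid}_{name}.txt").write_bytes(data)
        manifest["items"][name] = {"sha256": hashlib.sha256(data).hexdigest(), "bytes": len(data)}
    (outdir / f"{pid}_manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


# Constructed /proc/net/tcp excerpt: 10.20.30.40:51234 -> 45.155.205.99:443, ESTABLISHED, 7 retransmits.
SAMPLE_PROC_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 281E140A:C822 63CD9B2D:01BB 01 0001A2B4:00000000 01:00000B2B 00000007  1000        0 123456 2 "
    "0000000000000000 200 4 30 10 -1\n"
)

if __name__ == "__main__":
    for conn in connections_to("45.155.205.99", SAMPLE_PROC_NET_TCP):
        print(conn, "=>", interpret(conn))
        print("owning pid (live system only):", pid_for_inode(conn["inode"]))
    if Path("/proc/self").exists():
        print(json.dumps(capture_process(os.getpid())["items"], indent=2))
```

On the live server you would run it as root with the curl PID and the connection text read from /proc/net/tcp; the manifest with SHA-256 hashes is the chain-of-custody record for the capture.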
Scenario 2: Dormant Cobalt Strike beacon on Windows endpoint
Context: During a threat hunt, you discover DESKTOP-NGE042 has been beaconing to 45.155.205.99 every 60 seconds for 3 days. The beacon process is rundll32.exe loading msedge_update.dll from j.morrison’s AppData\Local\Temp. No alerts fired because the beaconing pattern was below the detection threshold (the Detection Engineering team has been notified). Firewall and proxy logs show a constant 312-byte response to every check-in for the last 72 hours (heartbeat only, no tasking; DeviceNetworkEvents records the connections but not byte counts, so the size evidence comes from the network logs), so the attacker has not issued commands through the beacon in that period.
Your task: (1) Preserve first or contain first? (2) What is your first action? (3) What evidence do you capture? (4) What containment do you execute?
Reference answer
Decision: PRESERVE FIRST. The beacon is dormant: 3 days without attacker activity, and the heartbeat-only traffic confirms no active tasking. There is no damage to stop, so nothing is gained by containing before capture. Killing the process, rebooting or reimaging would destroy the memory evidence (the beacon’s decrypted configuration, including the full C2 infrastructure, the Malleable C2 profile and the team server fingerprint). Even network isolation changes the beacon’s state, because repeated failed check-ins can trigger a fallback C2 or a configured exit, so capture memory while the beacon is in its steady state.
First action: Capture memory. winpmem_mini_x64.exe C:\IR\Evidence\DESKTOP-NGE042_memdump.raw, with C:\IR\Evidence ideally a mounted network share or removable drive rather than the local disk, so the image does not overwrite unallocated space that may hold deleted stager artefacts. Record the SHA-256 of the image as soon as it completes. The memory dump contains the beacon’s decrypted configuration, the most valuable evidence for the investigation team, which a Cobalt Strike configuration parser can extract from the image. This takes 2-5 minutes depending on RAM size.
Evidence capture (while memory dumps): Tier 1: Process list with command lines (identify rundll32.exe and its parent; the parent shows how the beacon was launched, for example a scheduled task or an Office process), network connections (document the C2 connection), logged-in users. Tier 2: Scheduled tasks and autoruns (identify any persistence beyond the DLL), loaded modules for rundll32.exe (confirm msedge_update.dll is the loaded payload; rundll32 executing an arbitrary DLL is not DLL sideloading, which would be a signed application loading the DLL from its own directory, so describe it accurately in the report). Tier 3: KAPE collection (event logs, prefetch, $MFT). Prefetch tracks executables, not DLLs, so look for msedge_update.dll in the rundll32.exe prefetch file’s referenced-files list and run times, and combine that with the DLL’s $MFT creation timestamp to establish the initial compromise date.
Containment (after preservation): Network-isolate DESKTOP-NGE042 via Defender for Endpoint. Do NOT delete msedge_update.dll: it is evidence, so hash it and copy it to the case folder for the investigation team. Do NOT reboot: the memory evidence would be destroyed and the investigation team needs the running beacon state.
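Skill 1 in this scenario is deciding "dormant" from evidence rather than from instinct. As an added example (not part of the original lab), the following Python assesses an exported series of firewall log lines for one host/destination pair: is the traffic periodic, what is the heartbeat size, and did any check-in carry something larger than a heartbeat (a task delivered in the response, or output posted back)? The log lines are constructed and their whitespace-separated layout (timestamp, host, destination, bytes out, bytes in) is an assumption about the export format, not a vendor’s schema.

```python
#!/usr/bin/env python3
"""Dormant-or-tasked assessment of a periodic C2 beacon from exported network logs (added example)."""
import statistics
from datetime import datetime, timedelta, timezone


def make_sample(n=30, tasked_at=None):
    """Constructed log lines: one check-in every 60 s with deterministic -2..+2 s jitter.

    A heartbeat is a 92-byte request with a 312-byte response. If tasked_at is set, that
    check-in receives a 4096-byte response (a task) and the next one posts 18432 bytes back.
    """
    t0 = datetime(2026, 3, 17, 1, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(n):
        ts = t0 + timedelta(seconds=60 * i + (i % 5) - 2)
        out_b, in_b = 92, 312
        if tasked_at is not None and i == tasked_at:
            out_b, in_b = 92, 4096
        if tasked_at is not None and i == tasked_at + 1:
            out_b, in_b = 18432, 312
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} DESKTOP-NGE042 45.155.205.99:443 {out_b} {in_b}")
    return lines


def parse(lines):
    """Parse 'ts host dst bytes_out bytes_in' lines into time-ordered events."""
    events = []
    for line in lines:
        ts, host, dst, out_b, in_b = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
                       "host": host, "dst": dst, "out": int(out_b), "in": int(in_b)})
    return sorted(events, key=lambda e: e["ts"])


def assess(events, max_jitter_cv=0.5, min_checkins=10):
    """Periodicity from the inter-arrival coefficient of variation; heartbeat size from the mode;
    tasking wherever a check-in moved more than twice the heartbeat in either direction."""
    if len(events) < min_checkins:
        return {"periodic": False, "state": "insufficient data"}
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(events, events[1:])]
    mean_gap = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean_gap if mean_gap else float("inf")
    heartbeat_in = statistics.mode([e["in"] for e in events])
    heartbeat_out = statistics.mode([e["out"] for e in events])
    tasked = [e["ts"].isoformat() for e in events
              if e["in"] > 2 * heartbeat_in or e["out"] > 2 * heartbeat_out]
    return {"periodic": cv <= max_jitter_cv, "interval_s": round(mean_gap), "jitter_cv": round(cv, 3),
            "heartbeat_bytes": (heartbeat_out, heartbeat_in),
            "state": "tasked" if tasked else "dormant", "tasking_times": tasked}


if __name__ == "__main__":
    print("heartbeat only:", assess(parse(make_sample(30))))
    print("one task:      ", assess(parse(make_sample(30, tasked_at=12))))
```

A "dormant" verdict supports preserve-first; a "tasked" verdict with recent tasking times means the operator is interactive and moves the scenario back into the contain-first branch of the TR1.5 tree. The thresholds (jitter CV 0.5, twice the heartbeat size) are starting points to tune against your own proxy data.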
Scenario 3: Historical cloud compromise discovered during audit
Context: During a quarterly access review, you discover that r.chen@northgateeng.com had an unusual sign-in from Nigeria 18 days ago. r.chen is based in Manchester and has never travelled to Africa. The sign-in was successful, used a stored refresh token, and accessed SharePoint for 45 minutes. r.chen was on annual leave at the time and did not report any issues. No alerts fired. r.chen has been working normally since returning from leave 12 days ago.
Your task: (1) Preserve first or contain first? (2) What is the risk of delayed action? (3) What evidence may already be lost?
Reference answer
Decision: PRESERVE FIRST. Historical compromise, 18 days old, with no active damage observed. Do not assume the attacker’s access has expired: the sign-in used a stored refresh token, which Entra ID keeps valid for 90 days of inactivity by default and renews on use, so the attacker may still be able to mint new access tokens. Preserve first because nothing is being damaged right now, but the preservation window is hours, not days, and the token must be revoked as soon as the logs are snapshotted. There may also be persistence mechanisms planted during the 45-minute SharePoint session.
Evidence at risk: The sign-in log entry is 18 days old. Entra ID retains sign-in and audit logs for 30 days with a P1 or P2 licence (only 7 days on the free tier), so the entry is still available but will age out in 12 days. The unified audit log, which records what files r.chen’s account accessed in SharePoint during those 45 minutes, is retained for 180 days on Audit (Standard) (it was 90 days before late 2023) and longer with Audit (Premium), so it is still available. If the attacker registered an OAuth application or MFA method, the Entra audit log entry is within the same 30-day window.
Preservation actions: Snapshot all sign-in logs, audit logs, and OfficeActivity for r.chen (last 30 days) to the IR case folder immediately — before the 30-day retention window closes on the oldest entries. Check for OAuth grants, MFA registrations, inbox rules, and mailbox delegate permissions established during or after the Nigerian session.
Containment (after preservation): Reset r.chen’s password, then revoke all refresh tokens and sessions, in that order so a token refreshed during the reset does not survive. Audit and remove any OAuth grants or MFA methods not recognised by r.chen. A stored refresh token is usually stolen from the user’s own device, by an infostealer or a token-theft phishing kit, so check r.chen’s endpoint for that source as well as for anything the 45-minute SharePoint session may have planted for later download.
Risk of delayed action: The sign-in log entry expires in 12 days. If the investigation is not initiated within that window, the primary evidence of the compromise is lost from native Entra ID retention. Sentinel may have the data if sign-in logs were ingested, but the triage responder cannot assume this — snapshot now.
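As an added example (not part of the original lab), a Python triage pass over an exported set of Entra ID and unified audit records for Scenario 3: it flags the off-country sign-in, works out how many days of native retention are left for that entry under each licence tier, lists the persistence-establishing operations recorded from the suspicious session onwards, and hashes a canonical JSON snapshot for the case folder. The records are constructed; the column names follow the Sentinel SigninLogs, AuditLogs and OfficeActivity tables as an assumption about the export format, and the application and file names in them are invented for the sample.

```python
#!/usr/bin/env python3
"""Retention check, persistence sweep and evidence snapshot for a historical cloud compromise (added example)."""
import hashlib
import json
from datetime import datetime, timezone
from pathlib import Path

# Native retention in days: Entra sign-in/audit logs by licence, and the unified audit log (Audit Standard).
ENTRA_RETENTION_DAYS = {"free": 7, "p1": 30, "p2": 30}
UNIFIED_AUDIT_RETENTION_DAYS = 180

# Operations that establish persistence after an account takeover (Entra AuditLogs and Exchange/Office activity).
PERSISTENCE_OPS = {
    "Consent to application", "Add service principal", "Add app role assignment grant to user",
    "User registered security info", "Add member to role",
    "New-InboxRule", "Set-InboxRule", "UpdateInboxRules", "Add-MailboxPermission", "Set-Mailbox",
}

NOW = datetime(2026, 3, 20, 15, 0, tzinfo=timezone.utc)     # constructed 'now': 18 days after the sign-in


def ts(text):
    """Export timestamps are naive UTC strings; make them aware."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


SAMPLE_RECORDS = [  # constructed export for r.chen; app and file names are invented
    {"table": "SigninLogs", "TimeGenerated": "2026-03-02T14:03:10", "UserPrincipalName": "r.chen@northgateeng.com",
     "Location": "NG", "ResultType": "0", "IncomingTokenType": "refreshToken", "AppDisplayName": "SharePoint Online"},
    {"table": "AuditLogs", "TimeGenerated": "2026-03-02T14:21:44", "OperationName": "Consent to application",
     "InitiatedBy": "r.chen@northgateeng.com", "TargetResources": "MailReader-Sync"},
    {"table": "OfficeActivity", "TimeGenerated": "2026-03-02T14:40:05", "Operation": "New-InboxRule",
     "UserId": "r.chen@northgateeng.com", "Parameters": "DeleteMessage:True SubjectContainsWords:invoice"},
    {"table": "OfficeActivity", "TimeGenerated": "2026-03-02T14:33:00", "Operation": "FileDownloaded",
     "UserId": "r.chen@northgateeng.com", "SourceFileName": "Q1-drawings.zip"},
    {"table": "SigninLogs", "TimeGenerated": "2026-03-08T08:15:00", "UserPrincipalName": "r.chen@northgateeng.com",
     "Location": "GB", "ResultType": "0", "IncomingTokenType": "primaryRefreshToken", "AppDisplayName": "Office 365"},
]


def days_remaining(record_time, now=NOW, licence="p1", table="SigninLogs"):
    """Days before the record ages out of native retention; negative means it is already gone."""
    keep = UNIFIED_AUDIT_RETENTION_DAYS if table == "OfficeActivity" else ENTRA_RETENTION_DAYS[licence]
    return keep - (now - record_time).days


def suspicious_signins(records, home_country="GB"):
    """Successful sign-ins from outside the user's home country."""
    return [r for r in records if r["table"] == "SigninLogs"
            and r["ResultType"] == "0" and r["Location"] != home_country]


def persistence_after(records, session_start, user):
    """Persistence-establishing operations by the user from the suspicious session onwards."""
    hits = []
    for r in records:
        op = r.get("OperationName") or r.get("Operation")
        actor = r.get("InitiatedBy") or r.get("UserId")
        if op in PERSISTENCE_OPS and actor == user and ts(r["TimeGenerated"]) >= session_start:
            hits.append({"when": r["TimeGenerated"], "op": op,
                         "detail": r.get("TargetResources") or r.get("Parameters")})
    return sorted(hits, key=lambda h: h["when"])


def snapshot(records, path=None):
    """Canonical JSON copy with a SHA-256, so the evidence survives the native retention window."""
    blob = json.dumps(sorted(records, key=lambda r: r["TimeGenerated"]), sort_keys=True, indent=1).encode()
    if path:
        Path(path).write_bytes(blob)
    return {"records": len(records), "sha256": hashlib.sha256(blob).hexdigest()}


def triage(records, user, home_country="GB", now=NOW, licence="p1"):
    """One-shot summary for the triage note: what happened, how long the evidence lasts, what to revoke."""
    sus = suspicious_signins(records, home_country)
    if not sus:
        return {"suspicious_signins": 0}
    first = ts(sus[0]["TimeGenerated"])
    return {"suspicious_signins": len(sus), "first_suspicious": sus[0]["TimeGenerated"],
            "signin_log_days_left": days_remaining(first, now, licence),
            "refresh_token_sign_in": sus[0].get("IncomingTokenType") == "refreshToken",
            "persistence": persistence_after(records, first, user),
            "snapshot": snapshot(records)}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_RECORDS, "r.chen@northgateeng.com"), indent=2))
```

The refresh_token_sign_in flag is what turns "historical, no active damage" into "revoke tokens immediately after the snapshot": a refresh-token sign-in means the attacker holds a credential that outlives the one-hour access token.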
Scenario 4: Cross-environment double extortion in progress
Context: Two alerts fire simultaneously at 01:30. Alert 1: Defender for Endpoint detects vssadmin shadow copy deletion on SRV-NGE-SHF-MFG01 (Windows Server, Sheffield manufacturing). Alert 2: CommonSecurityLog shows a sustained 800 MB outbound transfer from SRV-NGE-BRS-DB01 (RHEL database, Bristol) to an external IP over the last 20 minutes. Investigation of the firewall logs reveals the exfiltration IP matches a known ransomware group’s staging infrastructure. The manufacturing server and database server are connected via SD-WAN. Both events appear to originate from the same compromised service account (svc-backup@northgateeng.com).
Your task: (1) This is a multi-environment incident with two simultaneous damage vectors — encryption AND exfiltration. Which do you contain first? (2) What evidence do you capture and from which system? (3) How do you coordinate containment across two environments?
Reference answer
Decision: CONTAIN BOTH SIMULTANEOUSLY if possible. If solo, contain the exfiltration first. The encryption is destroying data availability, but the exfiltration is destroying data confidentiality, and confidentiality cannot be restored from backup. Under GDPR both are personal data breaches (loss of availability counts), but confirmed exfiltration of PII is far more likely to cross the risk threshold that triggers notification to the affected individuals, and NIS2 significance assessments weigh the same factors. Additionally, every minute of continued exfiltration increases the volume of data the attacker can use for double extortion. The shadow copies are already deleted, so stopping the encryption now cannot reverse it, only limit its scope.
Containment sequence (solo responder): Minute 0: Block the exfiltration destination IP at the network perimeter (firewall rule). This stops the data transfer immediately without touching either server. Both servers remain running with evidence intact. Minute 1: Network-isolate SRV-NGE-SHF-MFG01 via Defender for Endpoint. This stops the encryption from spreading beyond the manufacturing server via SMB. The encryption continues on local files but is contained to one server. Minute 2: Disable svc-backup@northgateeng.com in Active Directory and reset its password. This prevents the attacker from using the same credentials to reach additional systems, but disabling alone does not end sessions that already hold a valid service ticket or an open SSH session on the Linux host, so plan to kill those explicitly after evidence capture.
Evidence capture (after containment):
Windows (SRV-NGE-SHF-MFG01): memory dump taken before any reboot or power-off (ransomware binary configuration, and the encryption key if the process still holds it), process list (identify the encryption process), DeviceFileEvents snapshot (scope of encrypted files).
Linux (SRV-NGE-BRS-DB01): ss -tnpi (verify the exfiltration socket is stalled or closed after the firewall block), ps auxf (identify the exfiltration process), /var/log/secure or journalctl -u sshd (svc-backup SSH session details; this is RHEL, so there is no auth.log), bash_history (database export commands used for staging, bearing in mind it is only written when the shell exits).
Key insight: The firewall block is the single most effective contain-first action because it stops the highest-impact damage vector (exfiltration) without modifying either server’s state. All volatile evidence on both servers is preserved. This is why network-level containment is preferable to host-level containment when both are available — it stops traffic without touching the endpoint evidence.
Self-assessment
For each scenario: did your preserve/contain decision match the reference? Did you identify the critical evidence in the correct order? Did you select the right tools and commands? If your decisions diverged from the reference: was your reasoning defensible (different but valid approach), or did you miss a critical factor (attacker state, evidence volatility, containment blast radius)?
The myth: Rigid decision trees do not account for the nuance of real incidents. Experienced responders should use judgment, not frameworks.
The reality: The decision tree provides structure for the most time-pressured moment of the incident. Under pressure, judgment degrades — the responder defaults to their bias (either too cautious or too aggressive). The decision tree replaces the bias with a structured question: is the attacker active? The answer determines the sequence. Within each sequence, the responder applies judgment (which containment action, which evidence to prioritise, how to assess blast radius). The tree provides the sequence. Judgment provides the execution. Both are required.
Post-lab reflection questions
After completing all 4 scenarios, consider these questions that bridge the lab to your operational environment:
Question 1: In your organisation, which of the 4 scenarios is most likely to occur? If you operate primarily cloud M365 environments, Scenario 3 (historical cloud compromise) is statistically most common — most cloud compromises are discovered days or weeks after initial access. If you operate on-premises servers with internet-facing services, Scenario 1 (active exfiltration) may be more relevant. Understanding your most likely scenario helps you prioritise the preparation work: pre-staging tools, pre-building containment playbooks, and pre-configuring automations.
Question 2: For your most likely scenario, what is the FIRST containment action you would execute? Is that action available to you right now — at 03:00 on a Sunday? If the answer is “I would need to call the network team to implement a firewall rule” or “I would need admin access that I do not currently have,” the preparation gap is not in your triage skills but in your operational access. The preparation work for evidence preservation begins with ensuring you HAVE the access to execute containment when needed.
Question 3: Which of the 4 scenarios would have the highest regulatory impact in your organisation? If you process personal data (GDPR applies), Scenario 1 (data exfiltration of PII) and Scenario 4 (double extortion with data theft) trigger the 72-hour notification clock. If you are a NIS2 essential entity, all 4 scenarios may require 24-hour notification. The regulatory context changes the triage urgency — not the classification decision, but the documentation and handoff requirements.
Scoring framework for preservation priority scenarios
Each scenario in this lab tests three skills: (1) correctly assessing the attacker’s state (active vs dormant), (2) selecting the correct evidence to capture first based on volatility, and (3) choosing the containment action that stops the damage with minimum evidence destruction. Score yourself on each:
Skill 1 — Attacker state assessment (3 points per scenario): 3 points: correctly identified active (contain-first) or dormant (preserve-first) immediately, with cited evidence. 2 points: correct identification but hesitated or cited incomplete evidence. 1 point: initially incorrect but self-corrected after reading the context more carefully. 0 points: incorrect assessment that would have led to wrong sequence.
Skill 2 — Evidence capture selection (3 points per scenario): 3 points: identified the most volatile evidence specific to the scenario and specified the correct capture method. 2 points: identified the right evidence but used a generic capture method (e.g., “collect memory” without specifying WinPMem or LiME). 1 point: identified some but not all critical evidence for the scenario. 0 points: missed the most critical evidence source (e.g., did not capture memory for a fileless attack, did not capture cloud logs for a cloud compromise).
Skill 3 — Containment selection (3 points per scenario): 3 points: chose the containment action with the minimum blast radius that stops the identified damage vector, and correctly ordered the actions. 2 points: chose an effective containment action but with unnecessary blast radius (e.g., network segmentation when device isolation was sufficient). 1 point: chose a containment action that partially addresses the threat but leaves a significant attack path open. 0 points: chose no containment (continuing to investigate while the attacker operates) or a destructive action (reimaging the server before evidence collection).
Total score per scenario: 9 points. Target: 7+ per scenario (22+ total across 4 scenarios).
A consistent weakness in Skill 1 indicates the need to review TR1.5 (the preservation decision tree) and the active-vs-dormant indicators. A weakness in Skill 2 indicates the need to review TR1.1-TR1.4 (environment-specific evidence categories). A weakness in Skill 3 indicates the need to review TR2.5 (cloud containment), TR3.6 (Windows containment), or TR4.6 (Linux containment — upcoming).
The attacker speed context for each scenario
Each scenario exists in the context of real-world attacker speed data:
Scenario 1 (active data exfiltration): Palo Alto Networks’ Unit 42 2024 Incident Response Report found that the median time from compromise to data exfiltration fell from nine days (2021) to two days (2023), and in some cases exfiltration begins within hours of initial access. The 12-minute exfiltration window in Scenario 1 is realistic: the attacker has had access for at least 12 minutes and has already transferred 2.3 GB. Every additional minute of triage before containment adds to the exfiltrated volume.
Scenario 2 (dormant C2 beacon): CrowdStrike’s 2024 threat data showed an average breakout time (initial access to lateral movement) of 62 minutes for interactive intrusions. The 3-day dormancy in Scenario 2 is consistent with access broker operations — the broker compromised the endpoint and is waiting for a buyer to purchase the access. The 3-day window is the preserve-first opportunity before the buyer activates.
Scenario 3 (historical cloud compromise): Mandiant’s M-Trends 2026 reported a median dwell time of approximately 10 days — meaning half of all incidents are discovered within 10 days of initial access. The 18-day gap in Scenario 3 is slightly longer than median — the attacker has had more than enough time to establish persistence and access data. The preserve-first approach ensures the investigation has complete evidence before any containment action modifies the environment.
Scenario 4 (simultaneous encryption + exfiltration): The double extortion model now dominates ransomware operations. Mandiant and Google Cloud found 77% of 2025 ransomware intrusions involved confirmed data exfiltration. Scenario 4 presents both damage vectors simultaneously — the triage responder must prioritise the exfiltration containment (regulatory impact) over the encryption containment (business impact) while managing both.