Day 5 of 5
⏱ ~60 minutes
Network Security in 5 Days — Day 5

Incident Response & Security Architecture

When defenses fail — and eventually they do — incident response (IR) limits damage and restores operations. Today covers IR methodology, containment strategies, and designing networks that are resilient to breaches.

The NIST Incident Response Lifecycle

NIST SP 800-61 defines four phases: Preparation (policies, tools, contacts), Detection and Analysis (identify and confirm the incident), Containment, Eradication, and Recovery (stop the bleeding, remove malware, restore service), and Post-Incident Activity (lessons learned, improve defenses). Every organization should have a written IR plan tested annually with tabletop exercises.

Containment Strategies

Isolation prevents an attacker from pivoting further. Options: network isolation (a firewall rule blocking the compromised host), VLAN reassignment (move the host to a quarantine VLAN), endpoint isolation (EDR one-click isolation), and shutdown (last resort: volatile memory survives only if a memory image is taken first). Partial containment beats full shutdown when you want to monitor attacker behavior.
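Firewall-based network isolation is the option most often done by hand, and the classic failure modes are locking yourself out or leaving the analyst exception below the DROP where it is dead code. As an added example (not part of the lesson), the POSIX shell functions below generate an isolation ruleset in iptables-restore format with loopback and the analyst allowlist first, a rate-limited LOG rule so partial containment still records what the host tries to reach, and the blanket DROP last, plus a check that the order is right before anything is applied. The analyst address 10.0.0.5 in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the lesson: build a host-isolation ruleset as an
# iptables-restore file instead of typing rules into a live SSH session.
#
# Ordering is the whole point: loopback and analyst exceptions first, then a
# rate-limited LOG rule so partial containment still records what the attacker
# process tries to reach, then the blanket DROP. iptables-restore loads the
# file atomically, so the analyst never hits a window where INPUT drops but the
# exception is not yet there, and --test catches a typo before anything changes.
#
# Usage (as root on the compromised host; 10.0.0.5 = analyst IP, placeholder):
#   gen_isolation_rules 10.0.0.5 > /tmp/isolate.rules
#   iptables-restore --test /tmp/isolate.rules && iptables-restore /tmp/isolate.rules

gen_isolation_rules() {
    if [ "$#" -lt 1 ]; then
        echo "usage: gen_isolation_rules ANALYST_IP [ANALYST_IP...]" >&2
        return 1
    fi
    printf '%s\n' '*filter'
    # Default policies drop, so even a mistake in the rules fails closed.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
    # Local tooling (EDR agent, local databases) keeps talking to itself.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT'
    # Analyst exceptions in BOTH directions, or SSH replies die in OUTPUT.
    for ip in "$@"; do
        printf '%s\n' "-A INPUT -s $ip -j ACCEPT" "-A OUTPUT -d $ip -j ACCEPT"
    done
    # Log what the host still tries to do; rate-limited so a beaconing implant
    # cannot flood the syslog you are about to collect as evidence.
    printf '%s\n' '-A INPUT -m limit --limit 20/sec --limit-burst 50 -j LOG --log-prefix "IR-ISOLATE-IN " --log-level 4'
    printf '%s\n' '-A OUTPUT -m limit --limit 20/sec --limit-burst 50 -j LOG --log-prefix "IR-ISOLATE-OUT " --log-level 4'
    printf '%s\n' '-A INPUT -j DROP' '-A OUTPUT -j DROP'
    printf '%s\n' 'COMMIT'
}

# Sanity check before applying: in each chain every ACCEPT must come before the
# first DROP, otherwise the analyst exception is unreachable. Reads a ruleset
# on stdin and returns 0 when the order is right, 1 otherwise.
check_rule_order() {
    awk '
        /^-A (INPUT|OUTPUT) / {
            chain = $2
            if ($0 ~ /-j DROP$/)                     seen_drop[chain] = 1
            if ($0 ~ /-j ACCEPT$/ && seen_drop[chain]) bad = 1
        }
        END { exit bad ? 1 : 0 }'
}
```

Applying the file replaces the whole filter table, which is acceptable while isolating a host but should go into the incident log, since any pre-existing host firewall rules are gone until recovery. The LOG lines (prefix `IR-ISOLATE-`) are the "monitor attacker behavior" part of partial containment: collect them with the rest of the volatile evidence.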

Resilient Network Design

Design for breach: micro-segmentation limits lateral movement, privileged access workstations (PAWs) protect admin credentials, out-of-band management networks can't be reached from compromised hosts, immutable backups (3-2-1 rule) enable recovery from ransomware, and deception technologies (honeypots, canary tokens) detect attackers early.

```bash
# 1. Preserve volatile evidence BEFORE isolating: firewall isolation ends the
#    live connections you may want to record, and power-off empties RAM.
mkdir -p /media/usb/evidence
ss -tunap > /media/usb/evidence/ss.txt       # live sockets with owning PIDs
ps auxf   > /media/usb/evidence/ps.txt       # process tree

# Capture volatile memory with LiME (https://github.com/504ensicsLabs/LiME).
# The module must be compiled against the exact running kernel, so build
# lime-$(uname -r).ko and stage it on the response USB during Preparation.
insmod "/media/usb/lime-$(uname -r).ko" "path=/media/usb/ram.lime format=lime"

# 2. Quickly isolate the compromised host. Insert the analyst exceptions FIRST
#    (in both directions, or the replies to the analyst die in OUTPUT), then
#    the blanket DROPs, so an SSH session is never cut off halfway through.
iptables -I INPUT  1 -s [ANALYST_IP] -j ACCEPT   # analyst -> host
iptables -I OUTPUT 1 -d [ANALYST_IP] -j ACCEPT   # host -> analyst
iptables -I INPUT  2 -j DROP
iptables -I OUTPUT 2 -j DROP

# Network IOC: block a C2 IP immediately (-I puts it ahead of any ACCEPT rule)
iptables -I OUTPUT 1 -d [C2_IP] -j DROP
# Or DNS blackhole: /etc/hosts maps NAME -> IP, so sinkhole the C2 hostname
echo '0.0.0.0 [C2_DOMAIN]' >> /etc/hosts

# Check for persistence (common locations)
crontab -l
ls -la /etc/cron.* /var/spool/cron/
cat /etc/rc.local
systemctl list-units --type=service | grep -v systemd
systemctl list-unit-files --type=service --state=enabled
```
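The persistence checks above print plenty of legitimate entries, and under time pressure the question is what changed. As an added example (not from the lesson), the POSIX shell below snapshots the common cron, systemd and rc persistence locations into a manifest of SHA-256 plus path and diffs it against a baseline captured in the Preparation phase; ROOT is / on the live host or the mount point of a forensic disk image. It assumes GNU coreutils (sha256sum, find) and the standard paths listed in PERSIST_DIRS and PERSIST_FILES; the demo tree it builds, including the fake cron job, is constructed.

```shell
#!/bin/sh
# Added example, not part of the lesson: snapshot the common Linux persistence
# locations into a manifest of "<sha256>  <path>" lines and diff it against a
# baseline taken in the Preparation phase, so triage starts from what changed
# rather than from everything that happens to be enabled.
# Assumptions: GNU coreutils (sha256sum, find) and a standard cron/systemd
# layout; ROOT is / on a live host or the mount point of a forensic image.

PERSIST_DIRS="etc/cron.d etc/cron.hourly etc/cron.daily etc/cron.weekly etc/cron.monthly var/spool/cron etc/systemd/system etc/init.d"
PERSIST_FILES="etc/crontab etc/rc.local etc/ld.so.preload root/.bashrc root/.ssh/authorized_keys"

# persist_manifest ROOT  -> sorted "<sha256>  <path relative to ROOT>" lines
persist_manifest() {
    root="${1:-/}"; root="${root%/}"        # "/" becomes "" so paths stay absolute
    {
        for d in $PERSIST_DIRS; do
            [ -d "$root/$d" ] && find "$root/$d" -type f
        done
        for f in $PERSIST_FILES; do
            [ -f "$root/$f" ] && printf '%s\n' "$root/$f"
        done
    } | while IFS= read -r path; do
        sum=$(sha256sum "$path" | cut -d' ' -f1)
        # Strip ROOT so a baseline from the live host compares against an image
        printf '%s  %s\n' "$sum" "${path#"$root"}"
    done | sort -k2
}

# persist_diff BASELINE_FILE ROOT -> prints entries absent from the baseline
# (new files or changed contents); returns 1 when there are any, 0 otherwise
persist_diff() {
    baseline="$1"; root="${2:-/}"
    current=$(persist_manifest "$root")
    [ -n "$current" ] || return 0
    changes=$(printf '%s\n' "$current" | grep -vxF -f "$baseline" || true)
    [ -n "$changes" ] || return 0
    printf '%s\n' "$changes"
    return 1
}

# Self-contained demo on a constructed directory tree (no real system touched):
# baseline a clean tree, then add a fake cron job and alter a unit file.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/cron.d" "$t/etc/systemd/system"
    printf '0 * * * * root /usr/bin/updatedb\n' > "$t/etc/cron.d/locate"
    printf '[Service]\nExecStart=/usr/sbin/sshd\n' > "$t/etc/systemd/system/sshd.service"
    persist_manifest "$t" > "$t/baseline.txt"
    # constructed post-compromise changes: a new cron job and a modified unit
    printf '* * * * * root /var/tmp/.cache/run.sh\n' > "$t/etc/cron.d/sysupdate"
    printf '[Service]\nExecStart=/var/tmp/.cache/sshd\n' > "$t/etc/systemd/system/sshd.service"
    echo "Changed since baseline:"
    persist_diff "$t/baseline.txt" "$t"
    rm -rf "$t"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with `--demo` to see the two flagged entries, or point `persist_manifest /` at a freshly built host and store the output with your IR kit; a baseline that lives on the compromised host is only as trustworthy as the host. Entries that exist in the baseline but have been deleted do not show up in this diff, so compare counts as well when a tidy-up by the attacker is suspected.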
💡 Preserve evidence before containment whenever possible. Acquire memory and image disks before isolating: isolation ends the live connections you may want to record, and once the host is powered off its volatile data is gone.
📝 Day 5 Exercise
Run a Tabletop IR Exercise
  1. Download NIST SP 800-61r2 (free PDF) and read the incident response lifecycle section
  2. Write a simple IR playbook for ransomware: detection steps, containment steps, communication plan
  3. Practice isolating a VM host using iptables rules while preserving analyst access
  4. Use Volatility (memory forensics tool) to analyze a sample memory dump from memory.samples.com
  5. Write a post-incident summary template with sections for timeline, root cause, and lessons learned

Day 5 Summary

  • NIST SP 800-61 defines the four-phase IR lifecycle
  • Containment options range from network isolation to full shutdown
  • Preserve volatile evidence before isolating — memory is gone after shutdown
  • Resilient design: micro-segmentation, PAWs, immutable backups, honeypots
  • Tabletop exercises test IR plans before real incidents reveal their gaps
Challenge

Using a malware PCAP and a sample memory dump from online repositories, perform a mini digital forensics investigation. Identify the infection vector, malware family, and IOCs. Write a 1-page incident report.
