wwc2025 / Cyber for Beginners

Lab 4 — Incident Response Basics

Incident Response Walkthrough: Roles, Evidence, and Decisions

Goal

Practice responding to a security incident in a structured, calm, and documented way instead of reacting impulsively.

This lab emphasizes:

  • Clear roles
  • Evidence preservation
  • Deliberate decision-making
  • Documentation before action

Scenario

A staff member reports unexpected MFA prompts on their account and is concerned someone may be trying to access it.

You are part of a small security response team tasked with handling the situation correctly.


Key Concepts

  • Incident response phases: Detection, Containment, Eradication, Recovery
  • Roles and responsibilities
  • Evidence handling
  • Why documentation matters early

What You’ll Do

You will use a web-based Incident Response Walkthrough to simulate the first part of a real response.

Step 1 — Assign Roles

In your group, assign:

  • Technical Responder — investigates and performs approved actions
  • Decision Maker — authorizes containment and recovery steps
  • Documentation Lead — records timeline, actions, and current status

(No need to enter names — just agree as a group.)


Step 2 — Choose Your First Actions

You have three “first actions” tokens, representing the first 15 minutes of response.

For each action:

  • Preview what evidence it preserves
  • Identify what evidence might be lost
  • Decide whether the tradeoff is worth it

⚠️ Some containment actions can remove valuable evidence if taken too early. Wiping a device or deleting a suspicious account before its activity has been captured, for example, cannot be undone later.


Step 3 — Review the Evidence Board

As actions are taken, evidence will be marked as:

  • Available
  • Preserved
  • Lost

Use this board to:

  • Assess how confident you are about what happened
  • Understand the impact of your decisions

Step 4 — Complete the Incident Record

Document:

  • What happened (confirmed vs suspected)
  • When it occurred (timeline so far)
  • Actions taken in the first 15 minutes
  • Current status

Your documentation should reflect what you actually know — not assumptions.


Step 5 — Decide Whether to Escalate

Based on the evidence you preserved (or lost), decide:

  • Do you escalate this as a likely incident?
  • Do you need more information first?
  • Or can it be handled as routine support?

Justify your decision clearly.
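The five steps above can be followed for the lab's scenario with nothing more than the sign-in log. The script below is an added example written for this handout; it is not part of the WWC Lab Hub and does not reproduce its evidence board. It fingerprints the raw log before anything is acted on (evidence preservation), summarises the MFA push activity for the reporting user (what is confirmed), separates confirmed facts from suspicions in an incident record (Step 4), and derives an escalation decision from the evidence rather than from instinct (Step 5). The log lines are constructed and synthetic, the field names are a made-up schema, and the ten-minute window and three-prompt threshold are illustrative assumptions, not a standard.

```python
"""Triage helper for the "unexpected MFA prompts" scenario.

Added example for the Lab 4 handout, not code from the Lab Hub.
The log schema, user names and thresholds are assumptions chosen
for illustration; adjust them to your own identity provider's export.
"""
import hashlib
import json
from collections import Counter
from datetime import datetime, timedelta

# Constructed, synthetic sign-in records (one JSON object per line).
RAW_LOG = """\
{"ts":"2025-03-04T09:00:12Z","user":"j.doe","event":"mfa_push","result":"denied","ip":"203.0.113.7","country":"BR"}
{"ts":"2025-03-04T09:00:41Z","user":"j.doe","event":"mfa_push","result":"denied","ip":"203.0.113.7","country":"BR"}
{"ts":"2025-03-04T09:01:05Z","user":"j.doe","event":"mfa_push","result":"denied","ip":"203.0.113.7","country":"BR"}
{"ts":"2025-03-04T09:01:30Z","user":"j.doe","event":"mfa_push","result":"approved","ip":"203.0.113.7","country":"BR"}
{"ts":"2025-03-04T09:01:33Z","user":"j.doe","event":"signin","result":"success","ip":"203.0.113.7","country":"BR"}
{"ts":"2025-03-04T09:05:10Z","user":"a.smith","event":"mfa_push","result":"approved","ip":"198.51.100.20","country":"US"}
{"ts":"2025-03-04T09:05:12Z","user":"a.smith","event":"signin","result":"success","ip":"198.51.100.20","country":"US"}
"""

WINDOW = timedelta(minutes=10)  # assumption: span in which repeated prompts count as a burst
BURST_THRESHOLD = 3             # assumption: this many prompts inside WINDOW is suspicious


def preserve(raw):
    """Fingerprint the raw log before anyone acts. Write this hash into the
    incident record so every later copy of the evidence can be verified."""
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()


def parse_log(raw):
    """Parse JSON lines into dicts with a datetime 'ts'.
    Malformed lines are counted, not silently dropped: gaps are evidence too."""
    records, malformed = [], 0
    for line in raw.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            records.append(rec)
        except (ValueError, KeyError, TypeError):
            malformed += 1
    return records, malformed


def mfa_summary(records, user):
    """Confirmed facts about one user's MFA pushes: counts by result, the largest
    number of prompts inside any WINDOW-long span, and the sources involved."""
    pushes = sorted((r for r in records if r["user"] == user and r["event"] == "mfa_push"),
                    key=lambda r: r["ts"])
    results = Counter(r["result"] for r in pushes)
    burst, start = 0, 0
    for end in range(len(pushes)):          # sliding window over sorted timestamps
        while pushes[end]["ts"] - pushes[start]["ts"] > WINDOW:
            start += 1
        burst = max(burst, end - start + 1)
    return {
        "user": user,
        "prompts": len(pushes),
        "denied": results["denied"],
        "approved": results["approved"],
        "burst": burst,
        "source_ips": sorted({r["ip"] for r in pushes}),
        "countries": sorted({r["country"] for r in pushes}),
        "first": pushes[0]["ts"].isoformat() if pushes else None,
        "last": pushes[-1]["ts"].isoformat() if pushes else None,
    }


def decide(summary):
    """Step 5: 'escalate', 'investigate' or 'routine', driven only by the summary."""
    if summary["burst"] >= BURST_THRESHOLD and summary["approved"] > 0:
        return "escalate"      # a burst of prompts and one of them was approved
    if summary["burst"] >= BURST_THRESHOLD or summary["denied"] > 0:
        return "investigate"   # prompts without approval: suspicious, but not confirmed
    return "routine"


def incident_record(raw, user):
    """Step 4: the record keeps confirmed facts apart from what is only suspected."""
    records, malformed = parse_log(raw)
    facts = mfa_summary(records, user)
    suspected = []
    if facts["burst"] >= BURST_THRESHOLD and facts["denied"] > 0:
        suspected.append("repeated pushes the user denied: possible MFA fatigue attempt")
    return {
        "evidence_sha256": preserve(raw),   # taken before any containment action
        "malformed_lines": malformed,
        "timeline": {"first_prompt": facts["first"], "last_prompt": facts["last"]},
        "confirmed": facts,
        "suspected": suspected,
        "decision": decide(facts),
    }


if __name__ == "__main__":
    print(json.dumps(incident_record(RAW_LOG, "j.doe"), indent=2))
```

Running it for `j.doe` reports four prompts inside the window, three denied and one approved from a single foreign address, and the decision `escalate`; for `a.smith` the same code returns `routine`. The point for the lab is the order of operations: the hash is computed from the untouched log first, the facts are derived from that log, and only then is a decision taken.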


Important Guardrails

  • All data is synthetic
  • No real systems or malware
  • Focus on process, not speed
  • Do not destroy evidence prematurely

Reflection Questions

Be ready to discuss:

  • Which actions felt tempting to take immediately?
  • What evidence would you want before containing?
  • How did lost evidence affect your confidence?
  • What should happen in the first 15 minutes of a real incident?

Getting Started

This lab runs through the WWC Lab Hub.

  1. Start the Lab Hub
  2. Launch Lab 4 — Incident Response: Evidence Preservation Challenge
  3. Work through the steps as a team

Your instructor may pause the lab for discussion or debrief.


Takeaway

Good incident response is not about panic or speed.

It is about:

  • Preserving evidence
  • Communicating clearly
  • Documenting decisions
  • Acting deliberately