- Cyber kill chain
- Qn: In which stage of the cyber kill chain is malware developed ?
- Ans: Weaponize
- Incident Handling Process Overview
- Qn: True or False: Incident Handling comprises two main activities. These are investigating and reporting.
- Ans: False
- This is false: within incident handling the two main activities are investigating and recovering. Reporting happens, but it is not one of the two main activities.
- Preparation Stage (Part 1)
- Qn: What should we have prepared and always ready to ‘grab and go’?
- Ans: jump bag
- A jump bag is a pre-packed kit of the tools needed to respond to an emergency. Putting one together can take days, so having it ready before an incident occurs is very important.
- Qn: True or False: Using baselines, we can discover deviations from the golden image, which aids us in discovering suspicious or unwanted changes to the configuration.
- Ans: True
- Baselines give us a gauge of what normal looks like. Without such a reference it would be very difficult to spot suspicious changes, because there would be nothing to compare the current state against.
- Preparation Stage (Part 2)
- Qn: What can we use to block phishing emails pretending to originate from our mail server?
- Ans: DMARC
- DMARC (Domain-based Message Authentication, Reporting & Conformance) lets a domain owner publish, as a DNS TXT record, how receivers should treat mail that claims to come from that domain but fails SPF and DKIM checks aligned with the From: domain (none, quarantine or reject), and where to send reports. A phishing email pretending to originate from our mail server fails that alignment check, so a receiver enforcing our policy can reject it.
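How a receiving mail server applies such a policy, as an added example (not code from the original walkthrough). The DMARC record is constructed for an assumed domain example.com; the SPF and DKIM verdicts are passed in as already-computed inputs, so no DNS lookups or signature checks happen here. The `pct` and `sp` tags are deliberately ignored to keep the example short.

```python
"""Simplified DMARC evaluation: alignment check plus policy lookup."""


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict and verify it is a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def organizational_domain(domain: str) -> str:
    """Assumption: the organizational domain is the last two labels.
    Real implementations consult the Public Suffix List instead."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the
    same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def dmarc_result(record, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return 'pass', or the disposition the domain owner asked for
    ('none', 'quarantine' or 'reject') when neither SPF nor DKIM is both
    passing and aligned with the RFC5322.From domain.

    spf_domain is the envelope MAIL FROM domain SPF was checked against;
    dkim_domain is the d= tag of a DKIM signature that verified."""
    tags = parse_dmarc_record(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")


# Constructed record for the assumed domain: reject on failure, strict DKIM
# alignment, relaxed SPF alignment, aggregate reports to a mailbox.
EXAMPLE_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    # Legitimate mail: envelope from a subdomain of ours, relaxed SPF alignment passes.
    print(dmarc_result(EXAMPLE_RECORD, "example.com", True, "mail.example.com", False, None))
    # Spoof: From: example.com but SPF passed for the attacker's own domain.
    print(dmarc_result(EXAMPLE_RECORD, "example.com", True, "attacker.example", False, None))
```

The second call is the phishing case from the question: the attacker's sending domain may well have a valid SPF record, but it is not aligned with the From: domain we are protecting, so the policy applies and the message is rejected.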
- Detection & Analysis Stage (Part 1)
- Qn: True or False: A third-party vendor can be a source of detecting a compromise.
- Ans: True
- A third-party vendor can indeed be a source of detecting a compromise. They might notify you if they discover signs of your organisation being compromised or if they identify anomalies or threats related to your systems.
- Detection & Analysis Stage (Part 2)
- Qn: During an investigation, we discovered a malicious file with an MD5 hash value of ‘b40f6b2c167239519fcfb2028ab2524a’. What do we usually call such a hash value in investigations? Answer format: Abbreviation
- Ans: IOC
- IOC stands for Indicator of Compromise: any piece of information that indicates a potential intrusion or malicious activity within a system or network. Examples of IOCs include:
- File hashes (e.g., MD5, SHA-1, SHA-256 hashes of malicious files)
- IP addresses used by attackers
- Domain names associated with malicious activities
- URLs used in phishing attacks
- Email addresses involved in malicious communications
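Putting those IOC types to work, as an added example (not code from the original walkthrough): a small scanner that extracts hashes, IPv4 addresses and domains from log lines and reports which ones match a known-bad set. The MD5 is the one from the question; the IP address, domain and log lines are constructed sample data, not real indicators.

```python
import hashlib
import re

# Constructed IOC set. Only the MD5 comes from the question above.
IOCS = {
    "md5": {"b40f6b2c167239519fcfb2028ab2524a"},
    "ipv4": {"203.0.113.5"},
    "domain": {"update-check.example"},
}

# Constructed log lines (proxy and EDR style) to scan.
SAMPLE_LOGS = [
    "2024-03-01T10:02:11Z proxy src=10.0.0.23 dst=203.0.113.5 host=update-check.example uri=/x.php",
    "2024-03-01T10:02:15Z edr host=WS01 file=C:\\Users\\bob\\AppData\\Local\\Temp\\svc.exe "
    "md5=B40F6B2C167239519FCFB2028AB2524A action=created",
    "2024-03-01T10:03:00Z proxy src=10.0.0.24 dst=198.51.100.7 host=www.example.com uri=/",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.IGNORECASE)


def file_md5(data: bytes) -> str:
    """Hash a suspect file's bytes so the result can be compared with hash IOCs.
    MD5 is still what many feeds publish, even though it is collision-prone."""
    return hashlib.md5(data).hexdigest()


def scan_log_lines(lines, iocs):
    """Return (line_number, ioc_type, value) for every IOC match.
    Values are normalised to lower case so hash and domain case does not matter."""
    hits = []
    for number, line in enumerate(lines, 1):
        for ip in IPV4_RE.findall(line):
            if ip in iocs["ipv4"]:
                hits.append((number, "ipv4", ip))
        for domain in DOMAIN_RE.findall(line):
            if domain.lower() in iocs["domain"]:
                hits.append((number, "domain", domain.lower()))
        for digest in MD5_RE.findall(line):
            if digest.lower() in iocs["md5"]:
                hits.append((number, "md5", digest.lower()))
    return hits


if __name__ == "__main__":
    for number, kind, value in scan_log_lines(SAMPLE_LOGS, IOCS):
        print(f"line {number}: {kind} IOC matched: {value}")
```

The third log line produces no hit even though it contains an IP address and a domain: extraction and matching are separate steps, and only values present in the IOC set are reported. In a real investigation the hashes and network indicators would be pulled from a threat-intelligence feed or from the artefacts already collected in the case.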
- Containment, Eradication & Recovery Stage
- Qn: True or False: Patching a system is considered a short term containment.
- Ans: False
- Patching removes the vulnerability that was exploited so that it cannot be exploited again, which makes it a long-term measure rather than short-term containment (short-term containment is quick action such as isolating the affected host from the network while the investigation continues).
- Post-incident Activity Stage
- Qn: True or False: We should train junior team members as part of these post-incident activities.
- Ans: True
This is just a quick overview of the topic Incident handling. I hope this walkthrough was useful to you. I decided to make this walkthrough both as a way to revise what I have learnt as well as to be able to help those who may be stuck. Just a disclaimer: my solutions may not be the best way to go about solving the problems. I suggest only using my solutions if you are really stuck and try to really understand the methods that go into solving the problems. If you have any questions feel free to reach out to me through LinkedIn. I will be making more walkthroughs for the Hack The Box SOC Pathway. All the best!