Security · Attacks & Response

Attacks & Incident Response

How real attacks unfold, and the calm playbook for when — not if — one lands.

Security Basics → Interview
01

The Attack Lifecycle

Real intrusions aren’t one magic exploit — they’re a chain of stages (the “kill chain”). Understanding it lets defenders break the chain at any link, and lets you answer “walk me through an attack” with structure:

StageAttacker doesDefender counters
ReconMap targets, employees, techMinimize public exposure, monitor scanning
Initial accessPhish, exploit, stolen credsMFA, patching, email filtering
Execution / footholdRun payload, establish persistenceEDR, least privilege, allowlisting
Privilege escalationGain admin/rootPatching, minimal privileged accounts
Lateral movementSpread to other systemsSegmentation, unique credentials
Exfiltration / impactSteal data, deploy ransomwareEgress monitoring, backups, DLP
You don’t need to stop every stage — breaking any link stops the attack. Defense in depth means each stage meets a fresh control, so the attacker needs to win repeatedly while you need to win once.
02

Why Phishing Still Wins

The most common initial-access vector isn’t a clever exploit — it’s a convincing email. Phishing bypasses every technical control by targeting the human: a fake login page harvests credentials, an attachment runs a payload. Social engineering is manipulation, not hacking, and it works because urgency and authority override caution.

Defenses that actually help
  • Phishing-resistant MFA (hardware keys / passkeys)
  • Email authentication: SPF, DKIM, DMARC
  • Realistic training + easy reporting button
  • Least privilege so stolen creds do less
Why it keeps working
  • One click from thousands of targets
  • Spoofed senders, look-alike domains
  • Urgency defeats scrutiny (“CEO needs this now”)
  • Passwords are reused and phishable
This is why phishing-resistant MFA matters: hardware keys and passkeys bind to the real domain, so even a user fooled into typing on a fake site can’t complete the login — the key refuses to sign for the wrong origin.
03

The Incident Response Playbook

When an incident lands, ad-hoc panic makes it worse. The standard PICERL lifecycle gives a calm sequence:

PhaseGoalTrap to avoid
PreparationPlan, tooling, backups, contacts readyWriting the plan during the incident
IdentificationConfirm it’s real, scope itAlert fatigue hiding the real signal
ContainmentStop the spread (isolate, revoke)Tipping off the attacker too early / too late
EradicationRemove the foothold, close the holeRe-imaging without fixing root cause
RecoveryRestore service, verify integrityRestoring from a compromised backup
Lessons learnedBlameless postmortem, fix systemicallyBlaming a person, skipping the retro

Contain before you investigate the world. The instinct to fully understand first lets the attacker keep working; isolate the blast radius, then analyze from a position of safety.

04

Blameless Postmortems & Getting Started

The final phase is where security actually improves. A blameless postmortem assumes good people hit bad systems: ask what conditions allowed the mistake, not who made it. Blame drives incidents underground; the goal is systemic fixes and a team that reports problems early.

Starting a security career or hardening a team? The highest-leverage moves are unglamorous: turn on MFA everywhere, patch on a cadence, enforce least privilege, keep tested backups offline, and log enough to answer “what happened?”. Legal, ethical practice only — learn attacks to defend, always with explicit authorization (your own lab, CTFs, or a signed engagement).

05

Interview Questions

Walk me through how a ransomware attack typically unfolds.

Phishing or exploited edge service for initial access → payload and persistence → privilege escalation → lateral movement across a flat network → exfiltrate data (for double extortion) → detonate encryption. Each stage is a place to break the chain: MFA, patching, segmentation, egress monitoring, offline backups.

First hour of a confirmed breach — what do you do?

Contain before investigating everything: isolate affected hosts, revoke suspect credentials and sessions, preserve evidence (don’t wipe). Then scope it, eradicate the foothold, recover from known-good backups, and run a blameless postmortem. Preparation is what makes this calm rather than chaotic.

Why blameless postmortems?

Blame makes people hide mistakes, so you lose the information needed to prevent recurrence. Assuming good people met bad systems surfaces the real causes — missing guardrails, confusing tooling — and produces systemic fixes plus a culture that reports early.

Why does phishing-resistant MFA matter more than “MFA”?

SMS/TOTP codes are phishable — a fake site relays them in real time. Hardware keys and passkeys bind the credential to the real origin and refuse to authenticate to a look-alike domain, defeating the credential-relay that beats basic MFA.

Quick Quiz

1. Breaking any single stage of the kill chain…
2. The most common initial-access vector is…
3. In incident response you should generally…
4. Phishing-resistant MFA (passkeys) beats TOTP because it…
5. A blameless postmortem focuses on…