Attacks & Incident Response
How real attacks unfold, and the calm playbook for when — not if — one lands.
The Attack Lifecycle
Real intrusions aren’t one magic exploit — they’re a chain of stages (the “kill chain”). Understanding it lets defenders break the chain at any link, and lets you answer “walk me through an attack” with structure:
| Stage | Attacker does | Defender counters |
|---|---|---|
| Recon | Map targets, employees, tech | Minimize public exposure, monitor scanning |
| Initial access | Phish, exploit, stolen creds | MFA, patching, email filtering |
| Execution / foothold | Run payload, establish persistence | EDR, least privilege, allowlisting |
| Privilege escalation | Gain admin/root | Patching, minimal privileged accounts |
| Lateral movement | Spread to other systems | Segmentation, unique credentials |
| Exfiltration / impact | Steal data, deploy ransomware | Egress monitoring, backups, DLP |
Why Phishing Still Wins
The most common initial-access vector isn’t a clever exploit — it’s a convincing email. Phishing bypasses every technical control by targeting the human: a fake login page harvests credentials, an attachment runs a payload. Social engineering is manipulation, not hacking, and it works because urgency and authority override caution.
- Phishing-resistant MFA (hardware keys / passkeys)
- Email authentication: SPF, DKIM, DMARC
- Realistic training + easy reporting button
- Least privilege so stolen creds do less
- One click from thousands of targets
- Spoofed senders, look-alike domains
- Urgency defeats scrutiny (“CEO needs this now”)
- Passwords are reused and phishable
The Incident Response Playbook
When an incident lands, ad-hoc panic makes it worse. The standard PICERL lifecycle gives a calm sequence:
| Phase | Goal | Trap to avoid |
|---|---|---|
| Preparation | Plan, tooling, backups, contacts ready | Writing the plan during the incident |
| Identification | Confirm it’s real, scope it | Alert fatigue hiding the real signal |
| Containment | Stop the spread (isolate, revoke) | Tipping off the attacker too early / too late |
| Eradication | Remove the foothold, close the hole | Re-imaging without fixing root cause |
| Recovery | Restore service, verify integrity | Restoring from a compromised backup |
| Lessons learned | Blameless postmortem, fix systemically | Blaming a person, skipping the retro |
Contain before you investigate the world. The instinct to fully understand first lets the attacker keep working; isolate the blast radius, then analyze from a position of safety.
Blameless Postmortems & Getting Started
The final phase is where security actually improves. A blameless postmortem assumes good people hit bad systems: ask what conditions allowed the mistake, not who made it. Blame drives incidents underground; the goal is systemic fixes and a team that reports problems early.
Starting a security career or hardening a team? The highest-leverage moves are unglamorous: turn on MFA everywhere, patch on a cadence, enforce least privilege, keep tested backups offline, and log enough to answer “what happened?”. Legal, ethical practice only — learn attacks to defend, always with explicit authorization (your own lab, CTFs, or a signed engagement).
Interview Questions
Walk me through how a ransomware attack typically unfolds.
Phishing or exploited edge service for initial access → payload and persistence → privilege escalation → lateral movement across a flat network → exfiltrate data (for double extortion) → detonate encryption. Each stage is a place to break the chain: MFA, patching, segmentation, egress monitoring, offline backups.
First hour of a confirmed breach — what do you do?
Contain before investigating everything: isolate affected hosts, revoke suspect credentials and sessions, preserve evidence (don’t wipe). Then scope it, eradicate the foothold, recover from known-good backups, and run a blameless postmortem. Preparation is what makes this calm rather than chaotic.
Why blameless postmortems?
Blame makes people hide mistakes, so you lose the information needed to prevent recurrence. Assuming good people met bad systems surfaces the real causes — missing guardrails, confusing tooling — and produces systemic fixes plus a culture that reports early.
Why does phishing-resistant MFA matter more than “MFA”?
SMS/TOTP codes are phishable — a fake site relays them in real time. Hardware keys and passkeys bind the credential to the real origin and refuse to authenticate to a look-alike domain, defeating the credential-relay that beats basic MFA.