PICERL · Chain of Custody · IR Roles · MITRE ATT&CK · IOCs · Threat Intelligence
The foundation of GCIH. Every incident handler must master the structured response lifecycle, evidence handling principles, and threat intelligence frameworks before tackling attacker techniques.
| Topic | Key Concepts |
|---|---|
| 1. Incident Handling Process | PICERL, chain of custody, IR team roles, MITRE ATT&CK, IOCs, threat intelligence |
| 2. Reconnaissance & Scanning | OSINT, Nmap, vulnerability scanning, passive vs active recon |
| 3. Exploitation & Web Attacks | Password attacks, buffer overflows, social engineering, SQLi, XSS, CSRF |
| 4. Network Attacks & IDS | ARP poisoning, DoS/DDoS, packet analysis, IDS/IPS evasion, NetFlow |
| 5. Malware & Lateral Movement | Malware types, C2, persistence, Pass-the-Hash, YARA, memory forensics |
Preparation → Identification → Containment → Eradication → Recovery → Lessons Learned. The most tested framework in GCIH. Every incident response action maps to one of these phases.
Documented record of who collected evidence, when, where it was stored, and who had access. A broken chain can render evidence inadmissible in court. Hash all evidence immediately with SHA-256 to prove integrity.
Framework mapping adversary Tactics (why), Techniques (how), and Procedures (specific implementation). 14 tactics from Reconnaissance through Impact. Used for threat hunting, detection engineering, and red team exercises.
IOCs (Indicators of Compromise): IP addresses, file hashes, domains — burn fast (attacker changes them easily). TTPs (Tactics, Techniques, Procedures): behavioral patterns — persist longer, harder to change. TTPs are more valuable for long-term defense.
Short-term: Stop the bleeding immediately (isolate system, block IP, disable account). Long-term: Durable fix without disrupting operations. Always contain before eradicating — rushing to clean up lets attackers pivot.
David Bianco's model of IOC value: Hash → IP Address → Domain → Network Artifact → Host Artifact → Tool → TTPs (hardest for attacker to change = most painful to lose). Focus detection on higher pyramid levels.
The GCIH exam often asks you to pick the correct NEXT step. Remember: Identification comes before Containment — you must confirm an incident exists before acting. Containment precedes Eradication — never clean up while the attacker still has access.
Document and photograph before touching anything. Volatile evidence (RAM, running processes, network connections) disappears on reboot — capture it first. Order of volatility: Registers/cache → RAM → Swap → Disk → Remote logs → Archive media.
Know when to involve law enforcement. Computer Fraud and Abuse Act (CFAA) in the US applies to unauthorized access. Wiretap Act governs network monitoring. Always get legal counsel before conducting offensive action — even on your own network.
The six-phase incident response lifecycle is the backbone of GCIH. Every question about what to do next maps back to one of these phases.
Build IR capability before incidents occur. Includes: IR policy and plan, team formation (CSIRT), communication trees, incident classification criteria, jump bags, forensic tools, legal retainers, tabletop exercises, threat intelligence subscriptions. Goal: be ready before the breach happens.
Determine whether an event is actually an incident. Sources: SIEM alerts, IDS/IPS, user reports, threat intelligence, SOC analysts. Key questions: What systems are affected? When did it start? Is it still active? Establish a ticket/timeline immediately. Declare an incident when confirmed.
Short-term: Immediately limit damage — network isolate affected systems, block attacker IPs, disable compromised accounts, null-route C2 domains. Long-term: Implement durable controls — ACL changes, firewall rules, credential resets — that can be maintained while business continues. Do NOT reboot or wipe yet — preserve forensic evidence.
Remove all traces of the attacker from the environment. Actions: delete malware, close backdoors, patch the exploited vulnerabilities, remove rogue accounts, clean infected systems. Verify eradication is complete before proceeding. Failing to find all persistence mechanisms = reinfection.
Restore systems to normal operation. Restore from known-good backups, rebuild from clean images, re-enable services in a controlled manner. Monitor closely post-recovery for signs of reinfection. Define success criteria — what does "recovered" look like? Gradual return to production, not all-at-once.
Post-incident review within 2 weeks. Questions: What happened? What was the timeline? What did we do well? What could be improved? Update IR plan, runbooks, detection rules, and training based on findings. This phase feeds back into Preparation, making the cycle self-improving.
| Severity | Description | Response Time | Examples |
|---|---|---|---|
| Critical (P1) | Active breach, data exfiltration, ransomware spreading | Immediate (<1 hr) | Ransomware outbreak, confirmed APT, active data theft |
| High (P2) | Compromise confirmed, limited spread | <4 hours | Single workstation malware, credential breach discovered |
| Medium (P3) | Suspicious activity, unconfirmed breach | <24 hours | Phishing email opened, unusual login pattern |
| Low (P4) | Policy violation, minimal risk | Best effort | Employee on unauthorized website, external port scan |
1. CPU registers, cache
2. RAM (running processes, network sockets, encryption keys)
3. Network connections and routing tables
4. Running processes and services
5. Open files and handles
6. Swap/page file
7. Hard disk contents (file system, logs, artifacts)
8. Remote logging and monitoring data
9. Physical configuration (hardware)
10. Archived media (backup tapes, offsite backups)
Key: collect RAM before rebooting — rebooting destroys all volatile evidence. Use WinPmem (Windows) or LiME (Linux) for live memory acquisition, then analyze the capture with Volatility.
Effective incident response requires both the right team structure and rigorous evidence handling procedures. Legal admissibility depends on proper chain of custody.
| Role | Responsibilities |
|---|---|
| IR Manager / Incident Commander | Overall coordination, decision authority, executive communication, escalation decisions |
| Lead Analyst / Technical Lead | Technical investigation, directs forensics, determines attacker TTPs, scoping |
| Forensic Analyst | Evidence collection and preservation, disk/memory imaging, artifact analysis |
| Malware Analyst | Static and dynamic malware analysis, IOC extraction, capability assessment |
| Threat Hunter | Proactive search for attacker presence not detected by alerts |
| Legal Counsel | Advises on law enforcement notification, evidence handling legality, disclosure requirements |
| Communications Lead | Internal and external communications, PR coordination, regulatory notifications |
| IT/Operations Support | System access, network changes, backup restoration, business continuity |
• Who collected the evidence (name, role)
• Date, time, and location of collection
• Description of evidence (make, model, serial, hash)
• Every transfer: who gave to whom, when
• Storage location and access controls
• Any analysis performed and by whom
Hash evidence immediately upon collection using SHA-256 (not MD5 — collisions possible). Store hash separately from evidence. Re-hash before and after each analysis to prove no tampering. Work on forensic copies — never the original. Write-blockers prevent accidental modification of physical media.
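The chain-of-custody checklist and the hashing rules above, as an added worked example (not code from the original study guide): an append-only custody log that records who, when and where at every hand-off, hashes the evidence with SHA-256 at collection, forces analysts onto a verified working copy, and re-hashes before and after each analysis step so any write to the original is caught. The evidence bytes, custodian names, locations and tool names are constructed sample data.

```python
"""Chain-of-custody record with SHA-256 integrity checks.

Added example, not code from the original study guide. The evidence
content, custodian names, locations and tool names are constructed
sample data; a real record references the actual evidence item.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so a multi-GB disk image never has to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


class CustodyRecord:
    """One evidence item and its append-only custody log.

    Every entry records who, when, where and the SHA-256 at that moment,
    so any change to the original shows up as a hash mismatch.
    """

    def __init__(self, original: Path, collector: str, location: str, description: str):
        self.original = Path(original)
        self.collection_hash = sha256_file(self.original)  # hash at collection time
        self.log: list[dict] = []
        self._append("collected", collector, location, description)

    def _append(self, event: str, actor: str, location: str, notes: str) -> dict:
        entry = {
            "event": event,
            "actor": actor,
            "location": location,
            "notes": notes,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "sha256": sha256_file(self.original),  # re-hashed at every custody event
        }
        self.log.append(entry)
        return entry

    def transfer(self, from_actor: str, to_actor: str, location: str) -> dict:
        return self._append("transfer", to_actor, location, f"handed over by {from_actor}")

    def working_copy(self, dest: Path) -> Path:
        """Analysts work on a verified copy; the original is never opened for writing."""
        dest = Path(dest)
        shutil.copyfile(self.original, dest)
        if sha256_file(dest) != self.collection_hash:
            raise RuntimeError("working copy does not match the collected evidence")
        self._append("copied", "system", str(dest.parent), "verified working copy created")
        return dest

    def analysis(self, analyst: str, tool: str, run) -> dict:
        """Hash before and after an analysis step; `run` receives the original path."""
        before = sha256_file(self.original)
        run(self.original)
        after = sha256_file(self.original)
        entry = self._append("analysis", analyst, "lab", f"{tool}; intact={before == after}")
        entry["intact"] = before == after
        return entry

    def verify(self) -> bool:
        """True if the original still hashes to its collection-time value."""
        return sha256_file(self.original) == self.collection_hash

    def save_log(self, dest: Path) -> None:
        """The log and hashes are stored apart from the evidence itself."""
        payload = {"collection_hash": self.collection_hash, "log": self.log}
        Path(dest).write_text(json.dumps(payload, indent=2))


def _buggy_tool(path: Path) -> None:
    """Constructed misbehaving tool: appends a byte to the original evidence."""
    with open(path, "ab") as fh:
        fh.write(b"X")


def demo() -> dict:
    """Constructed scenario: collect, hand over, copy, read-only analysis, then a tampering write."""
    work = Path(tempfile.mkdtemp())
    evidence = work / "memory.raw"  # placeholder name for a captured RAM image
    evidence.write_bytes(b"CONSTRUCTED SAMPLE MEMORY IMAGE\n" * 64)

    rec = CustodyRecord(evidence, "A. Handler", "Evidence locker 1", "RAM capture (constructed sample)")
    rec.transfer("A. Handler", "B. Analyst", "Forensics lab")
    copy = rec.working_copy(work / "memory.raw.copy")
    read_only = rec.analysis("B. Analyst", "strings (read-only)", lambda p: p.read_bytes())
    tampered = rec.analysis("B. Analyst", "buggy tool", _buggy_tool)
    rec.save_log(work / "custody.json")
    return {
        "collection_hash": rec.collection_hash,
        "copy_matches": sha256_file(copy) == rec.collection_hash,
        "read_only_intact": read_only["intact"],
        "tampered_intact": tampered["intact"],
        "verify_after_tamper": rec.verify(),
        "log_events": [e["event"] for e in rec.log],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The read-only step leaves `intact=True`; the buggy tool's single appended byte flips both the analysis entry and `verify()` to false, which is exactly the mismatch a court challenge would look for. Real workflows add a write-blocker in front of physical media so the original cannot be modified even by mistake.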
Computer Fraud and Abuse Act (CFAA): US law criminalizing unauthorized computer access. Even defenders must have authorization to access systems. Wiretap Act: governs real-time monitoring of communications. Always have written authorization before conducting network monitoring or forensics.
| Type | Examples | Handling Notes |
|---|---|---|
| Digital — Volatile | RAM contents, running processes, network connections, ARP cache | Capture immediately; lost on power-off |
| Digital — Non-Volatile | Hard disk, USB drives, logs, config files | Forensic image with write-blocker; hash before/after |
| Network | PCAP files, NetFlow, firewall logs, SIEM events | Time-sync critical; preserve raw captures |
| Physical | Hardware, printouts, sticky notes with passwords | Photo in place before moving; bag and tag |
| Testimonial | Witness statements, user accounts of events | Document immediately; separate witnesses |
Simulate incident scenarios in a discussion-based format — no actual systems affected. Tests: decision-making, communication flows, role clarity, gap identification in the IR plan. Should involve: IR team, legal, executives, IT, communications, and business stakeholders.
Ransomware outbreak · CEO email compromise (BEC) · Data breach of customer PII · Insider threat exfiltration · Supply chain compromise · DDoS attack on critical services · Credential stuffing attack on web application
Document: what decisions were made, what gaps were identified, what the plan says vs what actually happened. Update IR playbooks based on findings. Schedule follow-up exercise to validate improvements. Frequency: at least annually, after major org changes, or after real incidents.
Threat intelligence transforms raw data into actionable knowledge about adversaries. MITRE ATT&CK provides a common language for describing attacker behavior.
| ID | Tactic | What the Attacker Is Doing | Example Technique |
|---|---|---|---|
| TA0043 | Reconnaissance | Gathering information before attacking | Active Scanning, OSINT |
| TA0042 | Resource Development | Building attack infrastructure | Acquire infrastructure, develop tools |
| TA0001 | Initial Access | Getting a foothold | Spearphishing, exploit public-facing app |
| TA0002 | Execution | Running malicious code | PowerShell, WMI, scheduled tasks |
| TA0003 | Persistence | Maintaining foothold across reboots | Registry run keys, startup folder, services |
| TA0004 | Privilege Escalation | Gaining higher permissions | Token impersonation, exploit SUID |
| TA0005 | Defense Evasion | Avoiding detection | Obfuscation, timestomping, LOLBins |
| TA0006 | Credential Access | Stealing credentials | Mimikatz, keylogging, Kerberoasting |
| TA0007 | Discovery | Learning the environment | Network scanning, AD enumeration |
| TA0008 | Lateral Movement | Moving through the network | Pass-the-Hash, PsExec, RDP |
| TA0009 | Collection | Gathering data of interest | Data staged, screen capture, keylogging |
| TA0011 | Command & Control | Communicating with compromised systems | HTTPS C2, DNS tunneling, domain fronting |
| TA0010 | Exfiltration | Stealing data out of the environment | Exfil over C2, cloud storage upload |
| TA0040 | Impact | Manipulating, destroying, or disrupting | Ransomware, disk wipe, defacement |
MD5/SHA-256 file hashes of malicious files. Easiest to block — add hash to blocklist. But trivial for attacker to change — recompile or add a byte. Useful for known malware identification but not durable detection.
C2 server IPs, scanner IPs. Easy to block at firewall. Attacker rotates IPs constantly — burned within hours. Still useful for short-term containment and correlation with threat intel feeds.
Malicious domains used for C2, phishing, malware delivery. Block at DNS. Attacker registers new domains — takes more effort than new IPs. DGA (Domain Generation Algorithm) domains are especially hard to block.
Network artifacts: unusual user-agents, URI patterns, protocol abnormalities in traffic. Host artifacts: registry keys, file paths, mutex names, scheduled task names. These take real attacker effort to change and are good behavioral indicators.
Specific attacker tools: Mimikatz, Cobalt Strike, BloodHound. Blocking known tools forces attacker to develop or acquire new ones. Tool signatures in AV/EDR. Attackers often customize tools to evade tool-based detection.
Attacker behaviors and techniques — hardest to change because they reflect the attacker's core methodology. Detection at this level forces the adversary to rethink their entire approach. Behavioral detection in EDR/SIEM targets this level.
| Standard | Purpose | Format |
|---|---|---|
| STIX (Structured Threat Info Expression) | Describes threat intelligence objects (indicators, campaigns, actors) | JSON |
| TAXII (Trusted Automated eXchange of Indicator Info) | Transport mechanism for sharing STIX content | HTTPS API |
| OpenIOC | Mandiant's format for expressing IOCs in machine-readable form | XML |
| MISP (Malware Info Sharing Platform) | Open-source threat intelligence platform for sharing IOCs | JSON/XML |
| ISACs (Info Sharing & Analysis Centers) | Sector-specific threat sharing (FS-ISAC, H-ISAC, etc.) | Various |
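Tying the Pyramid of Pain levels above to the STIX format in the table, as an added example that is not part of the original guide or the STIX project's own code: it validates raw IOCs (hash, IP, domain, host and network artifacts), wraps each in a STIX 2.1 `indicator` object with a proper pattern, tags it with its pyramid level in an `x_`-prefixed custom property, and bundles them. All indicator values are constructed samples and the level numbers are this example's own.

```python
"""Build STIX 2.1 indicators from IOCs and tag each with its Pyramid of Pain level.

Added example, not from the original study guide or from the STIX project.
Every indicator value is a constructed sample; the pain levels follow the
page's ordering (hash < IP < domain < network/host artifact < tool < TTP)
and the numbering is this example's own.
"""
import ipaddress
import json
import re
import uuid
from datetime import datetime, timezone

# kind -> (STIX 2.1 pattern template, Pyramid of Pain level)
IOC_KINDS = {
    "md5": ("[file:hashes.MD5 = '{v}']", 1),
    "sha256": ("[file:hashes.'SHA-256' = '{v}']", 1),
    "ipv4": ("[ipv4-addr:value = '{v}']", 2),
    "domain": ("[domain-name:value = '{v}']", 3),
    "user-agent": ("[network-traffic:extensions.'http-request-ext'.request_header.'User-Agent' = '{v}']", 4),
    "registry-key": ("[windows-registry-key:key = '{v}']", 4),
    "mutex": ("[mutex:name = '{v}']", 4),
}
PAIN_NAMES = {1: "hash", 2: "ip-address", 3: "domain", 4: "artifact", 5: "tool", 6: "ttp"}

_HEX_LEN = {"md5": 32, "sha256": 64}
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def is_valid(kind: str, value: str) -> bool:
    """Reject malformed values before they reach a blocklist or a sharing feed."""
    if kind in _HEX_LEN:
        return re.fullmatch(r"[0-9a-fA-F]{%d}" % _HEX_LEN[kind], value) is not None
    if kind == "ipv4":
        try:
            return ipaddress.ip_address(value).version == 4
        except ValueError:
            return False
    if kind == "domain":
        return _DOMAIN_RE.match(value) is not None
    return kind in IOC_KINDS and bool(value)


def _stix_timestamp() -> str:
    """STIX timestamps are UTC, millisecond precision, trailing Z."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def _escape(value: str) -> str:
    """STIX string literals escape backslash and single quote with a backslash."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def build_indicator(kind: str, value: str, name: str) -> dict:
    if not is_valid(kind, value):
        raise ValueError(f"invalid {kind} value: {value!r}")
    template, level = IOC_KINDS[kind]
    now = _stix_timestamp()
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": template.format(v=_escape(value)),
        "pattern_type": "stix",
        "valid_from": now,
        # custom property (x_ prefix, per STIX convention) carrying the pyramid level
        "x_pyramid_of_pain": {"level": level, "name": PAIN_NAMES[level]},
    }


def build_bundle(indicators) -> dict:
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(indicators)}


def pain_summary(bundle: dict) -> dict:
    """Count indicators per pyramid level: a feed that is all hashes and IPs burns fast."""
    counts: dict = {}
    for obj in bundle["objects"]:
        level_name = obj["x_pyramid_of_pain"]["name"]
        counts[level_name] = counts.get(level_name, 0) + 1
    return counts


if __name__ == "__main__":
    sample = [  # constructed values
        ("sha256", "a" * 64, "dropper (sample hash)"),
        ("ipv4", "198.51.100.7", "C2 address (documentation range)"),
        ("domain", "c2.example.net", "C2 domain (sample)"),
        ("registry-key", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "persistence key"),
    ]
    bundle = build_bundle(build_indicator(k, v, n) for k, v, n in sample)
    print(json.dumps(bundle, indent=2))
    print(pain_summary(bundle))
```

The resulting bundle is plain JSON that a TAXII server or MISP import can consume; `pain_summary` makes the point of the pyramid measurable, since a feed dominated by level 1 and 2 indicators gives little durable detection.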