
Defensive Security Lecture – What SEC Consult Told Us About Phases of a Cyber Crisis
🚨 Intro
Today we had a guest lecture in our Digital Forensics class, held by a consultant from SEC Consult, a cybersecurity company that offers everything from penetration testing to fully managed incident response.
They walked us through the phases of a cyber crisis, sharing practical insights drawn from real-world cases. It was quite interesting stuff, especially since it wasn’t just theoretical knowledge but based on actual experiences.
The focus on operational rather than legal-grade forensics was not an ideal fit for our course, which is about the latter, but it took us down a different and worthwhile route.
🔍 Active vs Passive Security
SEC Consult positions itself as both a preventive and reactive player:
- On one side: classic penetration testing and security assessments.
- On the other: Managed Incident Response — basically full-scale crisis handling when the red lights are already flashing.
They stressed a practical truth:
“In real-world incidents, you’re usually doing security forensics — not courtroom-grade forensics.”
In other words: move fast, find the problem, stop the damage. Legal admissibility comes second.
🌐 Threat Landscape: Modern Crisis Drivers
We also got an overview of how SEC sees the modern threat landscape. Key players and trends:
- Hacktivists → politically motivated attacks (e.g. defacements, DDoS)
- FIN groups → financially motivated, often sophisticated
- APTs (Advanced Persistent Threats) → state-sponsored, resource-heavy, long-term compromise strategies
They explained how the Unified Kill Chain provides a broader modern view compared to MITRE ATT&CK or Lockheed’s original kill chain — by emphasizing:
- Entry vectors (In)
- Internal movement and escalation (Through)
- Exfiltration or impact (Out)
This more holistic breakdown helps defenders see attacks as multi-phase operations rather than isolated events.
🛠️ Tools and Techniques
We touched on tools like Mimikatz — simple in use, powerful in impact. It’s still effective against misconfigured or under-protected environments.
The point: attackers don’t always use zero-days. Simple tools + bad configs = compromise.
🔁 Incident Response Lifecycle
SEC Consult follows a clear incident response lifecycle, which maps closely to standard models like NIST but with practical emphasis:
- Detection: may come from internal logs, external notifications, or even customers
- Containment: segment the damage, isolate systems, avoid lateral movement
- Eradication: remove the cause — malware, persistence mechanisms, rogue accounts
- Recovery: restore clean backups, bring services back, validate integrity
- Lessons Learned: timeline analysis, policy review, process improvement
They pointed us to Backdoors & Breaches — a great tabletop tool for IR training that simulates attack scenarios in a card-game format. Definitely something I want to try out in my own practice.
🧠 Final Thoughts
What stuck with me the most was the emphasis on realism over perfection.
In a cyber crisis, speed and clarity beat formality. Knowing what to log, who to contact, and how to act makes all the difference.
This session gave me a better idea of how fast-moving, high-stakes incident response can feel — and how good preparation is the only real defense.
Let me know if you want a printable version of this post or a companion checklist for incident response flow.
I’ll definitely be diving deeper into killchains and tabletop scenarios in the research section soon.