Niklas Heringer - Cybersecurity Blog

Defensive Security Lecture – What SEC Consult Told Us About Phases of a Cyber Crisis

🚨 Intro

Today we had a guest lecture in our Digital Forensics class, held by a consultant from SEC Consult, a cybersecurity company that offers everything from penetration testing to fully managed incident response.

They walked us through the phases of a cyber crisis, sharing practical insights drawn from real-world cases. It was quite interesting stuff, especially since it wasn’t just theoretical knowledge but based on actual experiences.

The focus on operational rather than legal-grade forensics was not an ideal fit for our course, which is about the latter, but it took us down another interesting route.


🔍 Active vs Passive Security

SEC Consult positions itself as both a preventive and reactive player:

They stressed a practical truth:

“In real-world incidents, you’re usually doing security forensics — not courtroom-grade forensics.”

In other words: move fast, find the problem, stop the damage. Legal admissibility comes second.


🌐 Threat Landscape: Modern Crisis Drivers

We also got an overview of how SEC sees the modern threat landscape. Key players and trends:

They explained how the Unified Kill Chain provides a broader modern view compared to MITRE ATT&CK or Lockheed’s original kill chain — by emphasizing:

This more holistic breakdown helps defenders see attacks as multi-phase operations rather than isolated events.


🛠️ Tools and Techniques

We touched on tools like Mimikatz — simple in use, powerful in impact. It’s still effective against misconfigured or under-protected environments.

The point: attackers don’t always use zero-days. Simple tools + bad configs = compromise.


🔁 Incident Response Lifecycle

SEC Consult follows a clear incident response lifecycle, which maps closely to standard models like NIST but with practical emphasis:

  1. Detection
    • May come from internal logs, external notifications, or even customers
  2. Containment
    • Segment the damage, isolate systems, avoid lateral movement
  3. Eradication
    • Remove the cause — malware, persistence mechanisms, rogue accounts
  4. Recovery
    • Restore clean backups, bring services back, validate integrity
  5. Lessons Learned
    • Timeline analysis, policy review, process improvement

They pointed us to Backdoors & Breaches — a great tabletop tool for IR training that simulates attack scenarios in a card-game format. Definitely something I want to try out in my own practice.


🧠 Final Thoughts

What stuck with me the most was the emphasis on realism over perfection.
In a cyber crisis, speed and clarity beat formality. Knowing what to log, who to contact, and how to act makes all the difference.

This session gave me a better idea of how fast-moving, high-stakes incident response can feel — and how good preparation is the only real defense.


Let me know if you want a printable version of this post or a companion checklist for incident response flow.
I’ll definitely be diving deeper into kill chains and tabletop scenarios in the research section soon.