Defensive Security Lecture – What SEC Consult Told Us About Phases of a Cyber Crisis
Today we had a guest lecture in our Digital Forensics class, held by a consultant from SEC Consult, a cybersecurity company that offers everything from penetration testing to fully managed incident response.
They walked us through the phases of a cyber crisis, sharing practical insights drawn from real-world cases. It was quite interesting stuff, especially since it wasn't just theoretical knowledge but based on actual experiences.
The focus on operational rather than legal-grade forensics was not an ideal fit for our course, which is about the latter, but it showed us a different route.
Active vs Passive Security
SEC Consult positions itself as both a preventive and reactive player:
- On one side: classic penetration testing and security assessments.
- On the other: Managed Incident Response, basically full-scale crisis handling when the red lights are already flashing.
They stressed a practical truth:
"In real-world incidents, you're usually doing security forensics, not courtroom-grade forensics."
In other words: move fast, find the problem, stop the damage. Legal admissibility comes second.
Threat Landscape: Modern Crisis Drivers
We also got an overview of how SEC sees the modern threat landscape. Key players and trends:
- Hacktivists → politically motivated attacks (e.g. defacements, DDoS)
- FIN groups → financially motivated, often sophisticated
- APTs (Advanced Persistent Threats) → state-sponsored, resource-heavy, long-term compromise strategies
They explained how the Unified Kill Chain provides a broader modern view compared to MITRE ATT&CK or Lockheed's original kill chain, by emphasizing:
- Entry vectors (In)
- Internal movement and escalation (Through)
- Exfiltration or impact (Out)
This more holistic breakdown helps defenders see attacks as multi-phase operations rather than isolated events.
Tools and Techniques
We touched on tools like Mimikatz: simple to use, powerful in impact. It's still effective against misconfigured or under-protected environments.
The point: attackers don’t always use zero-days. Simple tools + bad configs = compromise.
Incident Response Lifecycle
SEC Consult follows a clear incident response lifecycle, which maps closely to standard models like NIST but with practical emphasis:
- Detection
  - May come from internal logs, external notifications, or even customers
- Containment
  - Segment the damage, isolate systems, avoid lateral movement
- Eradication
  - Remove the cause: malware, persistence mechanisms, rogue accounts
- Recovery
  - Restore clean backups, bring services back, validate integrity
- Lessons Learned
  - Timeline analysis, policy review, process improvement
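To make the lifecycle and the In/Through/Out view above concrete, here is an added example (my own, not something SEC Consult showed or ships): a small Python script that normalises log lines from several sources into one timeline, tags each event with a kill-chain phase, and produces the two things the Detection and Containment steps need first, a list of hosts to isolate and a rough dwell time for the Lessons Learned review. It also covers the Mimikatz point from earlier: one of the rules flags a process reading LSASS memory. Everything here is constructed: the uniform "timestamp host source key=value" line layout is an assumption (real Sysmon, Windows Security, mail gateway and proxy logs each have their own format), the sample lines are invented, and the outbound-bytes threshold and the set of suspicious LSASS access masks are illustrative values, not a tuned detection.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample events (not real data). Layout "<ISO time> <host> <source> k=v ..."
# is an assumption to keep the parser short; real log sources differ in format.
SAMPLE_LOGS = r"""
2024-05-02T08:12:03Z MAILGW mailgw to=j.doe attachment=invoice_3321.docm verdict=clean
2024-05-02T08:15:40Z WS042 sysmon eid=1 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe parent=C:\Office\WINWORD.EXE
2024-05-02T09:03:11Z WS042 sysmon eid=10 source_image=C:\Users\j.doe\AppData\Local\Temp\upd.exe target_image=C:\Windows\System32\lsass.exe granted_access=0x1010
2024-05-02T09:41:27Z FS01 security eid=4624 logon_type=3 user=svc_backup_admin src_host=WS042
2024-05-02T11:20:05Z PROXY proxy src_host=FS01 dst=203.0.113.9 bytes_out=734003200
""".strip().splitlines()

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm")
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe"}
# Access masks often seen when a process reads LSASS memory; illustrative set, not a tuned rule.
SUSPICIOUS_LSASS_ACCESS = {"0x1010", "0x1410", "0x1438", "0x143a", "0x1fffff"}
EXFIL_BYTES = 100 * 1024 * 1024  # assumed threshold for a "large" outbound transfer


@dataclass
class Event:
    ts: datetime
    host: str
    source: str
    fields: dict
    phase: Optional[str] = None   # "In", "Through", "Out" or None if benign
    reason: Optional[str] = None


def parse_line(line: str) -> Event:
    """Split one constructed log line into timestamp, host, source and key=value fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts_text, host, source, rest = m.groups()
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts=ts, host=host, source=source, fields=dict(KV_RE.findall(rest)))


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: Event):
    """Map an event to a Unified Kill Chain phase (In / Through / Out) with a short reason."""
    f = ev.fields
    if ev.source == "mailgw" and f.get("attachment", "").lower().endswith(MACRO_EXTENSIONS):
        return "In", "macro-enabled attachment delivered"
    if ev.source == "sysmon" and f.get("eid") == "1":
        if basename(f.get("parent", "")) in OFFICE_APPS and basename(f.get("image", "")) in SHELLS:
            return "In", "office application spawned a shell"
    if ev.source == "sysmon" and f.get("eid") == "10":
        if basename(f.get("target_image", "")) == "lsass.exe" and \
                f.get("granted_access", "").lower() in SUSPICIOUS_LSASS_ACCESS:
            return "Through", "process read LSASS memory (credential access pattern)"
    if ev.source == "security" and f.get("eid") == "4624" and f.get("logon_type") == "3":
        if "admin" in f.get("user", "").lower():
            return "Through", "network logon with a privileged account"
    if ev.source == "proxy" and int(f.get("bytes_out", "0")) >= EXFIL_BYTES:
        return "Out", "large outbound transfer to external address"
    return None, None


def affected_hosts(ev: Event) -> set:
    """Hosts an event implicates; sensor hosts (mail gateway, proxy) are not themselves compromised."""
    hosts = set()
    if ev.source not in ("mailgw", "proxy"):
        hosts.add(ev.host)
    if "src_host" in ev.fields:
        hosts.add(ev.fields["src_host"])
    return hosts


def build_timeline(lines):
    """Parse and classify every line, returning events in time order."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        ev.phase, ev.reason = classify(ev)
        events.append(ev)
    return sorted(events, key=lambda e: e.ts)


def summarize(timeline):
    """Containment list (hosts with Through/Out activity) and dwell time from first In to last Out."""
    flagged = [e for e in timeline if e.phase]
    isolate = set()
    for e in flagged:
        if e.phase in ("Through", "Out"):
            isolate |= affected_hosts(e)
    first_in = next((e.ts for e in flagged if e.phase == "In"), None)
    last_out = next((e.ts for e in reversed(flagged) if e.phase == "Out"), None)
    dwell = round((last_out - first_in).total_seconds() / 3600, 2) if first_in and last_out else None
    return {
        "phases": [e.phase for e in flagged],
        "isolate": sorted(isolate),
        "dwell_hours": dwell,
        "narrative": [f"{e.ts:%H:%M:%S} {e.phase:<7} {e.host}: {e.reason}" for e in flagged],
    }


if __name__ == "__main__":
    summary = summarize(build_timeline(SAMPLE_LOGS))
    for line in summary["narrative"]:
        print(line)
    print("isolate:", summary["isolate"], "dwell_hours:", summary["dwell_hours"])
```

The point of the structure is that the narrative list is what you hand to the Lessons Learned timeline review, while the isolate list is what Containment acts on immediately; the two are derived from the same normalised events, which is why getting the logs into one timeline early pays off.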
They pointed us to Backdoors & Breaches, a great tabletop tool for IR training that simulates attack scenarios in a card-game format. Definitely something I want to try out in my own practice.
Final Thoughts
What stuck with me the most was the emphasis on realism over perfection.
In a cyber crisis, speed and clarity beat formality. Knowing what to log, who to contact, and how to act makes all the difference.
This session gave me a better idea of how fast-moving, high-stakes incident response can feel and how good preparation is the only real defense.
Let me know if you want a printable version of this post or a companion checklist for incident response flow.
I'll definitely be diving deeper into killchains and tabletop scenarios in the research section soon.