We kicked off the day with our regular news section, followed by an assessment on malware analysis. As a cohort, we scored 92%, another great result to add to the books! I missed just one question again. It was about PsExec, which I didn’t fully understand at first, but after some research and help from the teacher, I got it.

PsExec is a legitimate Windows tool used for remotely executing commands on other systems. It uses something called Named Pipes, a method for different processes to communicate with each other, even across machines. PsExec doesn’t need to install a full service on the remote system; it just copies a small file over and runs it. This makes it a favourite tool not only for system admins but also for attackers, because it can be used for remote control, spreading malware, gathering data from binary metadata, and more. It’s versatile, which is why it often shows up in red-team tools and malware campaigns.
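Because PsExec is so common in both admin work and intrusions, the defender's question is what it leaves behind on the remote host. The small Python script below is an added example, not part of the original post or of PsExec itself: it runs a couple of detection rules over a few constructed log lines. It assumes two well-known artefacts that the post does not spell out: the helper PsExec copies over registers as a service named PSEXESVC (Windows logs this as System event 7045) and communicates over a named pipe whose name contains PSEXESVC (Sysmon event 17 records pipe creation). The key=value log format, host names and timestamps are all made up for the example.

```python
"""Added example: spotting PsExec artefacts in host logs.

Assumptions (not from the original post):
  * System event 7045 = a new service was installed; PsExec's helper
    service is called PSEXESVC and is dropped into the Windows directory.
  * Sysmon event 17 = a named pipe was created; PsExec's pipe names
    contain PSEXESVC.
The log lines are constructed for this example, not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample events, one key=value line each (quoted values may contain spaces).
SAMPLE_LOGS = r"""
ts=2025-01-10T09:12:01 src=System event_id=7045 host=FS01 service_name=PSEXESVC image_path=%SystemRoot%\PSEXESVC.exe
ts=2025-01-10T09:12:02 src=Sysmon event_id=17 host=FS01 pipe_name=\PSEXESVC image=C:\Windows\PSEXESVC.exe
ts=2025-01-10T09:15:44 src=System event_id=7045 host=FS01 service_name=WindowsUpdateSvc image_path="C:\Program Files\Vendor\svc.exe"
ts=2025-01-10T09:20:10 src=Sysmon event_id=17 host=WS22 pipe_name=\PSEXESVC-WS22-4412-stdin image=C:\Windows\PSEXESVC.exe
ts=2025-01-10T09:21:00 src=Sysmon event_id=17 host=WS22 pipe_name=\lsass image=C:\Windows\System32\lsass.exe
ts=2025-01-10T10:02:33 src=System event_id=7045 host=DC01 service_name=bqzslvfk image_path=%SystemRoot%\bqzslvfk.exe
"""


@dataclass
class Finding:
    host: str
    ts: str
    rule: str
    confidence: str
    detail: str


# key=value pairs; a value is either a double-quoted string or a run of non-space chars
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# High confidence: the PsExec helper's own name in a service or pipe name.
PSEXEC_NAME = re.compile(r"PSEXESVC", re.IGNORECASE)

# Medium confidence: a new service whose binary sits directly in the Windows
# directory (where the ADMIN$ share lands) rather than in System32. That is how
# PsExec stages its helper, but other tools do it too, so it is only a lead.
ROOT_DROP = re.compile(r"^(%SystemRoot%|C:\\Windows)\\[^\\]+\.exe$", re.IGNORECASE)


def parse_line(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def evaluate(event: Dict[str, str]) -> Optional[Finding]:
    """Apply the PsExec rules to a single parsed event."""
    src, eid = event.get("src"), event.get("event_id")
    host, ts = event.get("host", "?"), event.get("ts", "?")

    if src == "System" and eid == "7045":  # service installed
        name = event.get("service_name", "")
        path = event.get("image_path", "")
        if PSEXEC_NAME.search(name) or PSEXEC_NAME.search(path):
            return Finding(host, ts, "psexec_service_install", "high", f"service {name} -> {path}")
        if ROOT_DROP.match(path):
            return Finding(host, ts, "service_binary_in_windows_root", "medium", f"service {name} -> {path}")

    if src == "Sysmon" and eid == "17":  # named pipe created
        pipe = event.get("pipe_name", "")
        if PSEXEC_NAME.search(pipe):
            return Finding(host, ts, "psexec_named_pipe", "high", f"pipe {pipe} by {event.get('image', '')}")

    return None


def scan(log_text: str) -> List[Finding]:
    """Run every non-empty line through the rules and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            hit = evaluate(parse_line(line))
            if hit:
                findings.append(hit)
    return findings


def hosts_with_high_confidence(findings: List[Finding]) -> List[str]:
    """Hosts that a responder should look at first (sorted, de-duplicated)."""
    return sorted({f.host for f in findings if f.confidence == "high"})


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"[{f.confidence:6}] {f.ts} {f.host:5} {f.rule}: {f.detail}")
    print("triage first:", hosts_with_high_confidence(scan(SAMPLE_LOGS)))
```

Two points of design: the rules key on the event source and ID before looking at any string, so a pipe name in a process-creation event does not trip the pipe rule, and the lower-confidence "binary in the Windows root" rule is kept separate from the PSEXESVC match so an analyst can tune or drop it without losing the high-confidence signal.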


After the assessment, we shifted gears from malware to a new topic: Incident Response (IR) and Incident Management (IM).

  • Incident Response is about identifying and understanding what happened, like investigating a breach, malware infection, or system failure.
  • Incident Management focuses on how to handle the situation, who needs to respond, what steps to follow, and how to recover.

We also reviewed the different roles involved during an incident:

  • SOC Analyst – monitors security alerts and investigates suspicious activity.
  • SOC Lead – coordinates and oversees the response team during incidents.
  • Malware Analyst – examines malicious code to understand its behaviour and origin.
  • Threat Hunter – proactively looks for threats that may have bypassed security controls.
  • Information Security Officer – ensures policies and compliance are followed across the organization.

We also went over the NIST Incident Response Lifecycle, which includes:

  • Preparation
  • Detection and Analysis
  • Containment, Eradication and Recovery
  • Post-Incident Activity

Then we explored Incident Response Playbooks:

  • Why Playbooks? Because during an incident, you need clear, repeatable steps to follow, no guesswork.
  • Use Cases: Different types of incidents (like ransomware, phishing, or data leaks) each get their own playbook.

Our final lab was about Becoming a First Responder. It introduced a few important terms that I’ll need to know for the Security+ exam:

  • Business Continuity Plan (BCP): A strategy to keep essential operations running during a disruption.
  • Disaster Recovery Plan (DRP): A plan to restore IT systems and data after a major incident like a cyberattack or natural disaster.
  • Volatility of Evidence: The idea that some data (like RAM or network connections) disappears quickly, so responders need to capture it first.

Overall, I really liked this week’s focus. While I enjoyed learning about malware analysis, I did feel like we spent a bit too much time in static analysis. It’s pretty cool, but also really complex due to the nature of disassembling code and working at such a low level.

Now, I’m excited because next week we start ethical hacking, something I’ve been really looking forward to!