TryHackMe Walkthrough – Incident Response – Preparation

Preparation is the first room in the Incident Response learning path within the TryHackMe learning platform.

The learning path consists of the following rooms:

  • Preparation
  • Identification & Scoping
  • Threat Intel & Containment
  • Eradication & Remediation
  • Lessons Learned
  • Tardigrade

In this post I will walk through the Preparation room.

Task 1: Introduction

Task 2: Incident Response Capability

Question 1: What is an observed occurrence within a system?

The answer is in the reading. Look at the first bullets in this task.

Answer: Event

Question 2: What is described as a violation of security policies and practices?

This answer is also in the reading, in the same place as question 1.

Answer: Incident

Question 3: Under which incident response phase do organisations lay down their procedures?

This is answered in the reading under “The Incident Response Process”

  • Preparation: Ensures that the organisation can effectively react to a breach with laid down procedures.

Answer: Preparation

Question 4: Under which phase will an organisation resume business operations fully and update its response capabilities?

The answer is in the reading, in the same section as the previous answer; keep rolling down the bullet list until you get to…

Answer: Recovery & Lessons Learned

Task 3: People and Documentation Preparation

Question 1: A group that handles events involving cyber security breaches, comprising individuals with different skills and expertise, is known as?

This answer is in the third paragraph of the reading.

Answer: cyber security incident response team

Question 2: Which documents would be used to accompany any evidence collected and keep track of who handles the investigation procedures?

This answer is in the reading in the “Communication Plan & Chain of Custody” section.

Answer: chain of custody documents

Task 4: Technology Preparation

Question 1: What would a kit containing the necessary incident-handling tools be called?

This answer is in the last paragraph of the reading, in the section titled “Investigation Capabilities”.

Answer: jump bag

Task 5: Visibility

Question 1: What is the Event ID for the File Created rule associated with the test?

After reading and completing the instructions for the task I used the Find feature to search for File Created. The Event ID associated was…

Answer: 11

Question 2: Under the Software Restriction Policies, what is the default security level assigned to all policies?

For this we need to open back up Local Security Policy. In there you should see “Software Restriction Policies”, then “Security Levels”. In there are three choices. I clicked on each to see which one was set as default. See above screenshot.

Answer: Unrestricted

Question 3: Find the Audit Policy folder under Local Policies. What setting has been assigned to the policy Audit logon events?

Follow the navigation steps in the question to find that the event is set to…

Answer: failure
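The three visibility checks in this task can also be confirmed from the command line. The script below is an added example and not part of the TryHackMe room; it assumes an elevated PowerShell session on a host where Sysmon is installed with a File Created rule, and the registry value mapping for Software Restriction Policies is Windows' own encoding of the three security levels.

```powershell
# Added example (not from the room): audit the Task 5 visibility settings.
# Assumes: elevated PowerShell; Sysmon installed with a FileCreate (ID 11) rule.

function Get-SysmonFileCreatedEvents {
    param([int]$MaxEvents = 5)
    # Sysmon logs to its own operational channel; Event ID 11 = FileCreate.
    try {
        Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 11
        } -MaxEvents $MaxEvents -ErrorAction Stop | ForEach-Object {
            # Pull EventData fields by name rather than by position,
            # so the output survives Sysmon schema changes.
            $x = [xml]$_.ToXml(); $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time           = $_.TimeCreated
                Image          = $d['Image']
                TargetFilename = $d['TargetFilename']
            }
        }
    } catch {
        Write-Warning "No Sysmon Event ID 11 entries: $($_.Exception.Message)"
    }
}

function Get-SrpDefaultLevel {
    # Local Security Policy writes the SRP default level here. The DWORD
    # values are Windows' own: 0 = Disallowed, 0x1000 = Basic User,
    # 0x40000 = Unrestricted (the default the room asks about).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $levels = @{ 0 = 'Disallowed'; 4096 = 'Basic User'; 262144 = 'Unrestricted' }
    $p = Get-ItemProperty -Path $key -Name DefaultLevel -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 'Not configured (no SRP policy defined)' }
    $v = [int]$p.DefaultLevel
    if ($levels.ContainsKey($v)) { $levels[$v] } else { "Unknown ($v)" }
}

function Get-LogonAuditSetting {
    # "Audit logon events" under Local Policies > Audit Policy maps to the
    # Logon/Logoff category; auditpol reports Success/Failure per subcategory.
    auditpol /get /category:'Logon/Logoff' | Where-Object { $_ -match '\S' }
}

'--- Sysmon File Created (ID 11) ---'; Get-SysmonFileCreatedEvents | Format-Table -AutoSize
'--- SRP default security level ---'; Get-SrpDefaultLevel
'--- Logon/Logoff audit policy ---';  Get-LogonAuditSetting
```

A "failure" result for the Logon subcategory means successful logons are not being recorded, which is the gap the room's audit-policy question is pointing at.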

Task 6: Conclusion

