Chapter 14: Never Again
Arc 3: Security Incident

"Never Again" — Incident Response, Hardening & Defense in Depth

Ray Donovan has approved your incident response plan. Now execute it: contain the threat, eradicate the attacker, recover operations, and harden Meridian Dynamics so this never happens again.

Incident Response Lifecycle (NIST SP 800-61)

Incident response is not improvisation. It is a structured, repeatable process defined by NIST Special Publication 800-61. Every organization needs an IR plan before an incident occurs — not during one. The lifecycle has six phases, each building on the last:

PhaseDescriptionMeridian Dynamics Application
1. Preparation Build the IR plan, assemble the team, deploy tools, establish communication channels, understand legal obligations, and train staff through tabletop exercises. Meridian had no IR plan, no centralized logging, no account lifecycle management, and no security awareness training. Every weakness the attacker exploited was a preparation failure.
2. Detection & Analysis Monitor systems for anomalies, receive and triage alerts, classify severity, determine scope. This is where you answer: "Are we under attack? How bad is it?" You detected the breach through Event Log analysis — 14 failed logons at 3:14 AM, a suspicious scheduled task, a fake svchost.exe, and anomalous C2 traffic. None of these triggered automated alerts because no SIEM existed.
3. Containment Stop the bleeding. Short-term containment isolates the threat immediately. Long-term containment applies patches and hardens while preserving evidence for forensic analysis. Disable t.manning's account, quarantine the compromised workstation (VLAN isolation), block the C2 IP at the firewall, kill the reverse shell process. Preserve disk images before reimaging.
4. Eradication Remove all traces of the attacker: delete malware, remove backdoors, unregister persistence mechanisms, patch exploited vulnerabilities, close the holes they used to get in. Remove the "WindowsUpdate" scheduled task, delete the fake svchost.exe, remove t.manning from IT-Admins, scan all systems for similar artifacts, patch the VLAN firewall rules.
5. Recovery Restore operations safely. Rebuild compromised systems from known-good backups, force credential resets, increase monitoring, verify no re-infection occurs. Gradual return to production. Wipe and reimage MD-WS-ENG05 from a known-good backup. Force password reset for all IT-Admins. Restore Finance share access with least-privilege ACLs. Monitor for 30 days for attacker return.
6. Lessons Learned Post-incident review within 72 hours. Document the complete timeline, what worked, what failed, and what must change. Update the IR plan and security policies based on findings. Present the full timeline to Ray Donovan. Document every finding. Propose LAPS, tiered admin, NAC, enhanced auditing, SIEM, and security awareness training. Update the IR plan.
The most expensive security control is the one you implement AFTER the breach. Every hardening measure in this chapter could have been deployed proactively for a fraction of the cost of the incident response, legal fees, regulatory fines, and reputational damage Meridian Dynamics now faces.

Evidence Preservation

Before you touch anything, preserve evidence. If this incident leads to legal action, law enforcement involvement, or regulatory investigation, improperly handled evidence is inadmissible. Containment and eradication must not destroy the evidence you need.

PrincipleWhat It MeansHow To Do It
Chain of Custody A documented, unbroken record of who handled the evidence, when, and what they did with it. Log every person who touches the evidence, the date/time, and the actions taken. Sign off at every handover.
Forensic Imaging Create a bit-for-bit copy of the disk, including unallocated space, before any changes are made. Use forensic imaging tools (FTK Imager, dd) to create a full disk image. Work only from the copy, never the original.
Write Blockers Hardware or software that prevents any writes to the evidence disk during imaging. Connect the evidence disk through a write blocker before imaging. Any write operation invalidates the evidence.
Hash Verification Compute SHA256 hashes of the original and the copy. If they match, the copy is a perfect replica. Hash the original disk, create the image, hash the image. Document both hashes. They must be identical.
Legal Admissibility Evidence must be collected following legal standards to be used in court or regulatory proceedings. Follow your organization's legal hold procedures. Involve legal counsel early. Do not alter timestamps or file contents.
Rule of thumb: Image first, investigate second. If you start poking around a compromised system before imaging, you are altering the evidence with every command you run.

Containment Strategies

Containment is about speed and precision. You need to cut off the attacker without destroying evidence or alerting them that they have been detected. Here are the primary containment techniques:

StrategyHow It WorksMeridian Application
Network Isolation (VLAN Quarantine) Move the compromised host to a quarantine VLAN with no internet access and no access to production resources. The attacker's C2 connection dies, lateral movement stops. Move YOURNAME-PC (10.10.40.203) to QUARANTINE VLAN — block all inbound and outbound traffic except for forensic analysis tools.
Account Disabling Immediately disable the compromised account in Active Directory. This prevents new authentications while existing sessions time out. Disable t.manning's AD account. This kills the attacker's ability to open new sessions. Existing Kerberos tickets expire within the TGT lifetime (default 10 hours).
Firewall Rules (Block C2) Create outbound firewall rules blocking all traffic to the known C2 IP addresses. Apply at the host level and the network perimeter. Block all outbound traffic to 203.0.113.42 on all ports. Apply the rule on the perimeter firewall AND on every host firewall via GPO.
Process Termination Kill the malicious process on the compromised host. This stops active data exfiltration and C2 communication immediately. Stop-Process -Id 6847 -Force to kill the fake svchost.exe reverse shell on MD-WS-ENG05.
DNS Sinkhole Configure the internal DNS server to resolve known malicious domains to a controlled IP (e.g., 127.0.0.1). Infected hosts that use domain-based C2 cannot reach the attacker. If the attacker used a domain instead of an IP for C2, sinkhole it in the internal DNS. This catches any other infected hosts trying to call home.

CIS Benchmarks & Windows Hardening

The Center for Internet Security (CIS) Benchmarks are consensus-based, best-practice security configuration guides. They provide specific, actionable hardening settings for Windows, Linux, network devices, cloud platforms, and more. They are free to download and are the gold standard for system hardening.

Key Windows hardening settings from the CIS Benchmark that would have prevented or detected the Meridian breach:

SettingCIS RecommendationHow It Helps
Account lockout threshold Lock account after 5 failed attempts for 30 minutes The 14-attempt brute force against t.manning would have triggered lockout after attempt 5.
Audit logon events Enable success and failure auditing for all logon events The brute force would have generated alerts on the first failed logon at 3:14 AM.
PowerShell Script Block Logging Enable Event ID 4104 to log all PowerShell script blocks The decoded Base64 reverse shell payload would have been logged in cleartext.
Command-line process auditing Include command-line arguments in Event ID 4688 Every command the attacker ran would have been recorded with full arguments.
Disable SMBv1 Remove support for the vulnerable SMBv1 protocol Reduces attack surface for lateral movement exploits like EternalBlue.
Restrict remote desktop Allow RDP only for specific security groups via GPO t.manning should never have had RDP access to MD-WEB01 through a broad IT-Admins group.

Tiered Administration Model

The Tiered Administration Model (also called the Administrative Tier Model) prevents credential theft from cascading across the environment. The core rule: never log into a lower tier with higher-tier credentials.

TierAssetsAdmin AccountsRule
Tier 0 Domain Controllers, AD infrastructure, PKI, ADFS Domain Admins, Enterprise Admins, Schema Admins Tier 0 admins log into Tier 0 assets ONLY. Never touch a workstation or member server with these credentials.
Tier 1 Member servers (file servers, web servers, database servers, application servers) Server Admins, specific service accounts Tier 1 admins manage servers only. They never log into workstations or domain controllers.
Tier 2 Workstations, laptops, printers, user devices Help desk accounts, local admins, desktop support Tier 2 admins manage user devices only. They never touch servers or domain controllers.
What went wrong at Meridian: The IT-Admins group was a single, flat group with privileges spanning all tiers. t.manning had access to the Domain Controller (Tier 0), the web server and file server (Tier 1), and workstations (Tier 2) — all with one set of credentials. When the attacker compromised t.manning, they got everything.

In a properly tiered model, even if the attacker compromised a Tier 2 account, they could not use those credentials to access servers (Tier 1) or Domain Controllers (Tier 0). Each tier is an isolated blast radius.

LAPS (Local Administrator Password Solution)

LAPS solves one of the most common enterprise security failures: identical local administrator passwords across every machine. When every workstation has the same local admin password (e.g., "Welcome1!"), compromising one machine gives you local admin on all of them.

LAPS works by having each domain-joined computer automatically generate a unique, complex local administrator password and store it in a protected attribute in Active Directory. The password rotates on a configurable schedule (e.g., every 30 days). Only authorized administrators can read the password for a specific machine.

How LAPS prevents lateral movement:
  • Each machine has a unique local admin password — compromising one gives you nothing on the next
  • Passwords rotate automatically — even if stolen, they expire
  • Passwords are stored in AD with ACL-based access — only Tier 1/Tier 0 admins can read them
  • No human needs to remember or manage these passwords

NAC (Network Access Control)

Network Access Control (NAC) ensures that only authorized, healthy, and compliant devices can connect to the network. The attacker at Meridian connected to Guest WiFi and pivoted to the corporate VLAN because there was no network-level device authentication.

NAC TechnologyHow It WorksMeridian Impact
802.1X Port-based authentication. Every device must authenticate (certificate, credentials, or MAC) before being granted network access. Unauthenticated devices go to a restricted VLAN. The attacker's unknown device would have been denied corporate VLAN access entirely. The Guest WiFi would have been truly isolated.
Health Checks Verify that connecting devices meet security requirements: up-to-date antivirus, current patches, enabled firewall, approved OS version. Even if a device authenticated, it would be quarantined if it failed health checks — adding another barrier the attacker must clear.
Certificate-Based Auth Devices present a machine certificate issued by the organization's PKI. Only devices with a valid, non-expired certificate are admitted. An attacker's personal device would not have a Meridian-issued certificate. They would be blocked before ever reaching the network.
MAC Filtering Allowlist known device MAC addresses. Simple but spoofable — use as a supplementary control, not primary. Basic layer of defense. The attacker's unknown MAC would be flagged, but a skilled attacker can spoof a legitimate MAC.

PAM, SIEM, and Centralized Logging

Privileged Access Management (PAM) controls who can use administrative accounts, when, and for how long:

PAM Core Concepts:
  • Just-In-Time (JIT) Access — Admin privileges are granted only when needed and automatically revoked after a time window (e.g., 4 hours). t.manning's permanent IT-Admins membership would not exist under JIT.
  • Just-Enough-Administration (JEA) — Admins get only the specific permissions they need for a task, not blanket admin access.
  • Session Recording — All privileged sessions are recorded (screen + keystrokes). If an admin does something malicious or an account is compromised, the recording provides full forensic detail.
  • Password Vaulting — Privileged passwords are stored in an encrypted vault. Admins check out passwords for specific sessions. Passwords rotate after each use.

Security Information and Event Management (SIEM) is the missing piece that would have caught this breach on Day 1:

SIEM Capabilities:
  • Centralized Logging — Collect event logs from every server, workstation, firewall, and network device in one place
  • Correlation Rules — "If 10+ failed logons for the same account within 5 minutes, followed by a success, fire an alert" — this would have caught the brute force at 3:14 AM
  • Real-Time Alerts — Email, SMS, or ticketing system notifications when rules trigger
  • Dashboards — Visualize authentication patterns, network traffic, and anomalies
  • Retention — Store logs for months or years for forensic analysis and compliance
The detection gap: Meridian had event logs on each server, but nobody was watching. Events were recorded but never reviewed. A SIEM would have correlated the 14 failed logons across servers, matched them to the same source IP, and fired an alert within minutes — not three weeks later when an intern found them.

Backup Strategy: The 3-2-1 Rule

Backups are your last line of defense. When everything else fails — ransomware encrypts your data, an attacker wipes your systems, or a disaster destroys your data center — backups are what save you. The 3-2-1 Rule is the gold standard:

3-2-1 Backup Rule:
  • 3 copies of your data (the original + 2 backups)
  • 2 different media types (e.g., local disk + cloud storage, or SSD + tape)
  • 1 copy offsite (geographically separate location or cloud)

Immutable backups add another critical layer: once written, backup data cannot be modified or deleted for a defined retention period. Even if an attacker gains admin access, they cannot encrypt or destroy immutable backups. This is the single most effective defense against ransomware.

Security Policies & the Human Element

Technology alone cannot secure an organization. Every control you implement can be undermined by human error, ignorance, or negligence. Security policies define the rules, and training ensures people follow them.

PolicyPurposeMeridian Gap
Acceptable Use Policy Defines what employees can and cannot do with company systems and data No policy existed. Users had no guidance on data handling or system usage.
Password Policy Minimum length, complexity, rotation, no reuse, no default passwords t.manning's password was "Meridian2023!" — a default temporary password that was never changed. No complexity enforcement.
BYOD Policy Rules for personal devices on the network: required security software, network segmentation, data access limitations No BYOD policy. The attacker connected a personal device to the network with zero scrutiny.
Incident Response Plan Who to call, what to do, how to communicate, legal obligations, escalation procedures No IR plan existed until you wrote one. The response was ad hoc, discovered by an intern, and took weeks longer than necessary.
Data Classification Label data by sensitivity: Public, Internal, Confidential, Restricted. Apply appropriate controls to each level. Finance data, employee records, and IoT firmware source code all sat on the same file server with the same access controls.
The Human Element:
  • Security Awareness Training — Regular training (at least quarterly) on phishing recognition, password hygiene, social engineering, and reporting suspicious activity
  • Phishing Simulation — Send simulated phishing emails to employees. Track who clicks. Provide immediate coaching to those who fail.
  • Social Engineering Defense — Train reception, help desk, and IT staff on pretexting, tailgating, vishing (voice phishing), and USB drop attacks
  • Reporting Culture — Create a culture where reporting a suspicious email or a mistake is encouraged, not punished. Fear of punishment causes employees to hide incidents.
Meridian's most critical failure was not technical — it was human. An enabled account for a former employee. A default password never changed. No security awareness training. No one reviewing logs. Technology can compensate for some human failures, but it cannot replace a security-conscious workforce.

Incident Response Lifecycle

Click any phase to explore what happens at that stage, what tools are used, and why it matters.

Defense in Depth — Before and After

The Meridian Dynamics network before the breach versus the hardened architecture after incident response.

BEFORE: Flat Network, No Controls
Internet
Basic Firewall
Allow all outbound
Flat Network
All VLANs reachable — no segmentation!
↓ ↓ ↓ ↓ ↓
MD-DC01
Domain Controller
MD-WEB01
Web Server
MD-FS01
File Server
Workstations
No LAPS, No NAC
Guest WiFi
No isolation!
AFTER: Defense in Depth
Internet
Next-Gen Firewall
IPS + C2 blocking
↓ ↓ ↓ ↓
DMZ VLAN
MD-WEB01 (Hardened)
Corp VLAN
802.1X NAC
Server VLAN
Tiered access only
Guest VLAN
Fully isolated
MD-DC01
Tier 0 access only
MD-FS01
Least privilege ACLs
Workstations
LAPS + EDR
SIEM
Centralized logging

Incident Response Execution — X-Ray Mode

Step through the entire incident response execution. Watch containment, eradication, recovery, and hardening unfold in real time.

Security Lab: Execute the Incident Response

Scenario: Ray Donovan has approved your incident response plan. You are now leading the response from MD-DC01 — the Domain Controller. Execute containment, eradication, recovery, and hardening actions. Every command you run is being logged for the post-incident report.
1
CONTAIN: Disable t.manning's Active Directory account immediately. This prevents new sessions while existing Kerberos tickets expire.
Hint: Disable-ADAccount -Identity t.manning
2
CONTAIN: Verify the account is disabled. Confirm the Enabled property is False.
Hint: Get-ADUser t.manning -Properties Enabled
3
CONTAIN: Remove t.manning from the IT-Admins group to revoke all elevated privileges permanently.
Hint: Remove-ADGroupMember -Identity "IT-Admins" -Members t.manning -Confirm:$false
4
CONTAIN: Verify t.manning is no longer in IT-Admins. The group should only show authorized members.
Hint: Get-ADGroupMember "IT-Admins"
5
CONTAIN: Block the C2 server IP at the firewall. Create an outbound block rule for 203.0.113.42.
Hint: New-NetFirewallRule -DisplayName "Block C2 - 203.0.113.42" -Direction Outbound -RemoteAddress 203.0.113.42 -Action Block
6
ERADICATE: Kill the reverse shell process (PID 6847) — the fake svchost.exe running on MD-WS-ENG05.
Hint: Stop-Process -Id 6847 -Force
7
ERADICATE: Remove the malicious scheduled task named "WindowsUpdate" that was providing persistence.
Hint: Unregister-ScheduledTask -TaskName "WindowsUpdate" -Confirm:$false
8
ERADICATE: Confirm the scheduled task has been removed. The command should return no results.
Hint: Get-ScheduledTask -TaskName "WindowsUpdate"
9
RECOVER: Reset t.manning's password to prevent any cached credential reuse.
Hint: Set-ADAccountPassword -Identity t.manning -Reset -NewPassword (ConvertTo-SecureString "Temp0rary!Reset#2026" -AsPlainText -Force)
10
HARDEN: Create a new GPO for enhanced audit policies that will capture all logon events, process creation, and PowerShell activity.
Hint: New-GPO -Name "Enhanced-Audit-Policy"
11
HARDEN: Search for inactive accounts — verify no other ghost accounts exist like t.manning's.
Hint: Search-ADAccount -AccountInactive -TimeSpan 30
12
HARDEN: Check for users with stale passwords (older than 90 days) that could be brute-forced like t.manning's was.
Hint: Get-ADUser -Filter {Enabled -eq $true} -Properties PasswordLastSet | Where-Object {$_.PasswordLastSet -lt (Get-Date).AddDays(-90)}

Terminal — MD-DC01 (Incident Response)

Mission Complete

You started as an IT intern who didn't know what an operating system was. You're finishing as someone who detected, investigated, contained, and responded to a real security incident. From Day 1 to "Never Again" — that's the journey of a cybersecurity professional.

Return to the Mission Control Hub to review your progress across all 14 chapters.