Incident Response & Defence
Everything so far taught you how attacks work. This final module flips to the defender's chair (the “blue team”): how professionals detect an attack in progress, stop it, clean up, and make sure it never happens again. This is where most security careers actually live.
Red team vs. blue team
The incident response lifecycle
When something goes wrong, professionals follow a calm, repeatable process. A common model (SANS) has six phases — remember P I C E R L:
| Phase | What you do | Everyday version |
|---|---|---|
| 1. Preparation | Tools, logging, plans, and training in place beforehand | Smoke alarms & a fire drill |
| 2. Identification | Detect and confirm something is actually wrong | The alarm goes off — is there real smoke? |
| 3. Containment | Stop it spreading (isolate the machine) | Close the door to the burning room |
| 4. Eradication | Remove the cause (malware, bad account) | Put the fire out |
| 5. Recovery | Restore clean systems and monitor | Repair the room, watch for flare-ups |
| 6. Lessons Learned | Write it up; fix the root cause | Why did it start? Prevent a repeat |
Logs — the defender's eyes
You can't respond to what you can't see. Logs are the records systems keep of what happened. On Linux they live in /var/log (recall Module 2). Your grep and tail skills shine here.
SIEM — one screen for all the logs
A big organisation has thousands of machines. A SIEM (Security Information and Event Management) system — like Splunk, the ELK Stack, or Wazuh — collects every log into one place, correlates them, and raises alerts. A SOC (Security Operations Centre) analyst watches that screen.
Hardening & defence-in-depth
Hardening means shrinking a system's attack surface before anything happens. Defence-in-depth means using many layers so that if one fails, others still hold.
| Layer | Example control |
|---|---|
| People | Security awareness & phishing training |
| Access | Strong passwords + multi-factor authentication (MFA) |
| Network | Firewalls, segmentation, closing unused ports (from your Nmap audits) |
| System | Patching, least-privilege permissions, disabling unused services |
| Data | Encryption at rest & in transit, backups you have tested |
| Detection | Logging + SIEM + alerts |
Investigate like an analyst. Try: grep "Failed password" /var/log/auth.log, last, or ufw status.
Do this in your lab. It ties the whole course together: attacker and defender in one exercise.
- Prepare: on your Kali machine, make sure SSH is running and watch its log: sudo tail -f /var/log/auth.log.
- Simulate the attack from your lab target by making several wrong SSH logins to your Kali box (this generates “Failed password” lines — your own machines only).
- Identify: in another terminal, grep "Failed password" /var/log/auth.log | wc -l to count the attempts, and find the source IP.
- Contain: block that IP with the firewall (sudo ufw deny from 192.168.56.50) and confirm the failures stop.
- Lessons learned: write 3 preventive controls (MFA, fail2ban, key-only SSH).
Result: you've run a complete mini incident — detect, contain, prevent. That's the core loop of a SOC analyst's day.
Key takeaways
- Defenders follow the IR lifecycle: Prepare, Identify, Contain, Eradicate, Recover, Lessons Learned.
- Contain before you clean — preserve evidence.
- Logs + a SIEM are how you detect attacks; your grep/tail skills apply directly.
- Hardening and defence-in-depth stop incidents before they start.
🎉 You've completed the CyberSchool core course
You started not knowing what a network was. You can now read a network, operate Kali, scan with Nmap, analyse packets, assess vulnerabilities, understand penetration testing and web/wireless attacks, use cryptography, and respond to incidents — the foundational knowledge behind CompTIA Security+, Network+, Cisco CCNA, and CEH.
Where to go next: pick a certification and practise relentlessly on legal platforms like TryHackMe, Hack The Box, and your own lab. Depth comes from doing. Keep everything ethical, keep building, and welcome to the field.