PCI DSS (the Payment Card Industry Data Security Standard) requires organizations that store, process, or transmit credit card data to maintain a secure environment. It outlines technical and operational requirements to protect cardholder data, including encryption, secure access controls, vulnerability management, and regular testing.
I’m familiar with PCI’s 12 security requirements, including secure network architecture, continuous monitoring, and incident response plans.
ISO 27001 is the international standard for building and maintaining an Information Security Management System (ISMS). It provides a risk-based framework for managing security controls, policy development, and continual improvement of security posture.
My knowledge of ISO 27001 helps guide how I approach risk assessment, asset management, and policy enforcement. I've also studied how it integrates with other standards and regulatory requirements to create a comprehensive security program.
NIST provides detailed guidance on cybersecurity best practices, widely used across government and private sectors. I’ve studied several key NIST publications, including:
NIST SP 800-61: Computer Security Incident Handling Guide
NIST SP 800-53: Security and Privacy Controls for Federal Information Systems
NIST CSF: A flexible framework focused on Identify, Protect, Detect, Respond, and Recover
I apply NIST principles when designing incident response plans, conducting risk assessments, and evaluating system controls in both academic and simulated real-world environments.
Understanding and responding to cyber threats is a vital part of modern cybersecurity. Through frameworks like the Cyber Kill Chain and the Incident Handling Process, organizations can anticipate, contain, and recover from malicious activity with minimal impact.
Cyber Kill Chain: Understanding the Attack Lifecycle
The Cyber Kill Chain outlines the stages adversaries typically follow during an attack, helping defenders recognize and interrupt threats early. It includes:
Reconnaissance – Gathering information about the target through passive or active means.
Weaponization – Creating malware tailored to exploit discovered vulnerabilities.
Delivery – Sending the payload (commonly via phishing or malicious websites).
Exploitation – Triggering the exploit to gain access to the system.
Installation – Installing malware, backdoors, or rootkits to maintain persistence.
Command & Control (C2) – Establishing a remote connection to control compromised systems.
Actions on Objectives – Executing final goals such as data exfiltration or ransomware deployment.
These stages are often repeated in cycles as attackers move deeper into a network. The goal of defenders is to stop the attack as early as possible, preventing escalation and limiting damage.
Incident Handling Process: Structured Response to Threats
The Incident Handling Process, defined in NIST SP 800-61, complements the kill chain by guiding how organizations prepare for and respond to incidents. It includes four key stages:
Preparation – Establishing tools, policies, and training to improve detection and readiness.
Detection & Analysis – Identifying and evaluating suspicious activity to confirm incidents.
Containment, Eradication & Recovery – Stopping the attack, removing threats, and restoring operations.
Post-Incident Activity – Documenting the incident, assessing impact, and applying lessons learned.
The process is cyclical, allowing continuous improvement. Core activities include:
Investigation: Pinpointing how the attack started, what was affected, and how the adversary operated.
Recovery: Developing and executing a plan to return to normal operations securely.
Skipping steps or incomplete containment can alert attackers and worsen outcomes. A disciplined response is key to minimizing damage.
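The two frameworks above fit together in code: kill chain stages are ordered, so the deepest stage observed on a host tells you how far an intrusion progressed and how urgent it is, while the NIST response steps are ordered so that none can be skipped. The following is an added example, not code from the page's own material; the alert-type-to-stage mapping, the sample alerts and the priority thresholds are constructed assumptions, not a standard.

```python
from enum import IntEnum

# Kill chain stages in attack order; IntEnum so a deeper stage compares greater.
class Stage(IntEnum):
    RECON = 1
    WEAPONIZATION = 2
    DELIVERY = 3
    EXPLOITATION = 4
    INSTALLATION = 5
    C2 = 6
    ACTIONS = 7

# Assumed (hypothetical) mapping from a detection alert type to the stage it evidences.
ALERT_STAGE = {
    "port_scan": Stage.RECON,
    "phishing_email": Stage.DELIVERY,
    "exploit_attempt": Stage.EXPLOITATION,
    "new_service_installed": Stage.INSTALLATION,
    "beacon_to_unknown_host": Stage.C2,
    "large_outbound_transfer": Stage.ACTIONS,
}

# Constructed sample alerts: (timestamp, host, alert_type).
SAMPLE_ALERTS = [
    ("09:01", "ws-12", "port_scan"),
    ("09:15", "ws-12", "phishing_email"),
    ("09:20", "ws-12", "exploit_attempt"),
    ("09:31", "ws-12", "beacon_to_unknown_host"),
    ("10:02", "srv-db", "port_scan"),
]

def deepest_stage(alerts):
    """Map each host to the deepest kill chain stage seen in its alerts (unknown types skipped)."""
    deepest = {}
    for _ts, host, kind in alerts:
        stage = ALERT_STAGE.get(kind)
        if stage is not None and (host not in deepest or stage > deepest[host]):
            deepest[host] = stage
    return deepest

# NIST SP 800-61 response steps in required order; an incident may not skip ahead.
STEPS = ["detection", "containment", "eradication", "recovery", "post_incident"]

class Incident:
    def __init__(self, host, stage):
        self.host, self.stage, self.step = host, stage, "detection"
        # C2 or beyond means the adversary controls the host: highest priority (assumed thresholds).
        self.priority = "high" if stage >= Stage.C2 else "medium" if stage >= Stage.EXPLOITATION else "low"

    def can_advance(self, step):
        """True only if `step` is the immediate next response step."""
        return STEPS.index(step) == STEPS.index(self.step) + 1

    def advance(self, step):
        """Move to the next step; refuse to skip (e.g. recovery before eradication)."""
        if not self.can_advance(step):
            raise ValueError(f"cannot go from {self.step} to {step}: steps must not be skipped")
        self.step = step
        return self.step
```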
Together, these frameworks demonstrate a proactive and structured approach to cybersecurity—anticipating attacks through threat intelligence, responding effectively, and learning from every incident to strengthen future defenses.
Ensuring security compliance is crucial for organizations handling sensitive data. Common standards include PCI DSS, which mandates secure handling of credit card information, COBIT, a framework for developing and improving IT governance, and GDPR, the EU regulation governing data protection and privacy for individuals. Companies must continuously enhance their compliance measures by staying updated on the latest frameworks, acts, and industry best practices.
A key step is performing a gap analysis to compare existing policies, procedures, and controls against relevant standards and laws. Conducting a risk assessment helps identify potential risks associated with non-compliance, such as legal penalties, financial losses, and reputational damage. Organizations should develop and implement comprehensive policies and procedures, provide regular security awareness training, and foster a culture of compliance among employees.
However, it's important to recognize that compliance does not guarantee immunity from cyberattacks. Ongoing vigilance and proactive security measures are essential to protect against threats.
This module introduces the foundational concepts and practices of Incident Handling (IH) within the context of cybersecurity. It emphasizes the critical role IH plays in an organization's ability to detect, manage, and respond to security incidents effectively. The module begins by defining key terms such as event and incident, and differentiates between general system occurrences and those that carry negative consequences or malicious intent.
It outlines the scope of incident handling, clarifying that it is not limited to external attacks but also includes internal threats, availability issues, and data loss. The module explores the importance of a structured incident handling capability, whether managed internally or through third-party providers, and the role of the incident response team, led by an incident manager.
Additionally, it covers the prioritization of incidents based on severity and potential business impact, and introduces students to widely accepted frameworks, such as NIST’s Computer Security Incident Handling Guide and the Cyber Kill Chain, to help structure effective response strategies.
This module offered a comprehensive overview of Security Incident Reporting, emphasizing its critical role in today’s cybersecurity landscape. It highlighted that incident reporting is not just a reactive measure but an essential strategic function that helps organizations document, learn from, and respond more effectively to security incidents.
The module began by outlining the importance of having a well-defined reporting mechanism. It helped me understand how structured reporting supports not only technical teams but also legal, financial, and executive stakeholders. The connection between incident reporting and compliance, risk management, and organizational preparedness was made clear throughout the content.
One of the more challenging but valuable parts of the module was learning how to properly identify and categorize security incidents. It required careful attention to the various sources of detection (tooling, human, third-party) and understanding how to classify incidents by both type and severity. The examples provided—such as malware, phishing, DDoS, and unauthorized access—helped reinforce how dynamic and multifaceted incident classification can be.
The incident reporting process itself was broken down into clear steps, including initial detection, logging, stakeholder notification, detailed investigation, and final report creation. I learned how critical it is to maintain accurate records, conduct thorough root cause analysis, and deliver an executive summary that is understandable to non-technical audiences. These steps mirror real-world expectations and helped me better understand what a full incident response lifecycle looks like from a documentation standpoint.
Although the material was dense at times, especially in the later sections covering technical timelines, indicators of compromise, and response and recovery measures, it gave me a much better appreciation of what goes into a complete incident report. The emphasis on post-incident actions and continuous improvement through lessons learned was especially important, reminding me that reporting isn’t the end—it’s part of an ongoing defense strategy.
In summary, this module was challenging but informative. It helped me connect the technical elements of incident handling with the formal reporting and communication practices that are crucial in professional security environments. I now feel more confident in my ability to participate in or contribute to incident documentation and reporting processes.