
Understanding What You Did

✅ Mike Torres Phishing Incident - Contained!

9:23 AM - Alert Received
9:42 AM - Investigation Started
10:25 AM - Compromise Confirmed
10:15 AM - Incident Contained ✓
MTTD: 36 min, MTTR: 52 min

The PICERL Framework

In Module 4, you investigated the phishing alert and executed the response playbook — covering Identification, Containment, Eradication, and Recovery. Now let's learn all 6 PICERL phases so you understand what each step meant and why it matters. Here is an overview of each phase:

P - Preparation: Plans ready before attacks (learning now)
I - Identification: Finding the attack (done in Module 4)
C - Containment: Stop the spread (done in Module 4)
E - Eradication: Remove threat completely (done in Module 4)
R - Recovery: Return to normal (done in Module 4)
L - Lessons Learned: Improve for next time (learning now)


Preparation: Planning Before the Attack


"Fire Extinguisher in the Kitchen"

You don't buy a fire extinguisher DURING a fire — you have one ready. Preparation is the same: plans, tools, and training are set up before any incident occurs.

What Was Prepared Before Mike's Incident?

Three things were already in place before Mike's incident:

Phishing Response Playbook: Step-by-step guide for handling phishing incidents
Analyst Training Program: SOC analysts trained on investigation procedures
Security Tools & Monitoring: SIEM, email filters, and alerting systems in place


Identification & Containment: Reviewing Module 4


"Diagnose, Then Treat"

A doctor identifies the illness first, then starts treatment. You identified the phishing attack (Identification), then stopped it from spreading (Containment).

Identification: Finding the Attack

In Module 4, you completed these investigation steps as part of the Identification phase:

Reviewed the Phishing Alert: Analyzed the suspicious email flagged by the system
Analyzed Login Logs: Found the suspicious login from Russia
Confirmed the Compromise: Determined Mike's account was breached

Containment Actions - Why They Work

Each action you took, and why it works:

Reset Mike's Password: Locked out the attacker immediately
Kill Active Sessions: Forced logout from all devices
Block Attacker IP: Prevented further access attempts
Quarantine Phishing Email: Removed from all employee inboxes
Notify Mike Torres: Informed user of compromise and actions taken


Eradication: Removing All Traces


"Deep Cleaning After a Break-In"

Containment locked the doors, but eradication checks every room. Did the attacker leave malware? Steal files? Send more phishing emails? We need to find and remove every trace before we can recover.

Eradication Steps From the Playbook

The same phishing playbook that guided containment also includes these eradication steps:

Malware Scan: Scan Mike's computer for malware or backdoors
File Access Audit: Check if the attacker accessed or modified any files
Phishing Campaign Analysis: Search for similar phishing emails targeting other employees
Escalation Decision: Determine if this needs to go to a senior analyst or IR team


Recovery: Returning to Normal


"Physical Therapy After an Injury"

After treating an injury, you don't just go back to running immediately. Recovery means gradually restoring normal operations while monitoring for problems.

Recovery Steps for Mike's Incident

The steps used to restore normal operations:

Restore Mike's Access: Give Mike a new, secure password and re-enable his account
Verify Systems Are Clean: Confirm no remaining attacker access or malware
Enhanced Monitoring: Watch Mike's account closely for any unusual activity


Lessons Learned: Improving for Next Time


"Watching the Game Film"

After every game, sports teams review the film to see what worked and what didn't. SOC teams do the same after every incident to get better.

Post-Incident Review Questions

The SOC team worked through these questions after Mike's incident:

What Happened? Document the full timeline of the incident
What Worked Well? Identify what the team did right
What Could Improve? Find gaps and opportunities to get better
Action Items: Concrete steps to prevent this from happening again


PICERL Knowledge Check

Match each action from the Mike Torres incident to the correct PICERL phase!


Actions taken:
🗑 Scanned for malware
📖 Had a phishing response playbook ready
📧 Quarantined phishing email
🔄 Restored Mike's account access
🔍 Analyzed the phishing email
📝 Documented what happened
PICERL phases:
P - Preparation
I - Identification
C - Containment
E - Eradication
R - Recovery
L - Lessons Learned



Knowledge Check