HKCERT Incident Response Cycle
1. Preparation: Before the fire starts.
This is what you do every day: backups, installing antivirus, and keeping a contact list of who to call (HKCERT/IT).
2. Detection: Smelling smoke.
Recognizing the signs. Distinguishing between a "Precursor" (a warning that an attack might happen) and an "Indicator" (a sign that an attack is happening now).
3. Containment: Stopping the fire.
First Aid Phase: Unplug the network cable. Do NOT reboot. Isolate the machine to save the network.
4. Post-Incident: Rebuilding.
Learning lessons. Writing a report. Improving defenses so it doesn't happen again.
Detective: Warning or Attack?
HKCERT says you must distinguish signs. Categorize each item as one of the following:
Precursor (a sign it MIGHT happen)
Indicator (it IS happening)
Containment Drill: Isolate the Host
Scenario: Ransomware is spreading to the company server! Stop it!
Goal: Choose the correct cable to cut the connection.
Options: Power Cable / Network Cable
Call for Help
Dial the HKCERT 24-Hour Hotline number to complete the level.