Chapter 102 · Security Operations

Incident Planning

Exercising response procedures through tabletop discussions and simulations, diagnosing failures with root cause analysis, and proactively hunting threats before they manifest as incidents.

Confidential
Report ID: IP-2024-001Domain: Security OperationsTopic: Exercising & Tabletop

Exercising Incident Response Procedures

Security professionals cannot rely on reading procedures for the first time during an active incident. Exercising — rehearsing response procedures in controlled settings — ensures teams know their roles, identify gaps, and build the muscle memory required to act decisively under pressure.

Why Exercising Is Non-Negotiable

Real incidents move fast: alerts fire, stakeholders demand updates, systems may be actively compromised while the team is still assembling. The first time a responder encounters a procedure cannot be during a live event. Exercising converts written procedures into practiced capability by repeatedly simulating incident conditions in lower-stakes environments.

Principle: An incident is not a training event. If the team is learning how to respond while an attacker is active, the attacker wins.

Tabletop Exercises

A tabletop exercise is a structured, discussion-based activity where incident response team members sit around a table (or meet virtually) and walk through a hypothetical security scenario step by step. No live systems are touched. No actual response actions are executed. The exercise exists entirely in conversation.

Comparison: Tabletop vs. Simulation vs. Red Team

MethodLive SystemsCostWhat It Tests
Tabletop exerciseNoLowPlans, communication, roles, escalation
SimulationYes (test environment)ModerateTechnical skills, tool use, response speed
Red team / purple teamYes (production-equivalent)HighReal detection and response capability

Exercises should be conducted at all three levels. Tabletops are appropriate for quarterly planning reviews. Simulations test technical readiness. Red team exercises reveal the gap between what the team believes it can detect and what it actually detects.

What a Tabletop Must Produce

Every tabletop exercise should end with documented findings: which procedures worked, which were unclear, which roles had gaps, and what changes are required. A tabletop with no action items is a tabletop that was not run rigorously enough. Findings must be addressed before the next exercise or the same gaps will appear again.

Confidential
Report ID: IP-2024-002Domain: Security OperationsTopic: Simulations & Root Cause Analysis

Simulations and Root Cause Analysis

Simulations: Testing Real Controls Against Realistic Threats

Unlike tabletop exercises, simulations execute actual response procedures against a realistic scenario in a test environment — or in some cases, against the live environment itself when the goal is to measure genuine capability rather than best-case performance.

The most common simulation used in security training is the phishing simulation: real phishing emails are sent to real users in the organization, and the results are measured.

Simulation principle: A phishing simulation that no one clicks and every filter blocks teaches nothing. A good simulation uses realistic lures and reveals genuine gaps.

Root Cause Analysis

After any security incident, the immediate goal is containment and recovery. The medium-term goal is understanding why the incident happened — not just what happened. Root cause analysis (RCA) is the structured process for answering that question.

RCA Failure ModeWhy It Produces Bad Results
Stopping at the first "why"Produces a proximate cause that, when fixed, does not prevent recurrence
Tunnel vision on one causeMisses contributing factors; the incident recurs through a different path
Assumption-based conclusionsRecommendations address the assumed cause, not the actual cause
Blame focusCreates a culture of concealment; mistakes are hidden rather than reported and fixed
Ignoring multiple root causesPartial fix leaves remaining causes active; risk reduction is incomplete
Confidential
Report ID: IP-2024-003Domain: Security OperationsTopic: Threat Hunting

Threat Hunting

Traditional security monitoring is reactive: an alert fires when a known signature matches or a threshold is crossed, and then the security team responds. Threat hunting is the opposite: a proactive discipline where analysts search for evidence of compromise or malicious activity that has not yet triggered any alert.

The Reactive Gap

Security intelligence — threat feeds, SIEM rules, IPS signatures — is inherently backward-looking. It detects what was already known to be malicious. Sophisticated attackers deliberately operate below detection thresholds, use legitimate tools, and avoid known-bad indicators. An organization that relies exclusively on reactive detection will not detect sophisticated intrusions until significant damage has already occurred.

Threat intelligence is reactive. Threat hunting is proactive. Both are necessary; neither replaces the other.

How Threat Hunting Works

Threat hunting follows a hypothesis-driven cycle:

Technology Used in Threat Hunting

TechnologyRole in Threat Hunting
SIEM (Security Information and Event Management)Central log aggregation; ad-hoc query capability for hunting across historical data
EDR (Endpoint Detection and Response)Deep endpoint telemetry: process trees, file writes, registry changes, network connections per process
Behavioral analytics / UBABaselines normal behavior; flags deviations (unusual login times, new lateral movement paths)
Network flow data (NetFlow/IPFIX)Identifies unusual data volumes, unexpected connections, lateral movement patterns
Threat intelligence feedsProvides IOCs (indicators of compromise) and TTPs to guide hypothesis formation

Cat-and-Mouse Nature of Threat Hunting

Threat hunting is inherently adversarial. As defenders develop new hunting techniques and detection rules, sophisticated attackers adapt their techniques to avoid those specific detections. This creates a continuous cat-and-mouse dynamic: hunters find new hiding places; attackers find new techniques; hunters adapt again. This cycle cannot be won permanently — it must be maintained continuously. Organizations that stop hunting give attackers time to re-establish footholds without detection.

Outcome of a Successful Hunt

Even a hunt that finds no evidence of compromise is valuable. It confirms that the hypothesized attack technique has not been used (at least not in the data examined), and the documentation of the hunt methodology can be repeated automatically by converting it into a detection rule. The best hunts produce: (1) evidence of compromise or confirmation of absence, (2) new automated detections, and (3) improved understanding of the organization's data and normal behavior patterns.