Fourth Lab
.
Incident Escalation and Handover Drill
Objective
To help participants practice structured escalation, clear communication, and seamless handover between shifts or tiers during an ongoing security incident.
Learning Outcomes
By the end, participants should be able to:
- Recognize when an incident requires escalation.
- Communicate key details concisely during handover.
- Use standard escalation and documentation protocols.
- Maintain incident continuity between shifts or teams.
Scenario Setup
Background:
At 10:30 a.m., the SOC Tier 1 analyst receives multiple EDR alerts from WIN-SRV02 — “Suspicious PowerShell activity.”
The host is a file server connected to HR and Finance shared folders.
Additional context:
- Tier 1 confirms repeated
powershell.execalls with base64 encoding. - Network logs show outbound connections to
203.0.113.22. - Tier 1 isolates the host and starts gathering logs.
At 11:00 a.m., the Tier 1 shift is ending. The investigation needs escalation to Tier 2 for deeper analysis and containment.
Drill Participants
- Tier 1 Analyst: Initial responder and documenter.
- Tier 2 Analyst: Takes over investigation and containment.
- Incident Manager (optional): Supervises escalation quality.
- Observer/Instructor: Monitors accuracy and timing of communication.
Escalation Process (Simulated)
- Trigger point: Tier 1 identifies suspicious activity beyond their authority or toolset.
- Decision: Determine severity using internal escalation matrix.
- Preparation:
- Update incident ticket with summary and timeline.
- Attach relevant logs, screenshots, and EDR alert IDs.
- Draft escalation message (using provided template).
- Escalation: Send notification to Tier 2 and verbally brief within five minutes.
- Handover: Tier 1 performs structured 10-minute debrief to Tier 2, following the 5W1H model.
Escalation Message Template
Handover Checklist (for Tier 1 Analyst)
Before handover, confirm:
- [ ] All containment actions logged and timestamped.
- [ ] Affected systems and users clearly identified.
- [ ] Known indicators of compromise documented.
- [ ] Communication records (internal emails, alerts) attached.
- [ ] Pending tasks listed clearly (e.g., forensic dump pending, credentials reset).
- [ ] Ticket status updated to “Escalated – Tier 2.”
Tier 2 Responsibilities
Upon receiving the handover:
- [ ] Acknowledge receipt within 5 minutes.
- [ ] Verify evidence completeness.
- [ ] Analyze PowerShell command (decode base64, assess payload).
- [ ] Check for data exfiltration using proxy/DNS logs.
- [ ] Report findings to Incident Manager with recommendations.
Instructor Evaluation Points
| Criteria | Points | Notes |
|---|---|---|
| Timely escalation (within window) | 20 | Delay reduces score |
| Clarity of escalation summary | 25 | Facts > opinions |
| Completeness of evidence and logs | 20 | Missing attachments penalized |
| Quality of handover briefing | 20 | Should be under 10 minutes |
| Response from Tier 2 | 15 | Confirm understanding, ask relevant questions |
Total: 100 points (Pass ≥ 75)
Discussion & Debrief
After the drill, discuss:
- What information helped Tier 2 act quickly?
- What details were missing or unclear?
- How did the tone of escalation affect urgency?
- What could improve in documentation or process?
Optional Variations
- Shift Change Simulation: Run it with real-time clock pressure — Tier 1 leaves in 10 minutes.
- Tool Disruption: Tier 1 can’t access the SIEM for the final logs; how do they still escalate effectively?
- Severity Escalation: Mid-handover, Tier 2 discovers lateral movement — test communication with Incident Manager.
Deliverables
- Escalation message (email or ticket note).
- Handover summary (short written note).
- Tier 2 analysis report.
- Instructor feedback form.