🚨 Iceman's Icecreams — Incident Response Walkthrough
Written by: Aryan Giri
🍦 Company: Iceman’s Icecreams
A cyberattack happens.
Attackers try to access the owner’s old high-school results stored in the company database.
Here is the full story of what happens step-by-step, with every SOC role involved.
🏢 1. Who Works Inside a SOC? (Your Characters)
Inside Iceman’s Icecreams SOC, we have:
👨‍💻 L1 SOC Analyst
Monitors alerts and triage.
🕵️‍♂️ L2 SOC Analyst
Investigates deeper, analyzes logs.
🧠 L3 SOC Analyst / Detection Engineer
Builds detection rules, handles advanced cases.
🚨 Incident Responder / CSIRT
Handles containment, remediation, recovery.
🔍 Threat Intelligence Analyst
Checks attacker IPs, domains, and patterns with safe TI sources.
🛠️ SOC Manager
Coordinates the whole team, communicates with leadership.
No one attacks anything — all actions are defensive.
🚨 2. The Attack Begins — What Triggers an Alert?
The attackers try some method to access the database. (We don’t describe any harmful method — just that “suspicious behavior” occurs.)
Example safe triggers:
- Unusual login attempts to the database admin account
- Database queries coming from an unknown location
- Many failed login attempts
- Suspicious API requests
- A user logs in at midnight from another country
These alerts automatically appear in the SOC dashboard (SIEM).
🧊 3. L1 SOC Analyst — First to Notice
L1 sees alerts like:
- “Multiple failed login attempts from unknown IP”
- “Privileged account login from a new device”
- “Unusual query: SELECT * FROM userdata WHERE… (high-volume)”
L1 Actions:
- Checks if it is a false positive
- Confirms the activity is unusual
- Escalates to L2 because it involves database access + sensitive data
L1 job = Identify “is this worth investigating?”
🔎 4. L2 SOC Analyst — Deep Investigation
L2 takes the case and checks:
✔️ Login logs
Who logged in? From where? Is the device trusted?
✔️ Database logs
What queries were made? Were they reading sensitive tables?
✔️ System behavior
Were there any unexpected processes?
✔️ Network patterns
Is the traffic coming from suspicious IPs?
If L2 sees something like:
- The query tries to read “owner_highschool_results” table
- IP belongs to an unknown region
- Time of access is unusual
- Account never queried such data before
“This is likely a real ongoing attack.”
L2 escalates to Incident Response and informs the SOC Manager.
🚑 5. Incident Response (IR) Team Steps In
The IR Team takes control to stop the attack safely.
They do:
- Isolate affected server from the network
- Disable compromised account
- Block suspicious IPs/domains
- Reset credentials
- Stop malicious sessions
- Ensure attacker is no longer connected
All defensive actions, 100% legal. Nothing offensive or harmful.
🕵️‍♀️ 6. Threat Intelligence Analyst Joins
They check:
- IP addresses in threat intelligence databases
- Domains against safe blacklists
- Patterns compared with known cybercriminal behaviors
They report:
- “IP used belongs to a known cybercrime botnet”, or
- “No public record — could be targeted attack”
This helps the team understand the attacker’s intention.
🧠 7. L3 SOC Analyst / Detection Engineer
They analyze:
- How did the attacker bypass initial defenses?
- Was there a misconfiguration?
- Do we need new SIEM rules?
They create or update:
- Detection rules
- Alerts
- Firewall policies
- Use cases
This prevents the SAME attack from happening again.
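As an added example (not part of the original walkthrough), here is how the indicators L1 and L2 looked at in sections 3 and 4 can be encoded as simple SIEM-style detection rules and run over a few constructed database audit events; the field names, thresholds, baseline and sample data are all assumptions.

```python
from collections import Counter

# Everything below (names, thresholds, baseline, sample events) is assumed for this example.
SENSITIVE_TABLES = {"owner_highschool_results"}           # table named in the walkthrough
PRIVILEGED_ACCOUNTS = {"db_admin"}
TRUSTED_DEVICES = {"db_admin": {"office-pc-01"}}
HOME_GEO = "IN"                                           # constructed home region
FAILED_LOGIN_THRESHOLD = 5
BASELINE = {"db_admin": {"orders", "inventory"},          # tables each account normally reads
            "shop_app": {"orders", "flavours"}}

# Constructed audit events: five failed logins, one success, then the suspicious read.
EVENTS = [
    {"ts": f"2024-05-01T23:5{i}:00", "kind": "login", "user": "db_admin", "ip": "203.0.113.7",
     "geo": "XX", "device": "unknown-laptop", "ok": False} for i in range(5)
] + [
    {"ts": "2024-05-02T00:03:00", "kind": "login", "user": "db_admin", "ip": "203.0.113.7",
     "geo": "XX", "device": "unknown-laptop", "ok": True},
    {"ts": "2024-05-02T00:04:00", "kind": "query", "user": "db_admin", "ip": "203.0.113.7",
     "geo": "XX", "table": "owner_highschool_results", "rows": 12000},
    {"ts": "2024-05-02T09:15:00", "kind": "query", "user": "shop_app", "ip": "10.0.0.12",
     "geo": "IN", "table": "orders", "rows": 40},
]

def detect(events):
    """Return (rule, subject, detail) for each indicator from sections 3 and 4 that fires."""
    alerts = []
    failed = Counter(e["ip"] for e in events if e["kind"] == "login" and not e["ok"])
    for ip, n in failed.items():                          # many failed logins from one IP
        if n >= FAILED_LOGIN_THRESHOLD:
            alerts.append(("multiple_failed_logins", ip, f"{n} failures"))
    for e in events:
        hour = int(e["ts"][11:13])
        if e["kind"] == "login" and e["ok"]:
            if e["user"] in PRIVILEGED_ACCOUNTS and e["device"] not in TRUSTED_DEVICES.get(e["user"], set()):
                alerts.append(("privileged_login_new_device", e["user"], e["device"]))
            if e["geo"] != HOME_GEO and hour < 5:          # midnight login from another country
                alerts.append(("off_hours_foreign_login", e["user"], f"{e['geo']} at {e['ts']}"))
        elif e["kind"] == "query":
            if e["table"] in SENSITIVE_TABLES:
                alerts.append(("sensitive_table_read", e["user"], f"{e['table']} ({e['rows']} rows)"))
            if e["table"] not in BASELINE.get(e["user"], set()):   # account never queried it before
                alerts.append(("first_time_table_access", e["user"], e["table"]))
    return alerts

def triage(alerts):
    """L1 decision: escalate when sensitive data or a privileged account is involved."""
    escalate = {"sensitive_table_read", "privileged_login_new_device"} & {a[0] for a in alerts}
    return "escalate_to_L2" if escalate else "close_as_benign"
```

Running `detect(EVENTS)` fires all five rules on the db_admin activity and none on the routine shop_app query, and `triage` returns the escalation L1 makes in section 3.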
♻️ 8. Recovery Phase
Once safe, the IR Team:
- Cleans the affected server
- Applies patches
- Rebuilds from backups if needed
- Re-enables service carefully
- Confirms everything is healthy
Database is restored safely.
📄 9. Reporting & Lessons Learned
The SOC Manager prepares a full report:
Report includes:
- Timeline
- How attackers tried to access owner’s high-school data
- What they did
- How SOC responded
- What the impact was
- What improvements will be made
This goes to upper management.
🔐 10. Post-Incident Hardening
SOC makes the company stronger:
- Multi-factor authentication enforced
- Access control improved
- Database access logging enhanced
- Better network segmentation
- New alerts added
- Staff receives awareness training
This makes it much harder for the same kind of attack to succeed again.
🌟 Simple Summary
| Stage | What Happens | Who Works |
|---|---|---|
| Detection | Alerts fire | L1 SOC |
| Investigation | Deep log + query analysis | L2 SOC |
| Containment | Block attacker, isolate systems | IR Team |
| Intelligence | Check attacker info | TI Team |
| Rule Updates | Improve detection rules | L3 SOC |
| Recovery | Restore systems | IR Team |
| Reporting | Documentation | SOC Manager |
About this Walkthrough
A fictional, safe, educational cybersecurity scenario demonstrating how a Security Operations Center (SOC) responds to an attempted data-access attack. This write-up is suitable for learning SOC workflows, IR lifecycle, and defensive security methodologies.