Incident Response

ELI5: What is Incident Response?

Think about a fire drill at school. Before any fire happens, you practice what to do: who calls for help, which exit to use, where to meet outside. Incident response is a plan like that, but for cyberattacks. It spells out what the team should do step by step when something bad happens — how to spot the problem, stop it from spreading, clean it up, and learn from it so it does not happen again.

ELI5: 應變流程 (繁體中文版)

應變流程就像火災演習。發生問題時，先隔離 (滅火)、清除 (打掃)、最後檢討改進 (避免下次火災)。

[發生事件] -> [抑制/隔離] -> [根除] -> [復原]

Overview

Incident response (IR) is the organized approach to addressing and managing the aftermath of a security breach or cyberattack. The goal is to handle the situation in a way that limits damage, reduces recovery time and costs, and preserves evidence for potential legal action. A well-defined IR plan is essential for every organization and is heavily tested on the SY0-701 exam.

Key Concepts

• NIST IR lifecycle: Preparation → Detection & Analysis → Containment, Eradication & Recovery → Post-Incident Activity
• Preparation: Building the IR team, creating playbooks, deploying tools, conducting tabletop exercises
• Detection and analysis: Identifying incidents through alerts, logs, user reports, and threat intelligence
• Containment: Short-term (isolate the system) and long-term (apply temporary fixes while building permanent solutions)
• Eradication: Removing the threat — deleting malware, closing vulnerabilities, resetting compromised credentials
• Recovery: Restoring systems to normal operations, monitoring for re-infection
• Post-incident review: Documenting what happened, what worked, what failed, and how to improve
• Chain of custody: Maintaining evidence integrity for legal proceedings
• Communication plan: Who to notify (management, legal, law enforcement, customers, regulators)
• Tabletop exercises: Discussion-based simulations that walk through IR scenarios without touching systems
• NIST SP 800-61: Computer Security Incident Handling Guide; defines the IR lifecycle
• PICERL: Mnemonic for IR phases: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned
• Exercise types: Tabletop (discussion-based), walkthrough (step-by-step review), simulation (hands-on practice)
• MITRE ATT&CK: Knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations
• Diamond Model: Intrusion analysis using four vertices: adversary, capability, infrastructure, victim
• Cyber Kill Chain: Lockheed Martin model: Reconnaissance → Weaponization → Delivery → Exploitation → Installation → C2 → Actions on Objectives

Exam Tips

Remember

NIST phases: Prep → Detect → Contain → Eradicate → Recover → Lessons Learned. The exam loves scenario questions asking “what do you do FIRST?” — answer: contain the threat to prevent spread.

• Containment before eradication — you must stop the bleeding before cleaning up
• Lessons learned phase is NOT optional — it drives continuous improvement
• Evidence preservation is critical — image drives before wiping them

Connections

• Directly supports business-continuity by minimizing downtime and data loss during incidents
• Relies on indicators-of-compromise for detection and analysis of potential security events
• digital-forensics provides the evidence collection and analysis techniques used during IR
• soar automates containment and eradication steps defined in IR playbooks

Practice Questions

Q-Bank: Incident Response (4 Questions)

Q1. A SOC analyst detects ransomware actively encrypting files on a workstation that is connected to a shared network drive containing critical business data. What should the analyst do FIRST?

A. Begin eradicating the malware from the workstation B. Isolate the affected workstation from the network to contain the threat C. Restore the encrypted files from the latest backup D. Conduct a lessons learned meeting with the team

Show Answer B. Isolate the affected workstation from the network to contain the threat

containment must come before eradication — the analyst must stop the ransomware from spreading to the shared drive and other network resources. Option A skips containment, allowing continued encryption of network files during eradication. Option C is a recovery step that should occur after containment and eradication. Option D is a post-incident activity, not an immediate response action.

Q2. After successfully containing and eradicating a security breach, the incident response team restores affected systems from clean backups and monitors them for signs of reinfection. Which phase of the NIST IR lifecycle does this represent?

A. Preparation B. Detection and Analysis C. Recovery D. Post-Incident Activity

Show Answer C. Recovery

The recovery phase involves restoring systems to normal operations and monitoring for signs of re-infection to ensure the threat has been fully eliminated. Option A occurs before any incident and involves building the IR capability. Option B involves identifying and understanding the incident. Option D (lessons learned) occurs after recovery and focuses on documenting improvements.

Q3. An organization’s incident response team conducts a discussion-based exercise where team members walk through a simulated phishing attack scenario, reviewing their roles and response procedures without touching any actual systems. What type of exercise is this?

A. Penetration test B. Tabletop exercise C. Red team engagement D. Vulnerability scan

Show Answer B. Tabletop exercise

tabletop-exercises are discussion-based simulations that walk through incident response scenarios without interacting with live systems, testing team coordination and procedure familiarity. Option A actively exploits vulnerabilities on real systems. Option C simulates real adversary attacks against production infrastructure. Option D is an automated technical assessment, not a team exercise.

Q4. During the post-incident review of a data breach, the IR team discovers that the initial containment was delayed by two hours because the on-call analyst could not reach the network team to isolate the affected VLAN. What should the organization improve PRIMARILY based on this finding?

A. Deploy more advanced EDR tools B. Update the communication plan with clear escalation paths and emergency contacts C. Increase the frequency of vulnerability scans D. Implement full disk encryption on all servers

Show Answer B. Update the communication plan with clear escalation paths and emergency contacts

The communication-plan is critical to incident response effectiveness. The delay was caused by a communication breakdown, not a technical control gap. The lessons learned phase exists specifically to identify and address such process failures. Option A addresses detection capability, not communication. Option C addresses vulnerability discovery, not incident response speed. Option D protects data at rest, unrelated to the communication issue.

Scenario

See case-incident-response for a practical DevOps scenario applying these concepts.

Resources

• Professor Messer’s SY0-701 Security+ Course
  • 4.8 – Incident Response