Explain appropriate incident response activities
Incident response is the structured approach to handling security incidents — from detection through recovery and lessons learned. The exam tests the phases, the order, and the decisions within each phase.
Incident Response Process
1. Preparation
Everything before an incident occurs. The most important phase — determines how effective the rest will be.
- IR plan: Documented procedures for detection, analysis, containment, eradication, and recovery
- IR team: Defined roles — incident commander, analysts, communications lead, legal liaison, management
- Communication plan: Who is notified, when, and through what channels (internal and external)
- Tools and access: Forensic tools staged, network diagrams current, credentials for critical systems accessible to IR team
- Training and exercises: Tabletop exercises, simulated incidents, red team/blue team drills
- Contact lists: Legal counsel, law enforcement, insurance provider, PR, affected third parties
2. Detection and Analysis
Identifying that an incident is occurring and determining its nature and scope.
Detection sources:
- SIEM alerts, EDR notifications, IDS/IPS alerts
- User reports (suspicious email, unusual system behavior)
- External notification (vendor, law enforcement, threat intel)
- Anomaly detection (behavioral analytics, impossible travel)
Analysis activities:
- Triage: Determine if the alert is a true positive or false positive
- Scoping: Identify affected systems, accounts, and data
- Classification: Categorize the incident (malware, unauthorized access, data breach, DoS, insider threat)
- Severity assignment: Based on impact and scope — drives response urgency and resources
3. Containment
Stop the incident from spreading while preserving evidence for investigation.
Short-term containment:
- Isolate affected systems from the network (but don’t power off — preserve volatile evidence)
- Block attacker IP addresses at the firewall
- Disable compromised accounts
- Redirect DNS for compromised domains
Long-term containment:
- Rebuild compromised systems from clean images on isolated network
- Apply patches that address the exploited vulnerability
- Enhance monitoring on affected systems and adjacent assets
Key decision: Containment must balance speed (stop the spread) with evidence preservation (don’t destroy forensic data). Pulling the network cable preserves disk evidence but loses volatile memory data.
4. Eradication
Remove the threat completely from the environment.
- Remove malware, backdoors, rootkits from all affected systems
- Identify and close the initial attack vector (patched vulnerability, disabled phishing vector)
- Reset all potentially compromised credentials
- Verify: Scan for persistence mechanisms — attackers install multiple backdoors expecting you’ll miss one
5. Recovery
Restore affected systems to normal operations.
- Restore from known-good backups (verify backup integrity first)
- Rebuild systems from clean images where necessary
- Gradually reintroduce systems to production with enhanced monitoring
- Validation: Monitor restored systems closely for signs of reinfection
- Confirm all business functions are operational
6. Post-Incident Activity (Lessons Learned)
After the incident is resolved — arguably the most valuable phase.
- Post-incident review: What happened, when, how was it detected, how was it contained?
- Root cause analysis: What was the underlying vulnerability/failure that enabled the incident?
- What worked: Effective detections, fast containment decisions, good communication
- What didn’t: Missed detections, slow response, communication gaps, missing procedures
- Recommendations: Specific, actionable improvements to prevent recurrence
- Documentation: Full incident report including timeline, actions taken, and outcomes
- IR plan updates: Incorporate lessons learned into procedures
Incident Types and Classification
| Type | Examples |
|---|---|
| Malware | Ransomware, trojans, worms, rootkits |
| Unauthorized access | Compromised credentials, brute force, privilege escalation |
| Data breach | Exfiltration, accidental exposure, unauthorized disclosure |
| Denial of service | DDoS, resource exhaustion, application-layer attacks |
| Insider threat | Data theft, sabotage, policy violations |
| Social engineering | Successful phishing, pretexting, BEC |
Communication During Incidents
Internal Communication
- Incident commander coordinates all activities
- Regular status updates to management and stakeholders
- Secure communication channel (don’t use potentially compromised systems)
External Communication
- Legal counsel: Before any external disclosure — legal drives timing and content
- Regulators: Required by law for many incident types (GDPR 72-hour notification, HIPAA breach notification)
- Customers/affected parties: Notification of data breaches as required by law
- Law enforcement: For criminal activity (ransomware, fraud, espionage)
- Media: Through PR/communications team only. Controlled messaging.
What NOT to Communicate
- Technical details that could help the attacker (during active incident)
- Speculation about attribution before investigation is complete
- Information that could increase legal liability without counsel review
Evidence Handling
Order of Volatility
Collect the most volatile evidence first — it disappears when power is lost:
- CPU registers, cache (milliseconds)
- RAM contents (lost on power-off)
- Network connections, running processes (change constantly)
- Disk (temporary files, swap) (may be overwritten)
- Disk (persistent data) (stable until overwritten)
- Remote logging, monitoring data (may be on retention schedule)
- Physical evidence, archival media (most stable)
Chain of Custody
Documented record of who handled evidence, when, and what they did with it.
- Required for evidence to be admissible in legal proceedings
- Any break in chain of custody may invalidate the evidence
Forensic Imaging
- Create bit-for-bit copies of drives using write-blockers
- Hash original and copy to verify integrity (SHA-256)
- Work on the copy, preserve the original
Offensive Context
Incident response is the defensive endgame — it’s what happens when all preventive and detective controls have either failed or succeeded in detecting the breach. Understanding the attacker’s post-exploitation playbook (persistence mechanisms, lateral movement, data staging, exfiltration) directly informs your containment and eradication phases. Attackers who anticipate IR will pre-stage multiple persistence mechanisms, time their exfiltration to avoid business-hours monitoring, and attempt to compromise the IR team’s communication channels. The assume-breach model means your IR plan should account for the possibility that the attacker is watching your response.