Domain 2 of 5 · Chapter 3 of 3

Incident Response

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified in Cybersecurity premium course — no separate purchase.

Included in this chapter:

  • Event, alert, incident, breach: getting the words right
  • The four-phase incident response lifecycle
  • Contain, then eradicate, then recover
  • The CSIRT and the incident response plan
  • Exam-pattern recognition

Event vs alert vs incident vs breach

TermWhat it isSeverityExample
EventAny observable occurrence on a system or networkUsually harmlessA user logs in; a service restarts
AlertA notification a monitoring tool raises about a suspicious eventNeeds a lookAntivirus flags a file; a login from a new country
IncidentAn event that harms or threatens CIA or violates policyReal harm or threatMalware spreads; an account is taken over
BreachConfirmed exposure, theft, or disclosure of protected dataMost seriousCustomer records are copied out by an attacker

Cheat sheet

  • An event is any observable occurrence, and most events are harmless
  • An alert is a notification to investigate, not a confirmed incident
  • An incident harms or threatens CIA, or violates security policy
  • A breach is confirmed exposure of protected data, and every breach is an incident
  • Know the four NIST incident response phases in order
  • Preparation comes first and never really stops
  • Detection and Analysis decides whether an event is really an incident
  • A precursor warns of a future incident; an indicator shows one now or already past
  • Prioritize incidents by impact, not first-come first-served
  • Contain, then eradicate, then recover, in that order
  • Containment buys time and stops the spread first
  • Eradication removes the root cause, not just the symptom
  • Preserve evidence before containment or recovery destroys it
  • Hold the lessons-learned review soon after the incident closes
  • The CSIRT is a cross-functional team, not just IT security
  • The incident response plan says how; the policy says it will happen
  • Test the incident response plan before a real incident
  • Incident response handles the attack; disaster recovery restores the business
  • Chain of custody documents who handled evidence so it stays admissible
  • A SIEM correlates aggregated log data to detect threats spanning many systems
  • Recover from ransomware by restoring verified clean backups, not by decrypting
  • An incident response plan must cover communication with internal and external stakeholders
  • Incident responders need standing authority and management backing to act fast

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide Whitepaper