Domain 4 of 5 · Chapter 8 of 9

Incident Response

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing CompTIA Security+ premium course — no separate purchase.

Included in this chapter:

  • The incident response process: seven phases on a NIST spine
  • Preparation, training, and testing: tabletop vs. simulation
  • Root cause analysis, threat hunting, and lessons learned
  • Digital forensics: chain of custody, order of volatility, e-discovery

The seven IR phases: goal and key activity

IR phaseGoalKey activityNIST 800-61 mapping
PreparationBe ready before an incidentIR plan, team, tools, training, testingPreparation
DetectionNotice something is wrongAlerts, IoCs, reports trigger triageDetection and Analysis
AnalysisConfirm and scope the incidentValidate true positive, determine impactDetection and Analysis
ContainmentStop the spreadIsolate hosts, segment, disable accountsContainment, Eradication, Recovery
EradicationRemove the root causeDelete malware, patch flaw, rebuild cleanContainment, Eradication, Recovery
RecoveryReturn to normal operationsRestore systems, monitor for recurrenceContainment, Eradication, Recovery
Lessons learnedImprove future responsePost-incident review, RCA, update planPost-Incident Activity

Decision tree

Incident confirmed? Is the threat still spreading? Not yet declared Yes, active Detection / Analysis triage alert, validate, scope impact Containment isolate host, segment, disable acct Root cause removed and systems verified clean? No Yes Eradication remove malware, patch, rebuild clean Recovery restore, monitor for recurrence Collecting evidence from a live (powered-on) host? Yes No, powered off Capture memory first order of volatility: RAM before disk Image the disk hash + chain of custody Always after recovery: lessons learned + root cause analysis feed back into preparation tabletop and simulation exercises in preparation keep the team ready

Cheat sheet

  • CompTIA's 7 IR steps split NIST's 4-phase life cycle
  • Containment precedes eradication, which precedes recovery
  • Preparation is the only phase done before an incident
  • Containment isolates the threat to stop it spreading
  • Eradication removes the root cause, not just symptoms
  • Recovery returns systems to verified-normal operation
  • Short-term containment buys time; long-term keeps business running
  • A tabletop exercise is a discussion-based walkthrough
  • A simulation runs an actual technical drill
  • Lessons learned feeds improvements back into preparation
  • Root cause analysis fixes why it happened, not just the symptom
  • Threat hunting is proactive and assumes a breach already exists
  • NIST SP 800-86's forensic process: collect, examine, analyze, report
  • Chain of custody is the documented trail that keeps evidence admissible
  • Order of volatility: capture the most ephemeral evidence first
  • On a live host, capture memory before imaging the disk
  • Preservation means working from a hashed forensic image, never the original
  • Acquisition is making the forensically sound bit-for-bit copy
  • A legal hold suspends routine deletion of relevant data
  • E-discovery identifies and produces ESI for a legal request
  • A matching hash proves the image was not altered
  • Incident response begins where alerting and monitoring end

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. CompTIA Security+ (SY0-701) certification
  2. NIST SP 800-61 Rev. 2: Computer Security Incident Handling Guide
  3. NIST SP 800-86: Guide to Integrating Forensic Techniques into Incident Response Whitepaper
  4. RFC 3227: Guidelines for Evidence Collection and Archiving Whitepaper