
CompTIA Security+ Certification Study Guide

Key concepts, definitions, and exam tips organized by topic.

26 cards covered

Incident Response – CompTIA Security+ Study Guide


Overview

Incident Response (IR) is the structured process organizations use to prepare for, detect, contain, and recover from cybersecurity incidents. The CompTIA Security+ exam tests your understanding of the NIST IR lifecycle, digital forensics principles, communication protocols, and the tools and techniques used throughout the response process. Mastery of these concepts is essential for both the exam and real-world security operations.


---


IR Lifecycle


Overview of the NIST Incident Response Lifecycle

The NIST framework defines a repeating cycle of four major phases (often expanded to six steps) that guide an organization's response to any security incident.


The Six Phases (in order):

1. Preparation

2. Detection and Analysis

3. Containment

4. Eradication

5. Recovery

6. Post-Incident Activity


> 💡 The exam may present these as 4 phases or 6 steps — know both representations.


Phase-by-Phase Breakdown


| Phase | Primary Goal |
|---|---|
| Preparation | Build capabilities before an incident occurs |
| Detection & Analysis | Identify and confirm the incident |
| Containment | Limit damage and prevent spread |
| Eradication | Remove the root cause entirely |
| Recovery | Restore systems to normal operations |
| Post-Incident Activity | Learn and improve from the experience |


Key Distinctions Between Phases


  • Containment vs. Eradication:
    - Containment = stop the bleeding (isolate, limit scope, preserve evidence)
    - Eradication = remove the wound (delete malware, close backdoors, disable compromised accounts)
    - Containment does not fix the problem — it only prevents further spread

  • Post-Incident Activity:
    - Includes the lessons-learned meeting — a structured review of what happened and how well the team responded
    - Produces the after-action report (AAR) — a formal document capturing the incident narrative, response evaluation, and improvement recommendations
    - Goal: update policies, procedures, and playbooks to prevent recurrence


Key Terms

  • Incident Response Lifecycle – The repeating NIST framework guiding cybersecurity incident management
  • After-Action Report (AAR) – Formal post-incident document with findings and recommendations
  • Lessons-Learned Meeting – Structured debrief conducted during Post-Incident Activity


Watch Out For

> ⚠️ Students frequently confuse eradication and containment. Remember: you can contain an incident (isolate a host) while the malware still exists. Eradication means the threat is gone.


> ⚠️ Post-Incident Activity is not optional cleanup — it is a critical, formal phase of the lifecycle that feeds back into Preparation.


---


Preparation & Planning


Building IR Capability Before Incidents Occur

Preparation is the foundation of effective incident response. Without it, every other phase becomes chaotic and ineffective.


Core Preparation Components


  • CSIRT (Computer Security Incident Response Team)
    - A designated group responsible for coordinating and executing incident response
    - May include security analysts, IT staff, legal counsel, HR, and management
    - Must be established and trained before an incident occurs

  • Incident Response Plan (IRP)
    - The master document defining how the organization will respond to incidents
    - Defines roles, responsibilities, and escalation procedures

  • Playbook (Runbook)
    - Predefined, step-by-step procedures for specific incident types (e.g., ransomware, phishing, DDoS)
    - Ensures consistency and speed — responders don't improvise under pressure
    - Think of it as a "recipe" for handling a known threat type

  • Call Tree (Contact List)
    - Defines the chain of notification — who calls whom and in what order
    - Ensures the right personnel, management, and external parties are reached quickly
    - Prevents critical contacts from being missed during high-pressure situations


Testing IR Preparedness


  • Tabletop Exercise
    - Discussion-based simulation walking through a hypothetical incident scenario
    - No actual systems are touched — it's a planning and communication test
    - Identifies gaps in plans, roles, and decision-making before a real incident


Event vs. Incident — Know the Difference


| Term | Definition |
|---|---|
| Event | Any observable occurrence on a network or system |
| Incident | An event that negatively affects or threatens CIA (Confidentiality, Integrity, Availability) |


> 💡 A login attempt is an event. A successful unauthorized login is an incident.


Key Terms

  • CSIRT – Computer Security Incident Response Team
  • Playbook/Runbook – Step-by-step procedures for specific incident types
  • Call Tree – Notification chain ensuring rapid contact of key personnel
  • Tabletop Exercise – Discussion-based IR simulation
  • Event – Any observable system occurrence
  • Incident – An event negatively impacting CIA


Watch Out For

> ⚠️ A tabletop exercise is discussion-based only. Do not confuse it with a simulation or full-scale exercise where systems and resources are actually deployed.


> ⚠️ Not every security alert is an incident. The exam may test whether you can distinguish events from actual incidents requiring IR activation.


---


Detection & Analysis


Identifying and Confirming the Incident

This phase transforms raw alerts and log data into confirmed, actionable incident intelligence.


Core Detection Tools and Concepts


  • Indicator of Compromise (IoC)
    - Forensic evidence or artifacts suggesting a system has been breached
    - Examples: unusual IP addresses, known malicious file hashes, suspicious registry changes, unexpected outbound connections
    - IoCs are first identified and triaged during the Detection and Analysis phase

  • SIEM (Security Information and Event Management)
    - Aggregates and correlates log data from multiple sources in real time
    - Generates alerts based on rules and behavioral anomalies
    - The primary tool for large-scale detection and analysis
    - Enables analysts to investigate potential incidents with centralized visibility

  • Threat Hunting
    - A proactive process where analysts search for hidden threats that have evaded automated detection
    - Assumption: "The attacker is already inside"
    - Complements SIEM by finding threats that don't trigger automated alerts


Building the Incident Timeline


  • Reconstructs the sequence of attacker actions and system events
  • Answers: What happened? When? In what order?
  • Critical for:
    - Understanding the attack vector (how they got in)
    - Determining scope and impact
    - Supporting legal and regulatory requirements


Key Terms

  • IoC (Indicator of Compromise) – Forensic artifact suggesting a breach
  • SIEM – Security Information and Event Management system
  • Threat Hunting – Proactive search for hidden threats
  • Incident Timeline – Chronological reconstruction of attacker actions and system events


Watch Out For

> ⚠️ Threat hunting is proactive — analysts initiate it. This is different from reactive alert-based detection through a SIEM.


> ⚠️ An IoC does not automatically confirm an incident — it must be analyzed and validated during the Detection and Analysis phase.


---


Containment, Eradication & Recovery


Stopping the Threat, Removing It, and Restoring Operations


Containment Strategies


| Type | Description | Example |
|---|---|---|
| Short-term containment | Immediately limits damage | Isolating/quarantining a compromised host |
| Long-term containment | Sustainable controls allowing operations to continue | Network segmentation, emergency patching |


Strategic Decision — Monitor vs. Isolate:

  • Isolate immediately → Stops damage faster, but attacker knows they've been detected
  • Monitor first → Gathers threat intelligence (TTPs — Tactics, Techniques, Procedures)
    - Risk: Additional systems may be compromised during monitoring period
    - Used when intelligence value outweighs the risk of continued exposure


Eradication Best Practices

  • Remove all malware, backdoors, and persistence mechanisms
  • Disable or reset compromised accounts
  • Close exploited vulnerabilities (patch, configuration change)
  • Verify the environment is clean before proceeding to recovery


Recovery Best Practices

  • Restore from a known-good, clean backup taken before the compromise
  • Apply all current patches before returning systems to production
  • Verify integrity of restored systems
  • Monitor closely after restoration for signs of re-infection


Key Terms

  • Short-term Containment – Immediate action to stop damage (e.g., host isolation)
  • Long-term Containment – Sustained measures allowing safe operations during IR
  • Eradication – Complete removal of the threat and its root cause
  • Known-Good Backup – A pre-compromise backup used for clean restoration


Watch Out For

> ⚠️ Never restore from a backup taken after the compromise — it may contain the malware.


> ⚠️ Recovery is not complete until systems are patched, verified, and monitored post-restoration.


---


Digital Forensics


Preserving and Analyzing Evidence Properly

Digital forensics ensures that evidence is collected, preserved, and analyzed in a manner that maintains its integrity and legal admissibility.


Order of Volatility

Collect evidence from most volatile to least volatile — perishable evidence disappears first.


```
Most Volatile ←——————————————————→ Least Volatile

CPU Registers → RAM → Swap/Page File → Disk → Remote Logs → Backups/Archives
```


> 💡 If you lose RAM contents before capturing them, that evidence is gone forever.


Forensic Imaging

  • A forensic image is a bit-for-bit copy of the original storage media
  • Analysts work from the copy, never from the original
  • Preserves evidentiary integrity — the original is never modified


Cryptographic Hashing in Forensics

  • Algorithms: MD5, SHA-1, SHA-256
  • Generate a unique "fingerprint" of a file or image
  • Process:
    1. Hash the original evidence at collection
    2. Hash the forensic copy
    3. Hashes must match → proves no tampering occurred
    4. Any change to the file changes the hash → proves tampering


Chain of Custody

  • A documented record tracking:
    - Who collected the evidence
    - Who handled or transferred it
    - Who analyzed it
    - How it was stored
  • Ensures integrity and legal admissibility in court
  • A broken chain of custody can make evidence inadmissible


Legal Hold (Litigation Hold)

  • A directive to preserve all potentially relevant evidence
  • Triggered when litigation or regulatory investigation is reasonably anticipated
  • Overrides normal data retention/deletion policies
  • Failure to implement legal hold = potential spoliation of evidence (legal liability)


Key Terms

  • Order of Volatility – Ranking of evidence sources from most to least perishable
  • Forensic Image – Exact bit-for-bit copy of storage media for safe analysis
  • Chain of Custody – Documentation trail of evidence handling
  • Cryptographic Hashing – Generating a unique fingerprint to verify evidence integrity
  • Legal Hold – Directive to preserve evidence when legal action is anticipated
  • MD5/SHA-256 – Common hashing algorithms used in forensics


Watch Out For

> ⚠️ Chain of custody is about documentation and process, not technical controls. A gap in documentation — even with no actual tampering — can invalidate evidence.


> ⚠️ Remember the order of volatility: RAM before Disk. The exam loves testing whether candidates know to capture volatile memory first.


> ⚠️ MD5 is considered cryptographically weak for security purposes but is still commonly used for forensic integrity verification — know the context.


---


Communication & Reporting


Notifying the Right People the Right Way


Stakeholder Notification Categories


| Category | Examples |
|---|---|
| Internal | Executive leadership, Legal, HR, IT, PR/Communications |
| External | Customers/users, Regulators, Law enforcement (FBI, local), Cyber insurers, Media (if necessary) |


Who gets notified depends on the nature and scope of the incident.


Out-of-Band Communications

  • Why: Attackers may be monitoring compromised systems, including email and chat
  • What: Use separate, unaffected communication channels during suspected breaches
  • Examples: Personal phones, encrypted messaging apps, in-person meetings
  • Purpose: Prevents tipping off the attacker and protects response coordination integrity


Breach Notification Laws


| Regulation | Scope | Key Requirement |
|---|---|---|
| GDPR | EU personal data | Notify supervisory authority within 72 hours |
| State Breach Laws (e.g., CCPA) | Varies by state | Notify affected individuals within defined timeframes |
| HIPAA | Healthcare data | Notify HHS and affected individuals |


Key Points:

  • These laws impose legal deadlines — non-compliance = penalties and fines
  • Notification requirements apply even if the full scope of the breach is not yet known
  • Legal counsel should be involved from the early stages of significant incidents


Key Terms

  • Out-of-Band Communication – Using alternative channels not relying on potentially compromised systems
  • Breach Notification Laws – Legal requirements to notify individuals and regulators after a data breach
  • GDPR – EU data protection regulation with 72-hour breach notification requirement
  • Stakeholder Notification – Structured communication to all relevant internal and external parties


Watch Out For

> ⚠️ The 72-hour GDPR notification window is a favorite exam fact — memorize it.


> ⚠️ Using regular email to coordinate response when email servers may be compromised is a critical mistake. Always use out-of-band channels when a breach is suspected.


> ⚠️ Breach notification laws vary by jurisdiction and data type — the exam may test whether you know which law applies in a given scenario.


---


Quick Review Checklist


Use this checklist to confirm you're exam-ready:


IR Lifecycle

  • [ ] Can recite the 6 NIST IR phases in correct order
  • [ ] Know what happens in each phase
  • [ ] Distinguish containment (limit spread) from eradication (remove root cause)
  • [ ] Explain the purpose of lessons-learned meetings and AARs


Preparation & Planning

  • [ ] Define CSIRT and its role
  • [ ] Explain the difference between an IRP, playbook, and call tree
  • [ ] Describe what a tabletop exercise tests (and what it doesn't)
  • [ ] Distinguish an event from an incident


Detection & Analysis

  • [ ] Define IoC with examples
  • [ ] Explain SIEM's role in centralized detection and correlation
  • [ ] Distinguish reactive SIEM detection from proactive threat hunting
  • [ ] Explain why building an incident timeline matters


Containment, Eradication & Recovery

  • [ ] Distinguish short-term vs. long-term containment
  • [ ] Explain the tradeoff between monitoring and immediately isolating a compromised system
  • [ ] Know the proper recovery process: clean backup → patch → verify → monitor


Digital Forensics

  • [ ] Recite the order of volatility (RAM before disk)
  • [ ] Explain what a forensic image is and why analysts use copies, not originals
  • [ ] Describe how cryptographic hashing verifies evidence integrity
  • [ ] Define chain of custody and explain why gaps are problematic
  • [ ] Know when and why a legal hold is triggered


Communication & Reporting

  • [ ] Identify internal vs. external stakeholders requiring notification
  • [ ] Explain why out-of-band communication channels are used during incidents
  • [ ] Know the GDPR 72-hour breach notification requirement
  • [ ] Understand that breach notification laws carry legal deadlines and penalties


---


Good luck on the Security+ exam! Focus on understanding the why behind each concept, not just memorizing definitions — scenario-based questions will test your ability to apply these principles.
