Module 2.3: Incident Response

Learning Objectives

By the end of this module, you will be able to:

  • Define an incident and distinguish it from an event
  • Explain all six incident response phases in order
  • Describe the responsibilities of the incident response team
  • Classify incidents by severity and impact
  • Explain evidence handling and chain of custody
  • Describe communication requirements during an incident
  • Explain how AI and SOAR support incident response
  • Recognize notification obligations and real-world breach examples

---

What Incident Response Is

Incident response is the structured process used to detect, analyze, contain, eradicate, recover from, and learn from security incidents.

Event vs incident

These words are not interchangeable.

| Term | Meaning | Example |
|---|---|---|
| Event | Any observable occurrence | A login attempt, a firewall log entry, a file being opened |
| Incident | An event or series of events that threatens confidentiality, integrity, or availability | Malware infection, data breach, unauthorized access |

An event becomes an incident when it requires investigation and response because it may have caused or could cause harm.

Simple analogy

An event is like smoke in the kitchen. An incident is when the smoke might mean a fire. Not every event is a disaster, but some events demand immediate action.

Why IR matters

The longer an attacker remains undetected, the more damage they can do. Strong incident response reduces dwell time, limits spread, preserves evidence, and helps the organization recover in a controlled way.

| IR Benefit | Why It Matters |
|---|---|
| Faster containment | Limits attacker movement |
| Better evidence | Supports investigation and legal action |
| Faster recovery | Restores operations sooner |
| Improved communication | Reduces confusion and rumor |
| Lessons learned | Makes the next response better |

> Exam Tip: Incident response is not just technical cleanup. It also includes legal, communication, and evidence-handling requirements.

---

The Six IR Phases

The standard incident response lifecycle has six phases.

1. Preparation
2. Detection and analysis
3. Containment
4. Eradication
5. Recovery
6. Lessons learned

1. Preparation

Preparation happens before an incident. It is the part many organizations neglect until after a breach.

#### Activities

  • Create policies and procedures
  • Form the incident response team
  • Define severity levels and escalation paths
  • Set up logging, monitoring, and alerting
  • Develop playbooks for common incidents
  • Train staff and run exercises
  • Establish legal and communication procedures

#### Example

An organization that has a ransomware playbook can isolate endpoints, block malicious accounts, and contact leadership quickly. An organization without preparation spends the first hours arguing about who should do what.

2. Detection and analysis

This phase is about identifying suspicious activity and determining whether it is truly an incident.

#### Activities

  • Review alerts, logs, and user reports
  • Verify whether the event is benign or malicious
  • Determine scope, impact, and affected assets
  • Prioritize based on severity

#### Example

A spike in outbound traffic may be a backup job, a patch download, or data exfiltration. Analysis is needed before declaring a breach.

3. Containment

Containment stops the incident from spreading.

#### Short-term containment

  • Isolate infected hosts
  • Disable compromised accounts
  • Block malicious IPs or domains
  • Disconnect segments of the network

#### Long-term containment

  • Apply temporary fixes
  • Add compensating controls
  • Keep systems stable while planning eradication

#### Why containment comes before eradication

If you remove malware before isolating the system, the attacker may still have access and re-enter immediately. Containment buys time.

4. Eradication

Eradication removes the root cause.

#### Activities

  • Delete malware
  • Remove persistence mechanisms
  • Patch vulnerabilities
  • Reset credentials
  • Remove unauthorized tools and accounts

#### Example

If attackers exploited an unpatched VPN appliance, eradication may include patching it, rotating credentials, and checking for hidden backdoors.

5. Recovery

Recovery restores services to normal operation while monitoring for recurrence.

#### Activities

  • Rebuild systems from trusted sources
  • Restore data from known-good backups
  • Validate integrity before reconnecting systems
  • Increase monitoring temporarily

#### Example

After ransomware, recovery may involve wiping systems, restoring clean images, validating application integrity, and gradually returning business units to normal operations.

6. Lessons learned

This phase turns the incident into improvement.

#### Activities

  • Conduct post-incident review
  • Document what happened and how it was handled
  • Identify root causes and control gaps
  • Update policies, playbooks, and training
  • Assign remediation actions and deadlines

#### Why it matters

If lessons learned are skipped, the same incident will happen again in a different form.

Phase comparison table

| Phase | Main Goal | Key Output |
|---|---|---|
| Preparation | Be ready before incidents happen | Playbooks, tools, training |
| Detection and analysis | Determine what happened | Triage and incident confirmation |
| Containment | Stop spread | Isolated systems and blocked access |
| Eradication | Remove cause | Clean systems and closed holes |
| Recovery | Restore business operations | Rebuilt and monitored systems |
| Lessons learned | Improve future response | Action items and updated controls |

> Exam Tip: The order matters. Contain first, eradicate second, recover third.

---

Incident Response Team Roles

Many organizations use a CSIRT, IRT, or similar team structure. The exact names vary, but the responsibilities are similar.

| Role | Primary Responsibility |
|---|---|
| Incident manager | Coordinates the response and makes operational decisions |
| Security analyst | Investigates alerts and determines scope |
| Forensics specialist | Preserves and examines evidence |
| IT operations | Restores systems and services |
| Legal/compliance | Advises on reporting and legal obligations |
| Communications/PR | Handles internal and external messaging |
| Management liaison | Briefs executives and supports decisions |
| HR | Handles employee-related issues if insiders are involved |

Why role clarity matters

Without clear roles, multiple people may send conflicting messages, preserve evidence incorrectly, or shut down systems too early.

Example

If a finance employee reports a phishing email, the security analyst investigates, the incident manager coordinates, IT blocks the sender, legal evaluates reporting needs, and communications prepares a response if the event becomes public.

---

Incident Classification

Incidents should be ranked so that the most dangerous ones get immediate attention.

Common classification criteria

  • Severity
  • Scope
  • Confidentiality impact
  • Integrity impact
  • Availability impact
  • Data sensitivity
  • Business criticality
  • Legal or regulatory exposure

Severity examples

| Severity | Example |
|---|---|
| Critical | Active ransomware spreading across multiple systems |
| High | Confirmed unauthorized access to sensitive customer data |
| Medium | Malware isolated on one workstation |
| Low | Suspicious login attempt blocked by MFA |

Classification questions

  • How many systems are affected?
  • Is sensitive data exposed?
  • Is the attacker still active?
  • Is business production interrupted?
  • Does the event require legal notification?

Prioritization example

Two alerts arrive at once:

1. A single failed login from an unusual location
2. A domain controller showing signs of privilege escalation and lateral movement

The second is higher priority because it suggests active compromise and wider impact.

> Exam Tip: Priority is based on impact and urgency, not just on whether an alert looks scary.

---

Evidence Handling and Chain of Custody

Evidence matters because an incident may lead to disciplinary action, civil litigation, or criminal prosecution.

What chain of custody means

Chain of custody is the documented history of evidence handling from collection to presentation.

It answers:

  • Who collected it?
  • When and where was it collected?
  • What was collected?
  • Who had access to it?
  • How was it stored and transferred?
  • Was it altered in any way?

Evidence handling goals

  • Preserve integrity
  • Prevent contamination
  • Maintain authenticity
  • Support admissibility

Good evidence practices

  • Use write blockers when appropriate
  • Make forensic copies, not working copies
  • Record hashes for integrity verification
  • Limit access to authorized personnel only
  • Store evidence securely
  • Document every transfer

Chain of custody table

| Field | Example |
|---|---|
| Evidence ID | EVT-2026-014 |
| Description | Disk image of workstation WS-14 |
| Collected by | J. Analyst |
| Date/time collected | 2026-06-21 09:15 UTC |
| Location | Finance office |
| Hash | SHA-256: ... |
| Transfer record | Handed to forensics lab under seal number 48A |
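
The custody record above can be kept as a log that re-hashes the evidence at every handover, so a break in integrity is tied to the specific transfer where it occurred. This is an added illustration, not part of the module; the sample image bytes, the timestamps of the handovers, the "Legal" recipient and seal "48B" are constructed for the example.

```python
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for the WS-14 disk image; a real record hashes the image file.
SAMPLE_IMAGE = b"constructed sample bytes standing in for the WS-14 disk image"

def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of evidence bytes, recorded at collection and at every handover."""
    return hashlib.sha256(data).hexdigest()

class CustodyRecord:
    """Chain-of-custody log for one evidence item.

    Every transfer re-hashes the evidence and compares it with the hash taken at
    collection, so an alteration is caught at the handover where it happened.
    """

    def __init__(self, evidence_id, description, collected_by, location, data, when):
        self.evidence_id = evidence_id
        self.description = description
        self.original_hash = sha256_hex(data)
        self.entries = [{"action": "collected", "by": collected_by, "location": location,
                         "time": when.isoformat(), "hash": self.original_hash}]

    def transfer(self, from_person, to_person, seal, data, when) -> bool:
        """Log a handover; return False when the evidence no longer matches its hash."""
        current = sha256_hex(data)
        intact = current == self.original_hash
        self.entries.append({"action": "transferred", "from": from_person, "to": to_person,
                             "seal": seal, "time": when.isoformat(), "hash": current,
                             "integrity_ok": intact})
        return intact

    def is_intact(self) -> bool:
        """True only if every logged handover verified the original hash."""
        return all(e.get("integrity_ok", True) for e in self.entries)

def demo():
    """Walk the module's example record through one clean and one tampered handover."""
    rec = CustodyRecord("EVT-2026-014", "Disk image of workstation WS-14", "J. Analyst",
                        "Finance office", SAMPLE_IMAGE,
                        datetime(2026, 6, 21, 9, 15, tzinfo=timezone.utc))
    clean = rec.transfer("J. Analyst", "Forensics lab", "48A", SAMPLE_IMAGE,
                         datetime(2026, 6, 21, 11, 0, tzinfo=timezone.utc))
    # Hypothetical second handover in which one byte of the image changed in transit.
    tampered = rec.transfer("Forensics lab", "Legal", "48B (hypothetical)",
                            SAMPLE_IMAGE + b"\x00",
                            datetime(2026, 6, 22, 9, 0, tzinfo=timezone.utc))
    return rec, clean, tampered
```

The second handover fails verification and is recorded as such, which is exactly the documentation that lets an organization show where evidence was altered rather than having the whole item challenged.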

Why this matters

If evidence is handled carelessly, an attacker may claim it was altered. Proper custody and hashes reduce that risk.

> Exam Tip: Evidence must be preserved before cleanup when possible. Do not destroy proof just to make the system look clean.

---

Communication During Incidents

Communication is one of the most failure-prone parts of incident response.

Internal communication

  • Inform the incident manager and leadership
  • Alert technical staff and business owners
  • Use approved channels only
  • Keep a timeline of decisions and actions

External communication

  • Customers
  • Regulators
  • Law enforcement
  • Vendors and partners
  • Media, if needed

Communication rules

  • Do not speculate
  • Do not blame prematurely
  • Do not share unverified details
  • Use pre-approved templates when available
  • Coordinate messaging through authorized spokespeople

Example

If a data breach is suspected, employees should not post screenshots on social media or tell customers “we were definitely hacked” before confirmation. That can damage trust and create legal problems.

Communication matrix

| Audience | Needs | Risk if Mishandled |
|---|---|---|
| Executives | Status and business impact | Poor decisions |
| Staff | What to do next | Confusion and rumor |
| Customers | Service impact and next steps | Panic or churn |
| Regulators | Required facts and deadlines | Compliance failure |
| Media | Accurate public statement | Reputational damage |

---

Notification Requirements

Many incidents trigger legal, contractual, or regulatory notification duties.

Common notification triggers

  • Personal data exposure
  • Health information compromise
  • Financial data compromise
  • Critical infrastructure impact
  • Contractually required breach notice
  • Law enforcement involvement

Why timing matters

Some laws require notification within a specific time window. Delays can increase penalties and reputational harm.

Example

A healthcare breach may trigger HIPAA-related obligations. A company handling EU personal data may need to consider GDPR requirements. The exact rules depend on the jurisdiction and data type.

Exam focus

You usually do not need to memorize specific legal deadlines for the CC exam, but you do need to know that incident response includes notification responsibilities and that legal/compliance teams must be involved early.

> Exam Tip: If a question mentions reporting obligations, think legal/compliance and approved communication channels.

---

AI in Incident Response

AI is increasingly used to help defenders work faster.

SOAR and automation

SOAR stands for Security Orchestration, Automation, and Response. It uses workflows, playbooks, and integrations to automate repetitive response steps.

Examples:

  • Automatically isolate a host after malware detection
  • Disable a suspicious account
  • Enrich an alert with threat intelligence
  • Open a ticket and notify the incident team

Benefits of AI and SOAR

| Benefit | Example |
|---|---|
| Speed | Contain a phishing campaign faster |
| Consistency | Follow the same playbook every time |
| Scale | Handle large alert volumes |
| Triage support | Sort noise from real incidents |

Risks of AI in IR

AI can help, but it can also mislead.

| Risk | Why It Matters |
|---|---|
| False positives | Wastes time and attention |
| False negatives | Misses real incidents |
| Model drift | Detection quality degrades over time |
| Prompt injection | Automated assistants may be manipulated |
| Over-automation | Teams stop thinking critically |

Example

An AI tool flags a file as malware based on similarity to a known sample. A human analyst should still confirm context before wiping a production machine.
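
A SOAR playbook can encode that judgment boundary directly: the reversible steps listed under "SOAR and automation" run unattended, while the irreversible one waits for an analyst. The simulation below is an added example, not code from the module or any SOAR product; the 0.8 confidence threshold, the host name and the action names are hypothetical.

```python
from dataclasses import dataclass, field

# Hypothetical policy constants for this example.
AUTO_ISOLATE_CONFIDENCE = 0.8          # below this, isolation waits for an analyst
IRREVERSIBLE = {"wipe_host"}           # never run without human confirmation

@dataclass
class Alert:
    """Constructed malware alert as a SOAR platform might receive it."""
    host: str
    indicator: str
    confidence: float       # detector's confidence, 0.0 to 1.0
    is_production: bool

@dataclass
class PlaybookResult:
    executed: list = field(default_factory=list)
    pending_approval: list = field(default_factory=list)

def malware_playbook(alert: Alert, analyst_confirmed: bool = False) -> PlaybookResult:
    """Simulated playbook: automate the safe steps, queue the rest for a human."""
    result = PlaybookResult()
    # Enrichment, ticketing and notification do not touch the host: always automatic.
    result.executed += ["enrich_alert", "open_ticket", "notify_team"]
    # Isolation is reversible but disruptive, so it runs unattended only for a
    # confident detection on a non-production host.
    if alert.confidence >= AUTO_ISOLATE_CONFIDENCE and not alert.is_production:
        result.executed.append("isolate_host")
    else:
        result.pending_approval.append("isolate_host")
    # Wiping destroys both the system and its evidence: an analyst must confirm
    # the context first, whatever the detector's confidence.
    if analyst_confirmed:
        result.executed.append("wipe_host")
    else:
        result.pending_approval.append("wipe_host")
    # Guard rail: no irreversible action may have slipped into the automatic set.
    assert analyst_confirmed or not (set(result.executed) & IRREVERSIBLE)
    return result

def demo():
    """The module's example: a similarity-based hit on a production machine."""
    alert = Alert("fin-srv-01", "similar to known malware sample", 0.75, is_production=True)
    return malware_playbook(alert), malware_playbook(alert, analyst_confirmed=True)
```

For the production-host alert the playbook enriches, tickets and notifies on its own but queues both isolation and wiping, so the analyst's confirmation is what turns the wipe from a pending item into an action.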

> Exam Tip: AI supports IR, but it does not replace human judgment, especially for confirmation and escalation.

---

Real-World Breach Examples

Equifax

Equifax suffered a major breach after attackers exploited a known vulnerability that had not been patched. The lesson for IR is that response speed, patch management, and logging matter. Once a breach occurs, the organization must confirm scope, preserve evidence, and notify appropriately.

Target

Target’s breach showed how third-party access can be abused. Incident response must consider supplier and vendor paths, not only direct employee accounts.

SolarWinds

SolarWinds demonstrated supply chain compromise. IR teams had to determine what was affected, what was trusted, and how far the compromise reached.

Colonial Pipeline

The incident showed how a cyberattack can become a business continuity event. Even if operational technology is not directly hit, fear of spread can force shutdowns.

WannaCry / NHS

Hospitals affected by WannaCry had to continue patient care under severe constraints. This is a strong example of why IR and BC/DR are related but distinct.

---

Common Mistakes and Exam Pointers

| Mistake | Why It Is Wrong |
|---|---|
| Treating every event as an incident | Many events are benign |
| Eradicating before containment | The attacker may still be active |
| Skipping evidence preservation | Legal and forensic options are lost |
| Communicating casually | Can create legal and reputational harm |
| Relying only on automation | Human review is still essential |

Memory aid

  • Prepare before trouble
  • Detect and analyze
  • Contain spread
  • Eradicate cause
  • Recover systems
  • Learn and improve

---

Practice Questions

1. What is an incident?

  • A. Any log entry
  • B. Any business meeting
  • C. An event that threatens confidentiality, integrity, or availability
  • D. A planned maintenance window
  • Answer: ✅ C

2. Which phase happens first?

  • A. Recovery
  • B. Containment
  • C. Preparation
  • D. Lessons learned
  • Answer: ✅ C

3. What should happen before eradication?

  • A. Public disclosure
  • B. Containment
  • C. Lessons learned
  • D. Decommissioning the SOC
  • Answer: ✅ B

4. What is chain of custody?

  • A. A backup rotation method
  • B. A record of who handled evidence and when
  • C. A firewall rule set
  • D. A user access model
  • Answer: ✅ B

5. Which role coordinates the incident response effort?

  • A. Security analyst
  • B. Incident manager
  • C. Help desk only
  • D. Vendor account manager
  • Answer: ✅ B

6. Which is a long-term goal of lessons learned?

  • A. Hide the incident
  • B. Improve future response
  • C. Delete all logs
  • D. Delay reporting
  • Answer: ✅ B

7. Which communication rule is best?

  • A. Share rumors quickly
  • B. Use approved channels and verified facts only
  • C. Let every employee talk to the media
  • D. Post details on social media first
  • Answer: ✅ B

8. What does SOAR help with?

  • A. Replacing all backups
  • B. Automating and orchestrating security response workflows
  • C. Encrypting hard drives
  • D. Avoiding incident tickets
  • Answer: ✅ B

9. Which incident is most severe?

  • A. One failed login blocked by MFA
  • B. One malware alert in isolation
  • C. Active ransomware spreading across the network
  • D. A typo in a user email address
  • Answer: ✅ C

10. Why is evidence preservation important?

  • A. It makes systems run faster
  • B. It supports forensic analysis and legal action
  • C. It removes the need for communication
  • D. It replaces backup recovery
  • Answer: ✅ B
