3.2 Given a scenario, perform incident response activities.
📘CompTIA CySA+ (CS0-003)
🔐 Incident Response Activities (Containment, Eradication, and Recovery)
When a security incident happens (such as malware infection, data breach, or unauthorized access), the goal is to stop the attack, remove the threat, and restore normal operations safely.
This phase has three main parts:
- Containment
- Eradication
- Recovery
Before doing these steps, analysts must understand:
- Scope
- Impact
1. 📌 Scope (How big is the incident?)
Scope means identifying how far the incident has spread.
You must answer:
- Which systems are affected?
- Which users are involved?
- Is it one device or many?
- Is it inside one network segment or multiple networks?
🔍 IT Example:
- Malware is found on one employee laptop.
- Investigation shows it has also spread to:
- File server
- Two other workstations
👉 Scope = 3 endpoints + server
🎯 Exam Point:
Scope helps determine how serious and widespread the incident is.
2. ⚠️ Impact (What damage is caused?)
Impact means the effect of the incident on business and systems.
You evaluate:
- Data loss or theft
- System downtime
- Service disruption
- Financial loss
- Reputation damage
- Compliance violations
🔍 IT Example:
- Ransomware encrypts a database server.
- Users cannot access customer records.
👉 Impact:
- Service downtime
- Data unavailable
- Possible financial loss
🎯 Exam Point:
Higher impact = higher priority response.
3. 🚧 Containment (Stop the spread)
Containment means limiting the damage and preventing the incident from spreading further.
There are two types:
🔹 Short-term containment
Quick actions to stop spread immediately.
Examples:
- Disconnect infected device from network
- Disable user account
- Block malicious IPs at firewall
- Isolate infected VM in cloud environment
🔹 Long-term containment
Temporary solutions while full cleanup is prepared.
Examples:
- Apply firewall rules
- Restrict access to critical servers
- Deploy endpoint protection policies
🎯 Exam Point:
Containment does NOT remove the threat — it only stops spread.
4. 🧹 Isolation (Separating affected systems)
Isolation is a key part of containment. It means separating infected systems from healthy systems.
🔍 IT Examples:
- Move infected workstation to a quarantine VLAN
- Disconnect server from production network
- Disable Wi-Fi or VPN access for compromised device
🎯 Exam Point:
Isolation helps preserve evidence and prevents lateral movement.
5. 🛠️ Eradication (Remove the threat completely)
Eradication means eliminating the root cause of the incident.
You must remove:
- Malware
- Malicious files
- Unauthorized accounts
- Backdoors
- Registry changes or persistence mechanisms
🔍 IT Examples:
- Run antivirus/EDR cleanup tools
- Delete malicious scripts from servers
- Remove unauthorized admin accounts
- Patch vulnerable software used in attack
🎯 Exam Point:
If eradication is incomplete, the attack can return.
6. 🔄 Recovery (Restore systems to normal)
Recovery means bringing systems back into production safely.
Steps include:
- Restoring data from clean backups
- Rebuilding systems if needed
- Reconnecting systems to the network
- Monitoring for reinfection
- Validating system integrity
🔍 IT Examples:
- Restore database from last clean backup
- Rebuild infected workstation using standard image
- Bring server back online after security validation
🎯 Exam Point:
Recovery must ensure systems are clean and safe before returning to production.
7. 💿 Re-imaging (Clean rebuild of systems)
Re-imaging means wiping a system and reinstalling a fresh, trusted operating system image.
Used when:
- System is deeply compromised
- Malware cannot be fully removed
- Integrity of system is not trusted
🔍 IT Examples:
- Wipe infected laptop
- Install standard corporate OS image
- Reinstall required security tools and patches
🎯 Exam Point:
Re-imaging is often safer than trying to clean complex infections.
8. 🛡️ Remediation (Fix the root weakness)
Remediation means fixing the vulnerability that allowed the attack.
This prevents recurrence.
🔍 IT Examples:
- Patch unpatched software exploited by attacker
- Disable insecure services (e.g., unused RDP)
- Fix misconfigured firewall rules
- Strengthen password policies
🎯 Exam Point:
Eradication removes the threat, but remediation fixes the cause.
9. 🧩 Compensating Controls (Temporary protection)
Compensating controls are temporary security measures used when proper fixes cannot be applied immediately.
Used when:
- System cannot be patched right away
- Application cannot be modified immediately
- Business needs system to stay online
🔍 IT Examples:
- Enable strict firewall rules instead of patching immediately
- Use network segmentation to limit access
- Increase monitoring and logging on affected systems
- Restrict user permissions temporarily
🎯 Exam Point:
Compensating controls reduce risk until permanent fixes are applied.
📊 Full Incident Response Flow (Simple View)
- Detect incident
- Analyze scope and impact
- Contain threat (stop spread)
- Isolate affected systems
- Eradicate threat
- Apply remediation
- Recover systems
- Re-image if needed
- Apply compensating controls if required
- Monitor continuously
🧠 Key Exam Tips (Very Important)
- Containment = stop spread
- Eradication = remove threat
- Recovery = restore operations
- Isolation = separate infected systems
- Re-imaging = rebuild system clean
- Remediation = fix vulnerability
- Compensating controls = temporary security workaround
- Scope = how far incident spread
- Impact = damage caused
