Root cause analysis, threat hunting, digital forensics (legal hold, chain of custody, acquisition, reporting, preservation, e-discovery)

4.6 Incident response

📘CompTIA Security+ (SY0-701)

1. Root Cause Analysis (RCA)

Definition:
Root Cause Analysis is the process of finding the original cause of a security incident or problem. It’s not just about fixing the issue; it’s about understanding why it happened so it doesn’t happen again.

Key Points for Exam:

  • RCA goes beyond symptoms. For example, if malware infected a server, RCA asks: How did it get there? Was it a phishing email, unpatched software, or misconfigured permissions?
  • Tools used in IT for RCA:
    • Logs: Server logs, firewall logs, and application logs help track the source of problems.
    • SIEM (Security Information and Event Management): Aggregates logs and highlights anomalies.
  • Outcomes of RCA:
    • Corrective actions (patching, configuration changes)
    • Preventive measures (better monitoring, staff training)

Exam Tip: RCA is about finding the “why” and fixing it permanently, not just stopping the immediate problem.

2. Threat Hunting

Definition:
Threat hunting is the proactive process of looking for threats that may already exist in your environment, even if no alerts have triggered.

Key Points for Exam:

  • Proactive, not reactive: Unlike incident response, which reacts to alerts, threat hunting seeks hidden threats.
  • Techniques:
    • Analyzing network traffic for unusual patterns
    • Checking for suspicious login behavior
    • Searching endpoints for malware indicators
  • Tools commonly used:
    • EDR (Endpoint Detection and Response): Monitors endpoints for suspicious activity.
    • Threat intelligence feeds: Provide information about new malware, attack patterns, and IP addresses associated with attacks.
  • Goal: Find threats before they cause major damage.

Example: A security analyst notices a server connecting to an unusual external IP address outside of business hours. This could indicate a hidden malware infection.

Exam Tip: Remember: Threat hunting is proactive detection of threats, often using logs, endpoints, and intelligence feeds.

3. Digital Forensics

Digital forensics is the process of collecting, preserving, analyzing, and reporting on digital evidence after a security incident.

Subtopics to Know:

a) Legal Hold

  • Definition: A legal hold is a process to preserve all data that may be relevant to an investigation.
  • Ensures that evidence is not deleted or altered.
  • Example: If a server is suspected of being compromised, all logs, files, and emails may be put on legal hold.

b) Chain of Custody

  • Definition: Documentation that tracks who has handled the evidence, when, and for what purpose.
  • Important for court or regulatory compliance.
  • Example: If a USB drive containing logs is collected, you record each person who handles it and when.

c) Acquisition

  • Definition: Collecting digital evidence safely.
  • Must not alter the original data.
  • Example: Creating a bit-for-bit copy (forensic image) of a hard drive or memory without changing the original files.

d) Preservation

  • Definition: Making sure evidence remains intact during investigation.
  • Techniques:
    • Write blockers to prevent modification
    • Secure storage of images and logs
  • Example: Preserving emails or server logs for investigation.

e) Analysis

  • Definition: Examining collected data to find the root cause, attacker actions, or scope of compromise.
  • Tools:
    • Forensic software: EnCase, FTK, Autopsy
    • Log analysis tools
  • Example: Tracing the origin of a phishing attack via email headers.

f) Reporting

  • Definition: Documenting findings clearly and accurately.
  • Must be understandable for IT and non-IT stakeholders.
  • Example: A report may summarize compromised accounts, affected systems, and recommended actions.

g) e-Discovery

  • Definition: Electronic discovery refers to searching and providing digital data for legal cases.
  • Example: Extracting emails, files, or chat logs relevant to a compliance investigation.
  • Tools: Specialized e-discovery software that ensures data is collected, indexed, and exported safely.

How These Fit Together in Incident Response

  1. Incident happens → Collect data
  2. RCA → Identify why it happened
  3. Threat Hunting → Check for hidden threats elsewhere
  4. Digital Forensics → Preserve and analyze evidence
  5. Reporting & Lessons Learned → Improve defenses, policies, and compliance

Exam Tips:

  • Know definitions and differences: RCA = root cause, Threat Hunting = proactive search, Digital Forensics = evidence handling.
  • Remember the digital forensics steps: Legal hold → Chain of custody → Acquisition → Preservation → Analysis → Reporting → e-Discovery.
  • Understand IT-focused examples, like server logs, endpoint malware, phishing, and unusual network traffic.
  • Think process flow, not just tools: identify, investigate, preserve, report.

Leave a Reply

Your email address will not be published. Required fields are marked *

Buy Me a Coffee

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by