Cisco Certified CyberOps Associate (200-201 CBROPS)
🔷 What is Incident Handling?
Incident handling is the process used to:
- Detect
- Analyze
- Contain
- Remove
- Recover from
- Learn from
a security incident (such as malware infection, unauthorized access, or data breach).
The standard used is:
NIST SP 800-61 (Computer Security Incident Handling Guide)
🔷 The 4 Phases of Incident Handling
According to NIST, there are 4 main phases:
- Preparation
- Detection and Analysis
- Containment, Eradication, and Recovery
- Post-Incident Activity
🟩 1. Preparation Phase
🔹 Purpose:
To get ready before an incident happens
🔹 Key Activities:
- Create an Incident Response Plan (IRP)
- Define roles and responsibilities
- Train the incident response team
- Set up tools and systems
- Maintain asset inventory
- Establish communication channels
🔹 Important Components:
- Security tools:
  - SIEM (Security Information and Event Management)
  - IDS/IPS (Intrusion Detection/Prevention Systems)
  - Antivirus / EDR
- Documentation:
  - Policies
  - Procedures
  - Contact lists
🔹 Example (IT-based):
- Configure SIEM to collect logs from servers and firewalls
- Maintain a list of critical servers and their owners
🔹 Exam Tips:
- Preparation is proactive
- Focuses on readiness and prevention
🟨 2. Detection and Analysis Phase
🔹 Purpose:
To identify whether an event is actually a security incident
🔹 Key Activities:
- Monitor alerts
- Analyze logs and data
- Confirm incident
- Determine scope and impact
🔹 Steps:
1. Event Detection
   - Alerts from:
     - SIEM
     - IDS/IPS
     - Antivirus
     - Users
2. Event Analysis
   - Check:
     - Log files
     - Network traffic
     - System behavior
3. Incident Validation
   - Determine:
     - Is it a false positive or a real attack?
4. Incident Classification
   - Categorize:
     - Malware
     - Phishing
     - Unauthorized access
     - DoS attack
5. Prioritization
   - Based on:
     - Impact (high/medium/low)
     - Sensitivity of affected system
🔹 Example (IT-based):
- SIEM alert shows multiple failed logins → analyze logs → confirm brute-force attack
🔹 Exam Tips:
- Focus on:
  - Distinguishing events vs incidents
  - False positives vs true positives
  - Severity classification
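As an added illustration of the five Detection and Analysis steps applied to the failed-login scenario (example code written for these notes, not part of the CBROPS course material): it aggregates constructed sshd-style log lines per source IP, decides whether the activity is only an event or a real incident, classifies it, and prioritizes it using an assumed asset-sensitivity list from the Preparation phase. The failure threshold, the host name and the IP addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sshd-style log lines; the host name and IP addresses are made up.
SAMPLE_LOGS = """\
Mar 10 08:01:02 web01 sshd[1201]: Failed password for admin from 203.0.113.5 port 51001 ssh2
Mar 10 08:01:04 web01 sshd[1201]: Failed password for admin from 203.0.113.5 port 51002 ssh2
Mar 10 08:01:06 web01 sshd[1201]: Failed password for root from 203.0.113.5 port 51003 ssh2
Mar 10 08:01:08 web01 sshd[1201]: Failed password for admin from 203.0.113.5 port 51004 ssh2
Mar 10 08:01:10 web01 sshd[1201]: Failed password for admin from 203.0.113.5 port 51005 ssh2
Mar 10 08:01:12 web01 sshd[1201]: Accepted password for admin from 203.0.113.5 port 51006 ssh2
Mar 10 08:05:00 web01 sshd[1202]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar 10 08:05:30 web01 sshd[1202]: Accepted password for alice from 198.51.100.7 port 40002 ssh2
"""

LOGIN = re.compile(r"(Failed|Accepted) password for (\S+) from (\S+)")
THRESHOLD = 5  # assumed tuning value: failures from one source before it is an incident
ASSET_SENSITIVITY = {"web01": "high"}  # assumed asset inventory from the Preparation phase

def analyze(log_text):
    """Steps 1-2 (detection and analysis): aggregate login events per source IP."""
    stats = defaultdict(lambda: {"failed": 0, "accepted": 0, "users": set()})
    for line in log_text.splitlines():
        m = LOGIN.search(line)
        if not m:
            continue  # not a login event, so nothing to count
        outcome, user, src = m.groups()
        stats[src]["failed" if outcome == "Failed" else "accepted"] += 1
        stats[src]["users"].add(user)
    return stats

def triage(stats, host):
    """Steps 3-5: validate (event vs incident), classify and prioritize each source."""
    verdicts = {}
    for src, s in stats.items():
        if s["failed"] < THRESHOLD:
            verdicts[src] = {"status": "event"}  # a mistyped password is an event, not an incident
            continue
        # Many failures followed by a success from the same source suggests the
        # brute force worked, which changes the category and raises the priority.
        category = "unauthorized access" if s["accepted"] else "brute-force attempt"
        sensitive = ASSET_SENSITIVITY.get(host) == "high"
        priority = "high" if (s["accepted"] or sensitive) else "medium"
        verdicts[src] = {"status": "incident", "category": category, "priority": priority}
    return verdicts

if __name__ == "__main__":
    for src, verdict in triage(analyze(SAMPLE_LOGS), "web01").items():
        print(src, verdict)
```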
🟥 3. Containment, Eradication, and Recovery
This is the main response phase
🔸 A. Containment
🔹 Purpose:
Stop the incident from spreading
🔹 Types:
- Short-term containment
  - Immediate action
- Long-term containment
  - Temporary fixes until full solution
🔹 Actions:
- Isolate infected system
- Block malicious IP addresses
- Disable compromised accounts
🔹 Example:
- Disconnect infected host from network
🔸 B. Eradication
🔹 Purpose:
Remove the root cause of the incident
🔹 Actions:
- Delete malware
- Remove unauthorized access
- Patch vulnerabilities
🔹 Example:
- Remove malicious files and close exploited ports
🔸 C. Recovery
🔹 Purpose:
Restore systems to normal operation
🔹 Actions:
- Restore from backups
- Reconnect systems to network
- Monitor for re-infection
🔹 Example:
- Restore clean server image and monitor logs
🔹 Exam Tips:
- Containment = stop spread
- Eradication = remove cause
- Recovery = restore operations
🟦 4. Post-Incident Activity
🔹 Purpose:
Learn from the incident and improve security
🔹 Key Activities:
- Conduct lessons learned meeting
- Document the incident
- Update policies and procedures
- Improve detection and response
🔹 Reporting:
- Incident reports include:
  - Timeline
  - Impact
  - Actions taken
  - Recommendations
🔹 Example:
- Update firewall rules after analyzing attack behavior
🔹 Exam Tips:
- Focus on:
  - Documentation
  - Process improvement
  - Future prevention
🔷 Applying the Process to an Event (Important for Exam)
When given a scenario, you must:
Step 1: Identify the Phase
Ask:
- Is this preparation?
- Is this detection?
- Is this response?
- Is this post-incident?
Step 2: Identify the Correct Action
| Situation | Phase | Action |
|---|---|---|
| Writing IR plan | Preparation | Planning |
| SIEM alert triggered | Detection | Analyze logs |
| System isolated | Containment | Stop spread |
| Malware removed | Eradication | Clean system |
| System restored | Recovery | Resume operations |
| Report written | Post-Incident | Documentation |
🔷 Key Concepts You Must Know
🔹 1. Incident vs Event
- Event = Any observable activity
- Incident = Event that violates security policy
🔹 2. Indicators of Compromise (IoCs)
- Evidence of attack:
  - Suspicious IP
  - File hashes
  - Domain names
🔹 3. Chain of Custody
- Track evidence handling for legal use
🔹 4. Communication
- Internal:
  - Security team
- External:
  - Management
  - Legal teams
🔹 5. Documentation
- Every step must be recorded
🔷 Common Tools Used
- SIEM → Log analysis
- EDR → Endpoint detection
- IDS/IPS → Network monitoring
- Packet analyzers → Traffic inspection
🔷 Common Exam Question Patterns
You may be asked to:
- Identify which phase an action belongs to
- Choose the correct next step in a scenario
- Differentiate between containment and eradication
- Recognize proper incident response workflow
- Identify incorrect actions in a phase
🔷 Quick Summary (Memory Trick)
PDCR Model:
- P → Preparation
- D → Detection & Analysis
- C → Containment, Eradication, Recovery
- R → Reporting (Post-Incident)
🔷 Final Exam Tips
- Always think in order of phases
- Understand why each step is done
- Focus on decision-making in scenarios
- Know the difference between:
  - Detection vs Response
  - Containment vs Eradication
  - Event vs Incident
