5.4 Map elements to these steps of analysis based on the NIST.SP800-61
📘Cisco Certified CyberOps Associate (200-201 CBROPS)
1. Containment
Purpose:
Containment is about stopping the attack from spreading and limiting damage while keeping your systems under control. Think of it as putting a firewall around the infected systems so the threat doesn’t jump to other computers or servers.
Key Concepts:
- Short-term containment: Quickly stop the threat to prevent further damage.
Example in IT:- Disconnecting an infected server from the network.
- Blocking a suspicious IP address at the firewall.
- Stopping a malicious process on a workstation.
- Long-term containment: Keep systems operational while ensuring the threat is controlled.
Example in IT:- Creating a separate VLAN for infected machines so users can still access essential services safely.
- Using backup servers to temporarily replace affected services.
Notes for Exam:
- Containment does not remove the threat; it just limits damage.
- You need to document everything during containment: what actions were taken and why.
2. Eradication
Purpose:
Eradication is about removing the root cause of the incident so it cannot happen again. Once you contain the threat, you now need to clean it up completely.
Key Steps in IT:
- Identify all affected systems:
- Find all devices, servers, or user accounts impacted by the incident.
- Remove malware or malicious activity:
- Delete malicious files or scripts.
- Remove unauthorized accounts or access permissions.
- Apply software patches if the attack exploited a vulnerability.
- Verify that the threat is gone:
- Run antivirus scans or endpoint detection tools.
- Ensure no backdoors or malware remnants remain.
Example in IT:
- If a ransomware infected a file server:
- Delete the ransomware executable.
- Restore the affected files from a clean backup.
- Patch the server to prevent the same exploit.
Notes for Exam:
- Eradication is different from containment. Containment limits damage, eradication removes the threat.
- Always confirm that the environment is clean before moving to recovery.
3. Recovery
Purpose:
Recovery is about restoring systems and services to normal operations safely. You must ensure the systems are fully functional and secure before allowing users back in.
Key Steps in IT:
- Restore systems from clean backups or after eradication:
- Example: Restore a server from a backup taken before it was infected.
- Validate system functionality:
- Check if applications, network services, and security controls are working properly.
- Example: Test a database server to ensure it’s accepting connections correctly.
- Monitor for signs of reinfection:
- Keep an eye on logs and alerts to make sure the threat does not return.
- Example: Monitor endpoint security tools for unusual activity.
Notes for Exam:
- Recovery may happen in stages to avoid further impact.
- Communication is important: inform stakeholders when systems are safe and ready.
Summary Table – Quick Reference
| Step | Goal | Key Actions (IT Example) |
|---|---|---|
| Containment | Stop spread of attack | Disconnect infected PC, block malicious IP, isolate server |
| Eradication | Remove threat completely | Delete malware, remove backdoors, patch vulnerabilities |
| Recovery | Restore systems safely | Restore from backup, validate functionality, monitor logs |
Exam Tips
- Remember the order: Contain → Eradicate → Recover.
- Focus on IT-focused examples for answers; generic real-life examples are not enough.
- Be ready to identify short-term vs long-term containment.
- Understand the difference between containment and eradication.
- Know the importance of monitoring during recovery to prevent reinfection.
