4.6 Incident response
📘CompTIA Security+ (SY0-701)
Incident Response Process
Incident response is the structured approach an organization uses to handle and recover from security incidents, such as a malware infection, data breach, or ransomware attack. The main goal is to minimize damage, restore normal operations, and prevent future incidents. The process has seven key steps:
1. Preparation
What it is:
Preparation is all about getting ready before an incident happens. It involves creating policies, procedures, tools, and training staff.
Key components:
- Incident response plan (IRP): A document detailing what to do when an incident occurs.
- Policies & standards: Rules for security, like how passwords are managed or access is granted.
- Tools & resources: Security software like firewalls, SIEM (Security Information and Event Management) systems, antivirus, and forensic tools.
- Training & awareness: Teaching employees how to recognize phishing emails or suspicious activity.
IT Example:
A company deploys endpoint detection software on all employee computers and ensures the IT team knows how to respond if malware is detected. They also run tabletop exercises where the team practices responding to simulated attacks.
2. Detection (and Identification)
What it is:
Detection is about discovering that a security incident may have occurred: this step decides whether an observed event is benign or an actual incident that needs a response.
Key actions:
- Monitoring logs, network traffic, and alerts from security tools.
- Using SIEM systems to correlate suspicious activity.
- Identifying anomalies like unusual login times or spikes in network traffic.
IT Example:
A network monitoring tool flags unusual outgoing traffic from a server. This may indicate malware is sending data outside the company.
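As an added illustration of the detection step (example code written for these notes, not from CompTIA or any named monitoring product), the script below runs two simple SIEM-style rules over constructed log records: a per-host spike in outbound bytes measured against that host's own median, and successful logins outside business hours. The host names, IP addresses, log format, and thresholds are all assumptions a real rule would tune for its environment.

```python
"""Two minimal detection rules over constructed log data (added example, not
from the study notes or any vendor tool). Thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed hourly flow summary: (timestamp, source host, bytes sent outbound)
FLOW_LOG = [
    ("2024-05-06T09:00:00", "srv-web-01", 12_000),
    ("2024-05-06T10:00:00", "srv-web-01", 15_000),
    ("2024-05-06T11:00:00", "srv-web-01", 11_000),
    ("2024-05-06T12:00:00", "srv-web-01", 14_000),
    ("2024-05-06T13:00:00", "srv-web-01", 480_000),   # constructed spike
    ("2024-05-06T09:00:00", "srv-db-01", 3_000),
    ("2024-05-06T10:00:00", "srv-db-01", 2_500),
    ("2024-05-06T11:00:00", "srv-db-01", 3_200),
]

# Constructed auth log lines in a syslog-like layout
AUTH_LOG = [
    "2024-05-06T08:45:10 sshd accepted password for alice from 10.0.0.5",
    "2024-05-06T17:30:02 sshd accepted password for bob from 10.0.0.7",
    "2024-05-06T03:12:44 sshd accepted password for alice from 203.0.113.9",
    "2024-05-06T03:15:01 sshd failed password for root from 203.0.113.9",
]

WORK_START, WORK_END = 8, 18   # assumption: business hours are 08:00-17:59
SPIKE_FACTOR = 3.0             # assumption: flag > 3x the host's median hourly bytes
MIN_SAMPLES = 3                # need some history before a baseline means anything


def outbound_spikes(flow_log, factor=SPIKE_FACTOR):
    """Return (host, timestamp, bytes, median) for every hour in which a host
    sent more than `factor` times its own median outbound volume."""
    per_host = defaultdict(list)
    for ts, host, sent in flow_log:
        per_host[host].append((ts, sent))
    alerts = []
    for host, samples in per_host.items():
        if len(samples) < MIN_SAMPLES:
            continue  # too little history to form a baseline; skip rather than guess
        baseline = median(sent for _, sent in samples)
        for ts, sent in samples:
            if sent > factor * baseline:
                alerts.append((host, ts, sent, baseline))
    return alerts


def off_hours_logins(auth_log, start=WORK_START, end=WORK_END):
    """Return (timestamp, user, source IP) for successful logins outside
    the [start, end) hour window. Failed attempts are ignored by this rule."""
    hits = []
    for line in auth_log:
        parts = line.split()
        if "accepted" not in parts:
            continue  # only successful logins count for this rule
        ts = datetime.fromisoformat(parts[0])
        user = parts[parts.index("for") + 1]
        src = parts[parts.index("from") + 1]
        if not (start <= ts.hour < end):
            hits.append((parts[0], user, src))
    return hits


if __name__ == "__main__":
    for host, ts, sent, base in outbound_spikes(FLOW_LOG):
        print(f"ALERT outbound spike: {host} sent {sent} bytes at {ts} (median {base:.0f})")
    for ts, user, src in off_hours_logins(AUTH_LOG):
        print(f"ALERT off-hours login: {user} from {src} at {ts}")
```

Both rules only surface candidates; the Analysis step that follows is where an analyst confirms whether the 480,000-byte hour was a backup job or data leaving the company, and whether the 03:12 login was a legitimate on-call engineer.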
3. Analysis (or Triage)
What it is:
Once an incident is detected, analysis helps determine the scope, cause, and impact. It answers:
- What systems are affected?
- How serious is the incident?
- Who or what caused it?
Key actions:
- Examine logs and alerts.
- Determine whether the incident is confined to a single system or widespread.
- Decide priorities (e.g., critical servers first).
IT Example:
The IT team analyzes logs and finds that a ransomware infection affected three servers and is trying to encrypt files. They classify it as high severity.
4. Containment
What it is:
Containment aims to stop the incident from spreading and limit damage.
Key strategies:
- Short-term containment: Immediate actions to isolate affected systems.
- Long-term containment: More structured fixes to prevent recurrence while allowing business continuity.
IT Example:
Disconnect infected servers from the network to prevent the ransomware from spreading, while keeping unaffected servers online.
5. Eradication
What it is:
Eradication removes the root cause of the incident from the systems.
Key actions:
- Remove malware or malicious code.
- Close vulnerabilities (e.g., patch software, update firewalls).
- Delete unauthorized accounts or access points.
IT Example:
IT deletes the ransomware executable from the server and applies a security patch to prevent reinfection.
6. Recovery
What it is:
Recovery is about restoring systems and services to normal operations safely.
Key actions:
- Restore data from backups if needed.
- Bring systems back online gradually, monitoring for residual threats.
- Confirm the environment is secure before fully resuming operations.
IT Example:
After cleaning the server, IT restores encrypted files from backups and reconnects the server to the network. They continue monitoring for unusual activity.
7. Lessons Learned
What it is:
This step reviews and documents the incident so that similar incidents can be prevented in the future.
Key actions:
- Conduct a post-mortem meeting.
- Identify what went well and what failed.
- Update policies, procedures, and tools based on findings.
IT Example:
The team discovers the ransomware entered through an unpatched vulnerability. They update the patch management process and provide staff with phishing awareness training.
Summary Table for Exam Prep
| Step | Purpose | IT Example |
|---|---|---|
| Preparation | Be ready before an incident happens | Implement endpoint protection, train staff |
| Detection | Identify suspicious activity or incidents | SIEM alerts of unusual server traffic |
| Analysis | Determine cause, impact, and scope | Logs show ransomware affecting three servers |
| Containment | Stop spread, limit damage | Isolate infected servers |
| Eradication | Remove root cause of incident | Delete malware, patch vulnerabilities |
| Recovery | Restore systems to normal safely | Restore from backups, reconnect servers |
| Lessons Learned | Improve future security | Update policies, train staff, strengthen defenses |
Exam Tip:
For Security+ SY0-701, remember the order of these steps:
Preparation → Detection → Analysis → Containment → Eradication → Recovery → Lessons Learned
You may see questions asking “what step comes next” or “which step does this action belong to?”
