220-1102 | Chapter 73 of 131 | Objective 2.2

Incident Response for A+

This chapter covers incident response procedures for the CompTIA A+ Core 2 (220-1102) exam, focusing on the Security domain objective 2.2. Incident response is a critical skill for IT support professionals, as security incidents are inevitable. Expect 5-10% of the exam questions to test your knowledge of the incident response process, including identification, containment, eradication, recovery, and reporting. Mastering these steps will help you respond effectively to malware infections, data breaches, and other security events.

25 min read
Intermediate
Updated May 31, 2026

Incident Response Like a Fire Drill

Incident response works much like a well-rehearsed fire drill in a large office building. The building has a fire alarm system (detection), a designated fire warden on each floor (incident response team), and a clear evacuation plan (incident response policy). When a fire starts in a break room, the smoke detector triggers the alarm (detection). The fire warden immediately announces the evacuation (containment), directing people away from the fire area. A second warden uses the fire extinguisher on the small fire (eradication) while another calls the fire department (notification). After the fire is out, the wardens check that everyone is safe (recovery) and then fill out an incident report (post-incident activities). The entire process is practiced quarterly (tabletop exercises) so that everyone knows their role without hesitation. If the warden had not been trained, they might panic and try to fight a large fire themselves instead of evacuating. The incident response equivalent is a common mistake: attempting to contain an incident without the proper authority or tools, which makes it worse.

How It Actually Works

What is Incident Response?

Incident response (IR) is a structured approach to handling security incidents—events that compromise the confidentiality, integrity, or availability of information or systems. For the A+ exam, incident response is not about becoming a forensic analyst; it's about knowing the correct steps a support technician should take when a security incident occurs. The goal is to minimize damage, reduce recovery time, and preserve evidence for potential legal action.

The Incident Response Process (NIST SP 800-61)

The National Institute of Standards and Technology (NIST) defines a four-phase incident response process that is widely adopted and tested on the A+ exam:

1. Preparation – Making the organization ready to handle incidents before they occur.
2. Detection & Analysis – Identifying that an incident has occurred and determining its scope.
3. Containment, Eradication, & Recovery – Stopping the incident, removing the cause, and restoring normal operations.
4. Post-Incident Activity – Learning from the incident to improve future response.

For the A+ exam, you need to know the specific actions within each phase, especially the order of steps during containment and eradication.

Step 1: Preparation

Preparation includes creating an incident response policy, forming a response team, acquiring tools (e.g., imaging software, write blockers), and conducting training and exercises. The exam tests that preparation is the first phase—you cannot respond effectively without a plan.

Step 2: Detection & Analysis

Detection involves monitoring systems for signs of an incident, such as:

Unusual network traffic (e.g., large outbound data transfers)

Antivirus or intrusion detection system (IDS) alerts

User reports of suspicious behavior (e.g., phishing emails)

System crashes or performance degradation

Once detected, the incident must be analyzed to confirm it is a real incident (not a false positive) and to understand its scope: what systems are affected, what data is at risk, and what type of incident it is (malware, unauthorized access, denial of service, etc.).
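As an added example that is not part of the original chapter, a small check for the first detection sign above: it sums the bytes each internal host sent to external addresses over constructed flow records and flags hosts whose total exceeds a threshold. The internal address ranges, the record format and the 100 MiB threshold are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed site ranges; anything outside them is treated as external.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed flow records: timestamp, source, destination, bytes sent by the source.
FLOW_LOG = """\
2024-05-01T02:10:00Z 10.0.5.23 52.1.2.3 48210
2024-05-01T02:11:00Z 10.0.5.23 52.1.2.3 91000000
2024-05-01T02:12:00Z 10.0.5.23 52.1.2.3 120000000
2024-05-01T02:12:30Z 10.0.7.8 10.0.0.5 4000000
2024-05-01T02:13:00Z 10.0.9.40 203.0.113.9 250000
"""


def is_internal(addr):
    a = ip_address(addr)
    return any(a in net for net in INTERNAL)


def outbound_bytes_per_host(log_text):
    """Sum the bytes each internal host sent to external destinations.

    Internal-to-internal flows (e.g. file server traffic) are ignored."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        ts, src, dst, nbytes = line.split()
        if is_internal(src) and not is_internal(dst):
            totals[src] += int(nbytes)
    return dict(totals)


def flag_large_transfers(log_text, threshold_bytes=100 * 1024 * 1024):
    """Return (host, bytes) pairs above the threshold, largest first.

    A hit is a detection lead to analyze and confirm, not yet a confirmed incident."""
    totals = outbound_bytes_per_host(log_text)
    hits = [(host, total) for host, total in totals.items() if total > threshold_bytes]
    return sorted(hits, key=lambda pair: -pair[1])
```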

Step 3: Containment, Eradication, & Recovery

This is the most test-heavy phase. The steps must be performed in order:

#### Containment

Containment aims to stop the incident from spreading and limit damage. Actions include:

- Isolating affected systems – Disconnecting the system from the network (unplugging the Ethernet cable or disabling the wireless adapter).
- Disabling compromised accounts – Immediately disable user accounts that are suspected of being used by an attacker.
- Powering down the system – Only as a last resort, because it may destroy volatile evidence (RAM, running processes). For A+, the preferred containment action is to disconnect from the network, not power off.
- Blocking malicious IP addresses at the firewall.

#### Eradication

Eradication removes the cause of the incident. This may involve:

- Removing malware using antivirus or antimalware tools.
- Patching vulnerabilities that were exploited.
- Rebuilding systems from known-good images – This is the most reliable method to ensure no remnant of the attack remains.
- Resetting compromised passwords.

#### Recovery

Recovery restores the system to normal operation. This includes:

- Restoring data from backups – Ensure backups are clean and not compromised.
- Monitoring for signs of recurrence – Watch for any residual malicious activity.
- Returning systems to production after verification.

Step 4: Post-Incident Activity

After recovery, the incident is not over. Post-incident activities include:

- Documentation – Creating a detailed incident report that includes timeline, actions taken, and evidence collected.
- Lessons learned – Conducting a meeting to discuss what went well and what could be improved.
- Evidence retention – Preserving evidence for potential legal proceedings (chain of custody).
- Policy updates – Updating security policies based on lessons learned.

Key Concepts for the Exam

#### Chain of Custody

Chain of custody is the process of documenting every person who handled evidence, when, and what changes were made. It is critical for legal admissibility. For A+, you must know that evidence must be labeled, sealed, and tracked with a form that includes signatures and timestamps.
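A worked illustration of the chain-of-custody record described above, added here and not part of the original chapter: each hand-off is logged with the handler, a timestamp, the action taken and the evidence hash at that moment, and each entry is linked to the previous one, so a removed or edited entry, or a changed evidence file, fails verification. The evidence id, handler names and the sample attachment are constructed placeholders.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path):
    # Fingerprint of the evidence; any change to the file changes this value.
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def entry_hash(entry):
    # Canonical JSON so the same entry always hashes to the same value.
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


class CustodyLedger:
    def __init__(self, evidence_id, evidence_path):
        self.evidence_id = evidence_id
        self.evidence_path = evidence_path
        self.entries = []

    def record(self, handler, action, timestamp):
        """Log who handled the evidence, when, what they did, and its hash at that moment."""
        prev = entry_hash(self.entries[-1]) if self.entries else "0" * 64
        entry = {
            "handler": handler,         # stands in for the signature on the custody form
            "action": action,
            "timestamp": timestamp,     # ISO 8601 string taken from the form
            "evidence_sha256": sha256_file(self.evidence_path),
            "prev_entry_sha256": prev,  # links this entry to the one before it
        }
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (ok, reason): entries must link in order and the evidence must be unchanged."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            if e["prev_entry_sha256"] != prev:
                return False, f"entry {i} does not link to the previous entry"
            prev = entry_hash(e)
        if self.entries and sha256_file(self.evidence_path) != self.entries[-1]["evidence_sha256"]:
            return False, "evidence hash differs from the last recorded hash"
        return True, "chain intact"


def demo():
    """Constructed walk-through: two hand-offs, then a tampered file and a deleted log entry."""
    path = Path(tempfile.mkdtemp()) / "attachment.eml"       # constructed sample evidence
    path.write_bytes(b"From: sender@example.invalid\nSubject: invoice\n\n(constructed attachment)\n")
    ledger = CustodyLedger("EV-0001", path)                   # evidence id is a placeholder
    ledger.record("J. Smith (helpdesk)", "collected from user workstation", "2024-05-01T09:12:00Z")
    ledger.record("A. Lee (IR team)", "received, labeled and sealed", "2024-05-01T09:40:00Z")
    intact = ledger.verify()[0]
    path.write_bytes(path.read_bytes() + b"edited")           # evidence altered after the last hand-off
    tampered = ledger.verify()[0]
    del ledger.entries[0]                                     # a hand-off removed from the log
    removed = ledger.verify()[0]
    return intact, tampered, removed
```

Printing `ledger.entries` as JSON gives the custody form itself; the handler field is where a real form carries a signature.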

#### First Responder Actions

The first person to discover an incident must:

1. Preserve evidence – Do not modify the system. Avoid using the keyboard or mouse.
2. Report the incident – Notify the incident response team or manager immediately.
3. Isolate the system – Disconnect from the network if instructed, but do not turn off the power.

#### Common Mistakes on the Exam

Powering off the system – This destroys volatile data (RAM, running processes). The correct first step is to isolate the system by disconnecting from the network.

Running antivirus on a compromised system – This may alter evidence. Instead, create a forensic image of the drive before any scanning.

Ignoring the chain of custody – Without proper documentation, evidence is inadmissible in court.

Incident Response in Different Scenarios

#### Malware Infection

If a user reports a pop-up or slow system:

1. Isolate the system from the network.
2. Run a scan with updated antivirus (after imaging if possible).
3. If malware is found, remove it or reimage the system.
4. Reset user passwords.
5. Document the incident.

#### Phishing Attack

If a user clicks a malicious link:

1. Instruct the user to close the browser and not interact further.
2. Disconnect the system from the network.
3. Report the incident to security.
4. Scan the system for malware.
5. Change the user's password.
6. Educate the user.

#### Data Breach

If sensitive data is exfiltrated:

1. Contain the breach (isolate systems, block access).
2. Preserve logs and evidence.
3. Notify legal and management.
4. Determine the scope (what data was taken).
5. Eradicate the vulnerability.
6. Notify affected parties (following legal requirements).

Tools Used in Incident Response

Write blockers – Hardware or software tools that prevent writing to a storage device during forensic imaging.

Forensic imaging software – Creates a bit-for-bit copy of a drive (e.g., FTK Imager, dd).

Antimalware/antivirus – For eradication.

Network monitoring tools – For detection (e.g., Wireshark, IDS).

System imaging tools – For recovery.
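An added example, not from the original chapter, of the bit-for-bit imaging and hash verification that tools such as dd and FTK Imager perform: the source is opened read-only, hashed as it is copied, and the image is accepted only when both the image and the untouched source match the acquisition hash. The sample "drive" is a constructed file standing in for a device behind a write blocker.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20   # 1 MiB per read, the block size of a dd-style copy


def acquire_image(source, image_path):
    """Copy `source` byte for byte into `image_path`, hashing every byte read.

    The returned acquisition hash is what gets written on the custody form."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:   # source is never opened for writing
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
    return h.hexdigest()


def hash_file(path):
    """Verification hash: re-read a file independently of the copy loop."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(source, image_path, acquisition_hash):
    """True only if image and source both still hash to the acquisition value."""
    return hash_file(image_path) == acquisition_hash == hash_file(source)


def demo():
    """Constructed run: image a fake 2 MiB drive, verify, then show a changed image fails."""
    work = Path(tempfile.mkdtemp())
    source = work / "suspect_disk.bin"             # stands in for /dev/sdX behind a write blocker
    source.write_bytes(bytes(range(256)) * 8192)   # constructed drive contents
    image = work / "suspect_disk.dd"
    acq = acquire_image(source, image)
    good = verify_image(source, image, acq)
    # Any later change (here: 16 bytes overwritten in the image) is caught by re-verifying.
    with open(image, "r+b") as f:
        f.seek(4096)
        f.write(b"\x00" * 16)
    after_change = verify_image(source, image, acq)
    return acq, good, after_change
```

Analysis (antivirus scans, carving) is done on a working copy of the verified image, and the hash is rechecked before the image is relied on as evidence.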

Summary of Exam-Critical Points

The correct order of steps: Identify, Contain, Eradicate, Recover, Document.

Never power off a system unless absolutely necessary; isolate from network first.

Chain of custody is essential for evidence.

Preparation is the foundation of effective incident response.

Always report incidents immediately.

Walk-Through

1. Identify the Incident

The first step is to confirm that a security incident has actually occurred. This involves collecting initial information from users, monitoring alerts, or noticing unusual system behavior. For example, a user may report a ransomware pop-up, or an antivirus alert may flag a suspicious file. At this stage, do not touch the system—observe and document what you see. Note the time, date, and any visible symptoms. This information will be crucial for the incident report. The goal is to recognize that something is wrong without altering the state of the system.

2. Contain the Incident

Containment is the immediate priority after identification. The primary action is to isolate the affected system from the network to prevent the spread of malware or unauthorized access. For a single computer, this means unplugging the Ethernet cable or disabling the Wi-Fi. Do not power off the system, as that destroys volatile evidence like running processes and network connections. For a server or network device, you may need to disable the switch port or block the IP address at the firewall. Containment buys time for further analysis and prevents the incident from escalating.

3. Eradicate the Threat

Once contained, the next step is to remove the cause of the incident. This could involve scanning with updated antivirus software to remove malware, patching vulnerabilities that were exploited, or deleting malicious files. For severe infections, the most reliable eradication method is to reimage the system from a known-good backup or clean installation media. If the system is part of a larger attack, you may need to reset all compromised passwords and revoke credentials. Eradication must be thorough to prevent recurrence.

4. Recover the System

Recovery involves restoring the system to normal operation. This includes restoring data from backups, reinstalling applications, and reconnecting the system to the network. Before returning to production, verify that the system is clean and fully patched. Monitor the system closely for any signs of residual malicious activity. Recovery may also involve repairing any damage caused by the incident, such as restoring corrupted files. The goal is to resume business operations with minimal downtime.

5. Document and Report

The final step is to create a detailed incident report that documents everything: how the incident was detected, what actions were taken, what evidence was collected, and what the outcome was. This report serves as a record for legal purposes, helps improve future incident response, and may be required for compliance. Include a timeline, chain of custody documentation, and lessons learned. Reporting should be done to the appropriate authority, such as a manager or security team. Never skip this step—it is as important as the technical response.

What This Looks Like on the Job

In a real enterprise, incident response is a coordinated effort involving multiple teams. Consider a mid-sized company with 500 employees. One day, the helpdesk receives multiple calls about a ransomware message appearing on screens. The first technician identifies the incident and immediately instructs users to disconnect their computers from the network. The incident response team is notified and begins containment by disabling the switch ports of affected systems. They discover that the ransomware spread via a phishing email attachment. The team isolates the email server and blocks the sender's domain at the firewall.

For eradication, they use a centralized antimalware tool to scan all affected endpoints and remove the ransomware. However, because the ransomware encrypted files, they must restore data from backups. The recovery process takes two days, during which users work from offline copies. Post-incident, they identify that the backup system was also partially compromised because the attacker had gained domain admin credentials. This leads to a full password reset for all administrators and implementation of multi-factor authentication.

A common mistake in this scenario is failing to isolate the system quickly enough: if the user stays connected, the ransomware can encrypt network shares. Another is not preserving the email attachment for forensic analysis, which could help identify the attacker. The incident report documents the chain of custody for the email file, showing who handled it and when, so that it can be used as evidence if the attacker is prosecuted. This real-world example highlights why the A+ exam emphasizes the order of steps and the importance of documentation.

How 220-1102 Actually Tests This

On the 220-1102 exam, incident response questions fall under Objective 2.2 (Security) and are typically scenario-based. You will be given a description of an incident and asked to select the correct next step. The most common wrong answers are:

1. Powering off the system – Candidates choose this because they think it stops the attack immediately. However, it destroys volatile evidence. The correct answer is to isolate the system from the network.
2. Running antivirus immediately – While this seems logical, it can alter evidence. The proper sequence is to contain first, then eradicate (which may include antivirus).
3. Ignoring the incident or waiting – Candidates may think the issue will resolve itself. The correct action is to report and contain.
4. Restoring from backup before containment – This can reinfect the system if the backup is compromised. Containment and eradication must come first.

Key terms that appear verbatim: "chain of custody," "write blocker," "forensic image," "isolation," "eradication," "recovery." The exam loves to test the order of steps: Know that containment comes before eradication, and recovery comes after eradication. Also, remember that preparation is the first phase of the NIST framework, even though it occurs before an incident.

Edge cases: If a system is a critical server that cannot be isolated, the correct answer may be to create a forensic image before taking any other action. Another edge case is when the incident involves a physical security breach (e.g., a stolen laptop) – then the priority is to report to law enforcement and change passwords, not network containment.

To eliminate wrong answers, focus on the mechanism: The goal is to preserve evidence and prevent spread. Any action that destroys evidence or spreads the incident is wrong. If in doubt, choose the option that isolates without modifying the system.

Key Takeaways

The correct order of incident response steps: Identify, Contain, Eradicate, Recover, Document.

Never power off a compromised system; isolate from network first.

Chain of custody is required for any evidence that may be used in legal proceedings.

Preparation is the first phase of incident response (NIST SP 800-61).

Containment aims to limit damage; eradication removes the threat.

Always report incidents to the appropriate authority immediately.

Post-incident activities include documentation, lessons learned, and policy updates.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Containment

Goal: Stop the incident from spreading.

Performed immediately after identification.

Actions: Disconnect from network, disable accounts, block IPs.

Does not remove the cause of the incident.

Preserves evidence for later analysis.

Eradication

Goal: Remove the cause of the incident (malware, vulnerability).

Performed after containment.

Actions: Run antivirus, patch, reimage, reset passwords.

May alter or destroy evidence if not done carefully.

Must be thorough to prevent recurrence.

Watch Out for These

Mistake

You should always power off a compromised system immediately.

Correct

Powering off destroys volatile evidence in RAM and active network connections. The correct first step is to isolate the system from the network (e.g., unplug Ethernet). Power off only if the system is a physical threat (e.g., fire) or if instructed by a forensic expert.

Mistake

Running antivirus is the first thing to do when you suspect malware.

Correct

Running antivirus can alter evidence (e.g., quarantine or delete malicious files). The proper order is: identify, contain, then eradicate (which may include antivirus). Always preserve the original state for forensic analysis if possible.

Mistake

Incident response only matters for large companies with security teams.

Correct

Even a small business or home user should follow incident response steps. A+ certifies technicians who work in all environments. Knowing how to contain and report an incident is critical regardless of organization size.

Mistake

Once the incident is over, you can delete all evidence.

Correct

Evidence must be preserved for legal reasons and for post-incident analysis. Chain of custody documentation is required if the incident leads to prosecution. Never destroy evidence without authorization.

Mistake

The incident response process ends when the system is recovered.

Correct

Recovery is not the final step. Post-incident activities (documentation, lessons learned, policy updates) are essential to prevent future incidents. The exam emphasizes that the process continues after recovery.


Frequently Asked Questions

What is the first step in incident response?

The first step is identification: recognizing that an incident has occurred. This involves gathering initial information from alerts, user reports, or system anomalies. Do not modify the system at this stage. After identification, the next step is containment.

Should I turn off a computer infected with ransomware?

No. Turning off the computer destroys volatile evidence such as running processes and network connections. Instead, isolate the system by disconnecting from the network (unplug Ethernet or disable Wi-Fi). Then report the incident to your manager or security team.

What is chain of custody?

Chain of custody is a documented record of every person who handled evidence, the date and time, and any changes made. It ensures evidence is admissible in court. For A+, remember that evidence must be labeled, sealed, and tracked with a form that includes signatures.

Can I run antivirus on a system that is being investigated?

Not immediately. Running antivirus can alter or delete evidence. The correct order is to contain the system (isolate from network), then if possible, create a forensic image of the drive before scanning. Antivirus is part of eradication, which comes after containment.

What is the difference between containment and eradication?

Containment stops the incident from spreading (e.g., disconnecting from network). Eradication removes the cause (e.g., deleting malware, patching). Containment always comes first. For example, if a worm is spreading, you contain by blocking the port, then eradicate by removing the worm from infected systems.

What should be included in an incident report?

An incident report should include: date and time of discovery, how it was detected, systems affected, actions taken (containment, eradication, recovery), evidence collected (with chain of custody), and lessons learned. It should be submitted to management or the security team.

How does the A+ exam test incident response?

The exam uses scenario-based multiple-choice questions. You are given a situation (e.g., 'A user reports a pop-up demanding payment') and asked to select the best next step. The key is to know the correct order of steps and to avoid common mistakes like powering off or running antivirus too early.

