This chapter covers the incident response process, a core domain of the CS0-003 exam. Incident response and management (Domain 3.0) accounts for about 20% of the exam, making it one of the most heavily tested areas. You will need to know the formal phases (NIST SP 800-61), the order of steps, key documentation, and how to distinguish between similar-sounding activities like containment and eradication. This chapter provides a deep, mechanism-level understanding of each phase, including specific tools, commands, and artifacts that the exam expects you to know.
Incident response is like a fire department's response to a building fire. The fire alarm (IDS/IPS) detects smoke or heat (anomalous activity) and triggers an alert. The dispatcher (SIEM) correlates multiple alarms, determines the fire's location and severity, and pages the fire crew (incident response team). The crew arrives, performs triage: they assess whether it's a small trash fire (low-severity incident) or a chemical blaze requiring hazmat (critical incident). They establish command (incident commander) who coordinates: one team evacuates occupants (isolate affected systems), another fights the fire (contain and eradicate the threat), and a third documents everything (forensic evidence collection). After the fire is out, they investigate the cause (root cause analysis) and recommend changes: install sprinklers (update security controls), revise evacuation routes (update incident response plan), and conduct a drill (lessons learned). Every step is documented for insurance (compliance) and to improve future response. Just as a fire crew doesn't improvise at the scene, an incident response team follows a structured, pre-practiced process to minimize damage and restore normal operations quickly.
What is the Incident Response Process?
The incident response process is a structured, documented approach for handling security incidents. It ensures that when a breach or attack occurs, the organization can detect it quickly, contain the damage, eradicate the threat, and recover normal operations while preserving evidence for legal or disciplinary action. The process is defined by NIST SP 800-61 Revision 2 and consists of four main phases: Preparation, Detection & Analysis, Containment Eradication & Recovery, and Post-Incident Activity. The exam tests your knowledge of these phases, their sub-steps, and the order in which they occur.
Why a Formal Process Exists
Without a formal process, incident response becomes chaotic. People panic, steps are skipped, evidence is destroyed, and the same incident may recur. The process provides:
Consistency: Every incident is handled the same way, reducing errors.
Efficiency: Teams know their roles and don't waste time deciding what to do.
Legal Defensibility: Proper evidence handling ensures that findings can be used in court or termination proceedings.
Continuous Improvement: Lessons learned feed back into security controls and the plan itself.
The Four Phases (NIST SP 800-61)
The exam expects you to know these phases in order and what happens in each:
Preparation - The organization gets ready before an incident occurs.
Detection & Analysis - The incident is discovered and assessed.
Containment, Eradication & Recovery - The threat is stopped, removed, and normal operations are restored.
Post-Incident Activity - Lessons are learned, and the plan is improved.
Let's drill into each phase.
Phase 1: Preparation (Before Anything Happens)
Preparation is the most critical phase because it determines the success of all subsequent phases. The exam tests specific preparation activities:
Policy and Plan Development: Create an incident response policy that defines what constitutes an incident, roles and responsibilities, and escalation paths. The incident response plan (IRP) operationalizes the policy with step-by-step procedures.
Team Formation: Establish a Computer Security Incident Response Team (CSIRT) with defined roles: incident commander, technical lead, communications lead, legal counsel, etc.
Tooling and Infrastructure: Deploy detection tools (IDS/IPS, SIEM, EDR), forensic workstations, secure storage for evidence, and communication channels (e.g., encrypted chat, phone tree).
Training and Exercises: Conduct tabletop exercises and full-scale simulations to test the plan. The exam may ask about the difference between a tabletop exercise (discussion-based) and a full-scale exercise (operational).
Baselines: Establish normal network and system behavior baselines to make anomalies easier to detect.
Common trap: Candidates confuse preparation with prevention. Preparation does not prevent incidents; it ensures effective response when they occur.
Phase 2: Detection & Analysis
This phase involves identifying that an incident is occurring or has occurred, and analyzing the scope and impact. The exam tests specific detection sources and analysis techniques.
Detection Sources:
IDS/IPS Alerts: Signature-based (known attacks) or anomaly-based (behavioral deviations).
SIEM Correlation: Aggregates logs from multiple sources (firewalls, servers, endpoints) and triggers alerts based on rules.
Log Analysis: Manual review of system, application, and security logs.
User Reports: End users reporting suspicious activity (phishing emails, unusual system behavior).
Threat Intelligence Feeds: Indicators of compromise (IOCs) from external sources.
File Integrity Monitoring (FIM): Detects unauthorized changes to critical files.
Analysis Steps:
Validate the Alert: Determine if the alert is a true positive or a false positive. For example, a user downloading a large file might be a false positive if it's a legitimate backup. The exam loves testing this step.
Profile the Incident: Gather initial information: what systems are affected, what type of attack (malware, unauthorized access, DDoS), and the current impact.
Escalate if Necessary: Based on severity (e.g., critical if sensitive data is exfiltrated), escalate to the incident commander.
Document Everything: Create a ticket or log entry with timestamps, actions taken, and evidence collected.
Common Analysis Techniques:
Indicators of Compromise (IOCs): Specific artifacts like file hashes, IP addresses, domain names, registry keys. The exam may ask you to distinguish between IOCs and IOAs (Indicators of Attack), which focus on behavior rather than static artifacts.
Indicators of Attack (IOAs): Behavioral patterns, e.g., a process spawning cmd.exe unexpectedly.
Threat Hunting: Proactively searching for threats using hypothesis-driven analysis, not waiting for alerts.
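The IOC/IOA distinction above is easiest to see in detection logic. The following is an added example, not code from the original page: it runs a set of static indicators (exact hash, IP and domain lookups) and two behavioural rules (an Office application spawning a shell, and encoded PowerShell) over constructed endpoint telemetry. Every hash, address, domain, host name and rule name is constructed for illustration; the IP is from the TEST-NET-3 documentation range and the domain uses the reserved .invalid TLD. A host with both kinds of hit is corroborated and escalated; a host with a single signal is queued for the validation step (true positive or false positive) before anyone touches containment.

```python
"""Static IOC matching beside behavioural IOA rules over constructed endpoint
telemetry. Added example, not code from the original page; every hash, IP,
domain, host name and rule name is constructed for illustration."""
from typing import Dict, List

# Constructed static indicators (IOCs), the kind a threat-intel feed delivers.
IOC_HASHES = {"7f3a9c0d1e2b4f5a6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b": "invoice.docm dropper"}
IOC_IPS = {"203.0.113.45": "command-and-control"}
IOC_DOMAINS = {"updates.example.invalid": "staging host"}

# Behavioural rules (IOAs) key off relationships between events, not artifacts.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "mshta.exe"}


def match_iocs(event: dict) -> List[str]:
    """Return the static indicators this event matches (exact lookups only)."""
    hits = []
    sha = (event.get("sha256") or "").lower()
    if sha in IOC_HASHES:
        hits.append(f"ioc:hash:{IOC_HASHES[sha]}")
    ip = event.get("dest_ip")
    if ip in IOC_IPS:
        hits.append(f"ioc:ip:{ip}")
    domain = (event.get("dest_domain") or "").lower()
    if domain in IOC_DOMAINS:
        hits.append(f"ioc:domain:{domain}")
    return hits


def match_ioas(event: dict) -> List[str]:
    """Return the behavioural rules this event trips; only process events apply."""
    hits = []
    if event.get("type") != "process":
        return hits
    parent = (event.get("parent") or "").lower()
    image = (event.get("image") or "").lower()
    cmdline = (event.get("cmdline") or "").lower()
    if parent in OFFICE_APPS and image in SHELLS:
        hits.append("ioa:office-spawns-shell")
    if image in {"powershell.exe", "pwsh.exe"} and ("-enc " in cmdline or "-encodedcommand" in cmdline):
        hits.append("ioa:encoded-powershell")
    return hits


def triage(events: List[dict]) -> Dict[str, dict]:
    """Group hits per host and decide the next analysis step.

    Both a static IOC and a behavioural IOA on one host corroborate each other,
    so that host is escalated; a single signal is queued for validation first."""
    by_host: Dict[str, dict] = {}
    for ev in events:
        iocs, ioas = match_iocs(ev), match_ioas(ev)
        if not (iocs or ioas):
            continue
        rec = by_host.setdefault(ev["host"], {"iocs": [], "ioas": []})
        rec["iocs"].extend(iocs)
        rec["ioas"].extend(ioas)
    for rec in by_host.values():
        rec["verdict"] = "escalate" if rec["iocs"] and rec["ioas"] else "validate"
    return by_host


# Constructed sample telemetry, roughly what an EDR export looks like.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS-042", "parent": "WINWORD.EXE", "image": "cmd.exe",
     "cmdline": "cmd.exe /c powershell.exe -enc SQBFAFgA"},
    {"type": "process", "host": "WS-042", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -enc SQBFAFgA"},
    {"type": "file", "host": "WS-042", "path": "C:\\Users\\jdoe\\Downloads\\invoice.docm",
     "sha256": "7f3a9c0d1e2b4f5a6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b"},
    {"type": "network", "host": "WS-042", "dest_ip": "203.0.113.45", "dest_port": 443},
    # Admin opening a shell from the desktop: no IOC, no IOA, never surfaces.
    {"type": "process", "host": "SRV-DB01", "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe"},
    # Single static hit with no supporting behaviour: could be a scanner, so validate first.
    {"type": "network", "host": "SRV-PROXY01", "dest_ip": "203.0.113.45", "dest_port": 443},
]

if __name__ == "__main__":
    for host, rec in triage(SAMPLE_EVENTS).items():
        print(host, rec["verdict"], rec["iocs"] + rec["ioas"])
```

Note that the explorer.exe to cmd.exe event never appears in the output even though cmd.exe is on the shell list: the IOA is the parent/child relationship, not the binary name, which is exactly why IOAs survive an attacker renaming or re-hashing a payload while IOCs do not.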
Key Timers and Thresholds:
Mean Time to Detect (MTTD): Average time between compromise and detection. The exam may not ask for a specific value but expects you to know this metric.
Mean Time to Respond (MTTR): Average time between detection and containment/eradication. Be aware that the R is also expanded as Resolve or Recover in some sources, which changes where the clock stops; on the exam, use the definition given in the question rather than assuming one.
Service Level Agreements (SLAs): For example, critical incidents must be contained within 1 hour.
Phase 3: Containment, Eradication & Recovery
This phase stops the threat from spreading, removes it from the environment, and restores normal operations. The exam tests the order of these steps and specific containment strategies.
Containment
Containment aims to limit the damage and prevent the attacker from moving laterally. Strategies include:
Short-Term Containment: Immediate actions like disconnecting affected systems from the network (pull the cable, disable the switch port, or use EDR network isolation), blocking suspicious IP addresses at the firewall, or disabling compromised user accounts. The exam may ask: "What is the first action in containment?" Answer: Isolate affected systems from the network. Isolate rather than power off: shutting down destroys volatile evidence (memory, running processes, active connections) that analysis still needs. And containment begins only after the alert has been validated as a true positive, not the moment it fires.
Long-Term Containment: Applying temporary security controls, such as implementing network segmentation, applying firewall rules, or deploying patches.
Eradication
Eradication removes the root cause of the incident. This may involve:
Removing Malware: Using antivirus or specialized removal tools.
Patching Vulnerabilities: Applying security patches that were exploited.
Rebuilding Systems: Reformatting and reinstalling compromised systems from known-good images.
Disabling Backdoors: Removing attacker-created accounts, scheduled tasks, or remote access tools.
Recovery
Recovery restores normal operations. Steps include:
Restoring from Backups: Ensure backups are clean (not compromised) before restoring.
Monitoring for Recurrence: Increased monitoring of restored systems for signs of the attacker returning.
Gradual Restoration: Bring systems back online in a staged manner, verifying each stage.
Communication: Notify stakeholders (management, affected users, customers, if required).
Common Trap: Candidates often confuse containment with eradication. Containment is about stopping the spread; eradication is about removing the threat. The exam may ask: "After containment, what is the next step?" Answer: Eradication.
Phase 4: Post-Incident Activity
This phase ensures that the organization learns from the incident and improves its security posture. The exam tests specific activities:
Lessons Learned Meeting: A formal meeting within two weeks of the incident to discuss what went well, what went wrong, and how to improve.
Root Cause Analysis (RCA): A detailed investigation to determine the underlying cause of the incident (e.g., unpatched vulnerability, weak password, misconfigured firewall).
Incident Report: A comprehensive document that includes timeline, evidence, actions taken, findings, and recommendations. This report may be used for legal purposes, insurance claims, or regulatory compliance.
Update Incident Response Plan: Based on lessons learned, update the IRP, playbooks, and tool configurations.
Update Security Controls: Implement new detections, block IOCs, patch vulnerabilities, and improve training.
Key Artifacts:
Chain of Custody: Documentation of who handled evidence and when, to ensure admissibility in court.
Forensic Image: Bit-for-bit copy of a compromised system's storage (or memory), hashed at acquisition so that any later copy can be proven identical to the original.
Timeline Analysis: Correlating logs from multiple sources to reconstruct the attack sequence.
Interaction with Other Processes
The incident response process does not operate in isolation. It interacts with:
Business Continuity and Disaster Recovery (BC/DR): If an incident causes major disruption, the BC/DR plan may be activated to restore critical business functions.
Threat Intelligence: IOCs from incidents can be fed back into threat intelligence platforms to improve future detection.
Vulnerability Management: Incidents often reveal unpatched vulnerabilities, triggering emergency patching cycles.
Change Management: Recovery may involve changes to systems, which must go through change management to avoid introducing new issues.
Specific Commands and Tools
The exam expects you to know the purpose of common incident response tools and commands.
Windows:
- wevtutil (e.g., wevtutil epl Security C:\evidence\Security.evtx) or Get-WinEvent (PowerShell) to export and query event logs.
- netstat -anob to display active connections with owning process IDs and executables (-b requires an elevated prompt).
- tasklist /svc to list running processes and the services hosted in each.
- reg query to examine registry keys, including persistence locations such as the Run keys.
- fsutil for file-system queries, e.g., fsutil fsinfo for volume details or fsutil usn readjournal to read the NTFS change journal.
- PowerShell Get-Process and Get-Service for process/service enumeration.
Linux:
- ps aux to list processes (ps -ef adds the parent PID, useful for spotting odd parent/child pairs).
- netstat -tulpn to show listening ports and associated processes (ss -tulpn on distributions that no longer ship netstat).
- lsof -i to list open files and network connections.
- journalctl or tail -f /var/log/syslog to view system logs.
- dd if=/dev/sda of=/mnt/evidence/image.dd bs=4M conv=noerror,sync to create a forensic image. Read the source through a write blocker (or at minimum never mount it read-write), write the image to separate evidence storage rather than the disk being imaged, and hash both the device and the image.
- md5sum or sha256sum to compute file hashes; record the hash of every image and exported artifact at acquisition so it can be re-verified later.
Network:
- tcpdump to capture network traffic.
- Wireshark for deep packet analysis.
- nmap for network reconnaissance (but be careful not to disrupt production).
- curl or wget to test connectivity or download samples.
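The dd and sha256sum entries above, and the chain-of-custody and forensic-image artifacts described earlier, fit together as one procedure: hash the evidence when it is acquired, record who held it and when, and re-hash whenever it changes hands. The following is an added example, not code from the page, showing that procedure in software. A temporary file stands in for the block device dd would read through a write blocker; the case identifier, custodian names and image content are constructed. The verify step fails the moment a single byte of the image differs from what every prior custody entry recorded.

```python
"""Hash-verified evidence acquisition with a chain-of-custody record.
Added example, not the page's own code; the image content, custodian names
and case identifier are constructed, and a temporary file stands in for the
block device that dd would read through a write blocker."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from typing import List, Tuple


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 in 1 MiB chunks, like sha256sum does."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ChainOfCustody:
    """Append-only log: who did what to which evidence, when, and its hash."""

    def __init__(self, case_id: str):
        self.case_id = case_id
        self.entries: List[dict] = []

    def record(self, action: str, custodian: str, path: str) -> dict:
        entry = {
            "case": self.case_id,
            "when": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "custodian": custodian,
            "action": action,
            "evidence": os.path.basename(path),
            "sha256": sha256_file(path),
        }
        self.entries.append(entry)
        return entry

    def verify(self, path: str) -> bool:
        """True only if the evidence still hashes to what every prior entry recorded."""
        current = sha256_file(path)
        return bool(self.entries) and all(e["sha256"] == current for e in self.entries)


def demo() -> Tuple[bool, bool]:
    """Acquire, hand off, then simulate tampering; return (ok_before, ok_after)."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "srv-db01-sda.dd")
        with open(image, "wb") as f:            # constructed stand-in for a disk image
            f.write(b"MBR\x00" * 4096)
        coc = ChainOfCustody("IR-2024-017")
        coc.record("acquired via dd behind hardware write blocker", "A. Analyst", image)
        coc.record("transferred to evidence locker", "B. Custodian", image)
        ok_before = coc.verify(image)
        with open(image, "r+b") as f:           # a single flipped byte breaks the chain
            f.seek(100)
            f.write(b"\xff")
        ok_after = coc.verify(image)
    return ok_before, ok_after


if __name__ == "__main__":
    print(demo())
```

In practice the custody entries are signed or stored in an append-only system the analysts cannot edit; the point the example makes is that the hash, not the paperwork, is what lets a court or HR accept that the image examined is the image collected.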
Metrics and KPIs
The exam may test your understanding of incident response metrics:
Mean Time to Detect (MTTD): Lower is better.
Mean Time to Respond (MTTR): Lower is better.
Mean Time to Contain (MTTC): Lower is better.
Number of Incidents: Track over time to show trends.
False Positive Rate: High false positive rates can lead to alert fatigue.
Cost of Incident: Direct costs (forensics, legal) and indirect costs (reputation, lost business).
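The three "mean time" metrics differ only in where the clock starts and stops, which is the thing to pin down before comparing numbers. The following is an added example, not code from the original page, that computes MTTD, MTTC and MTTR over constructed incident records and checks each incident against a containment SLA. The critical-severity SLA of one hour is the page's own example; the high and medium values, the incident IDs and all timestamps are constructed, and MTTR is measured here from detection to resolution (an assumption, since the page also lists MTTC separately).

```python
"""MTTD, MTTC and MTTR computed from constructed incident records, with a
per-severity containment SLA checked per incident. Added example, not code
from the page; incident IDs, timestamps and the high/medium SLA values are
constructed."""
from datetime import datetime, timezone
from typing import Dict, List

# Containment SLA in hours by severity. The critical value is the page's
# example; high and medium are assumed for illustration.
CONTAIN_SLA_HOURS = {"critical": 1.0, "high": 4.0, "medium": 24.0}

# Constructed incident records. compromised_at comes from forensic timeline
# analysis; the other three timestamps come from the ticketing system.
INCIDENTS = [
    {"id": "INC-0001", "severity": "critical",
     "compromised_at": "2024-03-01T08:00:00Z", "detected_at": "2024-03-01T12:00:00Z",
     "contained_at": "2024-03-01T12:30:00Z", "resolved_at": "2024-03-02T12:00:00Z"},
    {"id": "INC-0002", "severity": "high",
     "compromised_at": "2024-03-05T00:00:00Z", "detected_at": "2024-03-07T00:00:00Z",
     "contained_at": "2024-03-07T06:00:00Z", "resolved_at": "2024-03-08T00:00:00Z"},
    {"id": "INC-0003", "severity": "critical",
     "compromised_at": "2024-03-10T10:00:00Z", "detected_at": "2024-03-10T10:30:00Z",
     "contained_at": "2024-03-10T12:30:00Z", "resolved_at": "2024-03-10T16:30:00Z"},
]


def _ts(s: str) -> datetime:
    # fromisoformat only accepts a trailing "Z" from Python 3.11; normalise it.
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


def _hours(start: str, end: str) -> float:
    return (_ts(end) - _ts(start)).total_seconds() / 3600


def incident_metrics(incidents: List[dict]) -> Dict[str, object]:
    """Average the three intervals and flag containment SLA breaches.

    MTTD: compromise -> detection   (how long the attacker went unnoticed)
    MTTC: detection  -> containment (how fast the spread was stopped)
    MTTR: detection  -> resolution  (how fast normal operations returned)"""
    ttd, ttc, ttr, breaches = [], [], [], []
    for inc in incidents:
        ttd.append(_hours(inc["compromised_at"], inc["detected_at"]))
        contain = _hours(inc["detected_at"], inc["contained_at"])
        ttc.append(contain)
        ttr.append(_hours(inc["detected_at"], inc["resolved_at"]))
        if contain > CONTAIN_SLA_HOURS[inc["severity"]]:
            breaches.append(inc["id"])
    n = len(incidents)
    return {
        "mttd_hours": sum(ttd) / n,
        "mttc_hours": sum(ttc) / n,
        "mttr_hours": sum(ttr) / n,
        "sla_breaches": breaches,
    }


if __name__ == "__main__":
    for key, value in incident_metrics(INCIDENTS).items():
        print(f"{key}: {value}")
```

Note how INC-0003 has the best detection time of the three (30 minutes) yet still breaches its SLA, because MTTC is measured from detection, not from compromise; a single rolled-up "response time" would have hidden that.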
1. Preparation Phase
Before any incident occurs, the organization must prepare. This includes developing an incident response policy and plan, forming a CSIRT, acquiring necessary tools (SIEM, EDR, forensic workstations), establishing baselines, and conducting training exercises. The exam tests specific preparation activities such as creating a communication plan, defining roles, and setting up secure evidence storage. Without preparation, the response will be disorganized and ineffective.
2. Detection and Analysis
An incident is detected through various sources: IDS/IPS alerts, SIEM correlations, user reports, or threat intelligence. The analyst validates the alert to confirm it's a true positive. They then profile the incident by gathering initial data: affected systems, type of attack, and impact. If the incident is severe, they escalate to the incident commander. All actions are documented with timestamps. Common analysis techniques include examining IOCs (file hashes, IPs) and IOAs (behavioral patterns).
3. Containment
Containment stops the incident from spreading. Short-term containment includes immediate actions like disconnecting affected systems from the network, blocking malicious IPs, or disabling compromised accounts. Long-term containment involves applying temporary security controls, such as network segmentation or firewall rules. The goal is to limit damage while preserving evidence for further analysis. The exam emphasizes that containment must be done before eradication.
4. Eradication
Eradication removes the root cause of the incident. This may involve removing malware, patching vulnerabilities, rebuilding compromised systems from clean images, and disabling attacker backdoors. Eradication is more thorough than containment; it ensures the threat is completely removed. The exam may test the difference: containment stops the bleeding, eradication heals the wound. After eradication, systems are ready for recovery.
5. Recovery and Post-Incident Activity
Recovery restores normal operations by bringing systems back online, often from clean backups. Systems are monitored for signs of recurrence. Post-incident activities include a lessons learned meeting, root cause analysis, and updating the incident response plan and security controls. A final incident report is created, documenting the timeline, evidence, actions taken, and recommendations. This phase ensures continuous improvement.
Enterprise Scenario 1: Ransomware Attack on a Hospital
A hospital suffers a ransomware attack that encrypts patient records and demands payment. The incident response team follows the NIST process. Preparation: The hospital had a CSIRT with pre-defined roles and an isolated (offline or immutable) backup system. Detection: The EDR alerts on mass file encryption events. The SIEM correlates with failed login attempts from an external IP against an internet-facing RDP host. Containment: The team immediately isolates affected servers from the network and blocks the attacker's IP at the firewall. They also disable the compromised domain admin account and reset its credentials. Eradication: They identify the ransomware binary and the persistence it created, wipe and rebuild the affected servers from known-good images, and close the entry point (RDP exposed to the internet on an unpatched host). Recovery: Data is restored from the isolated backups after verifying they are not infected, systems are brought back online in stages, and monitoring is increased. Post-incident: A lessons learned meeting reveals the need for multi-factor authentication on RDP and more frequent backups. The incident response plan is updated accordingly. Scale: 500-bed hospital, 2000 endpoints. Performance consideration: Backup restoration must be fast to minimize downtime; they use incremental backups to speed recovery. Misconfiguration: If containment had not been done quickly, or if the backups had been reachable from the compromised domain, the ransomware could have spread to the entire network, encrypting the backups as well.
Enterprise Scenario 2: Data Breach at a Financial Institution
A bank detects unusual outbound traffic from a database server containing customer financial data. Preparation: The bank has a well-documented incident response plan and a dedicated forensic lab. Detection: A DLP alert flags the data exfiltration. The SIEM shows the database server communicating with an unknown IP in a foreign country. Containment: The team isolates the database server by blocking its outbound traffic at the network switch and disabling the database service. They also change all database passwords. Eradication: They analyze the server and find a SQL injection vulnerability that allowed the attacker to extract data. They patch the application and review database access logs to identify compromised records. Recovery: The database server is restored from a clean backup, and the application is redeployed with the fix. Post-incident: The bank notifies affected customers and regulators as required by the applicable breach-notification rules (for example, GDPR if EU residents' data was involved). Root cause analysis reveals that the vulnerability was introduced in a recent code update that bypassed the change management process. The incident response plan is updated to include stricter change management controls. Scale: 10,000 employees, millions of customer records. Performance consideration: Forensic analysis must be thorough to determine the exact data accessed; they use a forensic workstation with write blockers and hashing tools. Misconfiguration: If the DLP rule had been too broad, it could have generated false positives, leading to alert fatigue and delayed detection.
What CS0-003 Tests on Incident Response Process
The CS0-003 exam objectives (Domain: Incident Response, Objective 3.2) specifically test your ability to apply the incident response process phases in the correct order and understand the activities within each phase. The exam expects you to know the NIST SP 800-61 four-phase model, but you may also encounter the SANS PICERL model (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned). The exam does not favor one model over the other; you need to recognize the steps regardless of naming.
Common Wrong Answers and Why Candidates Choose Them
"Containment before detection": Candidates mistakenly think containment happens first. In reality, you must detect and analyze before you can contain. The exam will present a scenario where detection is needed first. Wrong answer: 'Immediately disconnect the server.' Correct: 'Verify the alert is a true positive, then contain.'
"Eradication before containment": Some candidates think you should remove the threat immediately. But if you haven't contained it, the threat may spread while you're eradicating. The exam tests the order: contain first, then eradicate.
"Recovery is the same as eradication": Recovery is about restoring operations; eradication is about removing the threat. The exam may describe a scenario where the threat is removed but systems are still down, and ask what phase is next (recovery).
"Lessons learned is optional": Candidates may think that after recovery, the incident is over. The exam stresses that post-incident activity is mandatory for continuous improvement. Questions may ask: 'What should be done after recovery?' Answer: Conduct a lessons learned meeting.
Specific Numbers, Values, and Terms
NIST SP 800-61 Revision 2: The standard reference. Know the four phases.
MTTD and MTTR: Know the definitions, not specific values.
Chain of Custody: Must be documented for evidence admissibility.
Indicators of Compromise (IOC) vs Indicators of Attack (IOA): IOCs are static artifacts; IOAs are behavioral patterns.
Tabletop Exercise vs Full-Scale Exercise: Tabletop is discussion-based; full-scale is operational.
Edge Cases and Exceptions
What if containment is not possible? For example, a DDoS attack cannot be contained on the target server; you must use upstream filtering or scrubbing centers. The exam may test alternative containment strategies.
What if the incident is a false positive? The process still applies: you document the false positive, analyze why it triggered, and adjust detection rules to reduce future false positives. The exam expects you to know that false positives are still handled through the process.
What if the attacker is still active during recovery? Recovery should not proceed until eradication is complete and the attacker is no longer present. The exam may ask: 'When can recovery begin?' Answer: After eradication and verification that the threat is gone.
How to Eliminate Wrong Answers
Look for order-of-operations traps: the correct answer will always follow the phase sequence (Preparation -> Detection -> Containment -> Eradication -> Recovery -> Post-Incident).
If an answer suggests skipping a phase (e.g., 'After detection, immediately recover'), it is wrong.
If an answer confuses containment with eradication (e.g., 'Remove malware' during containment), it is wrong. Containment is about isolation, not removal.
If an answer ignores documentation or evidence preservation, it is likely wrong because the exam emphasizes legal defensibility.
The incident response process consists of four phases per NIST SP 800-61: Preparation, Detection & Analysis, Containment Eradication & Recovery, and Post-Incident Activity.
Preparation is the most critical phase; it occurs before any incident and includes policy, team, tools, and training.
Detection sources include IDS/IPS, SIEM, logs, user reports, and threat intelligence; validation is key to avoid false positives.
Containment must occur before eradication; containment stops the spread, eradication removes the root cause.
Recovery involves restoring systems from clean backups and monitoring for recurrence; it follows eradication.
Post-incident activities include lessons learned, root cause analysis, and updating the incident response plan.
Chain of custody must be maintained for all evidence to ensure legal admissibility.
Common metrics: MTTD (Mean Time to Detect), MTTR (Mean Time to Respond), and MTTC (Mean Time to Contain).
The exam tests the order of phases and activities; beware of traps that swap containment and eradication.
Incident response plans should be tested regularly with tabletop and full-scale exercises.
These come up on the exam all the time. Here's how to tell them apart.
NIST SP 800-61 (4 Phases)
Preparation, Detection & Analysis, Containment Eradication & Recovery, Post-Incident Activity
Combines containment, eradication, and recovery into one phase
Emphasizes analysis within detection phase
Widely adopted in US government and regulated industries
Post-incident activity includes lessons learned and report
SANS PICERL (6 Phases)
Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned
Separates containment, eradication, and recovery into distinct phases
Identification phase is equivalent to detection and analysis
Popular in private sector and SANS training
Lessons learned is a standalone phase, emphasizing its importance
Mistake
Incident response begins when an alert is received.
Correct
Incident response actually begins with preparation, which occurs before any alert. Without preparation, the response will be chaotic. The exam tests that preparation is a phase, not an afterthought.
Mistake
Containment and eradication are the same thing.
Correct
Containment stops the spread (e.g., disconnecting a system), while eradication removes the root cause (e.g., removing malware). They are distinct phases; containment always comes before eradication.
Mistake
Recovery means restoring from backups immediately after containment.
Correct
Recovery must follow eradication. If you restore from backups before eradicating the threat, you may reintroduce the vulnerability or malware. The correct order is containment, eradication, then recovery.
Mistake
Post-incident activities are optional if the incident was minor.
Correct
Post-incident activities, including lessons learned and root cause analysis, are mandatory for all incidents. They drive continuous improvement. The exam emphasizes that even minor incidents should be reviewed.
Mistake
The incident response plan never changes after an incident.
Correct
The plan should be updated based on lessons learned. If a gap was identified, the plan must be revised to address it. The exam tests that the plan is a living document.
The first step is Preparation, which involves creating policies, forming a CSIRT, acquiring tools, and training staff. Without preparation, the response will be ineffective. The exam expects you to know that preparation is phase 1, even though it happens before an incident.
Containment stops the incident from spreading (e.g., disconnecting a compromised system from the network). Eradication removes the root cause (e.g., deleting malware, patching a vulnerability). Containment is done first to limit damage, then eradication removes the threat completely. The exam tests this order.
A tabletop exercise is a discussion-based session where team members walk through a scenario verbally. A full-scale exercise involves actual operational actions, such as deploying tools, isolating systems, and restoring backups. The exam may ask which type is more realistic (full-scale) or which is easier to organize (tabletop).
The lessons learned meeting is held after an incident to discuss what went well, what went wrong, and how to improve. It leads to updates in the incident response plan, security controls, and training. The exam stresses that this meeting is not optional and should occur within two weeks of the incident.
Chain of custody is a documented record of who handled evidence, when, and what was done to it. It ensures that evidence is admissible in court or disciplinary proceedings. The exam tests that chain of custody must be maintained from collection through analysis and storage.
An IOC is a static artifact like a file hash, IP address, or domain name that indicates a compromise. An IOA is a behavioral pattern, such as a process spawning cmd.exe unexpectedly or unusual network traffic. IOAs focus on the attack in progress, while IOCs are evidence of past compromise.
Recovery should begin only after eradication is complete and the threat is verified to be gone. If you recover too early, you may reintroduce the threat. The exam may present a scenario where eradication is incomplete and ask if recovery is appropriate (answer: no).