CS0-003 | Chapter 30 of 100 | Objective 3.2

NIST Incident Response Framework

This chapter covers the NIST Incident Response Framework, a foundational model for structured incident handling that is heavily tested on the CompTIA CySA+ CS0-003 exam. Understanding the four-phase lifecycle—Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity—is critical, as approximately 15-20% of the exam questions in Domain 3 (Incident Response) directly reference NIST SP 800-61 Rev 2. This chapter provides a deep dive into each phase, with specific procedures, documentation requirements, and common pitfalls that the exam loves to test.

25 min read
Intermediate
Updated May 31, 2026

The Fire Department Incident Response

The NIST Incident Response Framework is like a fire department's standard operating procedure (SOP) for handling a structure fire. The fire department doesn't just show up and start spraying water randomly; they follow a structured process. Preparation is like the fire station: the trucks are maintained, firefighters are trained, and equipment is checked daily. Detection and Analysis is the moment the alarm sounds—dispatchers gather information about the location, type of fire, and potential hazards. The firefighters analyze the situation en route, deciding whether it's a grease fire, electrical fire, or chemical blaze, because each requires a different response. Containment, Eradication, and Recovery is the action phase: the first arriving crew establishes a perimeter (containment), the interior team locates the seat of the fire and extinguishes it (eradication), and then ventilation and overhaul begin to ensure no hidden hotspots remain (recovery). Post-Incident Activity is the after-action review: the chief interviews every firefighter, reviews radio logs, and updates the SOP if a new hazard was encountered. Just like a fire department drills on its process regularly, organizations must practice incident response exercises to ensure the team reacts smoothly under pressure. The NIST framework provides that structured, repeatable process so that when a security incident occurs, the response is coordinated, efficient, and effective.

How It Actually Works

What is the NIST Incident Response Framework?

The National Institute of Standards and Technology (NIST) Special Publication 800-61 Revision 2, "Computer Security Incident Handling Guide," provides a standardized, systematic approach to incident response. It is the most widely adopted framework in the United States for both government and private sector organizations. The framework divides incident response into four phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity. The CS0-003 exam expects you to know the objectives of each phase, the key activities, and the order of operations.

Why It Exists

Before formal frameworks, incident response was ad-hoc—analysts reacted based on intuition, leading to inconsistent outcomes, missed evidence, and legal liability. NIST 800-61 provides a common language and process, ensuring that all team members know their roles, that evidence is preserved for prosecution, and that lessons learned are captured to prevent recurrence. The framework also aligns with other standards like ISO 27035 and the SANS PICERL model, but NIST is specifically cited in the CS0-003 objectives.

How It Works Internally

The framework is not a software tool but a documented policy that guides human actions and technical controls. It operates through a series of defined steps within each phase, supported by playbooks, communication plans, and toolchains.

Phase 1: Preparation

Preparation is the foundation and includes two main tracks: (1) establishing an incident response capability (people, processes, technology) and (2) preventing incidents through hardening and user training. Key components:

- Incident Response Team (IRT): Roles include team lead, technical analysts, communications lead, legal counsel, and management liaison. The CS0-003 exam often asks about the importance of having a designated point of contact.
- Communication Plans: Out-of-band communication channels (e.g., secure messaging apps, phone trees) must be established. The exam stresses the need for alternative communication methods if the primary network is compromised.
- Tools and Resources: Forensic workstations, imaging tools (e.g., FTK Imager, dd), network capture tools (e.g., Wireshark), and malware analysis sandboxes. The exam expects you to know that tools should be pre-approved and tested.
- Preventive Measures: Patch management, endpoint protection, access controls, and user awareness training. The exam may ask which preventive measure reduces the likelihood of incidents.

Phase 2: Detection and Analysis

This phase involves identifying that an incident has occurred and gathering initial information. Detection methods include:

- IDS/IPS Alerts: Signature-based and anomaly-based alerts. The exam tests understanding of false positives vs. false negatives.
- Log Analysis: Firewall logs, system logs (Windows Event Log, syslog), application logs. Correlating multiple sources is critical.
- User Reports: Often the first indicator. The exam emphasizes that even low-severity reports should be investigated.
- Threat Intelligence Feeds: Indicators of compromise (IOCs) from external sources.

Analysis steps:

1. Validate the Alert: Determine if it's a true positive. The exam warns against immediate action without validation (a common trap).
2. Profile the Incident: Identify the type (malware, unauthorized access, denial of service), scope (affected systems, users), and impact (data loss, service disruption).
3. Document Everything: Timestamped notes, screenshots, chain of custody for evidence. The exam tests that documentation is continuous, not just after the incident.
4. Escalate if Needed: Based on severity—low, medium, high, critical. The exam expects you to know that critical incidents require immediate management notification.

Phase 3: Containment, Eradication, and Recovery

This is the action phase, often performed in parallel or iteratively.

Containment: The goal is to stop the incident from spreading. Short-term containment might involve disconnecting a system from the network, while long-term containment could involve applying temporary firewall rules. Key considerations:

- Preserve Evidence: Before containment, if possible, capture volatile data (memory, running processes) using tools like Volatility or FTK Imager. The exam stresses that pulling the plug destroys volatile evidence.
- Isolation vs. Disconnection: Isolating a system (e.g., VLAN separation) may allow continued monitoring, while disconnection stops all traffic. The exam may ask which approach is better for forensic preservation.
- System Imaging: Create a forensic image (bit-for-bit copy) using tools like dd or FTK Imager. The hash (MD5/SHA256) must be recorded to verify integrity.

Eradication: Remove the root cause. This could involve:

Removing malware via antivirus or manual cleanup.

Patching vulnerabilities.

Rebuilding systems from known-good images.

Resetting compromised credentials.

The exam tests that eradication must be thorough; leaving any backdoor can lead to reinfection.

Recovery: Restore normal operations. Steps:

Restore data from backups (tested to ensure they are clean).

Monitor systems for signs of lingering compromise.

Communicate with stakeholders.

Gradually reintroduce systems to production.

The exam may ask about the importance of monitoring after recovery—attackers often return.

Phase 4: Post-Incident Activity

This phase is often overlooked but is heavily tested. Activities include:

- Lessons Learned Meeting: Within two weeks of the incident. Participants include all team members and relevant stakeholders. The meeting reviews what went well, what didn't, and what should change.
- Incident Report: A formal document detailing the timeline, actions taken, evidence collected, root cause, and recommendations. The exam expects you to know that the report should be shared with relevant parties but may be protected by attorney-client privilege.
- Update Policies and Procedures: Incorporate lessons learned into playbooks, security policies, and training.
- Evidence Retention: Preserve evidence for legal or regulatory requirements (often 90 days to years). The exam may ask about retention policies.

Key Components, Values, and Defaults

NIST SP 800-61 Rev 2: The specific publication referenced in CS0-003 objectives.

Four Phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; Post-Incident Activity.

Chain of Custody: Must be documented for every piece of evidence, including who collected it, when, where, and who has possessed it since.

Severity Levels: Typically low, medium, high, critical. The exam may use a 1-5 scale.

Response Timeframes: Not specified in NIST but often defined by SLAs (e.g., 15 minutes for critical incidents).

Interaction with Related Technologies

SIEM Systems: Used in Detection and Analysis to correlate logs and trigger alerts. The exam tests that SIEM rules must be tuned to reduce false positives.

SOAR Platforms: Automate containment actions (e.g., blocking an IP on a firewall). The exam may ask about the benefits of automation in incident response.

Forensic Tools: Used in Containment and Eradication for imaging and analysis. The exam expects familiarity with tools like FTK Imager, Volatility, and Wireshark.

Threat Intelligence Platforms: Feed IOCs into detection systems. The exam tests that threat intelligence should be continuously updated.

Verification Commands (Example)

While NIST is a framework, not a tool, the exam may include scenario-based questions where you need to know commands for evidence collection:

- Linux: dd if=/dev/sda of=/mnt/evidence/image.dd bs=4M creates the bit-for-bit image, and sha256sum /mnt/evidence/image.dd records the hash used to verify its integrity.
- Windows: the FTK Imager GUI, or reg.exe save HKLM\SYSTEM system.save to export the SYSTEM registry hive to a file.
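The imaging and hashing commands above, together with the chain-of-custody record described under Key Components, carried out end to end in Python as an added example (not code from NIST SP 800-61, from the exam, or from any forensic product). Instead of running dd against /dev/sda it copies a constructed stand-in file, hashes source and image the way sha256sum would, and keeps a custody log in which every entry includes the hash of the previous one, so that an altered or deleted entry is detected when the log is verified. The evidence ID, handler names, locations and the CONSTRUCTED_DISK bytes are assumptions made up for the demo.

```python
"""Added example: forensic-image integrity check plus a tamper-evident
chain-of-custody log. Evidence ID, handlers, locations and disk bytes are constructed."""
import copy
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 4 * 1024 * 1024  # same 4 MiB block size as `dd bs=4M`
# Constructed stand-in for a block device; a real acquisition reads /dev/sdX.
CONSTRUCTED_DISK = b"MBR\x00" * 64 + b"patient-records.db\x00" * 16


def sha256_file(path: str) -> str:
    """Hash a file in chunks, as sha256sum does; images rarely fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source: str, dest: str, handler: str, location: str) -> dict:
    """Bit-for-bit copy of source to dest (what dd does); hash the source before
    and the image after. A mismatch means the copy is not usable as evidence."""
    source_hash = sha256_file(source)
    with open(source, "rb") as s, open(dest, "wb") as d:
        for chunk in iter(lambda: s.read(CHUNK), b""):
            d.write(chunk)
    image_hash = sha256_file(dest)
    if image_hash != source_hash:
        raise RuntimeError("image hash does not match source; acquisition failed")
    return {
        "evidence_id": "EV-0001",  # constructed identifier
        "source": source, "image_path": dest, "image_sha256": image_hash,
        "collected_by": handler, "collected_at": location,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
    }


def verify_image(path: str, recorded_sha256: str) -> bool:
    """Re-hash the image and compare with the hash recorded at acquisition."""
    return sha256_file(path) == recorded_sha256


class ChainOfCustody:
    """Append-only log of who held the evidence, when and where. Each entry
    carries the hash of the previous one, so changing or deleting an earlier
    entry breaks the link in every entry after it."""

    def __init__(self, acquisition: dict):
        self.entries: list[dict] = []
        self._append("collected", acquisition["collected_by"], acquisition["collected_at"],
                     evidence_id=acquisition["evidence_id"],
                     image_sha256=acquisition["image_sha256"])

    @staticmethod
    def _hash(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _append(self, action: str, handler: str, location: str, **extra) -> dict:
        entry = {"action": action, "handler": handler, "location": location,
                 "timestamp_utc": datetime.now(timezone.utc).isoformat(),
                 "prev_hash": self.entries[-1]["entry_hash"] if self.entries else "0" * 64,
                 **extra}
        entry["entry_hash"] = self._hash(entry)
        self.entries.append(entry)
        return entry

    def transfer(self, from_handler: str, to_handler: str, location: str) -> dict:
        """Record a hand-off; on the paper form both parties sign this line."""
        return self._append("transferred", to_handler, location, released_by=from_handler)

    def verify(self) -> bool:
        """Recompute every entry hash and check that the chain is unbroken."""
        expected_prev = "0" * 64
        for entry in self.entries:
            if entry["prev_hash"] != expected_prev or self._hash(entry) != entry["entry_hash"]:
                return False
            expected_prev = entry["entry_hash"]
        return True


def demo() -> dict:
    """Run the whole procedure against the constructed disk in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        disk = os.path.join(tmp, "sdX")  # stand-in for /dev/sda
        with open(disk, "wb") as f:
            f.write(CONSTRUCTED_DISK)
        image = os.path.join(tmp, "image.dd")
        record = acquire_image(disk, image, handler="analyst-1", location="SOC lab bench 2")
        custody = ChainOfCustody(record)
        custody.transfer("analyst-1", "forensics-lead", "evidence locker A")
        tampered = copy.deepcopy(custody)
        tampered.entries[0]["handler"] = "someone-else"  # falsified collector name
        return {
            "image_matches_record": verify_image(image, record["image_sha256"]),
            "custody_entries": len(custody.entries),
            "custody_intact": custody.verify(),
            "tampered_custody_intact": tampered.verify(),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it directly to print the result of the demo. The recorded hash is what you compare the image against after every transfer and before analysis, and the custody entries are what each handler signs; the chained hashes only make silent edits to the log detectable, they do not replace the signatures.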

The exam does not require memorizing command syntax but expects you to know the purpose of such commands.

Walk-Through

1. Preparation Phase

In this foundational phase, the organization establishes the incident response capability. This includes forming the incident response team (IRT) with defined roles (team lead, technical analysts, legal, communications). A communication plan is created with out-of-band channels. Tools and resources are procured and tested: forensic workstations, imaging software, network capture tools, and malware analysis sandboxes. Preventive measures are implemented: patch management, endpoint protection, access controls, and user training. The IRT develops playbooks for common incident types (e.g., ransomware, phishing). The exam expects you to know that preparation is a continuous process, not a one-time event.

2. Detection and Analysis

This phase begins when an alert or report indicates a potential incident. The team validates the alert to confirm it is a true positive, not a false positive. They gather initial information: source IPs, affected systems, user accounts, and timestamps. Logs from firewalls, IDS/IPS, servers, and endpoints are correlated. The incident is profiled: type (malware, unauthorized access, DoS), scope (number of systems, data affected), and impact (availability, confidentiality, integrity). Documentation is critical—every action is timestamped. If the incident is severe, escalation to management occurs. The exam tests that analysis must be thorough before jumping to containment.

3. Containment

The immediate priority is to stop the incident from spreading. Short-term containment might involve disconnecting the affected system from the network, blocking malicious IPs on the firewall, or suspending user accounts. Before containment, volatile data (memory, running processes) should be captured if possible. A forensic image of the system is created using tools like dd or FTK Imager, and the hash is recorded. Long-term containment may involve applying temporary patches or moving the system to an isolated VLAN. The exam stresses that containment actions must balance stopping the threat with preserving evidence.

4. Eradication

After containment, the root cause must be removed. This could involve deleting malware, patching vulnerabilities, rebuilding systems from known-good images, or resetting all compromised passwords. The team must ensure no backdoors remain—this may require a thorough scan or manual inspection. For widespread incidents, all affected systems should be rebuilt rather than cleaned, as cleaning can miss hidden persistence mechanisms. The exam tests that eradication is not complete until the root cause is eliminated and the system is verified clean.

5. Recovery

Systems are restored to normal operation. Data is restored from clean backups, and systems are reconnected to the network gradually. Monitoring is intensified to detect any signs of lingering compromise—attackers often return. Stakeholders are notified of the restoration status. The team verifies that all security controls are functioning correctly. Recovery may be phased: first non-critical systems, then critical ones. The exam expects you to know that recovery is not the end; continuous monitoring is essential.

6. Post-Incident Activity

This final phase involves a lessons learned meeting within two weeks of the incident. The team reviews the timeline, actions taken, and what could be improved. An incident report is written, documenting the entire response, including evidence, root cause, and recommendations. Policies, playbooks, and security controls are updated based on lessons learned. Evidence is retained according to legal/regulatory requirements. The exam tests that this phase is crucial for improving future response and preventing recurrence.

What This Looks Like on the Job

In a large financial institution, the NIST framework is used to handle phishing incidents. The preparation phase includes a dedicated SOC team, a phishing playbook, and user awareness training that teaches employees to report suspicious emails. Detection and Analysis involves the SIEM correlating email gateway logs with endpoint alerts. When a user reports a phishing email, the SOC analyst validates the email headers, checks the link against threat intelligence, and determines if any user clicked the link. Containment might involve blocking the sender's domain at the email gateway and isolating any endpoints that clicked the link. Eradication includes removing malicious emails from user mailboxes and running antivirus scans on affected endpoints. Recovery involves restoring any quarantined emails and monitoring for follow-up attacks. Post-incident activity: the team updates the phishing playbook with the new TTPs and retrains users.
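The SIEM correlation step in the phishing scenario above, written out as an added example in Python (not the institution's code and not any SIEM product's logic; it also illustrates the multi-source log correlation described under Detection and Analysis). The gateway and proxy log lines, the invoice-portal.example sender, the corp.example users and the WS-nnnn host names are all constructed, and the key=value log format is a simplification rather than a specific product's format. Given the message ID a user reported, the function scopes the campaign to everyone who received mail from the same sender domain, checks the proxy log for recipients whose endpoints fetched the linked host after delivery, and returns the inputs the containment and eradication steps need: endpoints to isolate, the domain to block at the gateway, and the mailboxes to purge. It also lists anyone who reached the phishing host without receiving the mail, since that points to a delivery path the gateway did not see.

```python
"""Added example: correlate mail-gateway and web-proxy logs for a reported
phishing message. All log lines, users, hosts and domains are constructed."""
import re
from urllib.parse import urlparse

# Constructed mail-gateway log (simplified key=value format, one line per message).
GATEWAY_LOG = """\
2026-05-30T09:01:12Z msgid=<a1@invoice-portal.example> from=billing@invoice-portal.example to=alice@corp.example subject="Overdue invoice" url=http://invoice-portal.example/login
2026-05-30T09:01:14Z msgid=<a2@invoice-portal.example> from=billing@invoice-portal.example to=bob@corp.example subject="Overdue invoice" url=http://invoice-portal.example/login
2026-05-30T09:01:15Z msgid=<a3@invoice-portal.example> from=billing@invoice-portal.example to=carol@corp.example subject="Overdue invoice" url=http://invoice-portal.example/pay
2026-05-30T09:05:40Z msgid=<b1@vendor.example> from=ops@vendor.example to=alice@corp.example subject="Weekly report" url=https://vendor.example/report
"""

# Constructed web-proxy log: authenticated user, source endpoint, requested URL.
PROXY_LOG = """\
2026-05-30T09:03:02Z user=alice src=WS-0142 url=http://invoice-portal.example/login status=200
2026-05-30T09:03:05Z user=alice src=WS-0142 url=http://invoice-portal.example/login status=200
2026-05-30T09:04:50Z user=bob src=WS-0177 url=https://intranet.corp.example/ status=200
2026-05-30T09:06:10Z user=alice src=WS-0142 url=https://vendor.example/report status=200
2026-05-30T08:55:00Z user=dave src=WS-0310 url=http://invoice-portal.example/login status=200
2026-05-30T09:30:00Z user=carol src=WS-0203 url=http://invoice-portal.example/pay status=200
"""

# key=value tokens: quoted strings, <angle-bracketed> message IDs, or bare words.
KV = re.compile(r'(\w+)=("[^"]*"|<[^>]*>|\S+)')


def parse_log(text: str) -> list[dict]:
    """Turn `<timestamp> k=v k=v ...` lines into dicts; surrounding quotes are stripped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        fields = {k: v.strip('"') for k, v in KV.findall(rest)}
        fields["ts"] = ts  # ISO-8601 UTC stamps compare correctly as strings
        records.append(fields)
    return records


def correlate_phishing(reported_msgid: str, gateway_log: str, proxy_log: str) -> dict:
    """Scope a reported phishing message and return the containment inputs."""
    gateway = parse_log(gateway_log)
    proxy = parse_log(proxy_log)

    reported = next(m for m in gateway if m["msgid"] == reported_msgid)
    sender_domain = reported["from"].split("@", 1)[1]
    phish_host = urlparse(reported["url"]).hostname

    # Scope: every message from the same sender domain is treated as one campaign.
    campaign = [m for m in gateway if m["from"].split("@", 1)[1] == sender_domain]
    first_delivery = min(m["ts"] for m in campaign)
    # Proxy logs carry the user name only; map it back to the mailbox address.
    mailbox_by_user = {m["to"].split("@", 1)[0]: m["to"] for m in campaign}

    # Match on the host rather than the full URL: paths differ per recipient.
    hits = [p for p in proxy if urlparse(p["url"]).hostname == phish_host]
    clicks = [p for p in hits if p["user"] in mailbox_by_user and p["ts"] >= first_delivery]
    other_visitors = sorted({p["user"] for p in hits if p["user"] not in mailbox_by_user})
    clicked_users = sorted({p["user"] for p in clicks})

    return {
        "sender_domain": sender_domain,
        "phishing_host": phish_host,
        "recipients": sorted(mailbox_by_user.values()),
        "clicked_users": clicked_users,
        # Containment: isolate the endpoints that fetched the link; block the sender.
        "endpoints_to_isolate": sorted({p["src"] for p in clicks}),
        "block_at_gateway": sender_domain,
        # Eradication: pull the campaign's messages from every recipient mailbox.
        "mailboxes_to_purge": sorted(mailbox_by_user.values()),
        # Reached the host without receiving the mail: a delivery path not yet seen.
        "other_visitors": other_visitors,
        # Constructed escalation rule: any confirmed click raises severity to high.
        "severity": "high" if clicked_users else "medium",
    }


if __name__ == "__main__":
    import json
    print(json.dumps(correlate_phishing("<a1@invoice-portal.example>", GATEWAY_LOG, PROXY_LOG), indent=2))
```

Note that the correlation scopes on sender domain and destination host, not on the exact message or URL, because a campaign normally varies both per recipient; the trade-off is that a shared legitimate domain would pull unrelated mail into scope, which is why the output is a list for the analyst to validate rather than an automatic action.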

Another scenario: a healthcare provider suffers a ransomware attack. Preparation includes regular backups stored offline, a ransomware playbook, and a communication plan with legal and PR. Detection occurs when the SIEM alerts on mass file encryption events. The team immediately isolates affected servers (containment) while preserving memory from one server for forensic analysis. Eradication involves rebuilding all affected servers from clean backups after ensuring the initial infection vector (a vulnerable RDP port) is closed. Recovery is phased: first critical patient care systems, then administrative systems. Post-incident, the team conducts a lessons learned meeting, updates the RDP security policy, and implements multi-factor authentication. Common misconfigurations: failing to test backups before restoration (backups were also encrypted) or not having an out-of-band communication plan (primary email was down).

How CS0-003 Actually Tests This

The CS0-003 exam tests the NIST Incident Response Framework under Objective 3.2: "Given a scenario, apply the appropriate incident response procedure." Specifically, you must know the four phases in order and the key activities within each. The exam often presents a scenario and asks which phase a specific action belongs to. Common wrong answers:

1. Choosing "Containment" when the scenario describes eradication. Containment stops the spread; eradication removes the root cause. Many candidates confuse these because both involve active response, but containment is immediate, while eradication comes after containment.
2. Selecting "Preparation" when the question asks for post-incident activity. Preparation is proactive; post-incident activity is reactive and focuses on improvement. The exam loves to test that lessons learned is part of Post-Incident Activity, not Preparation.
3. Believing that "Detection and Analysis" includes containment. Detection and Analysis is purely identification and validation; containment is a separate phase. The exam may describe an action like "disconnect the system" and ask which phase it belongs to; many incorrectly choose Detection and Analysis.
4. Forgetting that "Eradication" may involve rebuilding systems. Some candidates think eradication is only removing malware, but NIST includes rebuilding from known-good images as a valid eradication method.

Numbers and terms that appear verbatim: "NIST SP 800-61 Rev 2", "four phases", "lessons learned meeting", "chain of custody", "forensic image". Edge cases: what if the incident is still ongoing during Post-Incident Activity? The answer: Post-Incident Activity should only begin after recovery is complete. Another edge: if evidence is needed for court, the chain of custody must be documented from the moment of collection. The exam may test that pulling the plug (hard power-off) is not recommended because it destroys volatile evidence.

How to eliminate wrong answers: focus on the primary goal of the action. If the action is about stopping the spread, it's Containment. If it's about removing the cause, it's Eradication. If it's about identifying the incident, it's Detection and Analysis. If it's about preparing for future incidents, it's either Preparation (proactive) or Post-Incident Activity (reactive).

Key Takeaways

The NIST Incident Response Framework has four phases: Preparation, Detection and Analysis, Containment/Eradication/Recovery, and Post-Incident Activity.

Preparation includes forming the IRT, creating communication plans, acquiring tools, and implementing preventive measures.

Detection and Analysis involves validating alerts, profiling the incident, and documenting evidence with timestamps.

Containment stops the incident from spreading; Eradication removes the root cause; Recovery restores normal operations.

Post-Incident Activity includes a lessons learned meeting, incident report, and updating policies.

Chain of custody must be documented for all evidence to maintain admissibility in legal proceedings.

The exam tests that pulling the plug destroys volatile evidence; instead, capture memory before disconnecting.

Eradication may involve rebuilding systems from known-good images to ensure no backdoors remain.

Lessons learned meetings should occur within two weeks of the incident.

NIST SP 800-61 Rev 2 is the specific publication referenced on the CS0-003 exam.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

NIST Incident Response Framework

Four phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; Post-Incident Activity.

Developed by U.S. government agency NIST.

Widely used in government and regulated industries.

Emphasizes a continuous lifecycle with feedback loops.

Explicitly includes 'Preparation' as a distinct phase.

SANS PICERL Framework

Six phases: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned.

Developed by the SANS Institute (private training organization).

Popular in private sector and cybersecurity training.

Separates Identification from Analysis; NIST combines Detection and Analysis.

Uses 'Lessons Learned' instead of 'Post-Incident Activity'.

Watch Out for These

Mistake

The NIST framework has five phases.

Correct

NIST SP 800-61 Rev 2 defines four phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity. Some other frameworks (e.g., SANS PICERL) have six phases, but NIST specifically has four.

Mistake

Containment and Eradication are the same phase.

Correct

They are distinct sub-phases within the third phase. Containment stops the spread; Eradication removes the root cause. The CS0-003 exam tests that you can differentiate between actions like isolating a system (containment) and removing malware (eradication).

Mistake

Post-Incident Activity is optional for small incidents.

Correct

NIST recommends lessons learned and reporting for every incident, regardless of size. Skipping this phase leads to repeated incidents. The exam expects that all incidents should have a post-incident review.

Mistake

Preparation only happens once at the start.

Correct

Preparation is a continuous process. The IRT must regularly update playbooks, train new members, and test tools. The exam may test that preparation includes ongoing activities like patch management and user awareness training.

Mistake

Detection and Analysis ends when containment begins.

Correct

Analysis continues throughout the response. New evidence may emerge during containment that changes the understanding of the incident. The exam tests that documentation and analysis are ongoing.


Frequently Asked Questions

What are the four phases of the NIST Incident Response Framework?

The four phases are: Preparation, Detection and Analysis, Containment/Eradication/Recovery, and Post-Incident Activity. Preparation involves setting up the incident response capability. Detection and Analysis is identifying and validating the incident. Containment stops the spread, Eradication removes the root cause, and Recovery restores operations. Post-Incident Activity includes lessons learned and reporting. The CS0-003 exam expects you to know these phases in order.

What is the difference between containment and eradication?

Containment is the immediate action to stop the incident from spreading, such as disconnecting a system from the network or blocking an IP address. Eradication is the removal of the root cause, such as deleting malware or patching a vulnerability. Containment happens first to limit damage; eradication follows to prevent recurrence. On the exam, if an action is about stopping the spread, it's containment; if it's about removing the cause, it's eradication.

Why is chain of custody important in incident response?

Chain of custody documents who collected evidence, when, where, and who has possessed it since. This ensures evidence is admissible in court and maintains its integrity. Without proper chain of custody, evidence can be challenged as tampered. The exam tests that you must record every transfer of evidence, including timestamps and signatures.

What should be done during the Post-Incident Activity phase?

Activities include conducting a lessons learned meeting within two weeks, writing an incident report, updating policies and playbooks, and retaining evidence per legal requirements. The exam emphasizes that this phase is critical for improving future response and preventing recurrence. Skipping it is a common mistake.

How does the NIST framework handle evidence preservation?

Before containment, volatile data (memory, running processes) should be captured. Then a forensic image of the system is created, and the hash is recorded. The chain of custody is documented. The exam warns against pulling the plug, which destroys volatile evidence. Proper evidence preservation is essential for analysis and potential prosecution.

What is the role of a playbook in incident response?

A playbook is a step-by-step guide for handling specific incident types (e.g., ransomware, phishing). It standardizes response, reduces errors, and speeds up reaction time. Playbooks are developed during the Preparation phase and updated after incidents. The exam may ask which document contains specific response procedures.

Can the NIST framework be used for non-cyber incidents?

While designed for computer security incidents, the framework's lifecycle can be adapted for other types of incidents (e.g., physical security breaches). However, the CS0-003 exam focuses strictly on its application to cybersecurity incidents. The core principles of preparation, detection, containment, and lessons learned are universal.
