Incident response is the structured process for detecting, containing, and recovering from security incidents. CompTIA Network+ N10-009 tests the incident response lifecycle, first responder actions, and the role of network infrastructure in incident containment. Network administrators are often the first responders to security incidents — knowing the proper process prevents mistakes that destroy forensic evidence or worsen the breach.
NIST SP 800-61 Rev. 2 defines a four-phase incident response lifecycle: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity. Network+ material usually expands the third phase into its three steps, giving six:
(1) Preparation: policies, procedures, tools, and team training before an incident occurs, including the IRP (Incident Response Plan), runbooks, and contact lists.
(2) Detection and Analysis: identifying that an incident has occurred and determining its scope through log analysis, IDS/IPS alerts, user reports, and SIEM correlation.
(3) Containment: limiting the spread. Short-term containment isolates affected systems; long-term containment keeps operations running on cleaned or rebuilt systems while the investigation continues.
(4) Eradication: removing the threat (malware, backdoors, persistence mechanisms, compromised accounts and credentials).
(5) Recovery: restoring systems to normal operation, verifying they are clean before reconnecting them, and monitoring them closely afterwards for signs of reinfection.
(6) Post-Incident Activity (Lessons Learned): document what happened, update procedures, and improve defenses. The lifecycle is a loop: analysis during containment often reveals further affected systems and sends the team back to detection.
Order of volatility (RFC 3227): when collecting forensic evidence, capture the most volatile data first, because it disappears soonest. From most to least volatile: CPU registers and cache; RAM (running processes, open network connections, ARP and routing tables, logged-in users); network traffic currently in flight; disk (file systems, local logs); remote logs held offsite (syslog, SIEM). RAM is lost the moment the system loses power, so capture it before pulling the plug.
Containment actions available to network admins: VLAN isolation (move the compromised device to a quarantine VLAN, which keeps it powered and reachable from the forensic workstation while cutting it off from everything else), ACL blocking (block traffic to/from the compromised IP), port shutdown (disable the switch port of the compromised device), null routing (blackhole route that drops traffic toward the command-and-control (C2) server), DNS sinkholing (resolve the malicious domain to a sinkhole IP the defenders control, so callbacks are captured instead of leaving the network), and firewall rule changes.
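The containment actions above are usually typed into a switch, router or resolver under time pressure, which is exactly when an admin blackholes an internal server by mistake or points a sinkhole at an address nobody is listening on. The following is an added example (not from the original page or any vendor) that generates the Cisco IOS and Unbound configuration lines for those actions and refuses unsafe targets. The protected address ranges, interface name, quarantine VLAN number and IP addresses are constructed for the example.

```python
import ipaddress
import re

# Address space the organisation owns. Constructed for this example; in practice
# this is the real internal, DMZ and management address plan.
PROTECTED_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fd00::/8")
]


def is_internal(ip):
    """True if the address falls inside any network we own."""
    return any(ip in net for net in PROTECTED_NETWORKS)


def check_external_target(ip_str):
    """A C2 address to be null-routed or ACL-blocked must be a routable external host.
    Refusing internal, loopback, link-local and multicast addresses prevents the classic
    mistake of blackholing your own servers or management network at the edge."""
    ip = ipaddress.ip_address(ip_str)
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        raise ValueError(f"{ip} is not a routable host address")
    if is_internal(ip):
        raise ValueError(f"{ip} is inside the organisation's address space; "
                         "isolate it on the access switch instead of blocking at the edge")
    return ip


def null_route(c2_ip):
    """Cisco IOS blackhole route: traffic toward the C2 server is silently dropped."""
    ip = check_external_target(c2_ip)
    if ip.version == 4:
        return f"ip route {ip} 255.255.255.255 Null0"
    return f"ipv6 route {ip}/128 Null0"


def edge_acl(c2_ip, acl_number=110):
    """IOS extended ACL blocking both directions; 'log' keeps hits for the IR timeline."""
    ip = check_external_target(c2_ip)
    if ip.version != 4:
        raise ValueError("numbered extended ACLs are IPv4 only")
    return [
        f"access-list {acl_number} deny ip host {ip} any log",
        f"access-list {acl_number} deny ip any host {ip} log",
        f"access-list {acl_number} permit ip any any",
    ]


def quarantine_port(interface, quarantine_vlan=999, shut=False):
    """Move the compromised host's access port into a quarantine VLAN (host stays powered,
    RAM intact, reachable only from the forensic VLAN) or shut the port outright."""
    if not re.fullmatch(r"[A-Za-z]+\d+(/\d+)*", interface):
        raise ValueError(f"unexpected interface name: {interface!r}")
    lines = [f"interface {interface}"]
    if shut:
        lines.append(" shutdown")
    else:
        lines += [" switchport mode access", f" switchport access vlan {quarantine_vlan}"]
    return lines


def dns_sinkhole(domain, sinkhole_ip):
    """Unbound local-zone entries redirecting a malicious domain and its subdomains.
    The sinkhole must be an address we control, or the redirect just moves the
    callback traffic to a stranger instead of our collector."""
    name = domain.strip().rstrip(".").lower()
    if not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", name):
        raise ValueError(f"not a valid domain name: {domain!r}")
    ip = ipaddress.ip_address(sinkhole_ip)
    if not is_internal(ip):
        raise ValueError(f"sinkhole {ip} is not inside our address space")
    rtype = "A" if ip.version == 4 else "AAAA"
    return [f'local-zone: "{name}." redirect', f'local-data: "{name}. {rtype} {ip}"']


if __name__ == "__main__":
    # Constructed incident: internal host on Gi1/0/12 beaconing to 203.0.113.5 / evil.example
    for line in quarantine_port("GigabitEthernet1/0/12"):
        print(line)
    print(null_route("203.0.113.5"))
    print("\n".join(edge_acl("203.0.113.5")))
    print("\n".join(dns_sinkhole("evil.example", "10.0.0.250")))
```

Note the split the checks enforce: the internal victim is contained on the switch (quarantine VLAN or port shutdown), the external C2 is blocked at the edge (null route, ACL, sinkhole). Trying to null-route an internal address is refused rather than applied.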
Evidence preservation: do not power off systems before capturing volatile evidence. Do not run AV scans or clean-up tools immediately: they modify file timestamps, quarantine or delete samples, and may destroy evidence. Capture network traffic from a SPAN (mirror) port, copy log files to write-protected media and hash the copies, photograph the screen, and record running processes and network connections. Follow chain of custody procedures: document who collected each item, when, how, and every hand-off afterwards.
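The order-of-volatility and evidence-preservation rules above fit together as one collection procedure: decide the acquisition order from volatility, hash each copy the moment it is taken, and keep a chain-of-custody record that every later hand-off is appended to. The following added example (not from the original page) implements that procedure in Python; the artifact names, the collector identity and the byte strings standing in for a RAM image, pcap and disk image are constructed for the example.

```python
import hashlib
import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone

# Order of volatility (RFC 3227): lower number = more volatile = acquire first.
VOLATILITY_ORDER = {
    "registers_cache": 0,
    "memory": 1,           # RAM image, process list, open connections, ARP/route tables
    "network_traffic": 2,  # live capture from a SPAN/mirror port
    "disk": 3,             # disk image, local log files
    "remote_logs": 4,      # syslog/SIEM copies already off the compromised host
}


@dataclass
class Artifact:
    name: str
    tier: str
    data: bytes  # the acquired copy; a constructed byte string stands in for a dump here


@dataclass
class CustodyRecord:
    artifact: str
    tier: str
    sha256: str
    size: int
    collected_by: str
    collected_at: str
    transfers: list = field(default_factory=list)


def plan_collection(artifacts):
    """Sort artifacts most-volatile-first; refuse unknown tiers so nothing silently
    drops to the end of the queue and is lost when the host is powered down."""
    unknown = [a.name for a in artifacts if a.tier not in VOLATILITY_ORDER]
    if unknown:
        raise ValueError(f"unknown volatility tier for: {unknown}")
    return sorted(artifacts, key=lambda a: VOLATILITY_ORDER[a.tier])


def _timestamp(now):
    return (now or datetime.now(timezone.utc)).isoformat()


def acquire(artifact, collector, now=None):
    """Hash the copy at the moment of acquisition and open its chain-of-custody record."""
    digest = hashlib.sha256(artifact.data).hexdigest()
    return CustodyRecord(artifact.name, artifact.tier, digest, len(artifact.data),
                         collector, _timestamp(now))


def transfer(record, from_person, to_person, now=None):
    """Every hand-off is appended, never overwritten, so the record is a full history."""
    record.transfers.append({"from": from_person, "to": to_person, "at": _timestamp(now)})
    return record


def verify(record, data):
    """True only if the copy still matches the size and SHA-256 taken at acquisition."""
    return len(data) == record.size and hashlib.sha256(data).hexdigest() == record.sha256


# Constructed sample evidence, deliberately listed in the wrong order.
SAMPLE_ARTIFACTS = [
    Artifact("srv01-disk.img", "disk", b"\x00" * 64),
    Artifact("siem-export.json", "remote_logs", b'{"events": []}'),
    Artifact("srv01-ram.lime", "memory", b"RAM-IMAGE-PLACEHOLDER"),
    Artifact("span-capture.pcap", "network_traffic", b"\xd4\xc3\xb2\xa1pcap"),
]


def collect_all(artifacts, collector, now=None):
    """Acquire in volatility order and return the custody records in that order."""
    return [acquire(a, collector, now) for a in plan_collection(artifacts)]


if __name__ == "__main__":
    records = collect_all(SAMPLE_ARTIFACTS, "j.doe (network admin)")
    transfer(records[0], "j.doe (network admin)", "forensics lab")
    print(json.dumps([asdict(r) for r in records], indent=2))
```

The RAM image comes out first and the SIEM export last regardless of how the artifacts were listed, and a single flipped byte in any copy makes verify() return False, which is the property a court or an internal review will ask you to demonstrate.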
Common misconception: the first action in incident response is always to power off the affected system.
Why it is wrong: powering off destroys volatile evidence (RAM contents, running processes, open network connections). The first action is containment that preserves evidence: isolate the system from the network (quarantine VLAN, port shutdown) without powering it off, then capture RAM and the running state before any further changes are made.
These questions are representative of what you will see on Network+ exams. The correct answer and explanation are shown immediately below each question.
A network administrator discovers a compromised server actively spreading malware to other systems. What is the first response action?
Correct answer: isolate the server from the network (quarantine VLAN or port shutdown). Explanation: Isolation (containment) stops the spread while preserving the system for forensic analysis. Moving the server to a quarantine VLAN or disabling its switch port disconnects it from other systems without destroying volatile evidence. Powering off destroys RAM evidence and may complicate analysis. Running AV may modify evidence and miss sophisticated malware. Restoring from backup skips containment and investigation, so the original entry point is never found and the attacker can simply return.
A CIRT (Computer Incident Response Team), also called a CSIRT (Computer Security Incident Response Team), is the dedicated group responsible for managing security incidents. It typically includes security analysts, network engineers, system administrators, legal counsel, and communications/PR staff. The CIRT follows the incident response plan, coordinates investigation and containment, communicates with stakeholders, and conducts post-incident analysis.