Lesson 05intermediateKnowledge

Incident Response

When something goes wrong β€” and it will β€” what do you do?

Overview

Incident response is tested heavily on Security+. You need to know the phases, understand forensic principles, and be able to reason through real scenarios under pressure. Answer the five questions below. Several of them present scenarios β€” walk through your reasoning, not just the textbook answer.

Read before you answer

Incident response (IR) is the structured process an organisation follows when a security event occurs. Security+ maps IR to a defined lifecycle: Preparation (building the capability before incidents happen β€” policies, playbooks, tools, trained teams); Identification (detecting and confirming that an incident has occurred and scoping its extent); Containment (limiting the damage β€” isolating affected systems, blocking attacker access, preserving evidence); Eradication (removing the threat β€” eliminating malware, closing vulnerabilities, disabling compromised accounts); Recovery (restoring systems to normal operation and verifying they are clean); and Lessons Learned (post-incident review to identify what can be improved in detection, response, and prevention). This lifecycle is sometimes abbreviated as PICERL.

The distinction between an event and an incident matters: a security event is any observable occurrence in a system (a login, a failed authentication, a network connection); a security incident is an event or series of events that has or threatens to have a significant adverse impact on the organisation. Not every alert is an incident, and triage β€” the process of classifying and prioritising alerts β€” is a core IR skill. Digital forensics is the discipline of collecting, preserving, and analysing digital evidence in a way that maintains its integrity and admissibility. Chain of custody documentation tracks who has handled evidence and when; order of volatility dictates that the most transient evidence (RAM, running processes, network connections) must be captured before less volatile evidence (disk images, logs).

Business Continuity (BC) and Disaster Recovery (DR) are closely related to IR but focus on maintaining and restoring operations rather than the security investigation itself. Key metrics include: RPO (Recovery Point Objective β€” the maximum acceptable data loss, measured in time), and RTO (Recovery Time Objective β€” how quickly systems must be restored). Tabletop exercises test IR plans without deploying real resources; simulations and red team exercises provide more realistic testing. A mature IR capability also includes threat hunting β€” proactively searching for attackers who have not yet triggered automated detection β€” and threat intelligence, which provides context about adversary tools, techniques, and targets to improve detection and prioritisation.