By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
Incident response (IR) is a structured approach to detecting, containing, eradicating, and recovering from cybersecurity incidents. Organizations use it to minimize damage, restore operations, and prevent future attacks.
Cyberattacks cost businesses $4.45 million per breach (IBM 2023). Without IR, incidents escalate into data breaches, financial losses, and reputational damage. Effective IR reduces downtime, legal liability, and customer churn.
A cyclical process with six phases: - Preparation – Build policies, tools, and teams before an incident occurs.- Identification – Detect and confirm an incident (e.g., malware, unauthorized access).- Containment – Isolate affected systems to prevent spread (short-term vs. long-term).- Eradication – Remove the root cause (e.g., delete malware, patch vulnerabilities).- Recovery – Restore systems safely (e.g., clean backups, monitored re-entry).- Lessons Learned – Document findings and improve future response.
Classify incidents to prioritize response: | Level | Impact | Example | |-----------|--------------------------|---------------------------------| | Low | Minimal disruption | Phishing email (no breach) | | Medium| Limited data exposure | Ransomware on a non-critical server | | High | Significant data loss | Database breach with PII leak | | Critical | Business-critical impact | Full network compromise, ransomware on all systems |
Predefined response procedures for common incidents (e.g., ransomware, DDoS, insider threats). Example:
Ransomware Playbook: 1. Isolate infected systems (disconnect from network).2. Identify patient zero (initial infection vector).3. Check backups (ensure they’re clean and offline).4. Engage law enforcement if required.5. Restore from backups (do not pay ransom).
Simple Diagram (Text-Based):
[Detection] → [Triage] → [Containment] → [Investigation] → [Remediation] → [Recovery] → [Review]
Goal: Contain and recover from a ransomware attack in a test environment.
C:\Important\
tasklist
cmd tasklist | findstr "ransom"
cmd taskkill /PID <PID> /F
Expected Outcome:- Ransomware contained and eradicated.- Files restored from backup.- Playbook updated with improvements.
What is the first step in the incident response lifecycle?A) Containment B) Identification C) Preparation D) Eradication
Correct Answer: C) Preparation Explanation: Preparation (e.g., building playbooks, training teams) happens before an incident occurs. Without it, response is chaotic.Why the Distractors Are Tempting:- A) Containment is often the first action taken, but not the first phase.- B) Identification is the second phase, after preparation.- D) Eradication comes later, after containment.
A SOC analyst detects ransomware encrypting files on a server. What is the most critical immediate action?A) Notify the CEO B) Isolate the server from the network C) Restore from backups D) Run an antivirus scan
Correct Answer: B) Isolate the server from the network Explanation: Isolation prevents the ransomware from spreading to other systems. Other actions (e.g., backups, scans) come later.Why the Distractors Are Tempting:- A) Notification is important but not the most critical immediate step.- C) Restoring from backups is useless if the ransomware is still active.- D) Scans may not stop the encryption in progress.
Which tool is best suited for preserving forensic evidence during an incident?A) Splunk (SIEM) B) Velociraptor (EDR) C) TheHive (case management) D) NIST SP 800-61 (framework)
Correct Answer: B) Velociraptor (EDR) Explanation: Velociraptor is designed for live forensics (e.g., memory dumps, disk imaging). SIEMs (Splunk) are for alerting, not evidence collection.Why the Distractors Are Tempting:- A) Splunk analyzes logs but doesn’t preserve evidence.- C) TheHive tracks incidents but doesn’t collect forensic data.- D) NIST SP 800-61 is a framework, not a tool.
Join 4M+ learners. Unlock unlimited quizzes, wrong-answer tracking, flashcards + reminders, study guides, and 1-on-1 challenges.