Professor Messer SY0-601 4.2 Incident Response Lifecycle
Diamond Model of Intrusion Analysis
A framework for analyzing cybersecurity incidents and intrusions by exploring the relationships between four core features: adversary, capability, infrastructure, and victim
MITRE ATT&CK Framework
A knowledge base maintained by the MITRE Corporation for listing and explaining specific adversary tactics, techniques, and common knowledge or procedures
IR Preparation
Communication methods; incident handling hardware/software; incident analysis resources; incident mitigation software; policies for incident handling
IR Detection & Analysis
Determine if an incident has taken place, triage it, and notify relevant stakeholders
IR Containment, Eradication, and Recovery
Limiting the scope and impact of the incident. The typical response is to "pull the plug" on the affected system, but this is not always appropriate. Once the incident is contained, the cause can then be removed and the system brought back to a secure state
NIST
National Institute of Standards and Technology
What phase of the IR lifecycle includes Continuity of Operations Planning (COOP)?
Preparation
What phase of the IR lifecycle includes Walkthrough?
Preparation
What phase of the IR lifecycle includes a communication plan?
Preparation
What phase of the IR lifecycle includes a disaster recovery plan?
Preparation
What phase of the IR lifecycle includes gathering a team to receive, review, and respond to incidents?
Preparation
What phase of the IR lifecycle includes retention policies for data, compliance, and operational needs?
Preparation
What phase of the IR lifecycle includes simulation?
Preparation
What phase of the IR lifecycle includes stakeholder management?
Preparation
What phase of the IR lifecycle is running exercises for specific scenarios and using well-defined rules of engagement?
Preparation
Incident Response Lifecycle
Preparation; Detection & Analysis; Containment, Eradication, & Recovery; Post-Incident Activity
IR Post-Incident Activity
The process of reviewing an incident to identify areas for improvement during incident handling
Incident Response Team
The team that manages and executes the IR plan by detecting, evaluating, and responding to incidents.