04 Incident Response Flashcards
(15 cards)
What is Incident Response?
The process by which a Cyber Incident Response Team (CIRT) handles security breaches, malware, and other critical cyber incidents, coordinating technical, HR, PR, legal, and recovery efforts.
What does CIRT stand for and who’s on it?
Cyber Incident Response Team—includes technical experts plus HR, PR, legal, and disaster-recovery professionals.
Why must defenders always be vigilant?
Because attackers only need to succeed once, whereas defenders must prevent every attack.
Why is preparedness key in incident response?
Because cyber incidents are a matter of when, not if; a prepared team (plan, roles, tools, training) detects and contains them faster and with less damage.
Define a “Security Breach” threat type.
An incident caused by weak security measures or limited coverage, allowing unauthorized access.
Define a “Cyber Attack” threat type.
Exploitation of systems/devices via networks to compromise confidentiality, integrity, availability, or authenticity.
Why are “Untested Applications” a threat?
They may contain unknown bugs or misconfigurations that attackers can exploit.
Why are “Old Version Systems” targeted?
Because they often lack the latest patches, making known exploits effective.
What’s an “Exploitable Vulnerability”?
A weakness in security controls that an attacker can leverage to gain unauthorized access.
What is the first phase of the Incident Response workflow?
Preparation—create policies, define CIRT, develop response plan, set access controls, prepare tools, and conduct training/checklists.
What happens during the Identification phase?
Detect and confirm incidents via logs, firewalls, IDS/IPS; determine scope, impact, origin, and affected systems.
What are the three sub-steps of Containment?
Short-term containment (isolate affected systems from the network), forensic snapshots/backups of affected systems to preserve evidence before anything is changed, and long-term containment (remove backdoors and rogue accounts, patch) so the attacker cannot re-enter while eradication and recovery proceed.
What is Eradication in the workflow?
Fully removing threats—often via reimaging systems and patching—then rescanning to confirm elimination.
What is the goal of the Recovery phase?
Safely restore systems to operation and monitor/test to ensure integrity and normal function.
What is involved in the Lessons Learned phase?
Conducting a postmortem, root-cause analysis, updating documentation, and adjusting training and procedures.
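The Identification and Containment cards above describe detection, scoping, and the first containment actions in words. The following is an added example, not part of the original flashcards, showing what that looks like as code: it triages constructed sshd-style auth log lines (not real data), flags a brute-force login (a password success preceded by three or more failures from the same source within five minutes, both thresholds assumed here), expands the incident scope when a compromised account then logs in from a compromised host (using a hypothetical IP-to-host asset map), and turns the resulting scope into a short-term containment plan. Nothing is executed against real systems; the plan is returned as a list for a responder to act on.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample auth log (sshd-style); the hosts, IPs and users are made up.
SAMPLE_LOG = """\
2024-03-01T02:10:01 web01 sshd[411]: Failed password for root from 198.51.100.7 port 50122 ssh2
2024-03-01T02:10:03 web01 sshd[411]: Failed password for root from 198.51.100.7 port 50123 ssh2
2024-03-01T02:10:05 web01 sshd[411]: Failed password for admin from 198.51.100.7 port 50124 ssh2
2024-03-01T02:10:06 web01 sshd[411]: Failed password for admin from 198.51.100.7 port 50125 ssh2
2024-03-01T02:10:08 web01 sshd[411]: Failed password for admin from 198.51.100.7 port 50126 ssh2
2024-03-01T02:10:09 web01 sshd[412]: Accepted password for admin from 198.51.100.7 port 50127 ssh2
2024-03-01T02:31:44 db01 sshd[900]: Accepted publickey for admin from 10.0.0.11 port 40010 ssh2
2024-03-01T08:00:00 web02 sshd[212]: Accepted publickey for deploy from 10.0.0.5 port 41000 ssh2
2024-03-01T08:00:10 web02 sshd[213]: Failed password for deploy from 10.0.0.5 port 41001 ssh2
2024-03-01T08:00:12 web02 sshd[213]: Accepted password for deploy from 10.0.0.5 port 41002 ssh2
"""

# Hypothetical asset inventory: internal IP -> hostname (assumption for this example).
ASSET_MAP = {"10.0.0.11": "web01", "10.0.0.5": "ops-bastion"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
FAIL_THRESHOLD = 3              # assumed: failures before a success that count as brute force
FAIL_WINDOW = timedelta(minutes=5)  # assumed: window in which those failures must occur


@dataclass
class Event:
    ts: datetime
    host: str
    result: str
    method: str
    user: str
    ip: str


@dataclass
class Incident:
    """Scope of the incident as determined during Identification."""
    affected_hosts: set = field(default_factory=set)
    compromised_accounts: set = field(default_factory=set)
    origin_ips: set = field(default_factory=set)
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None
    timeline: list = field(default_factory=list)  # (ts, host, user, ip, reason)


def parse(log_text):
    """Parse auth log lines into Events, skipping lines that are not logins."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Event(datetime.fromisoformat(m["ts"]), m["host"],
                                m["result"], m["method"], m["user"], m["ip"]))
    return sorted(events, key=lambda e: e.ts)


def triage(log_text, asset_map):
    """Detect brute-force logins and expand scope through lateral movement."""
    inc = Incident()
    recent_failures = {}  # (host, source ip) -> timestamps of failures in the window

    def record(ev, reason, start):
        inc.affected_hosts.add(ev.host)
        inc.compromised_accounts.add(ev.user)
        inc.timeline.append((ev.ts, ev.host, ev.user, ev.ip, reason))
        inc.first_seen = start if inc.first_seen is None else min(inc.first_seen, start)
        inc.last_seen = ev.ts if inc.last_seen is None else max(inc.last_seen, ev.ts)

    for ev in parse(log_text):
        key = (ev.host, ev.ip)
        fails = [t for t in recent_failures.get(key, []) if ev.ts - t <= FAIL_WINDOW]
        if ev.result == "Failed":
            recent_failures[key] = fails + [ev.ts]
            continue
        if len(fails) >= FAIL_THRESHOLD:
            # Success right after a burst of failures: treat the account as compromised.
            inc.origin_ips.add(ev.ip)
            record(ev, f"password success after {len(fails)} failures (brute force)", fails[0])
            recent_failures[key] = []
            continue
        # Scope expansion: an already-compromised account logging in from a compromised host.
        src_host = asset_map.get(ev.ip)
        if ev.user in inc.compromised_accounts and src_host in inc.affected_hosts:
            record(ev, f"lateral movement from {src_host}", ev.ts)
    return inc


def containment_plan(inc):
    """Short-term containment actions derived from the scope (returned, not executed)."""
    actions = []
    for h in sorted(inc.affected_hosts):
        actions.append(f"isolate {h} from the network; take a forensic snapshot before any change")
    for u in sorted(inc.compromised_accounts):
        actions.append(f"disable account {u}; rotate its passwords and keys")
    for ip in sorted(inc.origin_ips):
        actions.append(f"block {ip} at the perimeter firewall")
    return actions


if __name__ == "__main__":
    incident = triage(SAMPLE_LOG, ASSET_MAP)
    for entry in incident.timeline:
        print(entry)
    for action in containment_plan(incident):
        print(action)
```

Note the two deliberate edge cases in the constructed log: web02 sees one failure followed by a success, which stays below the threshold and is not flagged, and db01 never sees a failed login at all but still enters scope because the already-compromised `admin` account arrives there from web01's IP. Scope is determined from the relationships between events, not from any single alert, which is why the Identification phase feeds the asset inventory and origin information straight into the Containment plan.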