Security+ Flashcards: Incident Response, Digital Forensics, Business Continuity

Understand the processes involved in incident response and the importance of governance, risk, and compliance. This section prepares you to manage cybersecurity incidents effectively.

Nortren

What are the steps of the incident response process?

The NIST incident response process has four phases. Preparation establishes the incident response team, policies, communication plans, and tools before an incident occurs. Detection and analysis uses monitoring, logging, and alerts to identify incidents and determine their scope, impact, and severity. Containment, eradication, and recovery isolates affected systems to stop the spread, removes the threat, restores operations from clean states, and validates that systems are functioning normally.

What is the difference between containment, eradication, and recovery?

Containment stops the incident from spreading by isolating affected systems through network disconnection, account disabling, or firewall rule changes. Short-term containment acts immediately, while long-term containment maintains operations during investigation. Eradication removes the root cause by deleting malware, closing exploited vulnerabilities, rebuilding compromised systems from clean images, and resetting compromised credentials.

What is chain of custody in digital forensics?

Chain of custody is the documented chronological record of who handled evidence, when, where, and why, from the moment of collection through presentation in court or final disposition. Each transfer must be recorded with signatures, dates, and descriptions of actions taken. For digital evidence, chain of custody also includes cryptographic hashes computed at collection time and verified at each transfer to prove data integrity. A broken chain of custody may cause evidence to be ruled inadmissible in legal proceedings because its authenticity and integrity cannot be guaranteed.

What is the difference between a BCP and a DRP?

A Business Continuity Plan, or BCP, is a comprehensive strategy that ensures critical business functions continue during and after a disruption, addressing people, processes, facilities, and technology. A Disaster Recovery Plan, or DRP, is a subset of the BCP focused specifically on restoring IT systems and data after a disruption. The BCP addresses the broader business including alternate work locations, manual workarounds, and customer communications, while the DRP addresses technical recovery including backup restoration, failover procedures, and system rebuilds.

What is a business impact analysis and what does it determine?

A business impact analysis, or BIA, identifies critical business functions and quantifies the impact of their disruption over time. It determines the maximum tolerable downtime for each function, the recovery time objective setting when the function must be restored, the recovery point objective setting the maximum acceptable data loss, and the dependencies between functions including systems, personnel, and suppliers. The BIA drives all continuity planning because it establishes which functions are most critical and how quickly they must recover.

What is the difference between a tabletop exercise and a full-scale test?

A tabletop exercise is a discussion-based walkthrough where team members review the incident response or continuity plan by discussing their roles and actions in a hypothetical scenario without actually performing recovery procedures. It is low-cost, low-risk, and identifies gaps in plans and communication. A full-scale test, also called a full interruption test, actually simulates a disaster by shutting down primary systems and activating recovery procedures, validating that failover sites, backups, and procedures work in practice.

What is a playbook in incident response?

An incident response playbook is a predefined, step-by-step procedure for handling a specific type of security incident, such as ransomware, phishing compromise, data breach, or distributed denial of service attack. Each playbook outlines detection criteria, containment actions, eradication steps, recovery procedures, communication requirements, and escalation paths specific to that incident type. Playbooks reduce response time by eliminating decision paralysis during high-stress incidents and ensure consistent, thorough responses regardless of which team member is on call.