Incident Response Flashcards
The phase focused on establishing policies, tools, and procedures to prevent and handle security incidents effectively.
Example: Creating an incident response plan and training employees on security best practices.
Preparation stage
The phase where potential incidents are identified, assessed, and confirmed to determine their scope and impact.
Example: Using SIEM tools to analyze unusual login activity for signs of a breach.
Detection and analysis stage
The phase where the incident is contained to prevent further damage, the root cause is eliminated, and affected systems are restored to normal.
Example: Isolating an infected system, removing malware, and restoring data from backups.
Containment, eradication, and recovery stage
The phase focused on reviewing the incident, analyzing the response, and implementing improvements to prevent future occurrences.
Example: Conducting a post-incident review meeting to update the incident response plan.
Post-incident activity stage
A process used to document and preserve the integrity of evidence by maintaining a detailed log of its collection, transfer, analysis, and storage.
Example: Recording each handoff of a seized hard drive to ensure it can be admitted as evidence in court.
Chain of Custody
The process of identifying, preserving, analyzing, and presenting electronic data in a way that is admissible in a court of law.
Example: Recovering deleted emails from a suspect’s computer to investigate fraud.
Digital Forensics
A secure server used as an intermediary to access other servers or network devices, often used in sensitive environments to limit direct access.
Example: Using a jump server to access a database server in a restricted network without exposing the database to external connections.
Jump Server
A server used by attackers to control compromised systems and send commands, often part of a botnet or malware attack.
Example: A hacker uses a C2 server to send commands to infected devices, causing them to carry out denial-of-service attacks.
C2 Server
A server that collects, stores, and processes log messages from various network devices and servers to help monitor and troubleshoot systems.
Example: A syslog server collects data from firewalls and routers to detect potential security incidents.
Syslog Server
A server that manages and monitors industrial control systems, which are used to control physical processes like manufacturing, energy, and transportation.
Example: An ICS server monitors the operations of an electrical grid, ensuring the system remains stable and efficient.
ICS Server
Data that provides information about other data, such as its origin, format, size, or creation date, without revealing the actual content.
Metadata
A strategy and set of procedures for recovering and protecting IT infrastructure in the event of a disaster, such as hardware failure or cyberattack.
DRP (Disaster Recovery Plan)
A predefined set of procedures for detecting, responding to, and recovering from security incidents, such as data breaches or cyberattacks.
IRP (Incident Response Plan)
A plan outlining actions to be taken during an emergency (non-IT related), such as a natural disaster or health crisis, to ensure safety and minimize damage.
ERP (Emergency Response Plan)