Incident Response Flashcards
Mock Exam Revision
The following refer to the containment, eradication, and recovery stage of the incident response process (listed in the order the sub-steps are performed):
- Mitigating the impact of the incident (containment).
- Eliminating the threat (eradication).
- Restoring normal operations (recovery).
During the post-incident activity stage, this step involves analysing logs, forensic data, and other evidence to prevent the incident from recurring.
A. Reporting
B. E-discovery
C. Root cause analysis
D. Threat hunting
Root Cause Analysis (RCA)
A structured method for identifying the underlying source of a problem (rather than its symptoms). In cybersecurity, it involves tracing incidents (e.g., breaches, outages) to systemic failures (e.g., misconfigurations, flawed processes) to implement permanent solutions. Common techniques include the 5 Whys, fishbone diagrams, and fault tree analysis.
The process of identifying, collecting, and producing electronically stored information with the intent of using it in a legal proceeding or investigation is referred to as:
A. Litigation hold
B. Evidence management
C. Digital forensics
D. E-discovery
E-Discovery
The legal process of identifying, preserving, collecting, and analysing electronically stored information (ESI) for litigation, investigations, or compliance. Governed by rules like the U.S. Federal Rules of Civil Procedure (FRCP), it covers emails, documents, databases, social media, and metadata. Specialised software and forensic experts are often employed to manage vast datasets while maintaining chain-of-custody integrity.
IoC
Indicators of Compromise (IoCs)
Forensic artifacts such as IP addresses, file hashes, URLs, domain names, or behavioural patterns that suggest unauthorised or malicious activity on a system or network. Used in threat detection, incident response, and threat intelligence sharing (e.g., STIX as the data format and TAXII as the exchange protocol). Atomic indicators (IPs, hashes, domains) are cheap for an attacker to change, so they age quickly and are most useful when paired with behavioural indicators such as tools and techniques.
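As an added illustration of how IoCs are actually consumed (this is example code written for this revision page, not from any vendor tool), the script below loads a handful of single-comparison STIX-style indicator patterns into typed lookup sets and sweeps them over a few log lines. The indicators, the patterns and the log lines are all constructed; the hash is the SHA-256 of an empty file and the addresses come from the documentation ranges. Tokens are extracted with regexes and compared whole, so an indicator for 198.51.100.23 does not fire on 198.51.100.230 the way a naive substring search would.

```python
"""Match a small IoC set against log lines (constructed example)."""
import ipaddress
import re

# Constructed STIX 2.1-style indicator patterns, one comparison each.
# Real feeds carry these inside Indicator objects delivered over TAXII.
STIX_PATTERNS = [
    "[ipv4-addr:value = '198.51.100.23']",
    "[ipv4-addr:value = '192.0.2.0/24']",
    "[file:hashes.'SHA-256' = "
    "'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']",
    "[domain-name:value = 'updates.example.net']",
    "[url:value = 'http://updates.example.net/stage2.bin']",
]

# Only the simple "[path = 'value']" shape is parsed here.
PATTERN_RE = re.compile(r"^\[(?P<path>[^\s=]+)\s*=\s*'(?P<value>[^']*)'\]$")
PATH_TO_TYPE = {
    "ipv4-addr:value": "ipv4",
    "file:hashes.'SHA-256'": "sha256",
    "domain-name:value": "domain",
    "url:value": "url",
}

# Token extractors for the artifact types the flashcard lists.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)

# Constructed log lines (proxy, EDR and firewall formats are invented).
LOG_LINES = [
    "2024-03-01T10:02:11Z proxy user=alice dst=203.0.113.5 url=https://www.example.com/",
    "2024-03-01T10:03:45Z proxy user=bob dst=198.51.100.23 url=http://updates.example.net/stage2.bin",
    "2024-03-01T10:04:02Z edr host=ws-17 image=svchost.exe "
    "sha256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
    "2024-03-01T10:05:30Z fw action=allow src=10.0.0.5 dst=192.0.2.77 dport=443",
    "2024-03-01T10:06:01Z fw action=allow src=10.0.0.9 dst=198.51.100.230 dport=443",
]


def load_iocs(patterns):
    """Turn single-comparison STIX patterns into typed lookup sets.

    IPv4 values containing '/' become networks so CIDR indicators work;
    hashes and domains are lower-cased so matching is case-insensitive.
    """
    iocs = {"ipv4": set(), "cidr": [], "sha256": set(), "domain": set(), "url": set()}
    for pattern in patterns:
        m = PATTERN_RE.match(pattern)
        if not m or m["path"] not in PATH_TO_TYPE:
            continue  # unsupported pattern shape: skip rather than guess
        kind, value = PATH_TO_TYPE[m["path"]], m["value"]
        if kind == "ipv4" and "/" in value:
            iocs["cidr"].append(ipaddress.ip_network(value, strict=False))
        elif kind in ("sha256", "domain"):
            iocs[kind].add(value.lower())
        else:
            iocs[kind].add(value)
    return iocs


def scan_line(line, iocs):
    """Return sorted (ioc_type, value) pairs found in one log line."""
    hits = set()
    for ip in IPV4_RE.findall(line):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:  # e.g. 999.1.1.1 fits the regex but is not an address
            continue
        if ip in iocs["ipv4"]:
            hits.add(("ipv4", ip))
        elif any(addr in net for net in iocs["cidr"]):
            hits.add(("cidr", ip))
    for digest in SHA256_RE.findall(line):
        if digest.lower() in iocs["sha256"]:
            hits.add(("sha256", digest.lower()))
    for url in URL_RE.findall(line):
        if url in iocs["url"]:
            hits.add(("url", url))
    for name in DOMAIN_RE.findall(line):
        if name.lower() in iocs["domain"]:
            hits.add(("domain", name.lower()))
    return sorted(hits)


def scan_logs(lines, iocs):
    """Map 1-based line number -> hits, keeping only lines that matched."""
    return {n: h for n, h in ((i, scan_line(l, iocs)) for i, l in enumerate(lines, 1)) if h}


if __name__ == "__main__":
    for number, hits in scan_logs(LOG_LINES, load_iocs(STIX_PATTERNS)).items():
        print(f"line {number}: {hits}")
```

Lines 2 to 4 should match (an exact IP plus a URL and its domain, a hash supplied in upper case, and an address inside the CIDR indicator); line 5 should not, because its destination only shares a prefix with the IP indicator.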