This is the first phase of the incident response lifecycle
What is Preparation?
This type of analysis examines patterns and trends over time.
What is Trend analysis?
This ensures evidence has not been altered during handling.
What is Chain of custody?
This system aggregates logs for centralized analysis.
What is a SIEM (Security Information and Event Management)?
A tool used to detect unauthorized changes to files.
What is File integrity monitoring (FIM)?
This phase focuses on limiting damage during an attack.
What is Containment?
This type of attack involves generating excessive traffic to overwhelm a system.
What is a Denial of Service (DoS) attack?
Digital Forensics
A duplicate of data created for analysis without altering the original.
What is a Forensic image?
Logs from routers, switches, and firewalls fall under this category.
What are Network logs?
This tool captures and analyzes network traffic.
What is a Protocol analyzer (e.g., Wireshark)?
This phase removes the root cause of an incident.
What is Eradication?
The practice of identifying unusual behavior compared to a baseline.
What is Behavioral analysis?
What is Non-volatile data?
Systems that monitor endpoints for malicious activity.
What is EDR (Endpoint Detection and Response)?
This tool automates incident detection and response workflows.
What is SOAR (Security Orchestration, Automation, and Response)?
This phase ensures systems are safely restored to operation.
What is Recovery?
A technique used to analyze malware behavior in a safe environment.
What is Sandboxing?
This provides a mathematical value to verify data integrity.
What is Hashing?
Logs generated by applications such as databases and web servers.
What are Application logs?
This tool correlates data from multiple sources to identify threats.
What is a SIEM correlation engine?
The final phase where improvements are documented and implemented.
What is Post-incident activity (Lessons learned)?
An attack where an adversary maintains long-term access.
What is an Advanced Persistent Threat (APT)?
RAM analysis is critical because this type of data is quickly lost.
What is Volatile memory?
A deception technology used to lure attackers.
What is a Honeypot?
This identifies known malicious patterns using signatures.
What is an IDS/IPS (Intrusion Detection/Prevention System)?