Vocabulary flashcards covering key terms and definitions from Unit 5 Incident Response lecture notes.
Incident Response Team
Designated group responsible for preparing for, responding to, and recovering from security incidents.
Team Leader (Incident Response)
Ensures all team members understand their roles during a security incident.
Technical Specialist
Provides the technical expertise to assess and determine the scale of a security incident.
Documentation Specialist
Records and maintains all details of the incident response process.
Legal Advisor
Interprets laws and regulations relevant to computer forensics and incident response for the organization.
Incident Response Plan
Formal document that defines team roles, responsibilities, procedures, and reporting requirements for handling incidents.
Incident Categories
Standard classifications used to label types of security events or incidents (Cat 0–Cat 9).
Roles and Responsibilities
Section of the incident response plan that assigns duties to each team member.
Reporting Requirements/Escalation
Guidelines detailing how and when users must report potential security incidents and to whom they escalate issues.
Exercise Planning
Scheduled simulations used to test the effectiveness of the incident response plan and team readiness.
User Roles
Expectations and duties of end-users regarding detection, reporting, and mitigation of security incidents.
Event
Any observable occurrence in a system or network.
Incident
An assessed event that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system.
Category 0 – Training/Exercise
Activities related to training events or exercises that simulate incidents.
Category 1 – Root-Level Intrusion
Unauthorized access to administrator or root functions of a system.
Category 2 – User-Level Intrusion
Unauthorized access gained at a non-administrator (user) level.
Category 3 – Unsuccessful Activity Attempt
Failed attempt at unauthorized access or malicious activity.
Category 4 – Denial of Service
Activity that prevents or impairs normal system or network functionality.
Category 5 – Non-Compliance Activity
Authorized user actions that violate Air Force or organizational policy.
Category 6 – Reconnaissance
Activity that gathers information about a network or system (e.g., scanning).
Category 7 – Malicious Logic
Installation or execution of software such as viruses, worms, or Trojan horses.
Category 8 – Investigating
Events currently under review to determine if they constitute an incident.
Category 9 – Explained Anomaly
Events identified as false alarms or benign activities after analysis.
First Responder (Cyber)
Person who initially reacts to an incident with the primary goal of containment.
Containment
Immediate actions taken to limit the scope and impact of an incident (e.g., isolating an infected host).
Six Phases of Incident Response
Detection & Reporting; Preliminary Analysis & Identification; Preliminary Response Actions; Incident Analysis; Response & Recovery; Post-Incident Analysis.
Detection and Reporting
Phase in which potential incidents are discovered and communicated to responders.
Preliminary Analysis and Identification
Initial review to confirm the incident type and severity.
Preliminary Response Actions
Steps taken to contain a potential threat and prevent further contamination.
Incident Analysis (Phase)
Detailed examination to determine what happened and identify the root cause.
Response and Recovery
Efforts to eradicate threats, restore services, and implement preventive measures.
Post-Incident Analysis
Formal review capturing lessons learned and improvement actions after recovery.
Plan of Action & Milestones (POA&M)
Document developed by the Comm Focal Point outlining tasks, timelines, and responsibilities for restoration and prevention.
Root Cause Analysis
Series of analytical steps used to identify the fundamental reason an incident occurred.
Gather Information (RCA Step)
Collect all relevant data, logs, and details about the incident for analysis.
Validate the Incident
Continuous review to confirm accuracy of information and that an incident truly occurred.
Determine the Operational Impact
Assess how the incident affects missions and coordinate with AF-DAMO or other bodies for impact analysis.
Coordinate (RCA Step)
Engage appropriate organizations and stakeholders during the analysis process.
Determine Reporting Requirements
Identify mandatory reports and notifications based on incident type and scope.
Cyber Incident Report
Detailed document outlining affected systems, probable attacker, attack vector, and technical/operational impacts.
Network Intelligence Report
Report focusing on incidents or activities linked to foreign threats or potential threats to DoD networks.
Postmortem (Incident Response)
Review capturing lessons learned, root causes, execution issues, policy gaps, and defense inadequacies after an incident.