Vocabulary flashcards covering key incident response concepts and frameworks from the lecture notes.
Incident response
A structured, policy-driven set of activities to detect, contain, eradicate, and recover from security incidents.
Incident response life cycle
A six-phase cycle used to manage incidents: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.
Preparation
Hardening systems, writing policies, establishing secure communications, and creating incident response resources and procedures.
Identification
Determining whether an incident has occurred, assessing severity (triage), and notifying stakeholders.
Containment
Limiting the scope and magnitude of an incident to protect data and minimize impact.
Eradication
Removing the root cause and restoring the system to a secure state, applying patches and secure configurations.
Recovery
Reintegrating the system into business operations after eradication, including data restoration and monitoring for reoccurrence.
Lessons learned
Post-incident analysis and documentation to improve policies, procedures, and controls.
NIST SP 800-61r2
NIST's Computer Security Incident Handling Guide, which defines a four-phase handling process (Preparation; Detection and Analysis; Containment, Eradication, and Recovery; Post-Incident Activity) that the six-phase cycle above expands into separate steps.
Cyber Incident Response Team (CIRT)
A cross-functional team responsible for responding to security incidents; may be called CSIRT or CERT.
Security Operations Center (SOC)
A central unit that monitors, detects, and responds to security events and incidents.
Incident Response Plan (IRP)
A documented plan listing procedures, contacts, resources, and communication rules for responders.
Playbook
A data-driven standard operating procedure for detecting and responding to specific threat scenarios.
Runbook
An automated version of a playbook, with defined interaction points at which a human analyst must review or approve before the workflow continues.
Cyber Kill Chain
A framework describing the stages an attacker goes through to complete an intrusion.
Cyber Kill Chain stages
Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objectives.
MITRE ATT&CK
A publicly available framework cataloging attacker tactics, techniques, and procedures (TTPs).
Diamond Model of Intrusion Analysis
A framework analyzing intrusions via Adversary, Capability, Infrastructure, and Victim.
SIEM
Security Information and Event Management; centralizes logging, normalizes data, and supports incident detection.
SIEM correlation rule
A logical rule that combines indicators to trigger alerts when specific conditions are met.
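As an added example (not from the lecture notes or any SIEM product), the following toy correlation rule runs over constructed log lines and fires when a source IP racks up a threshold of failed logons for one account inside a time window and then succeeds. The log format, field names, threshold and window are assumptions chosen for illustration.

```python
"""Toy SIEM correlation rule: brute force followed by a successful logon.

Added example, not from the page or any SIEM product. The log format,
FAIL_THRESHOLD and WINDOW are assumptions made for this illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): "<ISO timestamp> <outcome> user=<u> src=<ip>"
SAMPLE_LOGS = [
    "2024-03-01T10:00:01Z auth_failure user=alice src=203.0.113.7",
    "2024-03-01T10:00:03Z auth_failure user=alice src=203.0.113.7",
    "2024-03-01T10:00:04Z auth_failure user=alice src=203.0.113.7",
    "2024-03-01T10:00:05Z auth_failure user=alice src=203.0.113.7",
    "2024-03-01T10:00:06Z auth_failure user=alice src=203.0.113.7",
    "2024-03-01T10:00:09Z auth_success user=alice src=203.0.113.7",
    "2024-03-01T10:05:00Z auth_failure user=bob src=198.51.100.2",
    "2024-03-01T10:20:00Z auth_success user=bob src=198.51.100.2",
    "2024-03-01T11:00:00Z auth_success user=carol src=192.0.2.10",
]

FAIL_THRESHOLD = 5            # assumed: failures needed before a success is suspicious
WINDOW = timedelta(minutes=2)  # assumed: failures older than this no longer count


def parse(line):
    """Split one constructed log line into a dict of typed fields."""
    ts, outcome, user_kv, src_kv = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "outcome": outcome,
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def correlate(lines, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one alert per (src, user) pair whose success follows >= threshold
    failures inside the window. Events must arrive in time order."""
    failures = defaultdict(deque)  # (src, user) -> timestamps of recent failures
    alerts = []
    for ev in map(parse, lines):
        key = (ev["src"], ev["user"])
        recent = failures[key]
        # Expire failures that fell out of the sliding window.
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()
        if ev["outcome"] == "auth_failure":
            recent.append(ev["ts"])
        elif ev["outcome"] == "auth_success":
            if len(recent) >= threshold:
                alerts.append({
                    "rule": "brute_force_then_success",
                    "src": ev["src"],
                    "user": ev["user"],
                    "failures": len(recent),
                    "first_failure": recent[0].isoformat(),
                    "success": ev["ts"].isoformat(),
                })
            # A success ends the sequence for this pair whether or not it alerted.
            recent.clear()
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

Requiring the success makes the rule high fidelity (alice fires, bob's lone failure and carol's clean logon do not), but it also means an unsuccessful brute-force run never alerts; in practice this rule is paired with a lower-severity failures-only threshold rule.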
First responder
The first trained person notified of or arriving at an incident; they take charge of the initial response and preserve evidence until the CIRT assumes control.
Data sources for incident response
Log files, IDS/firewall alerts, monitoring data, user reports, and other evidence sources used to identify incidents.
Retention policy
Policy specifying how long logs and evidence are kept for investigations and threat hunting.
Isolation-based containment
Isolating or removing an affected component from production networks to stop spread; preferred over powering the system off, which destroys volatile evidence such as memory contents.
Segmentation-based containment
Using network segmentation (VLANs, subnets, ACLs) to isolate hosts and control traffic.
SOAR
Security Orchestration, Automation, and Response; automates and coordinates incident response workflows.
UEBA
User and Entity Behavior Analytics; builds statistical or machine-learning baselines of normal activity for users, hosts, and service accounts and flags deviations that signature-based rules would miss.
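The following added example (not from the lecture notes or any UEBA product) shows the baselining idea in its simplest form: learn how many distinct hosts each account normally touches per day, then flag a day that exceeds the mean by several standard deviations. The telemetry, the K multiplier and the MIN_SPREAD floor are all constructed assumptions; real products use far richer features and models.

```python
"""Minimal behavioural baseline in the spirit of UEBA.

Added example, not from the page or any vendor. Telemetry is constructed;
K and MIN_SPREAD are assumed tuning values, not recommendations.
"""
from collections import defaultdict
from statistics import mean, pstdev

K = 3.0           # assumed: standard deviations above the mean before alerting
MIN_SPREAD = 1.0  # assumed: floor so a perfectly regular account isn't flagged by +1 host

# Constructed training telemetry (not real data): (day, user, host)
TRAINING = [
    ("d1", "alice", "fs01"), ("d1", "alice", "mail"),
    ("d2", "alice", "fs01"), ("d2", "alice", "mail"), ("d2", "alice", "wiki"),
    ("d3", "alice", "fs01"), ("d3", "alice", "mail"),
    ("d4", "alice", "fs01"), ("d4", "alice", "wiki"),
    ("d5", "alice", "fs01"), ("d5", "alice", "mail"), ("d5", "alice", "wiki"),
    ("d1", "svc-backup", "fs01"), ("d1", "svc-backup", "fs02"), ("d1", "svc-backup", "db01"),
    ("d2", "svc-backup", "fs01"), ("d2", "svc-backup", "fs02"), ("d2", "svc-backup", "db01"),
    ("d3", "svc-backup", "fs01"), ("d3", "svc-backup", "fs02"), ("d3", "svc-backup", "db01"),
]

# Constructed "today": alice fans out to many hosts she never used; svc-backup is unchanged.
TODAY = [("d6", "alice", h) for h in
         ("fs01", "mail", "wiki", "ws-017", "ws-042", "ws-101", "dc01", "db01", "hr-share")]
TODAY += [("d6", "svc-backup", h) for h in ("fs01", "fs02", "db01")]


def distinct_hosts_per_day(events):
    """-> {user: {day: set(hosts)}}"""
    seen = defaultdict(lambda: defaultdict(set))
    for day, user, host in events:
        seen[user][day].add(host)
    return seen


def build_baseline(events):
    """-> {user: (mean, population stdev)} of distinct hosts per day."""
    baseline = {}
    for user, days in distinct_hosts_per_day(events).items():
        counts = [len(hosts) for hosts in days.values()]
        baseline[user] = (mean(counts), pstdev(counts))
    return baseline


def score(events, baseline, k=K, min_spread=MIN_SPREAD):
    """Return anomalies for days whose host count exceeds mean + k * spread.

    Accounts with no baseline are reported as 'no_baseline' rather than
    silently skipped, since a brand-new account acting busily is itself a signal.
    """
    anomalies = []
    for user, days in distinct_hosts_per_day(events).items():
        for day, hosts in days.items():
            observed = len(hosts)
            if user not in baseline:
                anomalies.append({"user": user, "day": day, "observed": observed,
                                  "reason": "no_baseline"})
                continue
            mu, sigma = baseline[user]
            threshold = mu + k * max(sigma, min_spread)
            if observed > threshold:
                anomalies.append({"user": user, "day": day, "observed": observed,
                                  "threshold": round(threshold, 2),
                                  "reason": "above_baseline"})
    return anomalies


if __name__ == "__main__":
    for anomaly in score(TODAY, build_baseline(TRAINING)):
        print(anomaly)
```

With these numbers alice's baseline is 2.4 hosts per day, so nine hosts on d6 is flagged, while svc-backup's steady three hosts is not. The MIN_SPREAD floor matters: svc-backup has zero variance, and without the floor a single extra host would trip the rule, which is the kind of false positive that makes analysts distrust behavioural alerts.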
Out-of-band communications
Secure channels separate from the normal corporate network and systems (for example, phone calls or encrypted messaging on separate devices), used so that an attacker who has compromised that network cannot read or disrupt responder communications.