⚡ What is Incident Response?
Incident response (IR) is the structured process an organisation follows when a security incident occurs — from the moment a threat is detected through containment, eradication, recovery, and a post-incident review. The goal is to minimise damage, reduce recovery time, and prevent recurrence. CompTIA Security+ tests the six-phase IR process extensively — you must know what happens at each phase and in what order.

The 6 Phases of Incident Response — PICERL

PICERL is the SANS six-phase model; it maps onto the four phases of NIST SP 800-61 (Preparation; Detection and Analysis; Containment, Eradication and Recovery; Post-Incident Activity). The current SY0-701 objectives list Identification as two steps, Detection and Analysis, but the order and content are the same. Memorise the acronym and what each phase involves: the exam will give you a scenario and ask which phase is being performed.

1. Preparation (P)
Everything done before an incident occurs: building the capability to respond effectively. This is the most important phase, because an organisation that hasn't prepared will be reactive and disorganised when an incident hits.
Key actions: Develop and document the IR plan, form the incident response team (IRT), define roles and responsibilities, establish communication procedures, deploy detection tools (SIEM, IDS/IPS), conduct tabletop exercises, create and maintain an asset inventory, establish relationships with law enforcement and legal counsel, set up a secure out-of-band communication channel for use during incidents.

2. Identification (I)
Detecting that an incident has occurred and determining its scope. Not every alert is an incident; this phase distinguishes real incidents from false positives and establishes the nature and extent of the compromise.
Key actions: Monitor logs and SIEM alerts, identify indicators of compromise (IoCs), determine the scope and affected systems, classify the incident by severity, assign an incident ID and begin documentation, notify the incident response team and management. First responder priority: preserve evidence before taking any remediation action.

3. Containment (C)
Stopping the spread of the incident: limiting damage without yet removing the threat. Containment comes before eradication because you must stop the bleeding before you can treat the wound.
Short-term containment: Isolate affected systems (network segmentation, disconnect from the network), block malicious IPs/domains at the firewall, disable compromised accounts, preserve memory and disk images for forensics before making changes. Long-term containment: Apply temporary patches, rebuild systems in preparation for return to production, implement additional monitoring on the remaining systems.

4. Eradication (E)
Removing the threat completely: malware, attacker persistence mechanisms, compromised accounts, and any backdoors the attacker may have installed. Eradication must be thorough; partial removal leads to re-infection.
Key actions: Remove malware from all affected systems, close the vulnerability that was exploited (patch, configuration fix), delete or rebuild compromised accounts, scan for additional compromised systems, verify that all persistence mechanisms (scheduled tasks, startup entries, registry keys, cron jobs) have been removed.

5. Recovery (R)
Restoring affected systems to normal operation, carefully and with validation. Return systems to production only after confirming they are clean and the vulnerability is patched.
Key actions: Restore systems from clean backups (taken before the compromise), apply all patches and security hardening, reset all affected credentials, validate system integrity before reconnecting to the network, monitor closely for signs of re-infection during the post-recovery period, confirm with business owners that systems are functioning correctly.

6. Lessons Learned (L)
A post-incident review conducted after the incident is fully resolved: documenting what happened, what was done well, what failed, and what needs to change. This phase feeds back into Preparation to strengthen future response.
Key actions: Conduct a post-incident review meeting with all stakeholders, document a complete timeline of the incident, identify the root cause, document which controls failed and why, update the IR plan based on findings, recommend and implement control improvements, file required regulatory reports if applicable, update threat intelligence with new IoCs.
⚡ PICERL exam tips

Memorise the order: Preparation → Identification → Containment → Eradication → Recovery → Lessons Learned. The exam gives scenarios like "After removing malware, the team verifies the system is clean and reconnects it to the network" — that's Recovery, not Eradication.

Containment before Eradication is the most common wrong-order trap. You contain first (stop the spread), then eradicate (remove the threat). Jumping to eradication while the attacker still has active access can alert them and cause them to destroy evidence or cause more damage.

Evidence preservation is the first-responder priority in Identification. If the exam asks "What should the first responder do first?", the answer is almost always to preserve the most volatile evidence (memory dump first, then disk image) before taking any action that might alter it.

Indicators of Compromise (IoCs)

IoCs are evidence that a system or network has been compromised. Recognising them is an Identification-phase skill and is tested as such:

IoC Type | Examples | What It Suggests
--- | --- | ---
Network IoCs | Unusual outbound traffic, connections to known malicious IPs, DNS queries to suspicious domains, traffic on unusual ports, large data transfers at off-hours, repeated connections to the same destination at fixed intervals | Command-and-control (C2) communication, data exfiltration, beaconing malware
Host IoCs | Unexpected processes running, new scheduled tasks or startup entries, modified system files, disabled security tools, new user accounts created, privilege escalation events | Malware persistence, attacker maintaining a foothold, lateral movement
Account IoCs | Logins at unusual times or from unusual locations, a burst of failed logins followed by a success, accounts accessing resources they never have before, new admin accounts | Credential compromise, brute-force attack, insider threat
Log IoCs | Gaps in log data (logs cleared or deleted; Windows Event ID 1102, audit log cleared), bursts of repeated events, Event ID 4624 (successful logon) from an unusual source, Event ID 4720 (user account created) | Attacker covering tracks, automated attack tools running
File IoCs | Unknown executables, files with double extensions (.pdf.exe), files in unusual locations (%temp%, AppData), recently modified system binaries, files whose timestamps have been altered (timestomping) | Malware dropped on the system, trojanised applications
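As an added example (not from the original page), the following Python turns three rows of the table into detection logic and runs it over a constructed Windows Security log and a constructed firewall connection log. All accounts, hostnames and IP addresses are made up; the thresholds (five failures within sixty seconds, five connections with under 5% interval jitter) are assumptions you would tune for your own environment.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed Windows Security log, not real data: (timestamp, event ID, account, source IP).
# 4625 = failed logon, 4624 = successful logon, 4720 = user account created,
# 1102 = security audit log cleared.
WIN_EVENTS = [
    ("2024-05-01 03:01:00", 4625, "jsmith", "203.0.113.7"),
    ("2024-05-01 03:01:02", 4625, "jsmith", "203.0.113.7"),
    ("2024-05-01 03:01:04", 4625, "jsmith", "203.0.113.7"),
    ("2024-05-01 03:01:05", 4625, "jsmith", "203.0.113.7"),
    ("2024-05-01 03:01:07", 4625, "jsmith", "203.0.113.7"),
    ("2024-05-01 03:01:09", 4624, "jsmith", "203.0.113.7"),
    ("2024-05-01 03:02:30", 4720, "svc_backup2", "203.0.113.7"),
    ("2024-05-01 03:05:00", 1102, "jsmith", "-"),
    ("2024-05-01 08:59:50", 4625, "alice", "10.0.0.15"),   # one typo then success: normal
    ("2024-05-01 09:00:00", 4624, "alice", "10.0.0.15"),
]

# Constructed firewall connection log, not real data: (timestamp, source host, destination IP, port).
NET_EVENTS = [
    ("2024-05-01 02:00:00", "WS-042", "198.51.100.9", 443),   # every ~300 s: beacon
    ("2024-05-01 02:05:00", "WS-042", "198.51.100.9", 443),
    ("2024-05-01 02:10:01", "WS-042", "198.51.100.9", 443),
    ("2024-05-01 02:14:59", "WS-042", "198.51.100.9", 443),
    ("2024-05-01 02:20:00", "WS-042", "198.51.100.9", 443),
    ("2024-05-01 02:00:10", "WS-042", "10.0.0.5", 445),       # file-server traffic: irregular
    ("2024-05-01 02:03:40", "WS-042", "10.0.0.5", 445),
    ("2024-05-01 02:30:00", "WS-042", "10.0.0.5", 445),
    ("2024-05-01 02:31:00", "WS-042", "10.0.0.5", 445),
    ("2024-05-01 02:45:00", "WS-042", "10.0.0.5", 445),
]

SENSITIVE_EVENTS = {4720: "user account created", 1102: "security audit log cleared"}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def brute_force_then_success(events, threshold=5, window_s=60):
    """Account IoC: at least `threshold` failed logons (4625) for one account from one
    source, followed by a successful logon (4624) within `window_s` seconds."""
    failures = defaultdict(list)   # (account, source) -> timestamps of recent failures
    hits = []
    for ts, event_id, account, source in sorted(events, key=lambda e: e[0]):
        now = _ts(ts)
        key = (account, source)
        if event_id == 4625:
            failures[key].append(now)
        elif event_id == 4624:
            recent = [t for t in failures[key] if (now - t).total_seconds() <= window_s]
            if len(recent) >= threshold:
                hits.append((account, source, ts))
            failures[key].clear()   # a success ends the attempt window either way
    return hits


def sensitive_events(events):
    """Log/host IoCs that deserve an alert on their own, whatever else is happening."""
    return [(ts, event_id, SENSITIVE_EVENTS[event_id], account)
            for ts, event_id, account, _source in events if event_id in SENSITIVE_EVENTS]


def beaconing(net_events, min_connections=5, max_jitter=0.05):
    """Network IoC: one source talking to one destination:port at near-constant intervals.
    Jitter is the population standard deviation of the gaps divided by their mean;
    human-driven traffic is irregular, a C2 beacon with a fixed sleep is not."""
    flows = defaultdict(list)
    for ts, source, dest, port in net_events:
        flows[(source, dest, port)].append(_ts(ts))
    beacons = []
    for flow, times in flows.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        jitter = pstdev(gaps) / mean(gaps)
        if jitter <= max_jitter:
            beacons.append((flow, round(mean(gaps)), round(jitter, 3)))
    return beacons


if __name__ == "__main__":
    for hit in brute_force_then_success(WIN_EVENTS):
        print("brute force then success:", hit)
    for ev in sensitive_events(WIN_EVENTS):
        print("sensitive event:", ev)
    for b in beaconing(NET_EVENTS):
        print("beacon:", b)
```

Run against the constructed logs, the first detector flags only jsmith (five failures in nine seconds, then success) and not alice; the second surfaces the account creation and the log clear; the third reports the 300-second beacon to 198.51.100.9:443 and ignores the irregular SMB traffic to the file server.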

Containment Strategies

Strategy | How It Works | When to Use
--- | --- | ---
Network Isolation | Remove the affected system from the network (unplug the cable, disable the network adapter, move it to a quarantine VLAN); stops lateral movement and C2 communication while the machine stays powered on for forensics | Active malware infection or suspected compromise: isolate immediately, but capture volatile evidence before anything that would reboot or power off the host
Segmentation | Use VLANs and firewall rules to limit the blast radius, confining the incident to the affected segment without taking the whole network offline | When full isolation isn't possible because of business continuity requirements
Account Disable / Reset | Disable compromised accounts or reset their credentials to cut off the attacker's access. Responders should work from separate, known-good accounts so that the reset itself does not tip off an attacker who is watching the compromised one | Credential compromise, insider threat, account takeover
Blackholing / Sinkholing | Null-route traffic destined for malicious IPs (blackhole), or answer DNS queries for malicious domains with the address of a server you control (sinkhole) instead of the attacker's C2; cuts C2 communication, and the sinkhole's query log tells you which internal hosts are infected | Any malware that finds its C2 by domain name, including domain generation algorithm (DGA) families once the algorithm is known and the predicted domains can be blocked
System Shutdown | Power off the affected system; the most aggressive option, and it destroys volatile memory (RAM) and the evidence held in it | Last resort: only if the system is actively causing harm and forensics are not a priority
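A minimal DNS sinkhole as an added example, not code from the original page or from any real sinkhole product: it answers blocked names with a controlled address and keeps the per-client record that makes sinkholing a monitoring tool as well as a containment one. The blocklist, client addresses, upstream answers and the sinkhole address 10.99.0.1 are all constructed.

```python
from collections import defaultdict

SINKHOLE_IP = "10.99.0.1"   # assumed address of the server the IR team controls

# Constructed blocklist, not real indicators: one known C2 name and two DGA-style names.
BLOCKED_DOMAINS = {"update-check.example.net", "xk3jq9vz.example.org", "q8lm2ta0.example.org"}


class DnsSinkhole:
    """Answer blocked names with the sinkhole address and remember who asked."""

    def __init__(self, blocked, sinkhole_ip=SINKHOLE_IP):
        self.blocked = {d.lower().rstrip(".") for d in blocked}
        self.sinkhole_ip = sinkhole_ip
        self.queries = defaultdict(list)   # client IP -> blocked names it looked up

    def is_blocked(self, qname):
        # Match the name itself or any parent domain, so a.b.c2.example is caught by c2.example.
        labels = qname.lower().rstrip(".").split(".")
        return any(".".join(labels[i:]) in self.blocked for i in range(len(labels)))

    def resolve(self, client_ip, qname, upstream_answer):
        """Return the A record to hand back to the client. `upstream_answer` is what a
        normal recursive lookup would have returned; it is passed in so the example runs offline."""
        if self.is_blocked(qname):
            self.queries[client_ip].append(qname.lower().rstrip("."))
            return self.sinkhole_ip
        return upstream_answer

    def infected_hosts(self):
        """The monitoring payoff: every client that tried to reach a sinkholed domain."""
        return {client: sorted(set(names)) for client, names in self.queries.items()}


def run_sample_queries():
    """Constructed query stream: two infected workstations and one clean one."""
    sinkhole = DnsSinkhole(BLOCKED_DOMAINS)
    queries = [
        ("10.0.0.21", "update-check.example.net.", "203.0.113.50"),
        ("10.0.0.21", "www.example.com", "192.0.2.10"),
        ("10.0.0.37", "beacon.xk3jq9vz.example.org", "203.0.113.51"),   # subdomain of a DGA name
        ("10.0.0.37", "q8lm2ta0.example.org", "203.0.113.52"),
        ("10.0.0.58", "mail.example.com", "192.0.2.25"),
    ]
    answers = [(client, qname, sinkhole.resolve(client, qname, upstream))
               for client, qname, upstream in queries]
    return answers, sinkhole.infected_hosts()


if __name__ == "__main__":
    answers, infected = run_sample_queries()
    for client, qname, answer in answers:
        print(f"{client} asked {qname} -> {answer}")
    print("hosts to isolate:", infected)
```

Two details matter in practice: matching on every parent label, so that per-victim subdomains of a blocked name (a common C2 trick) still hit the sinkhole, and recording the client for every blocked lookup, because that list is the scope of your Identification work once the C2 channel is cut.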

Digital Forensics in Incident Response

When legal action is possible or required, evidence must be collected following forensic principles to be admissible:

Order of Volatility — Collect Most Volatile First

Evidence should be collected from most volatile to least volatile; data that disappears first must be captured first:

1. CPU registers and cache
2. RAM (memory dump), which is also where running processes, open network connections and the ARP and routing tables live
3. Swap/page file and temporary files
4. Disk contents
5. Remote logs and monitoring data (SIEM, network captures held elsewhere)
6. Physical media and archives (backups, removable drives)

RAM is lost the moment the system is powered off: always capture a memory image before shutting down a compromised system if forensics matter.

Forensic Concept | What It Means
--- | ---
Chain of Custody | A documented record of who collected the evidence, who handled it, where it was stored and who had access, from collection to courtroom; ensures evidence integrity and admissibility in legal proceedings
Legal Hold | A directive to preserve all potentially relevant data; suspends normal deletion schedules, backup rotation and log purging for the scope of the investigation
Forensic Copy | A bit-for-bit copy of a disk or a memory image; preserves everything, including deleted files and unallocated space. Work from the copy, never from the original evidence.
Write Blocker | Hardware or software that prevents writes to the evidence drive during imaging; ensures the imaging process does not modify the evidence
Hash Verification | Hash the original before imaging and the copy after (SHA-256); matching values prove the copy is identical to the original and that it has not been tampered with. Record the hash values in the chain-of-custody log.
Timeline Analysis | Reconstructing the sequence of events from log timestamps, file system metadata and event records to establish when and how the compromise occurred
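The imaging, hashing and chain-of-custody steps from the table above, as an added Python example that is not part of the original page. The "drive" is a constructed byte buffer, the evidence ID, handler name and locations are made up, and the write-blocker argument stands in for the hardware device a real acquisition would use.

```python
import hashlib
import io
import json
from datetime import datetime, timezone

# Constructed "seized drive", not real evidence: 4 KiB of patterned bytes plus a
# fragment that a file-level copy would miss but a bit-for-bit image keeps.
EVIDENCE_BYTES = bytes(range(256)) * 16 + b"\x00" * 512 + b"remnant of a deleted file"
CHUNK = 64 * 1024


def sha256_stream(fileobj):
    """Hash in chunks so the same routine works on a multi-terabyte image."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()


def acquire_image(source, write_blocked):
    """Bit-for-bit copy of `source`. Returns (image bytes, hash of source, hash of image).
    The write_blocked flag is a process control in this example; a real blocker is hardware."""
    if not write_blocked:
        raise RuntimeError("source is not behind a write blocker; refusing to image")
    source.seek(0)
    source_hash = sha256_stream(source)          # hash the original BEFORE copying
    source.seek(0)
    image = io.BytesIO()
    for chunk in iter(lambda: source.read(CHUNK), b""):
        image.write(chunk)
    image.seek(0)
    image_hash = sha256_stream(image)            # hash the copy AFTER copying
    return image.getvalue(), source_hash, image_hash


def verify_image(image_bytes, expected_hash):
    """Re-hash before every analysis session; a mismatch means stop and investigate."""
    return hashlib.sha256(image_bytes).hexdigest() == expected_hash


def custody_entry(evidence_id, handler, action, sha256, location):
    """One row of the chain-of-custody log: who, when, what, where, and the hash at that moment."""
    return {
        "evidence_id": evidence_id,
        "when_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "handler": handler,
        "action": action,
        "sha256": sha256,
        "location": location,
    }


def image_and_verify(evidence_id="EV-0042", handler="A. Analyst"):
    """End to end: image, compare hashes, log custody, then show what a tampered copy looks like."""
    source = io.BytesIO(EVIDENCE_BYTES)
    image, source_hash, image_hash = acquire_image(source, write_blocked=True)
    chain = [
        custody_entry(evidence_id, handler, "seized, bagged and sealed", source_hash, "evidence locker"),
        custody_entry(evidence_id, handler, "imaged through write blocker", image_hash, "forensic workstation"),
    ]
    tampered = bytearray(image)
    tampered[len(tampered) // 2] ^= 0x01          # flip a single bit in a working copy
    return {
        "source_and_image_match": source_hash == image_hash,
        "image_verifies": verify_image(image, image_hash),
        "tampered_verifies": verify_image(bytes(tampered), image_hash),
        "chain_of_custody": chain,
    }


if __name__ == "__main__":
    print(json.dumps(image_and_verify(), indent=2))
```

Hashing the source before imaging and the image after is what lets a later re-hash prove the working copy is still identical to what was seized; flipping one bit is enough to fail verification, which is why a cryptographic hash is used rather than a size or timestamp comparison.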

IR Communication and Escalation

Who gets notified during an incident, and when, is a heavily tested Security+ topic. The wrong communication at the wrong time can tip off an insider threat, compromise an investigation, or create legal liability:

Stakeholder | When to Notify | Exam Note
--- | --- | ---
Senior Management | Early, as soon as the severity is understood. Management makes the business decisions about containment trade-offs (taking systems offline, cost of downtime). | Management decides whether to shut down operations; the IR team advises on technical options
Legal Counsel | Early, before any public disclosure or contact with law enforcement. Legal determines reporting obligations. | Regulatory regimes (GDPR, HIPAA, PCI DSS) mandate breach notification timelines
HR | As soon as an insider threat is suspected; HR involvement is required for disciplinary action and for ensuring proper process is followed | HR and legal must be involved before any insider is confronted or terminated
Law Enforcement | After consulting legal; not every incident requires law enforcement, and oversharing can complicate the investigation | Law enforcement involvement may restrict what the organisation can do with its own systems
Affected Users / Public | After containment, on the timeline the law requires; premature disclosure can cause panic or tip off the attackers | Notification timing and content are legal requirements in many jurisdictions for data breaches

Exam Scenarios

💬 "A security analyst notices unusual outbound traffic to an unknown external IP at 3am. They confirm the traffic is malicious. What phase of IR are they in?" → Identification — detecting and confirming that an incident has occurred.
💬 "After confirming ransomware on a workstation, the team disconnects it from the network. What phase is this?" → Containment — isolating the affected system to stop the spread before eradicating the malware.
💬 "The IR team removes malware from all affected systems and patches the exploited vulnerability. What phase is this?" → Eradication — removing the threat and closing the vulnerability that allowed it in.
💬 "Systems are restored from clean backups and monitored closely after being reconnected to the network. What phase is this?" → Recovery — returning systems to normal operation after the threat has been eradicated.
💬 "A first responder arrives at a compromised workstation. The system is still running. What should they do first?" → Capture a memory (RAM) dump — RAM is the most volatile evidence and is lost the moment the system powers off. Preserve volatile evidence before taking any other action.
💬 "The IR team is updating the IR plan based on what went wrong during a recent ransomware incident. What phase is this?" → Lessons Learned (Post-Incident Review) — the final phase that feeds improvements back into Preparation.
💬 "Why should eradication not happen before containment?" → Containment stops the spread first. Starting eradication while the attacker has active access can alert them, cause them to destroy evidence, escalate the attack, or move laterally to systems not yet identified.
💬 "A forensic investigator creates a bit-for-bit copy of a compromised hard drive and hashes both the original and copy. What is the hash used to prove?" → Integrity: matching hashes prove the forensic copy is identical to the original and that neither has been altered since imaging. The recorded hash values then become part of the chain-of-custody documentation, which is a separate control covering who handled the evidence.
💬 "Which PICERL phase involves training staff, developing IR plans, and running tabletop exercises?" → Preparation — all proactive activities that occur before an incident happen in this phase.
💬 "An organisation suffers a data breach affecting customer PII. Who should be notified first — the public, law enforcement, or legal counsel?" → Legal counsel — they determine regulatory notification requirements, timing, and guide all other communications to avoid legal liability.
