🍈 Zettelkasten

❯

❯

Incident Response Process

Incident Response Process

Aug 21, 20251 min read

security

Process

Preparation

Organizations establish Incident Response Plans
Cybersecurity Incident Response Team is established
System configurations, Network Topology Diagram, inventory of critical assets are documented

Detection

Setup EDR on network endpoints
Setup IDS
Set up logging with a Syslog server
Setup SIEM

Analysis

SIEM analyzes for correlations and anomalies
We can use MITRE ATT&CK, Cyber Kill Chain or Diamond Model of Intrusion Analysis to categorize severity of incident

Containment

Isolate and Quarantine affected systems
Compromised user accounts and credentials should be disabled
Volatile evidence like running processes, network connection should be collected for future analysis
Grab a sample of malware and isolate it

Eradication

Destroy the root cause of incident. If its malware, then purge it
Delete infected files
Patching
Protect environment against future attacks

Recovery

Restore operations to a normal state
- Data restoration
- Devices brought back online
Reach the Recovery Point Objective as early as possible

Lessons Learned

Conduct a post-incident analysis

Graph View

Process
Preparation
Detection
Analysis
Containment
Eradication
Recovery
Lessons Learned

Backlinks

CompTIA Security+
Incident Response
Root Cause Analysis

Created with Quartz v4.4.0 © 2025

GitHub
Discord Community