Incident Response and Monitoring

CompTIA Security+ SY0-701 — Domain 12

Incident Response Lifecycle

  • Preparation: Develop policies, communication plans, and access controls before an incident occurs. Learn more about preparation on NIST.
  • Identification: Detect and confirm potential security incidents using alerts, logs, or user reports.
  • Containment: Limit damage by isolating affected systems.
  • Eradication: Remove malware, close exploited vulnerabilities, and clean infected hosts.
  • Recovery: Restore systems to operational state and monitor for reinfection.
  • Lessons Learned: Conduct after-action reviews and update policies or playbooks.

Incident Identification Tools

  • SIEM: Aggregates logs, normalizes data, and correlates events across platforms. Learn more about SIEM on Splunk.
  • IDS/IPS: Alert on (IDS) or block (IPS) malicious activity in real time. Learn more about IDS/IPS on Palo Alto Networks.
  • Syslog: Provides standardized, structured log messages from Linux/Unix systems that can be forwarded to a central collector.
  • Trend Analysis: Spot anomalies using baselines and behavior monitoring.
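The following is an added example, not code from the study page or from any SIEM vendor, showing in miniature what the tools above do: it normalizes two constructed log formats (a Linux sshd syslog line and a firewall key=value line) into one schema, correlates them with a simple rule (several failed logins followed by a success from the same source within a short window), and compares a current failure count against a constructed baseline for trend analysis. The sample lines, the 2024 year assumed for syslog timestamps, the baseline values and the rule thresholds are all assumptions made here.

```python
import re
import statistics
from collections import Counter
from datetime import datetime

# Constructed sample events (not real data): one Linux syslog-style sshd feed and one
# firewall feed, in the two different formats a SIEM would have to normalize.
SAMPLE_LOGS = [
    "Mar 10 08:00:01 web01 sshd[2211]: Failed password for admin from 203.0.113.7 port 51022 ssh2",
    "ts=2024-03-10T08:00:02Z src=203.0.113.7 dst=10.0.0.5 action=deny proto=tcp dport=22",
    "Mar 10 08:00:03 web01 sshd[2211]: Failed password for admin from 203.0.113.7 port 51023 ssh2",
    "Mar 10 08:00:05 web01 sshd[2211]: Failed password for admin from 203.0.113.7 port 51024 ssh2",
    "Mar 10 08:00:09 web01 sshd[2214]: Accepted password for admin from 203.0.113.7 port 51030 ssh2",
    "Mar 10 08:01:00 web01 sshd[2220]: Accepted publickey for deploy from 198.51.100.4 port 40000 ssh2",
]

ASSUMED_YEAR = 2024  # classic syslog timestamps carry no year; assumed here

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def normalize_line(line):
    """Map one raw line onto a common schema; return None for lines we do not understand."""
    m = SYSLOG_RE.match(line)
    if m:
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        action = "auth_success" if m["outcome"] == "Accepted" else "auth_fail"
        return {"ts": ts, "host": m["host"], "source_ip": m["ip"], "user": m["user"], "action": action}
    tokens = line.split()
    if tokens and all("=" in t for t in tokens):  # key=value firewall format
        kv = dict(t.split("=", 1) for t in tokens)
        ts = datetime.strptime(kv["ts"], "%Y-%m-%dT%H:%M:%SZ")
        action = "fw_deny" if kv.get("action") == "deny" else "fw_allow"
        return {"ts": ts, "host": kv.get("dst"), "source_ip": kv.get("src"), "user": None, "action": action}
    return None


def normalize_all(lines):
    """Normalize every parseable line and order events by time, as a SIEM pipeline would."""
    events = [e for e in (normalize_line(l) for l in lines) if e is not None]
    return sorted(events, key=lambda e: e["ts"])


def correlate_bruteforce(events, threshold=3, window_s=60):
    """Correlation rule: a successful login preceded by >= threshold failures from the same
    source within window_s seconds is worth an analyst's attention."""
    alerts = []
    for e in events:
        if e["action"] != "auth_success":
            continue
        fails = [
            f for f in events
            if f["action"] == "auth_fail"
            and f["source_ip"] == e["source_ip"]
            and 0 <= (e["ts"] - f["ts"]).total_seconds() <= window_s
        ]
        if len(fails) >= threshold:
            alerts.append({"source_ip": e["source_ip"], "user": e["user"], "host": e["host"],
                           "failures": len(fails), "at": e["ts"].isoformat()})
    return alerts


def failure_count_by_host(events):
    """Per-host count of authentication failures, the kind of metric a baseline is built on."""
    return Counter(e["host"] for e in events if e["action"] == "auth_fail")


def is_anomalous(current, baseline, k=2.0):
    """Trend analysis: flag the current count if it exceeds the baseline mean by k standard deviations."""
    mu = statistics.mean(baseline)
    sd = statistics.pstdev(baseline)
    return current > mu + k * sd


if __name__ == "__main__":
    events = normalize_all(SAMPLE_LOGS)
    for alert in correlate_bruteforce(events):
        print("ALERT:", alert)
    counts = failure_count_by_host(events)
    historic_hourly_failures = [1, 0, 2, 1, 0, 1, 1]  # constructed baseline for web01
    print("web01 failures anomalous:", is_anomalous(counts["web01"], historic_hourly_failures))
```

Normalizing first is what makes the correlation possible: the firewall deny and the sshd failures share a `source_ip` field only after both formats have been mapped onto the same schema. The baseline check is deliberately simple (mean plus k standard deviations); a production SIEM would maintain baselines per host and per hour of day.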

🧪 Forensics and Evidence Handling

Gathering evidence must be methodical and defensible:

  • Chain of Custody: Document who handled evidence, when, and how. Learn more about chain of custody on SANS Institute.
  • Preservation: Use write blockers and image creation tools to avoid altering evidence.
  • Volatile vs. Non-volatile: Capture evidence in order of volatility, so memory contents are collected before disk contents and logs, which persist longer.
  • Tools: Use disk imaging, packet captures, and endpoint snapshots for investigation.
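As an added example (not part of the study page, and not any forensic tool's own code), the script below puts the four points above into practice: it orders constructed evidence sources by volatility (following RFC 3227's ordering of registers, memory, network state and processes before disk and archive media), hashes each acquired image with SHA-256 as the preservation check, and keeps a chain-of-custody log in which every hand-off re-verifies the hash, so any alteration is recorded against the holder who received it. The tier labels, item ids and evidence bytes are constructed for the example.

```python
import hashlib
from datetime import datetime, timezone

# Order of volatility, most volatile first (RFC 3227). The tier labels are this
# example's own names, chosen here as an assumption.
VOLATILITY_TIERS = [
    "registers_cache",
    "memory",
    "network_state",       # routing table, ARP cache, connection table
    "running_processes",
    "temp_filesystem",
    "disk",
    "remote_logs",
    "archival_media",
]


def plan_acquisition(sources):
    """Sort evidence sources so the most volatile are captured first."""
    rank = {tier: i for i, tier in enumerate(VOLATILITY_TIERS)}
    return sorted(sources, key=lambda s: rank[s["tier"]])


def sha256_hex(data):
    """Integrity hash recorded at acquisition and re-checked at every hand-off."""
    return hashlib.sha256(data).hexdigest()


def _stamp(when):
    return (when or datetime.now(timezone.utc)).isoformat()


def acquire(item_id, description, image_bytes, collector, when=None):
    """Record the acquisition hash and open the chain-of-custody log for one item."""
    return {
        "item_id": item_id,
        "description": description,
        "sha256": sha256_hex(image_bytes),
        "custody": [{"when": _stamp(when), "holder": collector, "from": None,
                     "event": "acquired", "verified": True}],
    }


def verify_integrity(record, image_bytes):
    """True if the bytes in hand still match the hash taken at acquisition."""
    return sha256_hex(image_bytes) == record["sha256"]


def transfer(record, from_holder, to_holder, image_bytes, purpose, when=None):
    """Hand the item to the next holder, re-hashing so an altered copy is logged, not hidden."""
    entry = {"when": _stamp(when), "holder": to_holder, "from": from_holder,
             "event": f"transfer: {purpose}", "verified": verify_integrity(record, image_bytes)}
    record["custody"].append(entry)
    return entry


def custody_is_intact(record):
    """The chain is defensible only if every entry verified the original hash."""
    return all(e["verified"] for e in record["custody"])


if __name__ == "__main__":
    # Constructed stand-ins for a disk image and a memory dump (not real acquisitions).
    disk_img = b"constructed-disk-image-bytes-0001"
    mem_dump = b"constructed-memory-dump-bytes-0001"
    plan = plan_acquisition([
        {"name": "web01 disk image", "tier": "disk"},
        {"name": "web01 memory dump", "tier": "memory"},
        {"name": "central syslog export", "tier": "remote_logs"},
    ])
    print("acquisition order:", [s["name"] for s in plan])
    rec = acquire("E-0001", "web01 disk image", disk_img, "analyst A")
    transfer(rec, "analyst A", "analyst B", disk_img, "malware analysis")
    print("chain intact:", custody_is_intact(rec))
    for entry in rec["custody"]:
        print(entry)
```

A write blocker prevents changes while imaging; the hash is what lets you prove afterwards that nothing changed, and logging the verification result with each custody entry ties any discrepancy to a specific hand-off.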