
Chapter 21 of 27

Incident Response: Process, Roles, and Playbook-Driven Execution

Follow a structured incident response lifecycle from detection through lessons learned, coordinating people, tools, and communication under pressure.

27 min read

Big Picture: What Incident Response Really Is

What Is Incident Response?

Incident response (IR) is a disciplined, repeatable process to detect, analyze, contain, eradicate, and recover from security incidents, then learn from them to improve defenses.

Link to Previous Modules

IAM and zero trust help prevent and limit incidents; automation and orchestration help execute IR playbooks quickly and consistently when prevention fails.

Security+ Expectations

For SY0-701, you must recognize IR phases, know key roles, understand communication and evidence handling, and apply the lifecycle to simple scenarios.

Hybrid Environments

In a hybrid environment with cloud, mobile, IoT, OT, and on-prem, the IR process is stable even though tools and data sources vary widely.

The Incident Response Lifecycle: 6 Core Phases

6-Phase IR Lifecycle

Remember the core phases: 1) Preparation, 2) Identification, 3) Containment, 4) Eradication, 5) Recovery, 6) Lessons Learned. It is a loop, not a straight line.

Preparation and Identification

Preparation: build team, tools, and playbooks. Identification: detect, analyze, and confirm whether suspicious activity is truly a security incident.

Containment and Eradication

Containment stops the bleeding while keeping business running; eradication removes root causes like malware, bad accounts, and misconfigurations.

Recovery and Lessons Learned

Recovery restores safe operations and monitors closely. Lessons learned capture what happened and improve policies, controls, and playbooks.

Phase 1 – Preparation: Building the IR Capability

Why Preparation Matters

Most incidents are won or lost before they start. Preparation defines what an incident is, who responds, and what tools and playbooks are ready.

Policies and Governance

Define incidents and severity, and align with governance, risk, and compliance so legal, regulatory, and internal policy requirements are built in.

Plans, Playbooks, and People

Create an IR plan and detailed playbooks for common scenarios. Assign roles such as incident commander, technical responders, legal, HR, and comms.

Tools and Visibility

Set up SIEM, EDR/XDR, network and cloud logs, IAM audit logs, plus ticketing and secure collaboration tools to support investigations.

Phase 2 – Identification: From Alert to Confirmed Incident

Goal of Identification

Identification turns raw alerts and reports into a confirmed security incident with an initial understanding of what happened and how serious it is.

Sources and Triage

Alerts come from tools and people. You must triage to filter noise, correlate related events, and focus on likely real incidents.

Analyze and Prioritize

Analyze logs and telemetry to confirm the incident, then classify and prioritize based on impact and likelihood of spread.

Avoid Common Mistakes

Do not jump directly to wiping systems before understanding scope, and always consider business impact when setting severity.
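The identification steps above (triage the noise, correlate related events, confirm against the user's normal behavior, then prioritize by impact) can be made concrete with a small triage routine. This is an added example, not code from the page or from any SIEM product; the log line format, the per-user baseline table and the failure threshold are assumptions made for the illustration, and the log lines are constructed sample data.

```python
"""Identification-phase triage over constructed authentication log lines."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample logs (assumed format):
# "<timestamp> <FAIL|OK> user=<name> src=<ip> country=<CC>"
SAMPLE_LOGS = """\
2024-05-01T08:00:01Z FAIL user=admin.jsmith src=203.0.113.7 country=RU
2024-05-01T08:00:04Z FAIL user=admin.jsmith src=203.0.113.7 country=RU
2024-05-01T08:00:09Z FAIL user=admin.jsmith src=203.0.113.7 country=RU
2024-05-01T08:00:15Z FAIL user=admin.jsmith src=203.0.113.7 country=RU
2024-05-01T08:00:21Z FAIL user=admin.jsmith src=203.0.113.7 country=RU
2024-05-01T08:01:00Z OK   user=admin.jsmith src=203.0.113.7 country=RU
2024-05-01T08:02:11Z FAIL user=bwong src=198.51.100.2 country=US
2024-05-01T08:02:30Z OK   user=bwong src=198.51.100.2 country=US
2024-05-01T08:05:00Z OK   user=svc.backup src=192.0.2.9 country=US
"""

# Assumed per-user baseline; in practice built from login history and IAM data.
BASELINE = {
    "admin.jsmith": {"countries": {"US"}, "privileged": True},
    "bwong":        {"countries": {"US"}, "privileged": False},
    "svc.backup":   {"countries": {"US"}, "privileged": True},
}

FAIL_THRESHOLD = 5  # assumption: this many failures counts as "repeated"


@dataclass
class Finding:
    user: str
    failures: int
    success_after_failures: bool
    unusual_countries: set
    privileged: bool
    severity: str
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Split one constructed log line into a dict of its fields."""
    ts, result, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return {"ts": ts, "ok": result == "OK", **fields}


def triage(log_text, baseline=BASELINE, fail_threshold=FAIL_THRESHOLD):
    """Correlate events per account, compare to baseline, and assign a severity.

    Returns {user: Finding}. Severity combines the number of indicators with
    the account's impact (privileged accounts are weighted higher).
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            e = parse_line(line)
            events[e["user"]].append(e)

    findings = {}
    for user, evs in events.items():
        profile = baseline.get(user, {"countries": set(), "privileged": False})
        failures = sum(1 for e in evs if not e["ok"])
        # A success that follows a run of failures suggests a guessed password.
        success_after = any(
            e["ok"] and sum(1 for p in evs[:i] if not p["ok"]) >= fail_threshold
            for i, e in enumerate(evs)
        )
        unusual = {e["country"] for e in evs} - profile["countries"]

        reasons = []
        if failures >= fail_threshold:
            reasons.append(f"{failures} failed logins")
        if unusual:
            reasons.append(f"source country outside baseline: {sorted(unusual)}")
        if success_after:
            reasons.append("successful login after repeated failures")

        # Prioritize: indicators plus an impact bonus for privileged accounts.
        score = len(reasons) + (2 if profile["privileged"] and reasons else 0)
        severity = ("high" if score >= 4 else "medium" if score >= 2
                    else "low" if score else "info")
        findings[user] = Finding(user, failures, success_after, unusual,
                                 profile["privileged"], severity, reasons)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS).values():
        print(f.user, f.severity, "; ".join(f.reasons))
```

Run as written, the privileged admin account with five failures, a login from a country outside its baseline, and a success after those failures comes out as high severity, while the two accounts with ordinary activity are left at informational level. The point of the baseline comparison is the one the text makes: the same raw alert means something different for a privileged account seen from an unexpected location than for a normal user who mistyped a password once.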

Phases 3–5 – Containment, Eradication, and Recovery

Containment: Stop the Damage

Containment uses quick actions like isolating hosts, disabling accounts, and blocking IPs to limit spread while balancing evidence needs and continuity.

Eradication: Remove the Cause

Eradication removes malware, backdoors, and misconfigurations, patches vulnerabilities, and rotates credentials to eliminate the attacker’s foothold.

Recovery: Restore Safely

Recovery restores from clean backups, gradually returns systems to production, validates operations, and monitors for any signs of reinfection.

Phase Identification on Exams

Blocking or isolating = containment; removing malware and patching = eradication; bringing systems back online and monitoring = recovery.

Phase 6 – Lessons Learned and Continuous Improvement

Purpose of Lessons Learned

Lessons learned converts incident experience into concrete improvements so the same attack is less likely or less damaging next time.

Post-Incident Review

A structured review asks what happened, why, what worked, what failed, and what must change. It focuses on facts and improvement, not blame.

Outputs and Improvements

Outputs include updated playbooks, tuned detections, policy and control changes, and new training materials tied into risk and governance.

Exam Angle

If the incident is over and the question asks how to prevent recurrence, think lessons learned: post-incident review and improvements.

Roles and Responsibilities in Incident Response

Why Roles Matter

Clear roles prevent confusion. The incident commander leads; specialists execute technical, legal, and communication tasks in coordination.

Core Technical Roles

Technical responders investigate and fix issues, while forensic analysts collect and preserve evidence and perform deep technical analysis.

Legal, Comms, and Management

Legal/compliance and privacy interpret obligations; communications manage external messaging; executives make major risk and disclosure decisions.

HR and Physical Security

HR handles insider issues and employee communication; physical security responds if incidents involve facilities or stolen hardware.

Evidence Handling and Chain of Custody

What Counts as Evidence?

Digital evidence can be disk images, memory dumps, logs, network captures, cloud snapshots, emails, or mobile data collected during an incident.

Integrity and Hashing

Protect evidence integrity by using write blockers, collecting forensic images, and hashing data so you can prove it has not been altered.

Chain of Custody

Chain of custody is a documented trail of who handled evidence, when, and why, ensuring it is trustworthy for legal or regulatory use.

Handling and Storage

Store evidence securely, restrict access, and work from copies to minimize handling and avoid accidental modification of originals.
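The two mechanisms from the sections above, hashing for integrity and a chain-of-custody record for provenance, fit together naturally: each time evidence changes hands, the handler re-hashes it and the result is written into the custody log, so any alteration shows up as a hash mismatch at a known point in the trail. The following is an added example, not code from the page or from any forensic tool. The "image" is a constructed byte string standing in for a disk image so the example runs offline; the entry layout and field names are assumptions.

```python
"""Evidence integrity (SHA-256) plus a chain-of-custody record."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed stand-in for a forensic disk image (a real one is a file on
# disk; see sha256_file for the streaming version).
SAMPLE_IMAGE = b"\x00" * 512 + b"NTFS    " + b"\x00" * 1024 + b"constructed evidence"


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so multi-gigabyte images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


@dataclass
class CustodyEntry:
    when: str       # UTC timestamp of the handling event
    who: str        # person or system handling the evidence
    action: str     # collected / transferred / analyzed / stored
    purpose: str    # why it was handled
    sha256: str     # hash observed at that moment


@dataclass
class EvidenceItem:
    evidence_id: str
    description: str
    original_sha256: str                      # hash recorded at acquisition
    custody: list = field(default_factory=list)

    def record(self, who, action, purpose, current_data: bytes) -> bool:
        """Append a custody entry; returns False if the hash no longer matches."""
        current = sha256_bytes(current_data)
        stamp = datetime.now(timezone.utc).isoformat()
        self.custody.append(CustodyEntry(stamp, who, action, purpose, current))
        return current == self.original_sha256

    def is_intact(self) -> bool:
        """True only if every handling event saw the acquisition-time hash."""
        return all(e.sha256 == self.original_sha256 for e in self.custody)

    def first_mismatch(self):
        """The custody entry at which the evidence first differed, or None."""
        for e in self.custody:
            if e.sha256 != self.original_sha256:
                return e
        return None


def collect(evidence_id, description, data: bytes, collector: str) -> EvidenceItem:
    """Acquire evidence: hash it once and open the custody trail."""
    item = EvidenceItem(evidence_id, description, sha256_bytes(data))
    item.record(collector, "collected", "initial acquisition", data)
    return item


def working_copy(item: EvidenceItem, original: bytes, who: str) -> bytes:
    """Analysts work from a copy; the copy is hashed and logged before use."""
    copy = bytes(original)
    item.record(who, "copied", "create analysis copy", copy)
    return copy


if __name__ == "__main__":
    ev = collect("EV-001", "server disk image (constructed)", SAMPLE_IMAGE, "analyst.a")
    copy = working_copy(ev, SAMPLE_IMAGE, "analyst.b")
    print("intact:", ev.is_intact(), "entries:", len(ev.custody))
```

The hash is recomputed at every handoff rather than trusted from the previous entry, which is what lets the trail show not just that something changed but who held the evidence when it did. The original stays untouched in storage while analysis happens on the logged copy, matching the advice above to work from copies.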

Playbook-Driven Execution and Automation

What Is a Playbook?

A playbook is a step-by-step procedure for a specific incident type, defining triggers, data to collect, actions, and communication steps.

Playbook Structure

Playbooks include triggers, automated and manual steps, decision points, and clear guidance on containment, eradication, and recovery.

Phishing Playbook Example

A phishing playbook might auto-sandbox attachments, search and quarantine similar emails, then guide analysts to reset accounts and update training.

Automation and SOAR

SOAR tools can execute routine playbook steps automatically, improving speed and consistency while humans handle complex decisions.
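A playbook expressed as data, with a runner that executes the automated steps and hands off at the first manual decision point, shows how the structure described above (triggers, automated and manual steps, decision points) maps onto SOAR-style execution. This is an added example, not the page's code and not any SOAR product's API. The playbook shape, the alert format and the "two different countries within five minutes" trigger rule are assumptions; the enforcement actions are stand-ins that return audit records instead of calling a real IAM or ticketing system.

```python
"""A playbook as data plus a small SOAR-style runner."""
from dataclasses import dataclass, field
from datetime import datetime

IMPOSSIBLE_TRAVEL_WINDOW_MIN = 5  # assumed rule parameter


@dataclass
class Step:
    name: str
    automated: bool
    action: callable = None   # only used when automated
    phase: str = ""           # identification / containment / eradication / recovery


@dataclass
class Playbook:
    name: str
    trigger: callable         # alert -> bool
    steps: list


@dataclass
class RunResult:
    playbook: str
    actions: list = field(default_factory=list)   # audit records of automated steps
    paused_at: str = None                          # first manual step reached
    ticket: dict = None


def impossible_travel(alert) -> bool:
    """Trigger: one account seen in two different countries within the window."""
    logins = sorted((datetime.fromisoformat(t), c) for t, c in alert["logins"])
    for (t1, c1), (t2, c2) in zip(logins, logins[1:]):
        if c1 != c2 and (t2 - t1).total_seconds() <= IMPOSSIBLE_TRAVEL_WINDOW_MIN * 60:
            return True
    return False


# Stand-in actions: each returns the record a real integration would log.
def disable_account(alert):
    return {"action": "disable_account", "user": alert["user"]}


def revoke_sessions(alert):
    return {"action": "revoke_sessions", "user": alert["user"]}


def open_ticket(alert):
    return {"action": "open_ticket", "severity": "high",
            "summary": f"Impossible travel for {alert['user']}"}


IMPOSSIBLE_TRAVEL_PLAYBOOK = Playbook(
    name="impossible-travel",
    trigger=impossible_travel,
    steps=[
        Step("disable account", True, disable_account, "containment"),
        Step("revoke active sessions", True, revoke_sessions, "containment"),
        Step("open analyst ticket", True, open_ticket, "identification"),
        # Decision point: a human decides whether this is compromise or travel/VPN.
        Step("analyst confirms compromise vs. travel/VPN", False, phase="identification"),
        Step("reset credentials and MFA", False, phase="eradication"),
        Step("re-enable account and monitor", False, phase="recovery"),
    ],
)


def run_playbook(pb: Playbook, alert):
    """Run automated steps in order; stop at the first manual step and hand off.

    Returns None when the trigger does not fire, otherwise a RunResult.
    """
    if not pb.trigger(alert):
        return None
    result = RunResult(pb.name)
    for step in pb.steps:
        if not step.automated:
            result.paused_at = step.name
            break
        record = step.action(alert)
        record.update(step=step.name, phase=step.phase)
        result.actions.append(record)
        if record["action"] == "open_ticket":
            result.ticket = record
    return result


# Constructed alerts: one fires the trigger, one is ordinary travel.
SAMPLE_ALERT = {"user": "jdoe",
                "logins": [("2024-05-01T09:00:00", "US"), ("2024-05-01T09:03:00", "DE")]}
BENIGN_ALERT = {"user": "kli",
                "logins": [("2024-05-01T09:00:00", "US"), ("2024-05-01T15:00:00", "DE")]}

if __name__ == "__main__":
    r = run_playbook(IMPOSSIBLE_TRAVEL_PLAYBOOK, SAMPLE_ALERT)
    print([a["action"] for a in r.actions], "paused at:", r.paused_at)
```

The split is the one the text describes: the fast, repeatable containment steps run without waiting, the ticket gives an analyst the context, and anything that needs judgment (was this a compromise or a VPN exit?) or has larger blast radius (credential resets, returning the account to service) stays manual. Each step also carries its phase, which makes the lifecycle mapping of a playbook explicit rather than implied.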

Thought Exercise: Mapping Actions to Phases

Use this exercise to solidify your understanding of which activities belong to which IR phase. Think through each scenario and decide which phase it best represents.

  1. Scenario A: A SOC analyst notices repeated failed logins from a foreign country on a privileged admin account. They pull related logs, check geolocation, and compare with the user’s normal behavior.
  • Which phase is this? Why?
  2. Scenario B: After a ransomware attack, the team restores affected servers from clean backups, verifies applications are working, and monitors for suspicious process activity over the next 72 hours.
  • Which phase is this? Why?
  3. Scenario C: The security team updates the phishing awareness training to include screenshots and tactics used in a recent successful phishing campaign.
  • Which phase is this? Why?
  4. Scenario D: A playbook instructs the SOAR tool to automatically disable any account that triggers a “login from two distant countries within 5 minutes” alert, then open a ticket for an analyst.
  • Which phase is primarily represented here? Why?

Pause and answer in your own words before checking yourself:

  • A: Identification (detection and analysis of suspicious activity).
  • B: Recovery (restoring operations and monitoring after eradication).
  • C: Lessons learned (post-incident improvement and training updates).
  • D: Containment (automatic isolation of suspected compromised accounts).

Quiz 1: Core Phases and Roles

Answer this question to check your understanding of IR phases and roles.

An organization has just experienced a data breach. The IR team has stopped the attacker’s access, removed backdoors, patched the exploited vulnerability, and is now focused on restoring affected databases from known-good backups and monitoring them for abnormal queries. Which IR phase best describes the team’s current focus?

  A) Containment
  B) Eradication
  C) Recovery
  D) Lessons learned

Answer: C) Recovery

The team has already contained the attack and removed backdoors and vulnerabilities (eradication). They are now restoring from backups and monitoring for stability and reinfection, which is the **recovery** phase. Containment would focus on isolating systems; lessons learned would involve reviewing the incident after operations are restored.

Quiz 2: Evidence Handling and Chain of Custody

Test your understanding of digital evidence handling.

A junior analyst is asked to collect logs and disk images from a compromised server for a potential legal case. Which action is MOST important to ensure that the evidence can be trusted in any future investigation?

  A) Immediately reboot the server to clear any malware from memory before imaging it.
  B) Calculate and record cryptographic hashes for collected images and maintain a chain of custody log.
  C) Email the collected evidence to their personal account to work on it from home if needed.
  D) Compress all evidence into a single archive file and delete the originals to save storage space.

Answer: B) Calculate and record cryptographic hashes for collected images and maintain a chain of custody log.

The most important step is to preserve **integrity** and **provenance** of evidence: calculate and record hashes and maintain a clear chain of custody. Rebooting can destroy volatile evidence; sending data to a personal account and deleting originals both undermine security and integrity.

Key Term Flashcards: Incident Response Essentials

Use these flashcards to reinforce core IR terms that you are likely to see on Security+.

Incident response
The structured set of activities an organization uses to detect, analyze, contain, eradicate, and recover from security incidents, and then learn from them to improve defenses.
Incident response lifecycle (6 phases)
Preparation, Identification (detection and analysis), Containment, Eradication, Recovery, Lessons Learned (post-incident activity).
Incident commander
The person responsible for leading and coordinating the overall incident response effort, setting priorities, and making final decisions during an incident.
Playbook
A documented, step-by-step procedure for handling a specific type of incident, including triggers, data to collect, actions to take, and communication steps.
Chain of custody
The documented trail that records who collected, handled, transferred, and stored evidence, including times and purposes, to prove that the evidence is trustworthy and unaltered.
Containment
The IR phase focused on limiting the scope and impact of an incident, often by isolating affected systems, disabling accounts, or blocking malicious traffic.
Eradication
The IR phase in which responders remove the root cause of the incident, such as malware, backdoors, compromised accounts, and exploitable vulnerabilities.
Recovery
The IR phase in which systems and services are safely restored to normal operation, typically from clean backups or images, with close monitoring for reinfection.
Lessons learned
The post-incident phase where the organization reviews what happened, identifies root causes and gaps, and updates controls, playbooks, and training to prevent recurrence.
Forensic image
A bit-for-bit copy of digital media collected in a way that preserves evidence integrity, typically used for detailed forensic analysis rather than normal operations.

Pulling It Together: Applying IR on the Security+ Exam

Phase Recognition Strategy

On questions, first decide which IR phase you are in; then remove answers that belong to other phases to narrow your choices.

Objectives and Roles

Map the scenario’s objective (stop spread, remove cause, restore, improve) and match actions to the correct roles: technical, legal, comms, or management.

Evidence and Playbooks

Keywords about legal trustworthiness point to chain of custody and hashing; references to standardized or automated steps point to playbook-driven IR.

Next Steps in Your Study Path

Use the diagnostic and mock exams to see which IR phases or roles you miss most; your spaced review queue will reinforce those weak spots.

Key Terms

playbook
A documented, step-by-step procedure for handling a specific type of incident, including triggers, data to collect, actions to take, and communication steps.
recovery
The IR phase in which systems and services are safely restored to normal operation, typically from clean backups or images, with close monitoring for reinfection.
containment
The IR phase focused on limiting the scope and impact of an incident, often by isolating affected systems, disabling accounts, or blocking malicious traffic.
eradication
The IR phase in which responders remove the root cause of the incident, such as malware, backdoors, compromised accounts, and exploitable vulnerabilities.
forensic image
A bit-for-bit copy of digital media collected in a way that preserves evidence integrity, typically used for detailed forensic analysis rather than normal operations.
lessons learned
The post-incident phase where the organization reviews what happened, identifies root causes and gaps, and updates controls, playbooks, and training to prevent recurrence.
chain of custody
The documented trail that records who collected, handled, transferred, and stored evidence, including times and purposes, to prove that the evidence is trustworthy and unaltered.
incident response
The structured set of activities an organization uses to detect, analyze, contain, eradicate, and recover from security incidents, and then learn from them to improve defenses.
hybrid environment
A hybrid environment is an enterprise environment that includes a mix of cloud, mobile, Internet of Things (IoT), operational technology (OT), and on-premises resources that must be monitored and secured.
incident commander
The person responsible for leading and coordinating the overall incident response effort, setting priorities, and making final decisions during an incident.
incident response lifecycle
A repeatable cycle of phases for handling security incidents, commonly: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.
governance, risk, and compliance
Governance, risk, and compliance refers to operating with an awareness of applicable regulations and policies, including principles of governance, risk, and compliance when securing enterprise environments.
