Which of the following lists the correct order of the main phases in the incident response lifecycle?
Think about what must happen before an incident occurs and what happens after it is resolved.
The incident response lifecycle starts with Preparation to get ready, then Detection and Analysis to find and understand the incident, followed by Containment to limit damage, Eradication and Recovery to remove threats and restore systems, and finally Post-Incident Activity to learn and improve.
What is the primary goal during the Containment phase of the incident response lifecycle?
Think about what you want to achieve immediately after detecting an incident to prevent further damage.
The Containment phase focuses on stopping the incident from spreading and minimizing its impact on the organization.
During an incident, the team isolates affected systems but does not immediately remove the malware. Which phase does this action belong to, and why?
Consider the difference between stopping damage and removing threats.
Isolating affected systems is part of Containment to stop the incident from spreading while keeping evidence intact for analysis and later eradication.
Which statement best describes the difference between the Eradication and Recovery phases in the incident response lifecycle?
Think about what happens after the threat is removed but before normal work resumes.
Eradication removes the root cause and threats, while Recovery restores and validates systems to normal working condition.
Why is the Post-Incident Activity phase critical to improving an organization's security posture?
Consider how learning from past incidents can prevent future problems.
Post-Incident Activity reviews what happened, what worked, and what didn’t, helping the organization strengthen defenses and response strategies.