Incident Response
NIST IR lifecycle: Prepare, Detect, Contain, Eradicate, Recover, Post-Incident — know each phase.
# Incident Response lifecycle (NIST)
# 1. Preparation: IR plan, tools, team contacts
# 2. Detection: SIEM alerts, anomaly detection
# 3. Containment: isolate affected systems
# 4. Eradication: remove threat, patch vulnerability
# 5. Recovery: restore from clean backups, verify
# 6. Post-Incident: lessons learned, improve controls
# Containment commands
# Isolate compromised Linux host from network.
# -I inserts at the head of the chain, so the ACCEPT rules added last are evaluated first;
# run all the commands on one line (or from the console) so a remote session survives the gap.
iptables -I INPUT -j DROP
iptables -I OUTPUT -j DROP
# Keep loopback working so local services and tools keep running
iptables -I INPUT -i lo -j ACCEPT
iptables -I OUTPUT -o lo -j ACCEPT
# Allow only the management IP
iptables -I INPUT -s 10.0.0.1 -j ACCEPT
iptables -I OUTPUT -d 10.0.0.1 -j ACCEPT
# Forensic evidence collection (before changes; capture volatile data first and write images to external media, never onto the evidence disk)
dd if=/dev/sda of=/mnt/backup/disk.img bs=4M conv=noerror,sync status=progress # full disk image, keep going past read errors
sha256sum /mnt/backup/disk.img # hash the image for chain of custody
vol -f memory.dmp windows.pslist # memory analysis (volatility3 CLI, installed as `vol`)
find / -xdev -mtime -1 -type f 2>/dev/null # files modified in the last 24 hours on the root filesystem
ss -tunap # active TCP/UDP sockets with owning process (-l would list only listeners)
# Indicators of Compromise (IoC)
# Unusual outbound connections
# New admin accounts
# Modified system binaries
# Unusual cron jobs or services
Topic Quiz · 1 question
Test your understanding before moving on
1. What is the correct order of the NIST Incident Response phases?
💡 NIST SP 800-61 defines: Preparation, Detection, Containment, Eradication, Recovery, Post-Incident Activity.