Domain 7: Security Operations Module 48 of 84

Incident Management Lifecycle

CISSP Domain 7 — Security Operations A — Investigations and Monitoring

You Will Be Tested on the Phase You Skip

Every organization that has been through a major security incident says the same thing afterward: “We should have planned for this.” The incident response plan sat on a shared drive, untested. The team roster was outdated. The communication chain was unclear. The containment decision that seemed obvious under pressure turned out to make the situation worse.

Incident management is a lifecycle, not a reaction. The exam will not test whether you can contain a breach at a keyboard. It will test whether you can design and manage the process that ensures the right people make the right decisions at each phase.

This module covers CISSP exam objective 7.6: implement and manage the incident management lifecycle. NIST SP 800-61 (Computer Security Incident Handling Guide) provides the framework the exam draws from, though ISC2 expects you to understand the principles rather than cite specific publications.


Incident Response Plan Components

An incident response plan (IRP) is a documented set of procedures that the organization follows when a security incident occurs. It is not a technical runbook — it is a governance document that defines roles, authority, communication, and decision-making.

An effective IRP includes:

  • Purpose and scope — What constitutes an incident, what types of incidents the plan covers, and what is excluded
  • Roles and responsibilities — Who does what during an incident, who has authority to make containment and communication decisions
  • Classification scheme — How incidents are categorized by severity, which determines the response level
  • Communication procedures — Who is notified, in what order, through what channels, and what they are told
  • Escalation criteria — When and how incidents escalate from the operations team to management, legal, executive leadership, and external parties
  • Coordination with external parties — Law enforcement, regulators, CERT organizations, managed security service providers, and legal counsel
  • Evidence handling procedures — How evidence is preserved, collected, and documented (linking back to Module 43)
  • Post-incident review process — How lessons learned are captured and fed back into the plan

Incident Response Team (CSIRT)

A Computer Security Incident Response Team (CSIRT) is the designated group responsible for executing the incident response plan. The CSIRT can be internal, outsourced, or hybrid.

Core CSIRT Roles

  • Incident Manager (Incident Commander) — Leads the response effort. Makes decisions about containment, escalation, and communication. This is a management role, not a technical one.
  • Technical Lead — Directs the technical investigation and response. Coordinates forensic analysis, system isolation, malware analysis, and recovery actions.
  • Communications Lead — Manages internal and external communications. Works with legal, PR, and management to ensure consistent messaging.
  • Legal Counsel — Advises on legal obligations (notification requirements, evidence preservation, regulatory reporting), attorney-client privilege, and law enforcement engagement.
  • Subject Matter Experts — Database administrators, network engineers, application developers, and other specialists brought in based on the nature of the incident.

The CSIRT should have pre-established authority to take containment actions (isolating systems, blocking IP addresses, disabling accounts) without waiting for management approval during active incidents. Delays in containment while waiting for sign-off allow the attacker to continue operating.


Incident Classification and Triage

Not every security event is an incident, and not every incident warrants the same response. Classification and triage ensure that response effort matches the severity of the situation.

A typical classification scheme:

  • Category — What type of incident: malware, unauthorized access, data breach, denial of service, insider threat, policy violation
  • Severity — The business impact:
    • Critical — Business operations severely impacted, regulated data exposed, executive leadership notification required
    • High — Significant impact to a business unit or system, potential data exposure
    • Medium — Limited impact, contained to a single system or user, no confirmed data exposure
    • Low — Minimal impact, policy violation without broader compromise, informational

Triage is the initial assessment that determines classification. The triage analyst reviews available information — alert data, log evidence, affected systems — and assigns a category and severity. Triage decisions are preliminary and may be updated as investigation reveals more information.


Incident Response Phases

NIST SP 800-61 defines the incident response lifecycle in four phases, though many organizations expand the cycle into more granular steps. The exam recognizes both the NIST four-phase model and the expanded six- or seven-phase model.

1. Preparation

Everything that happens before an incident. This is the most important phase because it determines how well the organization handles everything that follows.

  • Developing and maintaining the incident response plan
  • Building and training the CSIRT
  • Deploying detection tools (SIEM, IDS, EDR)
  • Establishing communication channels and contact lists
  • Conducting tabletop exercises and simulations
  • Securing forensic tools and jump kits
  • Establishing relationships with law enforcement and external response partners

2. Detection and Analysis

Identifying that an incident has occurred and understanding its scope, origin, and impact.

  • Monitoring alerts from SIEM, IDS, EDR, and other detection tools
  • Analyzing logs, network traffic, and system behavior to confirm the incident
  • Determining the attack vector, affected systems, and compromised data
  • Classifying and prioritizing the incident based on the analysis
  • Documenting findings as they emerge — not after the fact

3. Containment, Eradication, and Recovery

Stopping the incident, removing the cause, and restoring normal operations.

Containment limits the damage. Short-term containment (isolating the affected system, blocking the attacking IP) stops the immediate threat. Long-term containment (implementing temporary workarounds, enhanced monitoring) allows business operations to continue while eradication is planned.

A containment decision framework:

  • What is the potential damage if containment is delayed?
  • What is the business impact of the containment action itself?
  • Does containment preserve or destroy evidence?
  • Is the attacker likely to detect containment and escalate their activity?

Eradication removes the root cause: malware, compromised accounts, vulnerable configurations, attacker persistence mechanisms. Eradication must be thorough — if the attacker’s backdoor remains, they will return.

Recovery restores affected systems to normal operation. This includes restoring from backups, rebuilding systems from clean images, verifying system integrity, and monitoring for signs that the attacker is attempting to regain access.

4. Post-Incident Activity (Lessons Learned)

The phase most commonly skipped and most frequently tested on the exam.

  • Post-incident review meeting — Conducted within days of the incident (not weeks or months). All stakeholders participate.
  • Documentation — A complete incident report: timeline, actions taken, what worked, what failed, root cause analysis.
  • Improvement recommendations — Specific, actionable changes to prevent recurrence. These feed back into the preparation phase.
  • Metrics — Time to detect, time to contain, time to recover, cost of the incident. These metrics demonstrate program effectiveness to management.

Communication During Incidents

Communication failures during incidents cause as much damage as the incidents themselves. A well-designed communication plan addresses multiple audiences.

  • Internal technical teams — Need detailed technical information to perform their response tasks. Use secure channels, not email on potentially compromised infrastructure.
  • Management and executives — Need business impact summaries, not technical details. What is affected, what is being done, what is the expected timeline.
  • Legal counsel — Must be involved early to advise on evidence preservation, regulatory notification obligations, and attorney-client privilege protections for investigation findings.
  • Regulators — Many regulations require notification within specific timeframes. GDPR requires notification within 72 hours of becoming aware of a personal data breach. HIPAA requires notification within 60 days.
  • Affected individuals — Data subjects whose information was compromised must be notified according to applicable breach notification laws.
  • Media and public — Controlled through the communications team. Inconsistent or premature public statements create confusion and legal risk.

Third-Party Coordination

Most significant incidents involve parties outside the organization.

  • Law enforcement — Report criminal activity. Understand that law enforcement priorities (prosecution) may conflict with organizational priorities (quick recovery). Evidence preservation requirements may delay system restoration.
  • ISACs/ISAOs — Information Sharing and Analysis Centers share threat intelligence across industry sectors. Sharing indicators of compromise helps other organizations defend against the same threat.
  • Managed security service providers (MSSPs) — If detection or response is outsourced, coordination with the provider must be defined in advance, including escalation procedures and data sharing agreements.
  • Cyber insurance — Many policies require notification to the insurer before engaging incident response firms or making public disclosures. Failure to follow policy procedures can jeopardize coverage.

Tabletop Exercises and Simulations

Incident response plans that are never tested are assumptions, not capabilities. Testing validates that the plan works and that the team can execute it under pressure.

  • Tabletop exercises — Discussion-based sessions where the team walks through a scenario verbally. No systems are touched. The goal is to identify gaps in the plan, unclear responsibilities, and communication breakdowns. Low cost, low risk, high learning value.
  • Functional exercises — The team executes parts of the plan in a simulated environment. Forensic tools are used, communication chains are activated, containment procedures are practiced. More resource-intensive than tabletops but reveals operational gaps that discussion alone cannot.
  • Full-scale simulations — Live exercises that simulate an actual attack, sometimes with red team support. Systems may be intentionally compromised in a controlled manner. Tests the full response capability including detection, analysis, containment, and recovery.

Exercises should be conducted at least annually and after significant changes to the environment, organization, or threat profile. Each exercise should produce documented findings that feed improvements into the incident response plan.


Pattern Recognition

Incident management questions on the CISSP follow these structures:

  • What phase comes next? — Know the order: preparation, detection/analysis, containment/eradication/recovery, lessons learned. The exam tests whether you know what to do at each stage.
  • Who should be notified? — Communication questions test whether you notify the right parties in the right order. Legal counsel early. Regulators within required timeframes. Affected individuals per breach notification laws.
  • What is the FIRST action? — During active incidents, containment takes priority over eradication. During post-incident, lessons learned takes priority over blame assignment.
  • Plan was not tested — Untested plans are assumptions. The answer involves tabletop exercises, simulations, or functional testing.

Trap Patterns

Watch for these wrong answers:

  • “Eradicate the threat before containing it” — Containment comes first. You must stop the bleeding before you can treat the wound.
  • “Skip the lessons learned meeting because the team is exhausted” — Post-incident review is a mandatory phase, not optional. Delaying it risks losing critical details while memories are fresh.
  • “The security team handles all communications during an incident” — External communications should involve legal, management, and the communications team. Security teams should not be making public statements or legal decisions.
  • “Immediately restore from backup and get systems running” — Recovery without eradication means the root cause remains. The attacker’s persistence mechanisms may survive the restore, leading to reinfection.

Scenario Practice


Question 1

A ransomware attack encrypts 200 workstations and 5 file servers across the organization. The CSIRT has contained the spread by isolating the affected network segment. The CEO asks the incident manager for a recovery timeline and wants to know if the organization should pay the ransom.

What phase of the incident lifecycle should the team complete BEFORE making the ransom decision?

A. Lessons learned — review what went wrong before deciding next steps
B. Detection and analysis — determine the full scope of the compromise, identify the ransomware variant, and assess backup viability before evaluating options
C. Preparation — ensure the incident response plan accounts for ransomware scenarios
D. Recovery — attempt restoration first and only consider ransom if recovery fails

Answer & reasoning

Correct: B

Before making a strategic decision about ransom payment, the team needs complete analysis: What ransomware variant is it? Are decryption tools available? Are backups intact and usable? What data was affected? Was data exfiltrated in addition to being encrypted? Without this analysis, the organization cannot make an informed decision. Jumping to recovery (D) without understanding the full scope risks incomplete remediation. Ransom decisions should involve legal counsel, executive leadership, and potentially law enforcement.


Question 2

During a post-incident review for a data breach, the team identifies that the attacker gained initial access through a phishing email six weeks before detection. The SIEM generated an alert for the suspicious authentication that followed, but the alert was closed without investigation due to a high volume of false positives that week.

What is the MOST important improvement from this finding?

A. Implement mandatory phishing awareness training for all employees
B. Replace the current SIEM with a more advanced product
C. Tune SIEM correlation rules to reduce false positives and establish alert investigation SLAs to prevent alerts from being closed without review
D. Add additional security analysts to handle the alert volume

Answer & reasoning

Correct: C

The SIEM detected the attack — the detection capability worked. The failure was operational: too many false positives drowned out the real alert, and no process prevented analysts from closing alerts without investigation. Tuning the rules addresses the noise problem. Investigation SLAs establish accountability for alert handling. Phishing training (A) addresses the initial vector but not the detection failure. Replacing the SIEM (B) replaces a tool that was actually working. More analysts (D) does not fix the false positive problem.
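Here is an added example (not part of the module) that ties Question 2's finding to the post-incident metrics listed under Post-Incident Activity: it audits a queue of alerts for tickets closed without a recorded investigation or left open past an investigation SLA, and derives time to detect, contain and recover from the incident timeline. The Alert schema, the SLA values and the six-week timeline are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Alert:
    """One SIEM alert as tracked in a ticket queue (constructed schema, not a real SIEM's)."""
    alert_id: str
    severity: str                 # Critical / High / Medium / Low, the module's scheme
    raised: datetime
    closed: Optional[datetime] = None
    investigation_note: str = ""  # empty means no analyst recorded an investigation

# Assumed investigation SLA per severity: how long an alert may stay open unreviewed.
INVESTIGATION_SLA = {
    "Critical": timedelta(hours=1),
    "High": timedelta(hours=4),
    "Medium": timedelta(hours=24),
    "Low": timedelta(days=3),
}

def audit_alerts(alerts, now):
    """Return (alert_id, finding) for alerts closed with no investigation record and for open alerts past SLA."""
    findings = []
    for a in alerts:
        if a.closed is not None and not a.investigation_note.strip():
            findings.append((a.alert_id, "closed without investigation"))
        elif a.closed is None and now - a.raised > INVESTIGATION_SLA[a.severity]:
            findings.append((a.alert_id, "open past SLA"))
    return findings

def incident_metrics(initial_access, detected, contained, recovered):
    """The module's post-incident metrics, derived from the incident timeline."""
    return {
        "time_to_detect": detected - initial_access,   # attacker dwell time
        "time_to_contain": contained - detected,
        "time_to_recover": recovered - contained,
    }

# Constructed timeline modelled on Question 2: access via phishing, detected six weeks later.
T0 = datetime(2024, 1, 8, 9, 0)                      # initial access
DETECTED = T0 + timedelta(weeks=6)
CONTAINED = DETECTED + timedelta(hours=8)
RECOVERED = DETECTED + timedelta(days=3)
SAMPLE_ALERTS = [
    Alert("A-1001", "High", T0 + timedelta(minutes=20), closed=T0 + timedelta(minutes=25)),
    Alert("A-1002", "Low", T0 + timedelta(hours=1), closed=T0 + timedelta(hours=2), investigation_note="vulnerability scanner, benign"),
    Alert("A-1003", "Critical", DETECTED),           # still open three hours after it fired
]
NOW = DETECTED + timedelta(hours=3)

def sample_metrics():
    return incident_metrics(T0, DETECTED, CONTAINED, RECOVERED)
```

A-1001 is the alert from the question: it was closed five minutes after firing with no investigation recorded, which is exactly what an investigation SLA review is meant to surface.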


Question 3

An organization’s incident response plan has never been tested. The CISO proposes a tabletop exercise. The CTO objects, arguing that a tabletop exercise is too simple and the organization should conduct a full red team simulation instead.

What is the BEST response?

A. The CTO is correct — a red team simulation provides more realistic testing
B. Start with a tabletop exercise to identify plan gaps and communication issues before investing in a full simulation
C. Neither is necessary if the plan has been reviewed by legal and management
D. Conduct both simultaneously to save time

Answer & reasoning

Correct: B

For a plan that has never been tested, a tabletop exercise is the appropriate starting point. It reveals gaps in the plan, unclear roles, and communication problems at low cost and low risk. Running a full red team simulation against an untested plan will produce chaotic results and make it difficult to distinguish between plan failures and execution failures. The progressive approach is tabletop first, functional exercise second, full simulation once the plan has been validated through simpler tests.


Key Takeaway

The incident management lifecycle is a closed loop: preparation enables detection, detection drives containment, containment leads to eradication and recovery, and lessons learned feed back into preparation. The exam tests this loop relentlessly. If a scenario describes an incident response failure, trace it to a phase that was skipped, underfunded, or untested. The answer is almost always to strengthen the preparation phase or to ensure lessons learned actually change something for next time.
