Incident Response Phases
The NIST incident response lifecycle has four phases:
Preparation: establish incident response policy, procedures, team (CSIRT), tools, and communication channels before incidents occur. Train staff on recognizing and reporting incidents.
Detection and Analysis: identify that an incident is occurring. Sources: SIEM alerts, user reports, antivirus notifications, IDS/IPS alerts, anomalous network traffic. Analyze to determine scope, affected systems, and type of incident (malware, data breach, unauthorized access).
Containment, Eradication, and Recovery:
  Containment: stop the spread (isolate systems, block network paths). Short-term containment: an immediate stop to prevent further damage. Long-term containment: maintain limited operations while evidence is preserved and eradication is planned.
  Eradication: remove the threat (malware removal, account cleanup, patching vulnerabilities).
  Recovery: restore systems to normal operation and verify that no threats remain.
Post-Incident Activity: document the incident fully, analyze the root cause, improve defenses, and update procedures.
A+ Technician's Role in Incidents
A+ technicians are often the first to discover or be notified of a security incident. Key responsibilities:
Recognize incident indicators: unusual system behavior, malware alerts, user reports of account lockouts or data access issues.
First responder actions:
  Do NOT power off the system: powering off destroys volatile memory evidence (the exception is when a forensic memory capture is already in progress).
  Do NOT run an antivirus scan immediately: it may overwrite evidence.
  Isolate: disconnect from the network (remove the Ethernet cable, disable Wi-Fi).
  Preserve: do not delete any files.
  Report: immediately notify the security team, supervisor, or incident response hotline per policy.
  Document: note what you observed, when, and what actions you took.
Chain of custody: document who handled evidence, when, and how; this maintains legal admissibility.
Limit access: only authorized personnel handle the incident system.
Your role ends at containment and notification; deeper investigation is for security analysts and forensic specialists.
Evidence Preservation and Chain of Custody
Chain of custody: a legal concept ensuring that evidence is collected, stored, and handled in a way that preserves its integrity and admissibility in court. Each step must be documented: who collected the evidence, when, where, how it was stored, and who it was transferred to.
Forensic imaging: a bit-for-bit copy of a drive made with specialized tools (dd, FTK Imager). Do NOT use the original drive for analysis; work from the forensic image.
Write blocker: a hardware device that prevents any writes to the original drive during imaging.
File hashes: hash (MD5, SHA-256) the original drive and the forensic copy; if they match, the copy is identical.
Volatile vs. non-volatile evidence: volatile evidence (RAM contents, network connections, running processes) is lost when the system powers off, so capture it first if forensics are needed. Non-volatile evidence (disk, logs, configuration files) persists after power off.
Evidence storage: locked physical storage or encrypted digital storage. Log all access to evidence storage.
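The imaging, hash-verification and custody-logging steps above as one POSIX shell script; this is an added example, not part of the original notes or any vendor tool. It images a constructed sample file that stands in for a block device such as /dev/sdb, compares SHA-256 hashes of source and image, and appends a who/when/what record; all paths and the handler id are hypothetical.

```shell
# Constructed example (not from the notes): image a "drive", hash the source and
# the image, and append a chain-of-custody record. The sample file stands in for
# a block device such as /dev/sdb; all paths and the handler id are hypothetical.
set -u

# make_sample_drive PATH: build a small constructed evidence file to image.
make_sample_drive() {
    # first sector: a short text payload padded to exactly 512 bytes
    printf 'constructed sample evidence: user documents\n' |
        dd of="$1" bs=512 count=1 conv=sync 2>/dev/null
    # eight more zeroed sectors, so the file is sector-aligned like a real device
    dd if=/dev/zero bs=512 count=8 >> "$1" 2>/dev/null
}

# sha256_of PATH: print the SHA-256 hex digest. SHA-256 is preferred over MD5
# (which the notes also list) because MD5 collisions are practical.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# image_drive SRC DEST: bit-for-bit copy. conv=noerror,sync keeps reading past
# bad sectors and zero-fills them so later offsets stay aligned with the source.
image_drive() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# verify_image SRC DEST: returns 0 if the hashes match, 1 otherwise.
verify_image() {
    [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]
}

# log_custody LOG HANDLER ACTION ITEM HASH: append one tab-separated custody
# entry (when, who, what, which item, its hash) so every step is traceable.
log_custody() {
    printf '%s\t%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$2" "$3" "$4" "$5" >> "$1"
}

# acquire SRC DEST LOG HANDLER: image, verify, record; returns 0 only when the
# image is verified identical to the source.
acquire() {
    image_drive "$1" "$2" || return 1
    h="$(sha256_of "$2")"
    if verify_image "$1" "$2"; then
        log_custody "$3" "$4" "imaged-and-verified" "$2" "$h"
    else
        log_custody "$3" "$4" "HASH-MISMATCH" "$2" "$h"
        return 1
    fi
}
```

On a real drive the source must sit behind a write blocker, and the original is set aside once the image is verified; all analysis then runs against the image.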
Common Security Incidents
Data breach: unauthorized access to sensitive information. Response: contain, assess scope, and notify affected parties and regulators per legal requirements (HIPAA 60 days, GDPR 72 hours).
Ransomware: file encryption plus a ransom demand. Response: isolate immediately, do not pay, assess backup status, contact the incident response team, and report to law enforcement.
Malware infection: any malware on systems. Response: isolate, preserve evidence, then run forensics or proceed with malware removal per the IR plan.
Unauthorized access: someone accessing systems without authorization. Response: disable compromised accounts, preserve logs, review what was accessed, and notify legal/HR if the actor is internal.
DDoS: service unavailable due to a traffic flood. Response: notify the ISP, enable DDoS mitigation (scrubbing, rate limiting), and document.
Insider threat: a current or former employee abusing access. Response: immediately revoke access, preserve evidence before alerting the subject, and involve HR and legal.