
Incident Response for CompTIA Network+ N10-009

Incident response is the structured process for detecting, containing, and recovering from security incidents. CompTIA Network+ N10-009 tests the incident response lifecycle, first responder actions, and the role of network infrastructure in incident containment. Network administrators are often the first responders to security incidents — knowing the proper process prevents mistakes that destroy forensic evidence or worsen the breach.


Incident Response Lifecycle

NIST SP 800-61 defines the incident response lifecycle:

  • (1) Preparation — policies, procedures, tools, and team training before incidents occur: the IRP (Incident Response Plan), runbooks, and contact lists.
  • (2) Detection and Analysis — identifying that an incident has occurred and understanding its scope: log analysis, IDS/IPS alerts, user reports, SIEM correlation.
  • (3) Containment — limiting the spread of the incident. Short-term containment isolates affected systems; long-term containment cleans systems while maintaining operations.
  • (4) Eradication — removing the threat (malware, backdoors, compromised accounts).
  • (5) Recovery — restoring systems to normal operations. Verify systems are clean before reconnecting.
  • (6) Post-Incident Activity (Lessons Learned) — document what happened, update procedures, improve defenses.

Order of volatility: when collecting forensic evidence, capture most volatile data first. Order: CPU registers/cache → RAM (running processes, network connections) → Network traffic (currently flowing) → Disk (persistent) → Remote logs (offsite). RAM is lost when the system is powered off — capture it before pulling the plug.

Network Administrator Role in IR

Containment actions available to network admins:

  • VLAN isolation — move the compromised device to a quarantine VLAN
  • ACL blocking — block traffic to/from the compromised IP
  • Port shutdown — disable the switch port of the compromised device
  • Null routing — blackhole route to block traffic to the C2 server
  • DNS sinkholing — redirect the malicious domain to a sinkhole IP
  • Firewall rule changes

Evidence preservation: do not power off systems without capturing volatile evidence first. Do not run AV scans immediately — they modify timestamps and may destroy evidence. Capture network traffic (SPAN port), preserve log files (copy to write-protected media), photograph screen and capture running processes. Follow chain of custody procedures.
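The order-of-volatility and evidence-preservation points above, as an added Python example that is not part of the original page: it ranks planned captures by volatility and keeps a SHA-256 chain-of-custody manifest so a later handler can prove an artifact was not altered after collection. The source categories, collector names and sample bytes are constructed for illustration.

```python
import hashlib
from datetime import datetime, timezone

# Order of volatility from the page: lower rank = more volatile = capture first.
VOLATILITY_RANK = {"cpu": 0, "ram": 1, "network_traffic": 2, "disk": 3, "remote_logs": 4}

def collection_order(artifacts):
    """Sort planned captures so the most volatile sources are taken first."""
    return sorted(artifacts, key=lambda a: VOLATILITY_RANK[a["source"]])

def _now():
    return datetime.now(timezone.utc).isoformat()

def record_artifact(manifest, name, data, source, collector):
    """Hash the captured bytes and open a custody trail for them."""
    entry = {"artifact": name, "source": source, "size": len(data),
             "sha256": hashlib.sha256(data).hexdigest(),
             "custody": [{"who": collector, "action": "collected", "when": _now()}]}
    manifest.append(entry)
    return entry

def transfer_custody(entry, who, action="received"):
    """Every hand-off is its own line: this is what 'document every handler' means."""
    entry["custody"].append({"who": who, "action": action, "when": _now()})

def verify_artifact(entry, data):
    """True only if the bytes still match the hash taken at collection time."""
    return hashlib.sha256(data).hexdigest() == entry["sha256"]

# Constructed sample evidence with hypothetical names, not real captures.
PCAP_SAMPLE = b"constructed SPAN-port capture bytes"
LOG_SAMPLE = b"2024-01-01T00:00:00Z sshd[1]: constructed auth log line\n"

def demo():
    """Collect two artifacts, hand one to forensics, then check integrity."""
    manifest = []
    record_artifact(manifest, "srv01.pcap", PCAP_SAMPLE, "network_traffic", "net-admin")
    log_entry = record_artifact(manifest, "srv01-auth.log", LOG_SAMPLE, "disk", "net-admin")
    transfer_custody(log_entry, "forensics-team")
    intact = verify_artifact(log_entry, LOG_SAMPLE)
    # Any modification after collection (an edit, an AV scan rewriting the file) fails the check.
    tampered = verify_artifact(log_entry, LOG_SAMPLE + b"edited")
    return manifest, intact, tampered

if __name__ == "__main__":
    m, intact, tampered = demo()
    print(collection_order([{"source": "disk"}, {"source": "ram"}]))
    print(intact, tampered, len(m[1]["custody"]))
```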

Key exam facts — Network+

  • IR lifecycle: Preparation → Detection → Containment → Eradication → Recovery → Lessons Learned
  • Order of volatility: RAM first, then disk — capture most volatile evidence first
  • Containment: VLAN isolation, ACL block, port shutdown, null route
  • Do not power off before capturing volatile evidence (RAM, running processes)
  • Chain of custody: document every person who handles evidence
  • IRP (Incident Response Plan) must exist before incidents occur
  • Lessons learned: post-incident review improves future detection and response

Common exam traps

The first action in incident response is always to power off the affected system

Powering off destroys volatile evidence (RAM, running processes, network connections). The first action is containment while preserving evidence: isolate the system from the network (VLAN isolation, port shutdown) without powering off, then capture RAM and running state.

Practice questions — Incident Response

These questions are representative of what you will see on Network+ exams. The correct answer and explanation are shown immediately below each question.

Q1. A network administrator discovers a compromised server actively spreading malware to other systems. What is the first response action?

A. Power off the server immediately to stop the spread
B. Run antivirus software to identify and remove the malware
C. Isolate the server by moving it to a quarantine VLAN or disabling its switch port
D. Restore the server from backup

Explanation: Isolation (containment) stops the spread while preserving the system for forensic analysis. Moving the server to a quarantine VLAN or disabling its switch port disconnects it from other systems without destroying volatile evidence. Powering off destroys RAM evidence and may complicate analysis. Running AV may modify evidence and miss sophisticated malware. Restoring from backup skips containment and investigation.

Frequently asked questions — Incident Response

What is a computer incident response team (CIRT)?

A CIRT (also called CSIRT — Computer Security Incident Response Team) is the dedicated group responsible for managing security incidents. It typically includes security analysts, network engineers, system administrators, legal counsel, and communications/PR staff. The CIRT follows the incident response plan, coordinates investigation and containment, communicates with stakeholders, and conducts post-incident analysis.
