Information Security Specialist Exam: Incident Response - Keywords

1. Incident Response Lifecycle

Main Keywords:

  • Preparation

    • Incident response plan development
    • Tool and resource readiness
    • Training and awareness programs

  • Detection & Analysis

    • Log monitoring and correlation
    • Alert validation and prioritization
    • Threat intelligence integration

  • Containment, Eradication, Recovery

    • Isolation strategies and network segmentation
    • Malware removal and vulnerability patching
    • System restoration and validation testing

  • Post-Incident Activity

    • Lessons learned documentation
    • Process improvement recommendations
    • Metrics and reporting analysis

2. Organizational Structure & Roles

Main Keywords:

  • CSIRT (Computer Security Incident Response Team)

    • Team composition and skill requirements
    • 24/7 on-call rotation schedules
    • Authority and decision-making scope

  • SOC (Security Operation Center)

    • Tier-based analyst structure
    • Tool stack and SIEM platforms
    • Shift handoff procedures

  • Incident Responder/Handler

    • Technical investigation capabilities
    • Communication and coordination skills
    • Documentation and reporting duties

  • Escalation Framework

    • Severity level criteria
    • Escalation paths and timelines
    • Executive notification thresholds

  • Chain of Command

    • Decision authority matrix
    • Cross-functional coordination protocols
    • External stakeholder communication

3. Incident Classification

Main Incident Types:

  • Malware Infection

    • Virus, worm, and trojan variants
    • Propagation methods and vectors
    • Behavioral indicators and signatures

  • Unauthorized Access

    • Credential compromise scenarios
    • Privilege escalation techniques
    • Lateral movement patterns

  • DDoS Attack

    • Volumetric, protocol, and application-layer attacks
    • Botnet and amplification methods
    • Traffic pattern analysis

  • Data Breach/Information Leakage

    • Exfiltration techniques and channels
    • PII/PHI exposure assessment
    • Regulatory notification requirements

  • Insider Threats

    • Malicious vs. negligent actors
    • Data access anomaly detection
    • User behavior analytics (UBA)

  • Phishing/Targeted Attacks

    • Spear phishing and whaling campaigns
    • Social engineering tactics
    • Payload delivery mechanisms

  • Ransomware

    • Encryption algorithms and variants
    • Payment and negotiation considerations
    • Decryption and recovery options

  • Website Defacement

    • Attack surface and entry points
    • Content integrity monitoring
    • Restoration and hardening procedures

  • Service Disruption

    • Availability impact assessment
    • Root cause identification
    • Service restoration priorities

4. Detection & Analysis

Main Keywords:

  • Log Analysis

    • Centralized log aggregation
    • Retention policies and compliance
    • Correlation rules and patterns

  • SIEM (Security Information and Event Management)

    • Real-time event correlation
    • Use case development
    • Dashboard and alerting configuration

  • IDS/IPS (Intrusion Detection/Prevention System)

    • Signature-based vs. anomaly-based detection
    • False positive tuning
    • Inline vs. passive deployment

  • Alert Triage

    • Priority scoring algorithms
    • Context enrichment processes
    • Queue management workflows

  • Anomaly Detection

    • Baseline establishment methods
    • Statistical deviation analysis
    • Machine learning models

  • Impact & Urgency Assessment

    • Business criticality mapping
    • Data classification levels
    • SLA/RTO considerations

  • IoC (Indicator of Compromise)

    • Hash values and file signatures
    • IP addresses and domains
    • Threat feed integration

  • Forensic Investigation

    • Evidence collection procedures
    • Timeline reconstruction techniques
    • Expert witness preparation

5. Initial Response

Main Keywords:

  • First Report

    • Incident ticket creation
    • Initial notification workflows
    • Situation assessment documentation

  • Initial Containment

    • Network isolation and segmentation
    • Account suspension procedures
    • Emergency change management

  • Evidence Preservation

    • Chain of custody documentation
    • Forensic imaging standards
    • Legal hold procedures

  • Scope Determination

    • Affected system inventory
    • Data impact assessment
    • Geographic and business unit mapping

  • Timeline Creation

    • Event chronology construction
    • Time synchronization verification
    • Gap analysis and reconstruction

  • Stakeholder Communication

    • Internal notification templates
    • Status update cadence
    • Confidentiality and need-to-know

6. Containment, Eradication & Recovery

Containment:

  • Short-term Containment

    • Emergency system isolation
    • Access control list (ACL) modifications
    • Traffic filtering and blocking

  • Long-term Containment

    • Temporary system rebuilding
    • Compensating control implementation
    • Monitoring enhancement deployment

Eradication:

  • Malware Removal

    • Anti-malware scanning and cleaning
    • Registry and file system cleanup
    • Persistence mechanism elimination

  • Vulnerability Remediation

    • Emergency patch deployment
    • Configuration hardening
    • Security baseline enforcement

  • Malicious Account Deletion

    • Privileged access review
    • Password reset campaigns
    • Authentication mechanism strengthening

  • Backdoor Removal

    • Hidden service identification
    • Network connection auditing
    • Code review and integrity checking

Recovery:

  • System Recovery Planning

    • Restoration priority matrix
    • Resource allocation strategy
    • Dependency mapping

  • Backup Restoration

    • Clean backup verification
    • Point-in-time recovery selection
    • Incremental vs. full restore

  • Validation & Enhanced Monitoring

    • Functionality testing procedures
    • Performance baseline comparison
    • Heightened surveillance period

7. Reporting & Notification

Main Keywords:

  • Incident Report Documentation

    • Executive summary format
    • Technical details and evidence
    • Timeline and impact analysis

  • Management Reporting

    • Business impact quantification
    • Risk assessment communication
    • Remediation status updates

  • Regulatory Notifications

    • Mandatory disclosure requirements
    • Timeframe compliance (72-hour rules)
    • Regulatory body submission formats

  • IPA (Information-technology Promotion Agency)

    • Vulnerability reporting portal
    • Incident statistics contribution
    • Advisory subscription services

  • JPCERT/CC (Japan Computer Emergency Response Team)

    • Incident coordination services
    • Threat intelligence sharing
    • International liaison functions

  • Law Enforcement

    • Cybercrime reporting procedures
    • Evidence handover protocols
    • Investigation cooperation requirements

  • Data Protection Authority

    • GDPR/PIPL breach notification
    • Personal data impact assessment
    • Documentation requirements

  • Customer/Victim Notification

    • Transparent communication strategy
    • Credit monitoring offerings
    • FAQ and support resources

8. Post-Incident Activities

Main Keywords:

  • Post-Mortem Analysis

    • Blameless retrospective approach
    • What went well/wrong framework
    • Action item tracking

  • Root Cause Analysis (RCA)

    • 5 Whys methodology
    • Fishbone diagram analysis
    • Contributing factor identification

  • Prevention Strategy Development

    • Technical control improvements
    • Process enhancement recommendations
    • People and training initiatives

  • Lessons Learned Documentation

    • Knowledge base updates
    • Playbook refinement
    • Best practice sharing

  • Procedure Improvement

    • Gap analysis findings
    • Workflow optimization
    • Tool enhancement requests

  • Training & Exercises

    • Scenario-based drill planning
    • Skills gap assessment
    • Tabletop exercise scheduling

9. Important Related Concepts

Technical Aspects:

  • Digital Forensics

    • Disk, memory, network forensics
    • Mobile and cloud forensics
    • Forensic tool validation

  • Hash Values

    • MD5, SHA-1, SHA-256 algorithms
    • File integrity verification
    • Rainbow table considerations

  • Chain of Custody

    • Evidence handling documentation
    • Transfer and storage records
    • Audit trail maintenance

  • Timestamp

    • NTP synchronization importance
    • Time zone considerations
    • Clock skew analysis

  • Log Integrity Protection

    • Write-once storage solutions
    • Digital signature implementation
    • Tamper-evident mechanisms

  • Baseline

    • Normal behavior profiling
    • Configuration management database
    • Performance metrics benchmarking

  • Attack Methodologies

    • Cyber Kill Chain model
    • MITRE ATT&CK framework
    • Diamond Model of intrusion

Management Aspects:

  • Incident Response Plan (IRP)

    • Roles and responsibilities matrix
    • Contact list maintenance
    • Playbook development

  • BCP/DRP (Business Continuity/Disaster Recovery Plan)

    • RTO/RPO objectives
    • Failover procedures
    • Crisis management integration

  • Escalation Rules

    • Severity classification criteria
    • Time-based escalation triggers
    • Authority delegation model

  • SLA (Service Level Agreement)

    • Response time commitments
    • Resolution targets
    • Penalty clauses

  • Information Sharing Framework

    • ISAC participation
    • TLP (Traffic Light Protocol)
    • NDAs and trusted communities

10. Legal & Regulatory Requirements

Main Keywords:

  • Computer Fraud and Abuse Act / Unauthorized Access Laws

    • Criminal penalties and liabilities
    • Authorized access definitions
    • Cross-border jurisdiction issues

  • Data Protection Laws (GDPR, CCPA, PIPL, etc.)

    • Breach notification timelines
    • Individual rights and obligations
    • Fines and enforcement actions

  • Criminal Procedure Law

    • Search and seizure procedures
    • Evidence admissibility standards
    • Expert testimony requirements

  • Cybersecurity Legislation

    • Critical infrastructure protection
    • Security baseline mandates
    • Incident reporting obligations

  • Electronic Signature Laws

    • Digital evidence authentication
    • Non-repudiation requirements
    • Certificate authority roles

11. Exercises & Training

Main Keywords:

  • Tabletop Exercise (TTX)

    • Scenario-based discussion format
    • Decision-making practice
    • Process validation objectives

  • Cyber Range Exercises

    • Realistic attack simulation
    • Hands-on technical training
    • Performance metrics collection

  • Red Team / Blue Team Exercises

    • Adversarial simulation approach
    • Detection capability testing
    • Purple team integration benefits

  • Playbook Development

    • Step-by-step response procedures
    • Decision trees and flowcharts
    • Regular review and updates

Exam Preparation Tips:

  1. Understand phase-specific actions - Know what to do in each incident response phase
  2. Master CSIRT structure - Understand roles, responsibilities, and coordination
  3. Know legal obligations - Be clear on mandatory reporting requirements and timelines
  4. Evidence preservation techniques - Understand forensic best practices and chain of custody
  5. Practice scenario analysis - Work through incident response scenarios end-to-end