Skip to main content

Wrap-up; Terms and definitions from Course 6, Module 3

That wraps up our discussion on incident investigation and response.
Nice work on finishing up another section!
We've covered a lot here, so let's take a moment to quickly recap.
First, we revisited the detection and analysis phase of the NIST incident response lifecycle and focused on how to investigate and verify an incident.
We discussed the purpose of detection, and how indicators of compromise can be used to identify malicious activity on a system.
Next, we examined plans and processes behind the incident response, such as documentation and triage.
We also explored strategies for containing and eradicating an incident and recovering from it.
Finally, we examined the last phase of the incident lifecycle, post-incident actions.
We talked about final reports, timelines, and the value of scheduling post-incident reviews through lessons learned meetings.
As a security analyst, you'll be responsible for completing some processes involved in each phase of the incident response lifecycle.
Coming up, you'll learn about logs and have the chance to explore them using a SIEM.


 Glossary terms from module 3

Analysis: The investigation and validation of alerts 

Broken chain of custody: Inconsistencies in the collection and logging of evidence in the chain of custody

Business continuity plan (BCP): A document that outlines the procedures to sustain business operations during and after a significant disruption

Chain of custody: The process of documenting evidence possession and control during an incident lifecycle

Containment: The act of limiting and preventing additional damage caused by an incident

Crowdsourcing: The practice of gathering information using public input and collaboration

Detection: The prompt discovery of security events

Documentation: Any form of recorded content that is used for a specific purpose

Eradication: The complete removal of the incident elements from all affected systems

Final report: Documentation that provides a comprehensive review of an incident

Honeypot: A system or resource created as a decoy vulnerable to attacks with the purpose of attracting potential intruders

Incident response plan: A document that outlines the procedures to take in each step of incident response

Indicators of attack (IoA): The series of observed events that indicate a real-time incident

Indicators of compromise (IoC): Observable evidence that suggests signs of a potential security incident

Intrusion detection system (IDS): An application that monitors system activity and alerts on possible intrusions

Lessons learned meeting: A meeting that includes all involved parties after a major incident

Open-source intelligence (OSINT): The collection and analysis of information from publicly available sources to generate usable intelligence

Playbook: A manual that provides details about any operational action

Post-incident activity: The process of reviewing an incident to identify areas for improvement during incident handling

Recovery: The process of returning affected systems back to normal operations

Resilience: The ability to prepare for, respond to, and recover from disruptions

Standards: References that inform how to set policies

Threat hunting: The proactive search for threats on a network

Threat intelligence: Evidence-based threat information that provides context about existing or emerging threats

Triage: The prioritizing of incidents according to their level of importance or urgency

VirusTotal: A service that allows anyone to analyze suspicious files, domains, URLs, and IP addresses for malicious content