Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

3.2. Responding to Security Events

Preparation means nothing if execution fails. When a security event occurs, the response follows a well-defined sequence: capture evidence, search and correlate logs, validate and scope the finding, contain the threat, eradicate the root cause, recover services, and analyze what happened. Skip any step and the response is incomplete — miss evidence capture and your forensic investigation is compromised; skip root cause analysis and the same attack recurs next month. Think of this sequence like a surgeon's protocol: assess, stabilize, operate, recover, follow up. Each step depends on the one before it. What makes AWS IR execution different from traditional IR? Everything is API-driven. Evidence capture, network isolation, credential revocation — all are API calls that can be automated and audited through CloudTrail.

This section walks through the complete event response lifecycle, from initial evidence capture through root cause analysis.

Scenario: Security Hub generates a critical finding at 3 AM. Your automated workflow captures initial evidence, but the investigation reveals the attack spans 3 accounts and involves both credential compromise and data exfiltration. How do you manage a cross-account investigation?
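The search-and-correlate and scope steps of the cross-account scenario above, worked in code as an added example that is not part of the original course material: it takes CloudTrail records from three accounts (as they would arrive in a central log bucket), pivots from the access key named in the finding through the temporary credentials that key obtained via AssumeRole, and reports every account touched and every data-access call made with the compromised credential chain. The records, account IDs and key IDs are constructed samples; the field names mirror real CloudTrail JSON.

```python
"""Correlate constructed CloudTrail events across accounts to scope a credential compromise.
Added example, not from the course; all records and identifiers below are constructed."""
from collections import defaultdict

# Constructed sample CloudTrail records from three accounts (fields mirror real CloudTrail JSON).
SAMPLE_EVENTS = [
    {"eventTime": "2026-01-10T03:02:11Z", "recipientAccountId": "111111111111",
     "eventName": "GetCallerIdentity", "eventSource": "sts.amazonaws.com",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"accessKeyId": "AKIAEXAMPLE1"}},
    {"eventTime": "2026-01-10T03:04:40Z", "recipientAccountId": "111111111111",
     "eventName": "AssumeRole", "eventSource": "sts.amazonaws.com",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"accessKeyId": "AKIAEXAMPLE1"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE2"}}},
    {"eventTime": "2026-01-10T03:06:02Z", "recipientAccountId": "222222222222",
     "eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"accessKeyId": "ASIAEXAMPLE2"}},
    {"eventTime": "2026-01-10T03:07:55Z", "recipientAccountId": "222222222222",
     "eventName": "GetObject", "eventSource": "s3.amazonaws.com",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"accessKeyId": "ASIAEXAMPLE2"}},
    {"eventTime": "2026-01-10T03:09:13Z", "recipientAccountId": "333333333333",
     "eventName": "GetObject", "eventSource": "s3.amazonaws.com",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"accessKeyId": "ASIAEXAMPLE2"}},
    {"eventTime": "2026-01-10T03:10:00Z", "recipientAccountId": "333333333333",
     "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "sourceIPAddress": "203.0.113.5", "userIdentity": {"accessKeyId": "AKIAUNRELATED"}},
]

# API calls that read data and therefore matter for the exfiltration question.
DATA_ACCESS_CALLS = {"GetObject", "CopyObject", "GetItem", "Scan"}

def scope_incident(events, seed_key):
    """Return (keys in the credential chain, accounts touched, data-access events to review)."""
    keys, frontier = {seed_key}, [seed_key]
    while frontier:  # follow credentials issued to the seed key (AssumeRole), not just the seed
        key = frontier.pop()
        for e in events:
            if e["userIdentity"].get("accessKeyId") != key:
                continue
            issued = e.get("responseElements", {}).get("credentials", {}).get("accessKeyId")
            if issued and issued not in keys:
                keys.add(issued); frontier.append(issued)
    accounts, data_access = defaultdict(list), []
    for e in sorted(events, key=lambda e: e["eventTime"]):  # build a cross-account timeline
        if e["userIdentity"].get("accessKeyId") in keys:
            accounts[e["recipientAccountId"]].append(e["eventName"])
            if e["eventName"] in DATA_ACCESS_CALLS:
                data_access.append((e["recipientAccountId"], e["eventTime"], e["eventName"]))
    return keys, dict(accounts), data_access
```

The unrelated key in the third account is left out of the scope, which is the validation step in practice: only activity tied to the compromised chain goes into the containment list.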

Reflection Question: Why must the response sequence — capture, correlate, validate, contain, eradicate, recover, analyze — be followed in order, and what goes wrong if steps are skipped or reordered?

Written by Alvin Varughese, Founder, 15 professional certifications