8.4.1. Incident Response Lifecycle
💡 First Principle: The NIST SP 800-61 incident response lifecycle provides the authoritative process model tested on the CISSP. Its four phases are sequential in concept but overlapping in practice — detection continues during containment, and recovery may begin before eradication is fully complete for large-scale incidents.
NIST 800-61 IR Lifecycle:
Phase 1: Preparation
- IR policy and plan documented, approved by management, and distributed
- IR team identified with clear roles: IR lead, triage analyst, forensic analyst, communications lead, legal liaison
- Tools pre-deployed: forensic imaging kits, network isolation capabilities, pre-authorized jump kits, out-of-band communication channels
- Playbooks created for common scenarios: ransomware, data breach, insider threat, DDoS, business email compromise
- Regular training and tabletop exercises to test readiness
Phase 2: Detection and Analysis
- Sources: SIEM alerts, IDS/IPS, endpoint detection, user reports, threat intelligence, external notification (FBI, vendor, customer)
- Initial triage: Is this a true positive? What is the scope? Which systems are affected?
- Evidence preservation begins immediately, following the order of volatility: RAM contents, network connections, and running processes are lost on reboot or power-off, so capture them before any action that alters the host, then take the disk image (which changes far more slowly)
- Incident classification: severity level determines response urgency and escalation requirements
Phase 3: Containment, Eradication, and Recovery
| Stage | Goal | Actions |
|---|---|---|
| Short-term containment | Stop immediate damage | Isolate affected systems; block malicious IPs/domains; disable compromised accounts |
| Long-term containment | Stabilize while investigation continues | Move to clean network segment; apply temporary patches; enhanced monitoring |
| Eradication | Remove the threat entirely | Remove malware; close exploited vulnerability; reset all compromised credentials |
| Recovery | Restore normal operations | Restore from clean backups; rebuild compromised systems; gradually reintroduce to production with enhanced monitoring |
Phase 4: Post-Incident Activity
- Lessons learned meeting within 1–2 weeks (while details are fresh)
- Root cause analysis: not just "what happened" but "why did our defenses fail to prevent or detect it earlier?"
- Documentation: timeline, actions taken, what worked, what didn't, recommendations
- Process improvements: update playbooks, detection rules, and training based on findings
- Metrics: dwell time, time to detect, time to contain, time to recover, each with a defined start and end timestamp so values are comparable across incidents
Dwell time, the interval between initial compromise and detection, is the metric most directly tied to impact. Industry median dwell time has fallen (Mandiant's M-Trends reporting put the global median at 16 days for 2022 and 10 days for 2023) but is still measured in days, and for many organizations in weeks. Every additional day gives the attacker more opportunities to escalate privileges, move laterally, and exfiltrate data; the other metrics largely bound damage that dwell time has already allowed.
⚠️ Exam Trap: The exam may present a scenario where the IR team wants to immediately restore a compromised system from backup to minimize downtime. This is incorrect: restoring or rebuilding before evidence collection destroys the forensic evidence needed to understand the attack, identify every compromised system, and prevent recurrence. The correct sequence: preserve evidence (memory capture, then forensic disk image) → contain → eradicate → then restore. Containment steps that leave the host running, such as network isolation, do not conflict with preservation and may be taken first; what must be avoided is powering off (which discards volatile memory), wiping, or re-imaging a system that has not yet been captured.
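As an added example (not part of the original study text and not from NIST SP 800-61), the Python below takes a constructed incident timeline, computes the Phase 4 metrics listed above, and flags the ordering error the exam trap describes: an eradication or restoration milestone recorded before the evidence-preservation milestone. The milestone names, the sample timestamps, and the convention that time to contain, eradicate, and recover are measured from detection are assumptions of the example.

```python
"""Incident timeline metrics and lifecycle-order check (added example, not NIST text)."""
from datetime import datetime, timedelta

# Constructed sample timeline for a hypothetical incident (ISO 8601, UTC).
# The initial-compromise time is normally established later by forensics.
SAMPLE_TIMELINE = [
    ("initial_compromise", "2024-03-02T01:10:00Z"),
    ("detected",           "2024-03-09T02:00:00Z"),
    ("evidence_preserved", "2024-03-09T03:15:00Z"),  # memory capture + disk image done
    ("contained",          "2024-03-09T04:40:00Z"),
    ("eradicated",         "2024-03-10T18:00:00Z"),
    ("restored",           "2024-03-11T09:30:00Z"),
    ("recovered",          "2024-03-12T12:00:00Z"),
]

# The exam-trap timeline: same incident, but the server was restored from backup
# half an hour after detection, before any forensic capture was taken.
TRAP_TIMELINE = [
    (name, "2024-03-09T02:30:00Z" if name == "restored" else ts)
    for name, ts in SAMPLE_TIMELINE
]

# (earlier, later) pairs the lifecycle requires. Network isolation ("contained")
# can legitimately happen before or after imaging, so it is not ordered against
# "evidence_preserved"; eradication and restoration alter the host and must not.
REQUIRED_ORDER = [
    ("initial_compromise", "detected"),
    ("detected", "evidence_preserved"),
    ("evidence_preserved", "eradicated"),
    ("evidence_preserved", "restored"),
    ("contained", "eradicated"),
    ("eradicated", "restored"),
    ("restored", "recovered"),
]


def parse_timeline(events):
    """Return {milestone: aware datetime}; reject duplicate milestones."""
    parsed = {}
    for name, ts in events:
        if name in parsed:
            raise ValueError(f"duplicate milestone: {name}")
        # Accept a trailing 'Z' on older Python versions by rewriting it as +00:00.
        parsed[name] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return parsed


def compute_metrics(t):
    """Core IR metrics as timedeltas.

    Dwell time runs from initial compromise to detection. The remaining metrics
    are measured from detection (an assumed convention; define yours explicitly).
    """
    return {
        "dwell_time": t["detected"] - t["initial_compromise"],
        "time_to_contain": t["contained"] - t["detected"],
        "time_to_eradicate": t["eradicated"] - t["detected"],
        "time_to_recover": t["recovered"] - t["detected"],
    }


def sequence_violations(t):
    """List milestones recorded out of lifecycle order, e.g. a restore before imaging."""
    problems = []
    for earlier, later in REQUIRED_ORDER:
        if earlier in t and later in t and t[later] < t[earlier]:
            problems.append(
                f"{later} at {t[later].isoformat()} precedes {earlier} at {t[earlier].isoformat()}"
            )
    return problems


def fmt(td: timedelta) -> str:
    """Render a timedelta as 'Nd HH:MM' for a lessons-learned report."""
    hours, rem = divmod(td.seconds, 3600)
    return f"{td.days}d {hours:02d}:{rem // 60:02d}"


if __name__ == "__main__":
    for label, timeline in (("sample", SAMPLE_TIMELINE), ("trap", TRAP_TIMELINE)):
        t = parse_timeline(timeline)
        print(f"== {label} ==")
        for name, value in compute_metrics(t).items():
            print(f"  {name:<18} {fmt(value)}")
        for problem in sequence_violations(t) or ["no ordering violations"]:
            print(f"  ! {problem}")
```

Run it and the sample timeline reports a dwell time of 7d 00:50 with no violations, while the trap timeline reports two: the restore precedes both evidence preservation and eradication, which is exactly the evidence-destroying shortcut the exam expects you to reject.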
Reflection Question: A ransomware infection is discovered at 2 AM on a Saturday affecting 30 servers including the organization's ERP system. The IT director wants to immediately restore from backups. The CISO wants to preserve evidence first. The CEO wants to know if customer data was exfiltrated. Describe the first 4 hours of response: who is contacted, what actions are taken in what order, and how you balance the competing priorities of evidence preservation, business restoration, and regulatory notification.