⚡ Incident & DR Operations — Points 1001–1100
Format: Point & Concept → Interview Answer → Example / Tool
Each row gives you a clean definition you can say in an interview, plus a real-world example or tool.
🚨 Incident Response Core Phases (1001–1040)
| Point & Concept | Interview Answer | Example / Tool |
|---|---|---|
| 1001. Incident Response (IR) | The structured approach to addressing and managing the aftermath of a security breach or attack. | Activating the ransomware playbook |
| 1002. Preparation (IR Phase) | The most critical phase: establishing policies, building playbooks, ensuring proper logging is turned on, and training the team before an attack happens. | Holding a tabletop exercise on zero-day exploitation |
| 1003. Identification (IR Phase) | Detecting a potential security incident, determining if it is a true positive, and defining the scope of the compromise. | SIEM alerts on a suspicious PowerShell command; SOC verifies it is malicious |
| 1004. Containment (IR Phase) | The immediate, short-term actions taken to stop the bleeding and prevent the threat from spreading further into the network. | Isolating an infected laptop via EDR while keeping it powered on for forensics |
| 1005. Eradication (IR Phase) | Finding the root cause of the incident and permanently removing the threat, malware, or attacker persistence mechanisms from the environment. | Forced password resets, deleting malicious scheduled tasks, and patching the initial vulnerability |
| 1006. Recovery (IR Phase) | Carefully and systematically restoring affected systems and data to full production capability while monitoring for reinfection. | Restoring a clean database snapshot and verifying no new anomalous connections occur |
| 1007. Lessons Learned (IR Phase) | The post-incident review (post-mortem) where the team discusses what went wrong and updates playbooks, policies, or tools so the same gap cannot be used the same way again. | Writing a new detection rule because the initial payload crossed the perimeter without triggering any alert |
| 1008. CSIRT (Computer Security Incident Response Team) | A dedicated, cross-functional team (Security, Legal, PR, IT) activated during a major incident to coordinate the response. | The CSIRT convenes physically in a war room during a major data breach |
| 1009. Tabletop Exercise | A discussion-based simulation where executives, IT, and security roleplay an incident to find gaps in the IR plan. | Spending 4 hours walking through a simulated supply-chain attack scenario |
| 1010. Playbook / Runbook | A documented, step-by-step procedure detailing exactly how to respond to a specific type of incident (e.g., Malware, Phishing, Insider Threat). | Splunk SOAR playbook automatically executing the 'Phishing Response' steps |
| 1011. Incident Severity (P1-P4) | Categorising an incident based on business impact, data sensitivity, and urgency to dictate the required response SLAs. | P1 (Critical): Active ransomware. P3 (Medium): Malware caught and blocked by AV |
| 1012. True Positive | A security alert that correctly fired on actual malicious activity. | A WAF alerting on and blocking a real SQL injection attempt |
| 1013. False Positive | A security alert that fired on benign or normal administrative activity, creating noise for the SOC. | An "Impossible Travel" alert firing because a user's VPN exit node is geolocated in another country |
| 1014. True Negative | Normal, legitimate traffic that passes through security controls without triggering an alert. | Standard HTTP web browsing happening silently in the background |
| 1015. False Negative | A critical failure where malicious activity occurred but security controls completely failed to detect or block it. | A new zero-day malware executing without triggering EDR or SIEM alerts |
| 1016. Triage | The initial assessment of incoming alerts to filter out noise, prioritise critical threats, and assign them for deep investigation. | An L1 SOC analyst closing 5 false positives and escalating 1 true positive to L2 |
| 1017. Root Cause Analysis (RCA) | The process of tracing an incident back to the exact vulnerability or failure that allowed the attacker in, rather than stopping at the symptom that was noticed. | Determining that an employee entered their password on a phishing page, and that the absence of MFA let the attacker reuse it |
| 1018. Indicator of Compromise (IOC) | Reactive, atomic evidence that an attack has already occurred, such as a known bad IP, file hash, or malicious URL; cheap for the attacker to change (a rebuilt binary has a new hash). | Finding a file on a file server whose SHA-256 matches a known WannaCry sample |
| 1019. Indicator of Attack (IOA) | Proactive evidence of the intent or behaviour of an attack in progress, focusing on how it works regardless of the specific malware used. | Alerting on any process attempting to dump LSASS memory |
| 1020. Threat Intelligence Platform (TIP) | A system that aggregates, scores, and integrates threat feeds (IOCs) into security controls like firewalls or SIEMs. | MISP or ThreatConnect automatically pushing malicious IPs to the Palo Alto blocklist |
| 1021. Kill Chain: Reconnaissance | The attacker gathering information about the target from public sources (OSINT) or active scanning. | Harvesting employee email addresses from LinkedIn |
| 1022. Kill Chain: Weaponisation | The attacker pairing malicious code with a carrier (document, archive, installer) tailored to the target's environment. | Embedding a malicious VBA macro in a Word document styled as a supplier invoice |
| 1023. Kill Chain: Delivery | The transmission of the weaponised payload to the target environment. | Sending the macro-laden invoice as a spear-phishing attachment |
| 1024. Kill Chain: Exploitation | The malicious code triggering on the victim's system, either through a software vulnerability or through a feature the user is tricked into enabling. | The user clicks "Enable Content" and the macro launches PowerShell to fetch the next stage |
| 1025. Kill Chain: Installation | The attacker establishing persistence on the system so they survive reboots. | The malware creating a hidden Scheduled Task to run every startup |
| 1026. Kill Chain: Command & Control (C2) | The compromised system phoning home to the attacker's server to receive instructions or download secondary payloads. | The infected endpoint tunnelling commands and results through DNS queries to an attacker-controlled domain |
| 1027. Kill Chain: Actions on Objectives | The final stage where the attacker achieves their goal: data theft, ransomware encryption, or system destruction. | Encrypting the SQL database and dropping a ransom note |
| 1028. Lateral Movement | Moving from the initially compromised host to other, higher-value systems within the corporate network to find sensitive data. | Using stolen credentials to RDP from a workstation to the Domain Controller |
| 1029. Privilege Escalation | An attacker exploiting a bug or misconfiguration to gain higher-level administrative access than they originally had. | A standard user exploiting a local kernel flaw to become NT AUTHORITY\SYSTEM |
| 1030. Exfiltration | The unauthorised transfer of sensitive data out of the corporate network to attacker-controlled storage. | Copying 10GB of customer data to an external Mega.nz file-sharing account |
| 1031. Log Aggregation | Collecting log files from firewalls, endpoints, servers, and applications into one central, searchable repository. | Forwarding all Windows Event logs and Syslog to an ELK cluster |
| 1032. Time Synchronisation (NTP) | Ensuring all devices on a network use the exact same time source so logs can be correlated accurately during an investigation. | A firewall log showing 14:01 aligning perfectly with a server log at 14:01 |
| 1033. Chain of Custody | The chronological, strictly documented paper trail detailing the collection, control, transfer, and analysis of digital evidence. | Signing over a physical hard drive to law enforcement with timestamps and signatures |
| 1034. Legal Hold | A legal directive to preserve all data, emails, and logs relevant to an impending lawsuit or criminal investigation, overriding normal deletion policies. | Suspending the automatic 30-day email deletion policy for a user under investigation |
| 1035. E-Discovery | The process of identifying, collecting, and producing electronically stored information (ESI) in response to a legal request. | IT searching across Office 365 for all emails containing the keyword 'Project X' |
| 1036. Out-of-Band Communication | Using a completely separate, secure communication channel during an incident, assuming the primary network (like Slack or internal email) is compromised. | Using Signal on personal phones to discuss containment of an active APT intruder |
| 1037. Incident Declaration | The formal moment when management agrees a security event constitutes an 'incident', triggering legal, PR, and SLA clocks. | The CISO declaring a P1 incident, notifying the board and legal counsel |
| 1038. Containment Strategy: Isolation | Disconnecting a system from the network physically or logically to stop the spread, without turning it off. | The EDR disabling all network adapters on a laptop except the connection back to the EDR console |
| 1039. Containment Strategy: Segmentation | Moving affected systems into an isolated quarantine VLAN where they can be analysed but cannot reach production. | Moving a compromised web server into a heavily monitored quarantine VLAN whose only permitted peer is the forensic workstation |
| 1040. Evidence Preservation Rule | Never perform forensic analysis on the original evidence. Always take a verifiable copy (image) and analyse the copy. | Creating a bit-by-bit physical clone of a suspect's hard drive before searching it |
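The IOC versus IOA distinction in points 1018 and 1019 is easiest to see in code. The block below is an added example, not from the page: it runs a static IOC match and two behavioural IOA rules (LSASS memory read, scheduled-task persistence from a user-writable path) over constructed Sysmon-style events (shapes modelled on Event IDs 1, 3 and 10). The hash, IPs, paths and the EDR allowlist entry are all made up.

```python
"""Added example, not from the page: IOC matching versus IOA detection over
constructed Sysmon-style events (shapes modelled on Event IDs 1, 3 and 10;
every value below is made up)."""
from copy import deepcopy

# Constructed IOC feed for one known sample: a file hash and a C2 IP.
IOC_SHA256 = {"deadbeef" * 8}
IOC_IPS = {"203.0.113.77"}

# Processes legitimately allowed to open LSASS (EDR/AV sensors). Assumed path.
LSASS_ALLOWLIST = {r"c:\program files\vendor edr\sensor.exe"}
PROCESS_VM_READ = 0x0010          # Win32 access right present in every dump mask
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")

EVENTS = [  # constructed telemetry
    {"id": 1, "image": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "sha256": "deadbeef" * 8, "cmdline": "update.exe"},
    {"id": 3, "image": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "dst_ip": "203.0.113.77", "dst_port": 443},
    {"id": 10, "source_image": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1010},
    {"id": 10, "source_image": r"C:\Program Files\Vendor EDR\sensor.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": 0x1FFFFF},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc onstart /ru SYSTEM /tn Updater '
                r'/tr C:\Users\bob\AppData\Local\Temp\update.exe'},
]


def ioc_hits(events):
    """Static matching: fires only while the hash and IP stay unchanged."""
    hits = []
    for i, ev in enumerate(events):
        if ev.get("sha256") in IOC_SHA256:
            hits.append((i, "known-bad hash"))
        if ev.get("dst_ip") in IOC_IPS:
            hits.append((i, "known C2 IP"))
    return hits


def ioa_hits(events):
    """Behavioural matching: keyed on what the process does, not what it is."""
    hits = []
    for i, ev in enumerate(events):
        if ev["id"] == 10 and ev["target_image"].lower().endswith("\\lsass.exe"):
            src = ev["source_image"].lower()
            if src not in LSASS_ALLOWLIST and ev["granted_access"] & PROCESS_VM_READ:
                hits.append((i, "LSASS memory read (credential dumping)"))
        if ev["id"] == 1 and ev["image"].lower().endswith("\\schtasks.exe"):
            cmd = ev["cmdline"].lower()
            if "/create" in cmd and any(t in cmd for t in ("onstart", "onlogon")) \
                    and any(p in cmd for p in USER_WRITABLE):
                hits.append((i, "scheduled task persistence from user-writable path"))
    return hits


def rebuilt_sample(events):
    """Same behaviour, new hash and new C2 IP: what a re-packed sample looks like."""
    out = deepcopy(events)
    for ev in out:
        if "sha256" in ev:
            ev["sha256"] = "cafef00d" * 8
        if "dst_ip" in ev:
            ev["dst_ip"] = "198.51.100.9"
    return out


if __name__ == "__main__":
    print("IOC:", ioc_hits(EVENTS))
    print("IOA:", ioa_hits(EVENTS))
    print("IOC after repack:", ioc_hits(rebuilt_sample(EVENTS)))
    print("IOA after repack:", ioa_hits(rebuilt_sample(EVENTS)))
```

Run as-is the IOC rules hit events 0 and 1 and the IOA rules hit events 2 and 4 (the EDR sensor's own LSASS access is allowlisted). After `rebuilt_sample` swaps the hash and the C2 address, the IOC list is empty while the IOA list is unchanged, which is the whole argument for behavioural detections.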
🔎 Digital Forensics & Analysis (1041–1100)
| Point & Concept | Interview Answer | Example / Tool |
|---|---|---|
| 1041. Digital Forensics | The scientific process of preserving, identifying, extracting, and documenting digital evidence for use in court or IR root-cause analysis. | Using EnCase to pull deleted files from an embezzler's laptop |
| 1042. Order of Volatility | The standard sequence (RFC 3227) in which evidence must be collected, starting with the data most likely to be lost when power is removed or simply as the system keeps running. | CPU registers and cache, then RAM and network state (process list, ARP cache, routing table, open connections), then temporary files and disk, then remote logs and archival media |
| 1043. Volatile Evidence | Data that is completely erased the moment a computer is powered down or restarted. | Running processes, active network connections, and the contents of RAM |
| 1044. Non-Volatile Evidence | Data that persists and remains stored even when the device is powered off. | The master boot record, the Windows Registry, and files on the hard drive |
| 1045. Memory Forensics (RAM) | Analysing a dump of a system's physical memory to find fileless malware, decrypted passwords in memory, and active C2 connections. | Using the Volatility framework to extract a malicious hidden process |
| 1046. Disk Imaging | Creating a bit-for-bit, exact clone of a physical storage drive, including unallocated space and deleted files, for safe analysis. | Using FTK Imager to clone a 500GB SSD to an external evidence drive |
| 1047. Write Blocker | A hardware device or software tool that intercepts and prevents any commands from modifying data on a hard drive being imaged. | Connecting a suspect's drive through a Forensic Bridge ensuring zero bytes are altered during the copy |
| 1048. File Hashing in Forensics | Generating a cryptographic hash (SHA-256 today; MD5 at most alongside it, since MD5 collisions can be manufactured) of the original drive and of the forensic image to prove that the copy is bit-for-bit identical and untampered. | Recording matching source and image SHA-256 values in the acquisition log and on the chain-of-custody form |
| 1049. Slack Space | The empty, unused space between the end of a physical file and the end of the cluster it occupies on the disk; a common place to hide malware. | Data hidden in the 200 bytes of empty space at the end of a 4KB disk cluster |
| 1050. Unallocated Space | Portions of the hard drive that the OS currently views as empty and available for new data, often containing remnants of deleted files. | Running a file-carving tool over unallocated space to recover deleted Word docs |
| 1051. File Carving | The process of recovering deleted files from unallocated disk space by searching for identifying headers (magic numbers) and footers, ignoring the file system structure entirely. | Using Scalpel or PhotoRec to recover deleted JPEGs by searching for the FFD8 hex header |
| 1052. Network Forensics | Capturing, storing, and analysing live network traffic (often via PCAP) to determine the source of an attack or prove data exfiltration. | Using Wireshark to replay a recorded packet capture showing an FTP data exfiltration session |
| 1053. Timeline Analysis | Creating a chronological sequence of events by merging file timestamps, registry changes, and application logs to tell the story of the attack. | Proving the attacker dropped a payload at 14:02, ran it at 14:05, and created a new admin user at 14:10 |
| 1054. MAC Times | Timestamps tracked by the file system: Modified (when content changed), Accessed (when last opened), and Created (when the file was born); NTFS adds an Entry-modified time. | An attacker altering MAC times so a new malware file looks like an old Windows DLL (timestomping); this usually rewrites only the $STANDARD_INFORMATION timestamps, so a mismatch against the $FILE_NAME attribute, which normal file APIs do not update, exposes it |
| 1055. Windows Registry Forensics | Analysing the central Windows configuration database to find evidence of execution, USB device insertions, or persistence mechanisms (Run keys). | Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Run for malware set to start on boot |
| 1056. Prefetch Analysis | A Windows feature designed to speed up application load times; forensically, each .pf file records an executable's run count and its last run times (the last eight on Windows 8 and later). Disabled by default on Windows Server, so do not expect it there. | Proving the suspect executed ccleaner.exe on Tuesday at 9 AM to cover their tracks |
| 1057. AmCache / ShimCache | Windows compatibility databases that store metadata about executables. On Windows 10 and later a ShimCache entry shows only that the file existed at that path, and AmCache adds its SHA-1 hash, so neither alone proves execution; pair them with Prefetch or Sysmon Event ID 1 for that. | Matching the AmCache SHA-1 of a deleted mimikatz.exe to a known sample even though the attacker removed the file |
| 1058. Windows Event Logs (.evtx) | The primary source of truth for Windows activity; Security, System, and Application logs critical for tracking logins and changes. | Searching Event ID 4624 (Successful Logon) with Logon Type 3 (network) or 10 (RemoteInteractive/RDP) to track lateral movement between hosts |
| 1059. Sysmon (System Monitor) | A free Microsoft Sysinternals tool that drastically improves Windows logging, recording granular details like process creation, network connections, and file hashing. | Sysmon Event ID 1 (Process Creation) showing the exact command line used to launch a malicious script |
| 1060. Malware Analysis | The process of studying a malicious binary or script to understand its capabilities, origin, and impact without triggering a real attack. | Analysing a Ransomware payload to determine if its encryption flaw allows data recovery without paying |
| 1061. Static Malware Analysis | Examining the code, strings, headers, and structure of a malicious file without actually executing it. | Using strings or Ghidra to read hardcoded IP addresses directly from a malware binary |
| 1062. Dynamic Malware Analysis | Executing malware in a heavily monitored, isolated environment to observe its true behaviour, network calls, and file system changes. | Running the malware in a Cuckoo Sandbox and observing it violently encrypting test files |
| 1063. Obfuscation / Packing | Techniques used by malware developers to compress or scramble the code to hide its true intent from static analysis and antivirus engines. | A packed executable where the true malicious payload is only decrypted in memory at runtime |
| 1064. Reverse Engineering | The highly skilled process of entirely deconstructing a compiled program back into assembly or source code to understand its core architecture. | Using IDA Pro or Ghidra to find a hardcoded decryption key buried deep in a banking trojan |
| 1065. C2 / Command and Control | The server or infrastructure an attacker uses to maintain communication with malware inside a compromised network. | A compromised server beaconing over HTTPS every 5 minutes to an external IP that no business process explains |
| 1066. Beaconing | The regular, rhythmic 'pulse' of communication sent from a compromised host to its C2 server to see if there are any new instructions. | A 1KB packet sent exactly every 60 seconds (with 10% jitter) to external infrastructure |
| 1067. DGA (Domain Generation Algorithm) | Malware mathematically generating hundreds of random domain names a day, forcing the C2 communication to constantly shift, making blocking difficult. | Malware trying to contact xqyzwlpb.com, failing, then trying ajfbbmz.info to find its master server |
| 1068. DNS Sinkhole | A defensive mechanism that intercepts requests for known malicious domains (like C2s) and routes them to a safe, controlled internal IP address. | A compromised machine attempts to reach evil.com, but the internal DNS redirects it to an internal SOC server, logging the attempt and failing the connection |
| 1069. YARA Rules | A powerful tool used to identify and classify malware based on textual or binary patterns (essentially "grep for malware"). | Creating a YARA rule that triggers anytime the specific string #MalwareV2 is found in a file across the enterprise |
| 1070. Sigma Rules | A generic, vendor-agnostic signature format for SIEM systems; allows defenders to share detection logic regardless of whether they use Splunk, Elastic, or Sentinel. | A Sigma rule searching for "whoami" commands shared by the community and imported directly into Splunk |
| 1071. SIEM (Security Information and Event Management) | A platform that centralizes logs from across the enterprise, analyses them in real-time, correlates events, and generates alerts for the SOC. | Splunk Enterprise Security |
| 1072. SOAR (Security Orchestration, Automation, and Response) | A platform that takes alerts from the SIEM and executes automated playbooks to triage or contain the threat, drastically reducing manual analyst work. | Cortex XSOAR |
| 1073. EDR (Endpoint Detection and Response) | Advanced agent-based software on workstations and servers that records detailed activity (processes, network, registry) and can isolate the host. | CrowdStrike Falcon / SentinelOne |
| 1074. XDR (Extended Detection and Response) | The evolution of EDR, pulling telemetry not just from endpoints, but from identity, email, cloud, and network sources to create unified incidents. | Microsoft 365 Defender correlating an email click with an endpoint process |
| 1075. NDR (Network Detection and Response) | Passive network sensors that analyse east-west network traffic to spot anomalies, lateral movement, or exfiltration using machine learning. | Vectra AI or ExtraHop |
| 1076. OSINT (Open-Source Intelligence) | The collection and analysis of publicly available information to profile targets, find vulnerabilities, or attribute attacks. | Using Shodan to find publicly exposed unpatched RDP servers belonging to a target company |
| 1077. Honeypot | A decoy system deliberately made to look attractive to attackers; since no real user should touch it, any interaction is a high-fidelity alert. | A fake server named FINANCE-DB-01 that immediately pages the SOC if anyone tries to log in |
| 1078. Active Defense | Cyber strategies where an organisation actively disrupts or frustrates an attacker, going beyond just blocking traffic (though short of illegal hacking back). | Deploying honeytokens, fake credentials, or slowing down enemy connections infinitely (Tarpitting) |
| 1079. Honeytoken / Canary Token | A fake credential, file, or API key left on a system. If an attacker steals and attempts to use it, a silent alarm is immediately triggered. | A fake AWS access key left in a developer's .bash_history file |
| 1080. Data Loss Prevention (DLP) | Software designed to detect potential data breaches/exfiltration transmissions and prevent them by monitoring endpoint activity and network egress. | Blocking an employee from uploading a spreadsheet containing 500 credit card numbers to a personal Gmail account |
| 1081. UEBA (User and Entity Behavior Analytics) | Using machine learning to baseline normal behaviour for users and machines, alerting loudly when they drastically deviate. | Alerting when an HR employee, who normally downloads 5MB a day, suddenly downloads 4GB of source code at 2 AM |
| 1082. Post-Mortem | A crucial, honest, and preferably 'blameless' review held after an incident to determine root causes and engineer permanent solutions. | Realising that a lack of MFA on the legacy VPN caused the breach, so the team retires the legacy VPN completely |
| 1083. Cyber Kill Chain Framework | A model showing the phases of a cyberattack, originally developed by Lockheed Martin, used to understand where defenses broke down. | Recon, Weaponise, Deliver, Exploit, Install, C2, Actions on Objectives |
| 1084. MITRE ATT&CK Framework | A comprehensive, globally accessible knowledge base of adversary tactics, techniques, and procedures based on real-world observations. | The industry standard for mapping what an attacker did, like T1003 (OS Credential Dumping) |
| 1085. Business Continuity Plan (BCP) | The broader, overarching plan designed to keep an organisation operating during and immediately after a disaster. | Rerouting customer service calls to a secondary call centre when the primary building loses power |
| 1086. Disaster Recovery Plan (DRP) | The technical subset of the BCP, focused strictly on recovering the IT infrastructure, databases, and digital operations. | Failing over the core banking application to an AWS backup region after the primary data centre floods |
| 1087. Cold Site (DR) | An empty facility with power and cooling, but no hardware or data. It takes weeks to set up during a disaster, but is very cheap. | Good for non-essential physical business operations |
| 1088. Warm Site (DR) | A facility with hardware currently present and connected, but data is out of date and must be restored from backups. Takes days to bring online. | A secondary office that can be spun up over a weekend |
| 1089. Hot Site (DR) | A fully duplicated, active facility with near real-time data replication. Capable of taking over production in minutes or hours. | Essential for massive e-commerce sites or banks |
| 1090. RTO (Recovery Time Objective) | The maximum acceptable amount of time that an IT service or application can be offline. Indicates how fast you must recover. | A critical database must be restored within 4 hours |
| 1091. RPO (Recovery Point Objective) | The maximum acceptable amount of data loss, measured in time. Dictates how frequently backups must occur. | If the RPO is 15 minutes, backups or snapshots must complete at least every 15 minutes |
| 1092. Full Backup | A complete copy of all selected data. Time-consuming to create, but the fastest and easiest to restore from. | Usually run over the weekend when bandwidth is available |
| 1093. Incremental Backup | Copies only the data that has changed since the last backup of any kind. Very fast to create, but slow to restore (requires full + all incrementals). | Fast daily backups over weak network links |
| 1094. Differential Backup | Copies all data that has changed since the last Full backup. A middle ground: faster to restore than incrementals, faster to create than a full. | Requires the Full backup and only the single most recent Differential to restore |
| 1095. 3-2-1 Backup Rule | The standard best practice: Keep 3 total copies of your data, on 2 different physical media, with 1 copy placed offsite or offline. | To ensure protection against physical disasters and ransomware |
| 1096. Immutable Storage | Backup storage configured so that data cannot be modified, deleted, or encrypted for a specified retention period, even by the system administrator. | The ultimate defence against modern ransomware that seeks out and destroys normal backups |
| 1097. High Availability (HA) | Designing IT architecture with enough redundancy to eliminate single points of failure, so the service stays up through component failures (e.g., "Five Nines" / 99.999%, about five minutes of downtime a year). | Redundant load balancers and application nodes spread across separate power feeds and network paths |
| 1098. Fault Tolerance | A system's capacity to continue operating without any interruption when one or more of its components fail. | A RAID 1 mirrored array surviving a physical disk failure without a single I/O error reaching the application |
| 1099. Failover | The automatic or manual seamless switching to a redundant or standby system upon the failure of the primary system. | The primary database crashes, and connections instantly route to the secondary node |
| 1100. Post-Incident Reporting | The formal document provided to stakeholders detailing the timeline, impact, and remediation steps taken during the incident. | Delivered to regulators or cyber-insurance providers within specific time limits |
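Points 1046 to 1051 (imaging, hash verification, unallocated space, file carving) fit in one small routine. The block below is an added example, not from the page or any forensic tool: it checks a working copy against the source by SHA-256, then carves JPEG-shaped files out of a constructed blob by the FF D8 FF header and FF D9 footer alone. The blob and the JPEG-like byte strings inside it are fabricated (not decodable pictures); a real run would read an image file produced by FTK Imager or dd. It also handles the edge case a naive carver gets wrong: an EXIF thumbnail is a complete JPEG nested inside the outer one, so the first footer found is the thumbnail's, not the file's.

```python
"""Added example (not from the page): carving JPEGs out of a constructed
'unallocated space' blob by magic numbers alone, after checking the working
copy against the source by SHA-256. The blob and the JPEG-shaped byte strings
in it are fabricated (not decodable pictures); real carving reads an image file."""
import hashlib

JPEG_SOI = b"\xff\xd8\xff"      # Start Of Image followed by the first marker byte
JPEG_EOI = b"\xff\xd9"          # End Of Image
MAX_JPEG = 20 * 1024 * 1024     # bound so a missing footer cannot swallow the disk


def verify_image(source: bytes, image: bytes) -> str:
    """Return the SHA-256 both share, or raise if the copy is not bit-identical."""
    src = hashlib.sha256(source).hexdigest()
    img = hashlib.sha256(image).hexdigest()
    if src != img:
        raise ValueError(f"image mismatch: source {src[:12]} vs image {img[:12]}")
    return src


def carve_jpegs(blob: bytes, max_size: int = MAX_JPEG):
    """Yield (offset, data) for each header/footer pair, ignoring any file system.
    Nested SOI/EOI pairs (EXIF thumbnails are whole JPEGs) are counted so the
    outer file is not cut at the thumbnail's footer; entropy-coded data cannot
    contain FF D8 / FF D9 (0xFF is always stuffed), so the count is reliable."""
    pos = 0
    while (start := blob.find(JPEG_SOI, pos)) != -1:
        depth, end = 0, -1
        limit = min(len(blob), start + max_size)
        for i in range(start, limit - 1):
            pair = blob[i:i + 2]
            if pair == b"\xff\xd8":
                depth += 1
            elif pair == b"\xff\xd9":
                depth -= 1
                if depth == 0:
                    end = i + 2
                    break
        if end == -1:               # truncated or overwritten: skip this header
            pos = start + 1
            continue
        yield start, blob[start:end]
        pos = end


def fake_jpeg(body: bytes, thumbnail: bytes = b"") -> bytes:
    """JPEG-shaped bytes for the demo only: SOI, an APP1-like marker byte,
    optional embedded thumbnail, payload, EOI. Payloads contain no 0xFF."""
    return JPEG_SOI + b"\xe1" + thumbnail + body + JPEG_EOI


FILLER = b"\x00" * 512
THUMB = fake_jpeg(b"thumb" * 8)
DISK = (FILLER + fake_jpeg(b"photo-one" * 50) + FILLER
        + fake_jpeg(b"photo-two" * 70, thumbnail=THUMB) + FILLER
        + JPEG_SOI + b"truncated-no-footer" + FILLER)   # deleted, partly overwritten
IMAGE = bytes(DISK)                                      # the working copy

if __name__ == "__main__":
    print("image sha256:", verify_image(DISK, IMAGE))
    for offset, data in carve_jpegs(IMAGE):
        print(f"carved {len(data)} bytes at offset {offset}")
```

Two files come out: the plain one at offset 512 and the second one intact with its thumbnail still inside. The third header has no footer within the size bound and is skipped rather than dragging the rest of the disk into a bogus file, which is the same reason real carvers take a maximum size per file type.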
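Points 1066 (beaconing) and 1067 (DGA) both describe patterns a SOC can score directly from proxy and DNS logs. The block below is an added example, not from the page or any product: it flags (source, destination) pairs whose inter-arrival times have a low coefficient of variation, i.e. regular timing with small jitter, and scores queried labels by character entropy plus a vowel-scarcity penalty while counting NXDOMAIN answers per client. The log lines, IPs, intervals and thresholds are all constructed for illustration.

```python
"""Added example (not from the page): two cheap C2 heuristics run over
constructed proxy and DNS records, beacon periodicity per (source, destination)
and a DGA-style score per queried label. Thresholds are illustrative."""
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def _series(src, dst, start, gaps):
    """Constructed proxy lines 'timestamp src dst bytes' from inter-arrival gaps."""
    t = datetime.fromisoformat(start)
    lines = [f"{t.isoformat()} {src} {dst} 1024"]
    for g in gaps:
        t += timedelta(seconds=g)
        lines.append(f"{t.isoformat()} {src} {dst} 1024")
    return lines


# Implant sleeping 60 s with roughly 10 % jitter versus a human browsing the web.
BEACON_GAPS = [60, 63, 57, 61, 59, 62, 58, 60, 61, 57]
BROWSE_GAPS = [5, 400, 12, 900, 30, 75, 2, 250, 40, 1200]
PROXY_LOG = (_series("10.0.0.15", "198.51.100.23", "2024-03-01T09:00:00", BEACON_GAPS)
             + _series("10.0.0.15", "93.184.216.34", "2024-03-01T09:00:07", BROWSE_GAPS))

# Constructed DNS log: 'client domain rcode'
DNS_LOG = [
    "10.0.0.15 xqyzwlpb.com NXDOMAIN",
    "10.0.0.15 ajfbbmz.info NXDOMAIN",
    "10.0.0.15 microsoft.com NOERROR",
    "10.0.0.22 google.com NOERROR",
    "10.0.0.22 salesforce.com NOERROR",
]


def beacon_candidates(lines, min_events=8, max_cv=0.15):
    """Group by (src, dst); a low coefficient of variation (stdev/mean) of the
    inter-arrival times means regular timing with small jitter, i.e. a beacon."""
    seen = defaultdict(list)
    for line in lines:
        ts, src, dst, _ = line.split()
        seen[(src, dst)].append(datetime.fromisoformat(ts))
    out = {}
    for key, ts in seen.items():
        if len(ts) < min_events:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        mean = sum(gaps) / len(gaps)
        stdev = math.sqrt(sum((g - mean) ** 2 for g in gaps) / len(gaps))
        cv = stdev / mean if mean else float("inf")
        out[key] = {"mean_s": round(mean, 1), "cv": round(cv, 3), "beacon": cv <= max_cv}
    return out


def dga_score(domain):
    """Shannon entropy of the second-level label, plus 1.0 when vowels are scarce
    and a digit-ratio term; dictionary names score low, algorithmic ones high."""
    label = domain.lower().split(".")[0]   # assumes a plain second-level label
    n = len(label)
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(label).values())
    vowel_ratio = sum(label.count(v) for v in "aeiou") / n
    digit_ratio = sum(ch.isdigit() for ch in label) / n
    return round(entropy + (1.0 if vowel_ratio < 0.2 else 0.0) + digit_ratio, 2)


def dga_suspects(lines, threshold=3.2):
    """Flag high-scoring labels and count NXDOMAIN answers per client: a host
    cycling through unresolvable random names is the DGA tell from point 1067."""
    flagged, nx = [], Counter()
    for line in lines:
        client, domain, rcode = line.split()
        if rcode == "NXDOMAIN":
            nx[client] += 1
        if dga_score(domain) >= threshold:
            flagged.append((client, domain))
    return flagged, dict(nx)


if __name__ == "__main__":
    for key, stats in beacon_candidates(PROXY_LOG).items():
        print(key, stats)
    print(dga_suspects(DNS_LOG))
```

The beacon pair scores a mean of 59.8 s with a coefficient of variation near 0.03 and is flagged; the browsing pair has a CV above 1 and is not. Both heuristics are deliberately simple: real implants randomise sleep more aggressively and some legitimate software (update checks, monitoring agents) is perfectly periodic, so treat the output as a triage queue, not a verdict.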
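Points 1090 to 1094 (RTO, RPO, full, incremental and differential backups) are usually asked as a worked question: which sets does a restore need, and how much data is actually lost? The block below is an added example, not from the page: it builds a constructed weekly schedule (Sunday full, one daily job after it), computes the restore chain for each strategy at a given failure time, and compares the worst-case gap between backups against a stated RPO. Dates and job times are made up; the chain logic assumes a single backup type after each full.

```python
"""Added example (not from the page): which backup sets a restore needs under an
incremental versus a differential schedule, and the data actually lost (RPO)
for a given failure time. The weekly schedule and timestamps are constructed."""
from datetime import datetime, timedelta


def build_schedule(kind, start="2024-03-03T02:00:00", days=7):
    """Weekly full at `start` (a Sunday) then one `kind` job per day after it.
    Entries are (ISO timestamp, type); kind is 'incremental' or 'differential'."""
    t0 = datetime.fromisoformat(start)
    sched = [(t0.isoformat(), "full")]
    for d in range(1, days):
        sched.append(((t0 + timedelta(days=d)).isoformat(), kind))
    return sched


def restore_chain(schedule, failure_iso):
    """Sets to apply, in order, to reach the last good point before the failure.
    Assumes one backup type after the full: incrementals chain back to the full,
    a differential needs only the full plus the newest differential."""
    usable = [s for s in schedule if s[0] <= failure_iso]  # ISO strings sort chronologically
    if not usable:
        raise ValueError("no backup completed before the failure")
    last_full = max(i for i, (_, kind) in enumerate(usable) if kind == "full")
    chain, later = [usable[last_full]], usable[last_full + 1:]
    if later and later[-1][1] == "differential":
        chain.append(later[-1])
    else:
        chain.extend(later)
    return chain


def actual_loss_hours(schedule, failure_iso):
    """Hours of data lost: time from the last completed backup to the failure."""
    last = max(t for t, _ in schedule if t <= failure_iso)
    delta = datetime.fromisoformat(failure_iso) - datetime.fromisoformat(last)
    return delta.total_seconds() / 3600


def worst_case_loss_hours(schedule):
    """Largest gap between consecutive backups: what the RPO must be compared to,
    since an outage can strike just before the next job."""
    times = sorted(datetime.fromisoformat(t) for t, _ in schedule)
    return max((b - a).total_seconds() / 3600 for a, b in zip(times, times[1:]))


def meets_rpo(schedule, rpo_hours):
    return worst_case_loss_hours(schedule) <= rpo_hours


if __name__ == "__main__":
    failure = "2024-03-07T14:00:00"   # Thursday afternoon
    for kind in ("incremental", "differential"):
        sched = build_schedule(kind)
        print(kind, [k for _, k in restore_chain(sched, failure)],
              "lost %.0f h" % actual_loss_hours(sched, failure),
              "meets 24h RPO:", meets_rpo(sched, 24),
              "meets 1h RPO:", meets_rpo(sched, 1))
```

For a Thursday 14:00 failure the incremental schedule needs five sets (the full plus Monday to Thursday) while the differential schedule needs two, which is the restore-speed trade-off in point 1094; both lose the same 12 hours of data because the RPO depends on job frequency, not on backup type. The daily schedule has a 24-hour worst-case gap, so it satisfies a 24-hour RPO and fails a 1-hour one, matching the rule in point 1091 that the backup interval must be at most the RPO.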