Incident Response and Recovery

Intermediate

Incident response and recovery is the structured approach organizations use to detect, contain, eradicate, and recover from cybersecurity incidents while preserving evidence for investigation and preventing recurrence. The NIST Incident Response Lifecycle provides the foundational framework, organized into four phases: Preparation (building capabilities before an incident occurs), Detection and Analysis (identifying and validating potential incidents), Containment, Eradication, and Recovery (stopping the threat, removing it, and restoring normal operations), and Post-Incident Activity (learning from the incident to improve future response). Each phase requires specific tools, processes, and trained personnel working in coordination.

Digital forensics is the scientific discipline of collecting, preserving, analyzing, and presenting digital evidence in a legally defensible manner. Forensic investigators follow strict chain-of-custody procedures to ensure evidence integrity, using write blockers to create forensic images of storage media without altering the original evidence. Key forensic activities include memory forensics (analyzing RAM for running processes, network connections, and malware artifacts), disk forensics (recovering deleted files, examining file system metadata, and analyzing artifacts), network forensics (capturing and analyzing network traffic), and log analysis. Threat intelligence complements forensic analysis by providing context about attackers' tactics, techniques, and procedures (TTPs), enabling defenders to anticipate and prepare for likely attack methods.

Disaster recovery and business continuity planning ensure that an organization can maintain or quickly resume critical operations after a major incident or catastrophic event. Disaster recovery focuses specifically on restoring IT infrastructure and data, guided by metrics like Recovery Time Objective (RTO) — the maximum acceptable downtime — and Recovery Point Objective (RPO) — the maximum acceptable data loss. Business continuity planning takes a broader view, encompassing people, processes, and facilities needed to sustain essential business functions. Security operations centers (SOCs) serve as the organizational hub for continuous monitoring, incident detection, and coordinated response, staffing trained analysts who use SIEM systems, threat intelligence feeds, and automated playbooks to protect the organization around the clock.

Practice a little. See where you stand.

Part of:AP Cybersecurity

Ready to practice?5 minutes. No pressure.

Take the Quiz Learn First

Quiz

Reveal what you know — and what needs work

Adaptive Learn

Responds to how you reason, with real-time hints

Start here

Flashcards

Build recall through spaced, active review

Cheat Sheet

The essentials at a glance — exam-ready

Glossary

Master the vocabulary that unlocks understanding

Learning Roadmap

A structured path from foundations to mastery

Book

Deep-dive guide with worked examples

Role-play

Think like an expert — no grading

Key Concepts

The National Institute of Standards and Technology (NIST) defines a four-phase incident response lifecycle: (1) Preparation — establishing policies, plans, teams, and tools; (2) Detection and Analysis — identifying incidents through monitoring, alerts, and investigation; (3) Containment, Eradication, and Recovery — stopping the spread, removing the threat, and restoring systems; (4) Post-Incident Activity — conducting lessons learned, updating documentation, and improving processes. The lifecycle is iterative, with each incident informing improvements to preparation.

Example

After detecting ransomware on a server (Phase 2), the IR team isolates the infected system from the network (containment), removes the malware and restores from clean backups (eradication and recovery), then conducts a lessons-learned meeting to improve email filtering rules (post-incident activity).

Digital forensics is the application of scientific investigation techniques to digital evidence. It involves the identification, preservation, collection, examination, analysis, and reporting of digital artifacts from computers, networks, mobile devices, and cloud environments. Forensic procedures must maintain the chain of custody and evidence integrity to ensure findings are admissible in legal proceedings. Key principles include working from forensic images (never the original), documenting every action, and using validated tools.

Example

After a data breach, a forensic examiner creates a bit-for-bit image of the compromised server's hard drive using a write blocker, analyzes file system timestamps to determine when malicious files were created, examines browser history and logs to trace the attacker's actions, and produces a forensic report documenting the timeline and evidence.

Chain of custody is the documented, chronological record of who handled, accessed, or transferred a piece of evidence from the time of collection to its presentation in court or to decision-makers. Each transfer of evidence must be logged with the date, time, handler, purpose, and condition of the evidence. A broken chain of custody can render evidence inadmissible in legal proceedings because the integrity of the evidence cannot be guaranteed.

Example

A forensic analyst documents: 'At 14:32 on March 1, I received hard drive serial #XY123 from Officer Smith, sealed in tamper-evident bag #456. At 14:45, I verified the seal was intact, opened the bag, connected the drive via write blocker, and created forensic image hash SHA-256: abc123...'

Threat intelligence is evidence-based information about current and emerging cyber threats, including attacker motivations, capabilities, tactics, techniques, and procedures (TTPs), and indicators of compromise (IOCs). It is categorized into strategic (high-level trends for executives), tactical (TTPs for security teams), operational (details about specific campaigns), and technical (IOCs like malicious IP addresses, file hashes, and domain names). Frameworks like MITRE ATT&CK organize adversary techniques into a structured taxonomy.

Example

A threat intelligence feed alerts an organization that APT group 'FancyBear' is actively targeting healthcare companies using spearphishing emails with malicious Excel attachments. The SOC uses this intelligence to update email filtering rules, add known malicious file hashes to their EDR blocklists, and brief staff on the specific phishing tactics being used.

RTO is the maximum acceptable duration of time that a system, application, or business process can be down after an incident before the impact becomes unacceptable. It defines how quickly IT must restore operations after a disruption. RTO directly influences disaster recovery architecture decisions: a 4-hour RTO requires hot or warm standby systems, while a 72-hour RTO might be achievable with cold backups. The cost of achieving shorter RTOs increases significantly.

Example

An e-commerce platform sets an RTO of 2 hours for its order processing system because each hour of downtime costs $50,000 in lost revenue. This RTO drives the decision to maintain a hot standby database in a separate availability zone with automated failover.

RPO is the maximum acceptable amount of data loss measured in time. It defines how far back in time data recovery must reach — essentially, how much data the organization can afford to lose. An RPO of 1 hour means backups must occur at least every hour, so at most 1 hour of data could be lost. An RPO of zero requires synchronous replication, where every write is immediately replicated to a secondary location.

Example

A banking system with an RPO of zero uses synchronous database replication to ensure that every transaction is written to both the primary and secondary database simultaneously. Even if the primary fails, no transactions are lost.

BCP is the comprehensive process of creating plans and procedures that ensure critical business functions can continue during and after a major disruption. Unlike disaster recovery, which focuses on IT infrastructure, BCP encompasses people (alternate staffing, communication plans), processes (manual workarounds, alternate procedures), facilities (backup locations, remote work capabilities), and technology. BCP includes business impact analysis (BIA), which identifies critical functions and their dependencies.

Example

A hospital's BCP includes: a generator for power outages, paper-based charting procedures if the electronic health record system fails, agreements with nearby facilities for patient overflow, a communication tree for notifying staff, and quarterly drills to test the plan.

A SOC is a centralized facility and organizational function responsible for continuous monitoring, detection, analysis, and response to cybersecurity incidents. SOC analysts work in tiers: Tier 1 monitors alerts and performs initial triage, Tier 2 conducts deeper investigation and analysis, and Tier 3 performs advanced threat hunting and incident response. SOCs use SIEM systems, endpoint detection and response (EDR) tools, threat intelligence feeds, and documented playbooks to coordinate their work.

Example

A Tier 1 SOC analyst sees an alert from the SIEM indicating multiple failed login attempts followed by a successful login from an unusual geographic location. They escalate to Tier 2, who investigates the account's activity, discovers data exfiltration, and initiates the incident response playbook.

IOCs are observable artifacts or evidence that indicate a system has been compromised or is being attacked. They include technical indicators such as malicious IP addresses, domain names, file hashes, registry modifications, unusual network traffic patterns, and email addresses used in phishing campaigns. IOCs are shared through threat intelligence platforms and feeds to help organizations detect known threats. While valuable, IOCs are often reactive because they are identified after an attack has occurred.

Example

After analyzing a malware sample, a security team identifies IOCs: the malware's SHA-256 hash, three command-and-control (C2) IP addresses, and a unique user-agent string. They share these IOCs through their ISAC (Information Sharing and Analysis Center) so other organizations can check their logs and block these indicators.

One concept at a time.

Explore your way

Choose a different way to engage with this topic — no grading, just richer thinking.

Explore your way — choose one:

Explore with AI →

Curriculum alignment— Standards-aligned

Grade level

Grades 9-12College+

Learning objectives

•Describe the four phases of the NIST Incident Response Lifecycle and the activities performed in each phase
•Explain the principles of digital forensics including evidence preservation, chain of custody, and the order of volatility
•Distinguish between volatile and non-volatile evidence and explain why collection order matters
•Define RTO and RPO and explain how they drive disaster recovery planning decisions
•Apply the MITRE ATT&CK framework to map adversary tactics and techniques for threat detection
•Compare hot, warm, and cold disaster recovery sites and match them to appropriate RTO requirements
•Design a post-incident lessons learned process that produces actionable improvements without assigning blame
•Evaluate the role of SOC tiers, SIEM systems, and automated playbooks in security operations

Incident Response and Recovery

Quiz

Adaptive Learn

Flashcards

Cheat Sheet

Glossary

Learning Roadmap

Book

Role-play

Key Concepts

NIST Incident Response Lifecycle

Digital Forensics

Chain of Custody

Threat Intelligence

Recovery Time Objective (RTO)

Recovery Point Objective (RPO)

Business Continuity Planning (BCP)

Security Operations Center (SOC)

Indicators of Compromise (IOCs)

Explore your way

Grade level

Learning objectives