Incident Response and Recovery Cheat Sheet
The core ideas of Incident Response and Recovery distilled into a single, scannable reference — perfect for review or quick lookup.
Quick Reference
NIST Incident Response Lifecycle
The National Institute of Standards and Technology (NIST) defines a four-phase incident response lifecycle: (1) Preparation — establishing policies, plans, teams, and tools; (2) Detection and Analysis — identifying incidents through monitoring, alerts, and investigation; (3) Containment, Eradication, and Recovery — stopping the spread, removing the threat, and restoring systems; (4) Post-Incident Activity — conducting lessons learned, updating documentation, and improving processes. The lifecycle is iterative, with each incident informing improvements to preparation.
Digital Forensics
Digital forensics is the application of scientific investigation techniques to digital evidence. It involves the identification, preservation, collection, examination, analysis, and reporting of digital artifacts from computers, networks, mobile devices, and cloud environments. Forensic procedures must maintain the chain of custody and evidence integrity to ensure findings are admissible in legal proceedings. Key principles include working from forensic images (never the original), documenting every action, and using validated tools.
Chain of Custody
Chain of custody is the documented, chronological record of who handled, accessed, or transferred a piece of evidence from the time of collection to its presentation in court or to decision-makers. Each transfer of evidence must be logged with the date, time, handler, purpose, and condition of the evidence. A broken chain of custody can render evidence inadmissible in legal proceedings because the integrity of the evidence cannot be guaranteed.
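The image-hashing discipline described under Digital Forensics and the custody log described under Chain of Custody, combined in one added Python example (this is not code from the original cheat sheet); the evidence bytes, handler names and timestamps are constructed placeholders:

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class CustodyEntry:
    when: datetime   # date and time of the hand-off
    handler: str     # who took possession
    purpose: str     # why: acquisition, storage, analysis, ...
    sha256: str      # hash of the evidence as received by this handler

@dataclass
class EvidenceItem:
    evidence_id: str
    description: str
    entries: list = field(default_factory=list)

def log_handoff(item, data: bytes, when, handler, purpose):
    """Record a transfer. The receiver hashes what they actually received,
    so any alteration between hand-offs surfaces as a hash mismatch."""
    entry = CustodyEntry(when, handler, purpose, hashlib.sha256(data).hexdigest())
    item.entries.append(entry)
    return entry

def chain_problems(item) -> list:
    """Reasons the chain is not defensible: no acquisition record, a hash that
    differs from the acquisition hash, or entries out of chronological order."""
    if not item.entries:
        return ["no acquisition entry"]
    problems, baseline = [], item.entries[0].sha256
    for prev, cur in zip(item.entries, item.entries[1:]):
        if cur.when < prev.when:
            problems.append(f"{cur.handler}: timestamp precedes previous entry")
        if cur.sha256 != baseline:
            problems.append(f"{cur.handler}: hash mismatch (integrity broken)")
    return problems

# Constructed scenario: a short byte string stands in for a forensic disk image.
IMAGE = b"constructed-disk-image-bytes"
def at(hour): return datetime(2024, 5, 1, hour)   # hypothetical timestamps

def intact_chain():
    item = EvidenceItem("EV-001", "laptop SSD image (constructed sample)")
    log_handoff(item, IMAGE, at(9), "first responder", "acquisition")
    log_handoff(item, IMAGE, at(11), "evidence custodian", "secure storage")
    log_handoff(item, IMAGE, at(14), "forensic analyst", "analysis of working copy")
    return item

def tampered_chain():
    item = intact_chain()   # the next handler receives a copy that differs by one byte
    log_handoff(item, IMAGE + b"x", at(16), "outside counsel", "review")
    return item
```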
Threat Intelligence
Threat intelligence is evidence-based information about current and emerging cyber threats, including attacker motivations, capabilities, tactics, techniques, and procedures (TTPs), and indicators of compromise (IOCs). It is categorized into strategic (high-level trends for executives), tactical (TTPs for security teams), operational (details about specific campaigns), and technical (IOCs like malicious IP addresses, file hashes, and domain names). Frameworks like MITRE ATT&CK organize adversary techniques into a structured taxonomy.
Recovery Time Objective (RTO)
RTO is the maximum acceptable length of time that a system, application, or business process can be down after an incident before the impact becomes unacceptable. It defines how quickly IT must restore operations after a disruption. RTO directly influences disaster recovery architecture decisions: a 4-hour RTO requires hot or warm standby systems, while a 72-hour RTO might be achievable with cold backups. The cost of meeting an RTO rises sharply as the target shortens.
Recovery Point Objective (RPO)
RPO is the maximum acceptable amount of data loss measured in time. It defines how far back in time data recovery must reach — essentially, how much data the organization can afford to lose. An RPO of 1 hour means backups must occur at least every hour, so at most 1 hour of data could be lost. An RPO of zero requires synchronous replication, where every write is immediately replicated to a secondary location.
Business Continuity Planning (BCP)
BCP is the comprehensive process of creating plans and procedures that ensure critical business functions can continue during and after a major disruption. Unlike disaster recovery, which focuses on IT infrastructure, BCP encompasses people (alternate staffing, communication plans), processes (manual workarounds, alternate procedures), facilities (backup locations, remote work capabilities), and technology. BCP includes business impact analysis (BIA), which identifies critical functions and their dependencies.
Security Operations Center (SOC)
A SOC is a centralized facility and organizational function responsible for continuous monitoring, detection, analysis, and response to cybersecurity incidents. SOC analysts work in tiers: Tier 1 monitors alerts and performs initial triage, Tier 2 conducts deeper investigation and analysis, and Tier 3 performs advanced threat hunting and incident response. SOCs use SIEM systems, endpoint detection and response (EDR) tools, threat intelligence feeds, and documented playbooks to coordinate their work.
Indicators of Compromise (IOCs)
IOCs are observable artifacts or evidence that indicate a system has been compromised or is being attacked. They include technical indicators such as malicious IP addresses, domain names, file hashes, registry modifications, unusual network traffic patterns, and email addresses used in phishing campaigns. IOCs are shared through threat intelligence platforms and feeds to help organizations detect known threats. While valuable, IOCs are often reactive because they are identified after an attack has occurred.
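An added Python example (not part of the original cheat sheet) of the detection side of IOCs: technical indicators from a feed are matched against log lines as a SOC would. The IOC values and log lines are constructed from reserved example addresses and domains and the hash of an empty file, not real indicators:

```python
import hashlib
import re

# Constructed IOC set, as it might arrive from a threat-intelligence feed.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()
IOCS = {
    "ip": {"203.0.113.45"},                 # documentation range, not a real attacker
    "domain": {"malicious.example.net"},    # reserved example domain
    "sha256": {EMPTY_SHA256},
}

# Constructed proxy / DNS / EDR log lines in a simple key=value format.
LOG_LINES = [
    "2024-05-01T09:12:03Z proxy src=10.0.0.8 dst=203.0.113.45 host=cdn.example.com status=200",
    "2024-05-01T09:12:07Z dns client=10.0.0.8 query=updates.malicious.example.net type=A",
    f"2024-05-01T09:13:40Z edr host=WS-042 file=C:\\Users\\a\\invoice.exe sha256={EMPTY_SHA256}",
    "2024-05-01T09:14:00Z proxy src=10.0.0.9 dst=198.51.100.7 host=example.org status=200",
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
SHA256 = re.compile(r"\b[0-9a-f]{64}\b", re.I)

def extract_observables(line):
    """Pull every IP, domain-like token and SHA-256 out of one log line."""
    return {
        "ip": set(IPV4.findall(line)),
        "domain": {d.lower() for d in DOMAIN.findall(line)},
        "sha256": {h.lower() for h in SHA256.findall(line)},
    }

def domain_matches(observed, iocs):
    """A domain matches if it equals, or is a subdomain of, a known-bad domain."""
    return {ioc for ioc in iocs for d in observed if d == ioc or d.endswith("." + ioc)}

def scan(lines, iocs=IOCS):
    """Return (timestamp, {indicator_type: matched values}) for each line that hits."""
    hits = []
    for line in lines:
        obs = extract_observables(line)
        matched = {
            "ip": obs["ip"] & iocs["ip"],
            "domain": domain_matches(obs["domain"], iocs["domain"]),
            "sha256": obs["sha256"] & iocs["sha256"],
        }
        matched = {kind: vals for kind, vals in matched.items() if vals}
        if matched:
            hits.append((line.split()[0], matched))
    return hits
```

Subdomain matching is what catches the DNS line, since feeds usually list the registered domain while the observed query names a host beneath it.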