Steps/Phases of Incident Response Confusion

Reviewing my study notes and comparing them to answers from practice questions I've noticed some confusion. My notes from Conrad's book list the following steps:

Preparation
Detection and Analysis
Containment, Eradication, and Recovery
Post Incident Activity

A practice question asks for the six phases of incident handling which according the the answers are:

Triage
Notification and identification
Action/reaction
Containment, analysis, tracing
Follow-up
Repair, recovery, prevention

Can anyone tell me which ones are correct?

Thanks!

Find more posts tagged with

Comments

cyberguypr

Check out NIST 800-61. It lists the 4 steps Conrad mentions. Where is that practice question from?

gespenstern

ISC2 version should be PICERL, which is Prepare, Identify, Contain, Eradicate, Recover, Lessons Learned, at least that's how I remember it.

But really, I always hated these stupid frameworks because they are non-technical and somewhat far from reality, allowing everybody and their grandma to have their own opinion, replace some steps with something different, etc.

hylaab

I would follow ISC2 way:

triage
notification and identification
action/reaction
containment, analysis, tracing
follow-up
repair, recovery, prevention

g33k3r

Thanks for everyone's feedback! The question was from Transenders. Looks like I'll have to make a mental note of both NIST and ISC2.