Steps/Phases of Incident Response Confusion

g33k3r Member Posts: 249 ■■□□□□□□□□
Reviewing my study notes and comparing them to answers from practice questions I've noticed some confusion. My notes from Conrad's book list the following steps:
  1. Preparation
  2. Detection and Analysis
  3. Containment, Eradication, and Recovery
  4. Post Incident Activity
A practice question asks for the six phases of incident handling, which according to the answers are:
  1. Triage
  2. Notification and identification
  3. Action/reaction
  4. Containment, analysis, tracing
  5. Follow-up
  6. Repair, recovery, prevention
Can anyone tell me which ones are correct?

Thanks!

Comments

  • cyberguypr Mod Posts: 6,928 Mod
    Check out NIST 800-61. It lists the 4 steps Conrad mentions. Where is that practice question from?
  • gespenstern Member Posts: 1,243 ■■■■■■■■□□
    ISC2 version should be PICERL, which is Prepare, Identify, Contain, Eradicate, Recover, Lessons Learned, at least that's how I remember it.

    But really, I always hated these stupid frameworks because they are non-technical and somewhat far from reality, allowing everybody and their grandma to have their own opinion, replace some steps with something different, etc.
  • hylaab Member Posts: 35 ■■□□□□□□□□
    I would follow the ISC2 way:

    triage
    notification and identification
    action/reaction
    containment, analysis, tracing
    follow-up
    repair, recovery, prevention
  • g33k3r Member Posts: 249 ■■□□□□□□□□
    Thanks for everyone's feedback! The question was from Transenders. Looks like I'll have to make a mental note of both NIST and ISC2.