Practise vocabulary for incident classification, containment, eradication, notifications, and post-incident reviews.
1 / 6
Containment in incident response means:
Containment happens before eradication: stop the bleeding first. Short-term containment (isolate affected host) then long-term containment (patch or rebuild systems). Some evidence may need to be preserved before containment for forensic purposes.
2 / 6
Eradication in the incident response lifecycle means:
Eradication follows containment: identify and remove all attacker footholds. This includes removing malware, rotating credentials, patching the initial access vulnerability, and auditing for persistence mechanisms the attacker may have installed.
3 / 6
Under GDPR, a personal data breach that 'is unlikely to result in a risk to the rights and freedoms of natural persons':
GDPR Article 33(1): notification to supervisory authority is required 'unless the personal data breach is unlikely to result in a risk'. However, all breaches — even low-risk ones — must be documented internally per Article 33(5).
4 / 6
Lateral movement in a security incident means:
Lateral movement techniques (MITRE ATT&CK Tactic: TA0008): pass-the-hash, pass-the-ticket, remote services exploitation, use of legitimate tools (PsExec, WMI). Detecting lateral movement early limits blast radius.
5 / 6
When writing an incident notification to affected customers, the correct approach is:
Customer-facing breach notifications should be empathetic, clear, and actionable. Avoid jargon like 'unauthorised actor gained access to production systems' — say 'an attacker accessed our systems'. Tell customers what to do (change your password, watch for phishing).
6 / 6
A 'lessons learned' session after a security incident should primarily focus on:
Post-incident reviews (PIRs) should be blameless and systems-focused: 'Our detection rules didn't catch this technique' not 'the analyst missed the alert'. The goal is improving processes, tools, and playbooks — not assigning blame.