🚨 Security Incident Communication
5 exercises — indicators of compromise, containment, remediation, and mandatory breach reporting vocabulary. Advanced
1 / 5
A security monitoring alert fires: "Unusual outbound traffic detected — possible data exfiltration."
Which phase of the NIST incident response lifecycle is the team currently in?
The NIST SP 800-61 incident response lifecycle has four phases. An alert firing marks the start of Detection and Analysis: the team has a signal but has not yet triaged it or confirmed whether it is a true positive.
| Phase | Key activities |
|---|---|
| Preparation | Incident response plan, runbooks, tooling, team training — before any incident occurs |
| Detection & Analysis | Alert triggered → triage → confirm true/false positive → classify severity |
| Containment, Eradication & Recovery | Stop the spread → remove threat → restore systems to known-good state |
| Post-Incident Activity | Post-incident review, lessons learned, control improvements |
Key vocabulary for this phase:
- IoC (Indicator of Compromise) — artefact or behaviour that suggests a system has been compromised (e.g., unusual outbound traffic, known malicious IP)
- Triage — rapid initial assessment to determine severity and priority of response
- True positive — a genuine incident; false positive — an alert that turns out to be benign
- Severity classification — P1 Critical / P2 High / P3 Medium based on business impact and data sensitivity