The exam presents a specific activity and asks which NIST IR lifecycle phase it belongs to. The trap is that NIST IR and NIST CSF use different terminology, and many candidates confuse phases from the two frameworks. Use only the NIST SP 800-61 four-phase model for incident handling questions.
Phase 1 — Preparation (everything done BEFORE an incident):
- Assembling the go bag (forensic laptops, removable media, forensic software, digital cameras)
- Creating and updating the contact list
- Documenting network diagrams
- Computing critical file hash values
- Obtaining clean OS and application images
- Writing and testing incident response policies and procedures
- Training (tabletop exercises, simulations)
Phase 2 — Detection and Analysis (identifying the incident):
- IPS alert fires; AV detects malware; FIM alerts on configuration change; traffic analysis shows anomaly
- Sandbox analysis of suspected malware
- Characterizing the scope and severity of the incident
Phase 3 — Containment, Eradication, and Recovery (stopping and fixing):
- Containment: isolate affected systems; stop lateral movement
- Eradication: remove malware; disable compromised accounts; patch the exploited vulnerability; close backdoors
- Recovery: restore from backups; reimage; replace compromised files; tighten perimeter
Phase 4 — Post-Incident Activity (learning and improving):
- Post-incident meeting (ASAP after resolution)
- Timeline reconstruction
- Answering the four retrospective questions
- Updating monitoring, procedures, and training based on findings
The exam frequently presents a preparation activity and offers phases 2, 3, or 4 as distractors. Candidates who think logically about when items are “used” (not when they are “created”) answer incorrectly. The phase assignment is based on when the item is CREATED, not when it is APPLIED.
The classification error candidates make:
- “Critical file hash values are compared to detect malware during an incident → therefore they belong to Detection and Analysis” — WRONG
- “Clean OS images are used during recovery → therefore they belong to Recovery” — WRONG
- “Network diagrams are consulted during analysis → therefore they belong to Detection and Analysis” — WRONG
The correct reasoning: all of these items are created, assembled, and verified BEFORE an incident occurs. They belong to the Preparation phase. The fact that they are used in other phases does not change their phase classification. The Preparation phase creates the conditions for all other phases to succeed.
What actually belongs to other phases:
- Detection and Analysis: the ACT of comparing current file hashes to the baseline (using the hashes created in Preparation)
- Recovery: the ACT of restoring from a clean image (using the image created in Preparation)
The exam presents a scenario where a responder isolates a system and the malware triggers a destructive action in response. The question asks why this happened or what should have been done differently. The answer involves the isolation-before-imaging problem.
What a sandbox is: an isolated OS environment for safely analyzing malware behavior without affecting production systems. The sandbox is reset after analysis.
Why isolation is not always safe: sophisticated malware checks for signs of isolation (absence of real user activity, missing network connectivity, VM detection artifacts). When it detects isolation, it may:
- Delete itself (destroy evidence)
- Encrypt its payload (prevent analysis)
- Execute a destructive action (ransomware encryption, data wipe)
The correct isolation sequence when self-destruct risk is high:
- Capture live memory image FIRST (RAM contains running processes, encryption keys, network connections — volatile data lost on shutdown or disconnect)
- Take disk snapshot
- THEN isolate the system
- Analyze captured images offline, not the live system
The exam trap: “isolate immediately” is always presented as the correct containment action — and it generally is. The exception is when memory evidence must be captured first. If the question describes self-destruct behavior after isolation, the answer is “memory should have been captured before isolating.”
The exam tests two facts about post-incident meetings: when they should be held, and what questions they must answer. Both are frequently included in scenario questions where the wrong answer is plausible.
Timing — the most tested fact: post-incident meetings should be held as soon as possible after the incident is resolved. Candidates who answer “within 30 days” or “at the next scheduled review cycle” are wrong. The reason is memory degradation: specific timelines, decision points, and observations fade quickly. Accurate retrospective analysis requires prompt review.
The four required questions (NIST SP 800-61 framework for post-incident analysis):
- What happened exactly? (timeline reconstruction using logs, alerts, forensic evidence)
- How did the incident response plan perform? (were procedures followed? did communication work?)
- What would be done differently? (retrospective analysis of procedural gaps, tool deficiencies, training needs)
- Which indicators should be monitored in the future? (were early warning signals missed? update monitoring to detect similar events earlier)
Common wrong answer: “The first question at a post-incident meeting should be who was responsible for the breach.” Wrong — post-incident meetings are improvement-focused, not blame-focused. The goal is process improvement, not accountability assignment.