CompTIA CySA+ Domain 3: Incident Response and Management

Chain of custody is the process that tracks evidence through its lifecycle by documenting each handler, the date/time of each transfer, and the purpose of the transfer.

• AA legal hold preserves data from deletion once litigation is anticipated; it does not, by itself, document each custodian and transfer of a physical item.
• COrder of volatility prioritizes which evidence to collect first based on how quickly it is lost; it concerns collection sequence, not custodial documentation.
• DWrite blocking prevents modification of source media during imaging; it protects integrity technically but does not record who handled the evidence and when.

RFC 3227 (BCP 55), 'Guidelines for Evidence Collection and Archiving,' provides evidence-handling guidance and defines the order of volatility for digital evidence.

• BRFC 5424 specifies the syslog protocol for event-notification messages; it concerns log transport, not evidence collection or the order of volatility.
• CRFC 1918 defines private IPv4 address ranges; it has nothing to do with digital-evidence collection or forensic order of volatility.
• DRFC 2196 is the Site Security Handbook on general security policy; it is not the document that defines evidence collection and the order of volatility.

ATT&CK's Impact tactic covers manipulating, interrupting, or destroying systems and data, including Data Encrypted for Impact (ransomware) and destroying backups, exactly the observed behavior.

• ACollection covers gathering data the adversary wants, not destroying or denying it; ransomware that encrypts and wipes data instead pursues the Impact tactic.
• BExfiltration is stealing data by moving it outside the network; here the adversary denies availability by encrypting and deleting it, which ATT&CK classifies as Impact.
• DPersistence is about keeping access across reboots and credential changes, not about denying data availability; destructive ransomware maps to the Impact tactic instead.

ATT&CK is a globally accessible knowledge base of adversary tactics and techniques drawn from real-world observations, letting analysts map behavior and find detection gaps.

• BA scored, ranked list of software flaws describes CVSS and the NVD, not ATT&CK, which catalogs adversary behaviors rather than rating individual vulnerabilities for patching.
• CA feed of blocklisted IPs and hashes describes atomic indicators of compromise, whereas ATT&CK instead documents the behavioral tactics and techniques adversaries use.
• DA certifying compliance framework audits controls; ATT&CK is a behavioral knowledge base for mapping adversary activity, not an attestation or certification standard for organizations.

SP 800-61r3 states Detect, Respond, and Recover help organizations discover, manage, prioritize, contain, eradicate, and recover from incidents, the core incident response activities.

• ASP 800-61r3 places Govern, Identify, and Protect at the preparation foundation; they help prevent and prepare for incidents rather than forming the core response activities.
• BThis mixes preparation functions with one response function; r3 groups the core incident response activities specifically as Detect, Respond, and Recover, not this combination.
• CProtect is a preparation function, not a core response activity; r3 names Detect, Respond, and Recover together as the functions that handle active incidents.

Preparation means getting ready before incidents occur with policies, playbooks, instrumentation, training, and exercises, mapping to the Govern, Identify, and Protect functions in current NIST guidance.

• AContainment happens during an active incident to limit its spread; documenting policies and deploying sensors beforehand is preparation, performed before any incident occurs.
• CDetection and analysis begins once suspicious activity appears and must be validated; building the capability ahead of time is the separate preparation phase instead.
• DPost-incident activity follows recovery to capture lessons learned; standing up tooling and training before an incident is preparation, which precedes the incident entirely.

Detection and analysis is where analysts examine indicators to confirm whether a cybersecurity incident has actually occurred and determine its scope, exactly this task.

• AEradication removes malware and attacker artifacts after an incident is confirmed; first determining whether an incident occurred and its scope is detection and analysis.
• BRecovery restores systems after the threat is removed; validating indicators to confirm an incident and assess its scope happens earlier, during detection and analysis.
• DContainment limits an already-confirmed incident's spread; the analyst here is still determining whether an incident occurred, which is the detection and analysis phase.

Isolating the host to stop the malware spreading and limit damage is containment; the Respond function supports the ability to contain the effects of incidents.

• BEradication removes the malware and attacker artifacts from systems; that follows containment, whereas disconnecting the host to halt spread is the containment step itself.
• CRecovery restores systems to normal operations after the threat is gone; cutting the host off to stop spread is containment, which comes before recovery.
• DDetection is determining that an incident has occurred; the incident is already confirmed here, and isolating the host to limit spread is containment instead.

NIST r3 ties lessons learned and root cause analysis to improving risk management so future incidents are less likely, exactly this post-incident review's purpose.

• AContainment limits an active incident's spread and happens during response, not weeks later; the structured review for root cause is post-incident lessons learned.
• BDetection and triage occur at the start to confirm an incident; a retrospective review for root cause and improvement is the post-incident lessons-learned activity.
• CEradication removes the threat from hosts during response; analyzing root cause and updating playbooks afterward to prevent recurrence is the post-incident lessons-learned activity.

A forensic image is a bit-for-bit reproduction of the whole device, capturing allocated and unallocated areas, and its integrity is confirmed using an accepted hashing algorithm.

• ACopying selected folders through the operating system skips unallocated space, slack, and deleted artifacts and updates timestamps, so it fails to preserve every sector of the source media.
• BExporting documents and email gathers a small logical subset and omits deleted files, slack space, and system artifacts, leaving most potentially relevant evidence uncollected from the disk.
• DBooting the system writes to the disk, changes timestamps, and may delete artifacts, destroying evidence integrity instead of producing a faithful copy of the original media.

A write blocker is a tool that prevents the connected storage media from being written to or modified, letting the examiner read the evidence without altering the original.

• BA USB hub only multiplies available ports for connecting peripherals and provides no mechanism to block write commands from reaching and modifying the attached evidence drive.
• CA RAID controller distributes data across disks for performance or redundancy and does nothing to stop the workstation from issuing writes to the original evidence media.
• DA KVM switch shares one keyboard, video, and mouse among computers and has no role in preventing write operations to an attached evidence storage device.

Hash functions are used to determine whether data has changed, so matching digests of the source and image prove the evidence's integrity was preserved between acquisitions.

• AHashing does not encrypt or hide the data; it produces a digest, so it provides no confidentiality and anyone holding the image can still read its full contents.
• BA hash is a fixed-length digest computed from the data, not a compressed copy, and computing it does not shrink the image or reduce the storage it consumes.
• CCryptographic hashing of the whole image verifies that it has not changed and does not build a searchable index of file contents or accelerate later keyword queries.

Eradication eliminates artifacts of the incident such as malicious code, attacker accounts, and persistence, removing the threat from the environment before systems are recovered to normal operation.

• ARecovery restores cleaned systems to normal operations and validates functionality; it follows the removal work and is not the act of deleting malware and attacker artifacts described here.
• CDetection and analysis confirms and scopes the incident by examining indicators; it precedes mitigation and does not involve deleting malware or removing attacker footholds from hosts.
• DContainment limits the incident's spread, for example by isolating hosts, and the scenario states it was already done before the team began removing the malicious components.

Root cause analysis is a systems approach for identifying the underlying causes associated with a set of risks, here the unpatched service that ultimately enabled the breach.

• BBusiness impact analysis characterizes the consequences of a disruption and sets recovery priorities; it does not work backward to find the technical condition that allowed an incident to occur.
• CChain of custody documents the handling and control of evidence over time; it tracks who possessed evidence rather than identifying the underlying cause of the incident.
• DThreat hunting proactively searches the environment for undetected adversary activity; it is not the retrospective analysis that pinpoints the underlying weakness behind a confirmed incident.

Incident response is supported by individuals and teams holding defined roles and responsibilities; a CSIRT is that designated cross-functional team that coordinates and carries out incident handling.

• AVulnerability management identifies, prioritizes, and remediates weaknesses on an ongoing basis; it is a process area rather than the designated cross-functional team that handles declared incidents.
• BA change advisory board reviews and approves proposed changes to production systems; it governs change risk and is not the team assembled to respond to security incidents.
• CA budget committee allocates funding and resources for security; it has a financial governance role and does not perform the hands-on roles and responsibilities of incident handling.

A tabletop exercise is a discussion-based exercise where personnel with roles in a plan validate its content by discussing their responses to a facilitator-presented scenario.

• AA full-scale failover actually cuts over to recovery infrastructure and exercises real systems; the scenario describes only a facilitated discussion, with no production or recovery systems touched.
• BA penetration test actively attacks live systems to find exploitable weaknesses; it is hands-on technical testing, unlike the discussion-based walkthrough of the plan described in the scenario.
• DA vulnerability scan uses tooling to enumerate weaknesses on systems; it produces technical findings and is not a facilitated discussion that validates the incident response plan.

RPO is the point in time to which data must be recovered after an outage, so the tolerable fifteen minutes of lost recent transactions defines the RPO.

• ARTO is the length of time a system can be in the recovery phase before harming the mission; it bounds downtime duration, not the amount of recent data that may be lost.
• CMTTR is the average time taken to repair a failed component; it describes maintenance efficiency rather than the maximum acceptable amount of data lost during an outage.
• DMTD is the longest a process can be unavailable before unacceptable consequences; it caps total outage length and does not express the allowable quantity of lost data.

A weighted impact-based score yields a repeatable priority level that drives triage, allocation of limited response resources, and decisions about leadership escalation, exactly as scoring systems intend.

• AProcessing strictly by arrival time ignores functional and information impact, so a minor event could consume responders while a far more damaging incident waits in line.
• CPushing raw triage decisions onto executives bypasses the analyst severity assessment, overloads leadership with detail, and provides no consistent or documented basis for ranking incidents.
• DReporting order and originating business unit do not measure actual impact or recoverability, so this would rank incidents arbitrarily rather than by the risk they pose to the organization.

Predefined internal notification and escalation paths specify which stakeholders are told, in what sequence, and the severity threshold at which senior leadership must be engaged during response.

• AIssuing external public statements at detection is an outbound disclosure decision, not the internal notification and escalation structure the team is missing, and it risks releasing unconfirmed details.
• BRegulator filings address external compliance obligations and do not define who inside the organization is informed or when management is engaged during the active response.
• DWithholding notification until resolution prevents timely coordination, evidence handling, and management decisions, undermining the very reporting and communication the incident response life cycle requires.

NIST CSF 2.0 directs teams to verify restored asset integrity, check for indicators of compromise and root-cause remediation, and confirm normal operating status before production use.

• ARushing systems online without verification risks reintroducing a persistent threat or a misconfiguration, which is precisely what recovery validation before production is designed to prevent.
• BBackups can be corrupted or contain malicious artifacts, so assuming integrity without checks may carry the compromise forward into the freshly restored production environment.
• CLessons-learned documentation belongs after recovery is confirmed; closing first leaves restored systems unverified and could declare success while a foothold or defect remains.

Indicators of attack are behavioral signs that an attack is in progress, focusing on adversary actions and intent so teams can intervene before damage is completed.

• BIndicators of compromise are forensic artifacts such as hashes or malicious IPs showing a breach already occurred, whereas this scenario describes live attacker behavior unfolding now.
• CLateral movement using stolen credentials is hostile behavior, so dismissing it as a false positive would let an active intrusion proceed unchallenged across the environment.
• DA CVE catalogs a known vulnerability in software, not the live behavioral activity of an adversary moving through systems during an active attack sequence.

Mean time to detect tracks the average amount of time that a problem exists before it is found, directly measuring the detection speed the manager wants.

• AMean time to recovery measures how long restoration takes after a failure, which addresses the tail end of an incident rather than how quickly it was first noticed.
• CMean time to acknowledge measures responder pickup of an already-raised alert, not the latency between when an incident begins and when the organization first detects it.
• DMean time between failures is a reliability measure of hardware or service uptime, unrelated to how rapidly a security incident is discovered after it starts.

Forensic practice preserves the integrity of the information and maintains a strict, documented chain of custody, which together support the authenticity needed for evidence to be admissible.

• AAllowing normal deletion to continue under a legal hold destroys potentially relevant evidence, exposing the organization to spoliation claims and undermining any later courtroom use of that data.
• BEditing original collected images alters the evidence and destroys its integrity, making it unreliable and likely inadmissible because the data no longer reflects its original state.
• DUntracked storage breaks the chain of custody, so the organization cannot demonstrate the evidence was unaltered, weakening or defeating its admissibility when challenged in court.

SOAR integrates separate security tools, automates repetitive tasks, and runs playbooks that enrich and contain alerts, reducing analyst workload and shortening mean time to respond.

• BA SIEM aggregates and correlates logs for detection and review but does not, by itself, orchestrate tools or execute the automated containment playbooks the SOC is asking for.
• CSignature antivirus inspects files on endpoints and cannot coordinate multiple tools or run cross-platform response workflows, so it does not address the repetitive triage bottleneck described.
• DTime synchronization supports accurate log correlation but has nothing to do with orchestrating tools or automating the phishing triage and containment playbooks the team wants.