INCIDENCE RESPONSE PROCESS Scenario: A ransomware infection has locked multiple workstations. The IT team is unsure whether to shut down affected systems. Question: What should the team do first—shut down systems or isolate them?

Answer: Isolate them from the network to prevent further spread before taking further action.

INCIDENCE RESPONSE PROCESS Containment & Mitigation Scenario: The IT team detects unauthorized administrative access on a critical server. Question: Should they immediately remove the hacker’s access or collect forensic evidence first?

Answer: Collect forensic evidence first to understand the attack vector before removing access.

INCIDENCE RESPONSE PROCESS Eradication & Recovery Scenario: After a successful incident containment, IT is ready to remove malware. Question: What is the best approach to ensure complete malware remo

Answer: Reimage infected systems and update security patches to prevent reinfection.

INCIDENCE RESPONSE PROCESS Eradication & Recovery Scenario: A cyberattack exploited a known vulnerability. Question: Besides removing the threat, what long-term fixes should be implemented?

Answer: Patch the vulnerability, enhance monitoring, and update access controls.

INCIDENCE RESPONSE PROCESS Eradication & Recovery Scenario: A company recovers from a data breach but wants to prevent future incidents. Question: What post-incident measures should they take?

Answer: Conduct a post-mortem analysis, update policies, and improve employee training.

Identifying Escalation Needs Scenario: A user reports their account being locked out multiple times, but IT sees no signs of brute-force attempts. Question: Should this be escalated to the incident response team? Why or why not?

Answer: Yes, because repeated lockouts without a clear cause could indicate credential stuffing or an insider threat.

IDENTIFYING ESCALATION NEEDS Scenario: The security team detects a small number of failed logins from an overseas location. Question: What criteria should determine whether this is escalated?

Answer: Look for patterns—if multiple accounts are targeted, if login attempts increase, or if affected users are high-value targets.

Identifying Escalation Needs Scenario: A phishing email is reported, but only one employee received it. Question: Should this be escalated? Why or why not?

Answer: Not immediately—monitor for additional reports. If more employees are targeted, escalate as a phishing campaign.

Determining Escalation Paths Scenario: A department reports repeated malware infections on different machines. Question: Who should this be escalated to first—the IT team, cybersecurity team, or senior leadership?

Answer: The cybersecurity team should analyze patterns before escalating to senior leadership

Determining Escalation Paths Scenario: A suspected insider threat is exfiltrating sensitive documents. Question: Which departments must be involved in escalation

Answer: Cybersecurity, HR, Legal, and potentially Law Enforcement if company policy requires external reporting

Determining Escalation Paths Scenario: A third-party vendor informs the company of a possible data exposure but provides limited details. Question: Should this be escalated immediately, or should more information be gathered first?

Answer: Gather more details first, but do not delay escalation if the exposure is confirmed.

Handling Critical Escalations Scenario: IT discovers that an active attacker has gained administrator access to key servers. Question: Should the system be immediately shut down or should legal and executive teams be consulted first?

Answer: Consult legal and executive teams—shutting down could erase forensic evidence.

Handling Critical Escalations Scenario: A data breach affecting customer records is confirmed. Question: What are the immediate escalation steps

Answer: Notify legal, PR, and compliance teams, then determine disclosure obligations under data protection laws.

Handling Critical Escalations Scenario: Ransomware has locked critical systems, and the attacker demands immediate payment. Question: Who should be involved in the decision to pay or not pay the ransom?

Answer: Cybersecurity, legal, executive leadership, and law enforcement (if company policy supports reporting).

Real World Reporting NotPetya Cyber Attack (2017) 📌 Incident: The NotPetya malware spread worldwide, wiping data and causing billions in damages.

NIST Breakdown: Identify: Companies lacked resilience against destructive malware. Protect: No effective backup and disaster recovery plan. Detect: Rapid, widespread data destruction alerted security teams. Respond: Companies worked to isolate and contain the malware. Recover: Organizations rebuilt systems, leading to better global cyber resilience.

Real World Reporting Marriott Hotel Data Breach (2018) 📌 Incident: A long-running breach in Starwood’s system was inherited by Marriott after acquisition.

NIST Breakdown: Identify: Lack of cybersecurity due diligence before acquisition. Protect: No review of inherited security vulnerabilities. Detect: Marriott discovered breach years later . Respond: Customer notifications and regulatory fines. Recover: Improved security audits for acquisitions.

Real World Reporting The Yahoo Data Breach (2013-2016) 📌 Incident: 3 billion Yahoo accounts were breached over multiple years before Yahoo disclosed it.

NIST Breakdown: Identify: Poor risk assessment and security monitoring. Protect: Lack of encryption and user authentication safeguards. Detect: Years before Yahoo discovered full scope of breach. Respond: Delayed public disclosure led to regulatory fines. Recover: Yahoo strengthened security after public backlash and lawsuits

Real World Reporting The Target POS Breach (2013) 📌 Incident: Attackers infiltrated Target’s payment system via a third-party HVAC vendor

NIST Breakdown: Identify: Lack of security review for third-party vendor access. Protect: No network segmentation between vendor systems and POS systems. Detect: Malware on POS terminals detected weeks later. Respond: Target shut down compromised systems and notified customers. Recover: Payment system security improved, leading to industry-wide changes.

Real World Reporting Uber Data Breach (2022) 📌 Incident: A hacker bypassed multi-factor authentication by pressuring an employee to approve login requests.

Identify: Weak employee awareness of phishing/social engineering. Protect: Poor enforcement of multi-factor authentication policies. Detect: Attack identified after internal systems were compromised. Respond: Access revoked, but data was already leaked. Recover: Security policy overhaul and employee security training.

Real World Reporting SolarWinds Supply Chain Attack (2020) 📌 Incident: Attackers injected malware into SolarWinds Orion updates, gaining access to government and corporate networks.

Identify: Lack of security checks in third-party software updates. Protect: No supply chain security measures in place. Detect: Attack remained undetected for months. Respond: Security teams worked to remove infected software versions. Recover: Software patches, forensic analysis, and new security protocols.

Real World Reporting The Colonial Pipeline Ransomware Attack (2021) 📌 Incident: Attackers used a compromised VPN password to deploy ransomware, halting fuel distribution.

Identify: Poor access control (no multi-factor authentication on VPN). Protect: No strong identity verification measures. Detect: Attack was only discovered when ransomware locked systems. Respond: Pipeline shutdown, law enforcement involvement, and ransom payment. Recover: Pipeline operations restored, but at significant financial and reputational cost.

Real World Reporting The Equifax Data Breach (2017) 📌 Incident: Attackers exploited an unpatched vulnerability in Apache Struts, leading to a massive data breach.

Identify: Equifax failed to assess and manage software vulnerabilities. Protect: The unpatched system lacked proper cybersecurity hygiene. Detect: Breach went undetected for months. Respond: Equifax took months to disclose the incident, delaying response actions. Recover: Equifax paid fines and implemented better security policies

Head to Head (HH)-1 What type of cyberattack floods a system with excessive traffic to make it unavailable?

Answer: Distributed Denial-of-Service (DDoS) Attack

(HH) Follow-up Challenge - 1 Categorization Challenge: (Match each response to the correct NIST category.) Identifying critical business services affected. Increasing firewall protections and traffic filtering. Detecting abnormal network traffic spikes. Blocking malicious IP addresses and rerouting traffic. Evaluating future DDoS mitigation strategies.

IDENTIFY-Identifying critical business services affected. PROTECT-Increasing firewall protections and traffic filtering. DETECT-Detecting abnormal network traffic spikes. RESPOND-Blocking malicious IP addresses and rerouting traffic. RECOVER-Evaluating future DDoS mitigation strategies.

HH -1 (Steal Opportunity): What is the most common way ransomware enters an organization?

Answer: Phishing emails with malicious attachments or links.

(HH) Follow-up Challenge - 2 Categorization Challenge: Cataloging all encrypted files and affected systems. Implementing backup systems to restore data. Detecting the source of the ransomware attack. Disabling infected accounts and isolating compromised devices. Conducting training to prevent future infections.

Categorization Challenge: IDENTIFY-Cataloging all encrypted files and affected systems. PROTECT-Implementing backup systems to restore data. DETECT-Detecting the source of the ransomware attack. RESPOND-Disabling infected accounts and isolating compromised devices. RECOVER-Conducting training to prevent future infections.

HH - 2 (Steal Opportunity): What is a common reason a company falls victim to a DDoS attack?

Answer: Lack of traffic filtering or unprotected network services.

Head to Head (HH) - 3 What security practice requires users to verify their identity using two or more methods?

Answer: Multi-Factor Authentication (MFA)

(HH) Follow-up Challenge - 3 Categorization Challenge: Documenting which accounts require MFA. Enforcing MFA requirements for all employees. Monitoring login attempts for unauthorized access. Requiring a password reset for a compromised account. Conducting annual security audits of authentication policie

Categorization Challenge: IDENTIFY-Documenting which accounts require MFA. PROTECT-Enforcing MFA requirements for all employees. DETECT-Monitoring login attempts for unauthorized access. RESPOND-Requiring a password reset for a compromised account. RECOVER-Conducting annual security audits of authentication policie

HH - 3 (Steal Opportunity): What is a weakness of only using passwords for authentication?

Answer: Passwords can be stolen, guessed, or reused across multiple accounts.

HH - 4 (Steal Opportunity): Why do social engineering attacks often succeed?

Answer: Attackers exploit human trust and urgency to manipulate victims.

(HH) Follow-up Challenge - 4 Categorization Challenge: Listing job roles most likely to be targeted. Creating security policies to prevent social engineering scams. Monitoring for unusual requests for sensitive data. Implementing call-back verification procedures. Reviewing security awareness training effectiveness.

Categorization Challenge: IDENTIFY-Listing job roles most likely to be targeted. PROTECT-Creating security policies to prevent social engineering scams. DETECT-Monitoring for unusual requests for sensitive data. RESPOND-Implementing call-back verification procedures. RECOVER-Reviewing security awareness training effectiveness.

CyberSecurity Training

Flashcard

•

Information Technology (IT)

•

Professional Development

•

Hard

Christopher Lynch

FREE Resource

Student preview

40 questions

Show all answers

FLASHCARD QUESTION

Front

INCIDENCE RESPONSE PROCESS

What is the first step in the incident response process?

Back

Identify and confirm the incident by analyzing logs and alerts.

FLASHCARD QUESTION

Front

INCIDENCE RESPONSE PROCESS

- Scenario: A company detects unusual outbound network traffic that could indicate data exfiltration.

Question: What is the first step in the incident response proce

Back

Answer: Identify and confirm the incident by analyzing logs and alerts

FLASHCARD QUESTION

Front

INCIDENCE RESPONSE PROCESS

Scenario: Employees report receiving emails from a compromised internal account requesting sensitive data.

Question: Should this be escalated immediately? Why or why not?

Back

Answer: Yes, because it indicates a potential account takeover and requires immediate containment.

FLASHCARD QUESTION

Front

INCIDENCE RESPONSE PROCESS
Scenario: A ransomware infection has locked multiple workstations. The IT team is unsure whether to shut down affected systems.
Question: What should the team do first—shut down systems or isolate them?

Back

Answer: Isolate them from the network to prevent further spread before taking further action.

FLASHCARD QUESTION

Front

Real World Reporting

The Twitter Bitcoin Scam (2020)

📌 Incident: Attackers gained access to Twitter’s internal tools via a phishing attack on employees, leading to a large-scale scam.

Back

Identify: Weak internal security protocols for employee access.
Protect: Lack of multi-factor authentication on internal admin tools.
Detect: Attack detected only after fraudulent tweets went viral.
Respond: Twitter locked down affected accounts and restricted employee access.

Recover: Twitter improved security policies and employee training.

FLASHCARD QUESTION

Front

INCIDENCE RESPONSE PROCESS

Containment & Mitigation

- Scenario: A malware outbreak spreads across an organization’s network. IT blocks external traffic from affected machines.

Question: What additional containment steps should be taken?

Back

Answer: Disable compromised accounts, segment the network, and block malicious IP addresses.

FLASHCARD QUESTION

Front

INCIDENCE RESPONSE PROCESS
Containment and Mitigation
Scenario: A phishing attack compromised employee credentials. The attacker is attempting unauthorized access.

Question: What immediate actions should be taken?

Back

Answer: Force password resets, revoke unauthorized sessions, and monitor for further suspicious activity.

Access all questions and much more by creating a free account

Create resources

Host any resource

Get auto-graded reports

Continue with Google

Continue with Email

Continue with Classlink

Continue with Clever

or continue with

Microsoft

Apple

Others

Already have an account?

Similar Resources on Wayground

39 questions

Spelling Errors

Flashcard

•

KG - University

30 questions

Lesson 2 Vocabulary

Flashcard

•

12th Grade

28 questions

literary terms

Flashcard

•

KG - University

27 questions

AI in Education: Benefits, Challenges, and Best Practices

Flashcard

•

Professional Development

32 questions

Flashcard on Production and Marketing

Flashcard

•

12th Grade

40 questions

Mid-shift by Athena Sanchez

Flashcard

•

University

25 questions

Unit 1 Review

Flashcard

•

Professional Development

30 questions

OS 2 SURGICAL MANAGEMENT OF IMPACTED TEETH

Flashcard

•

Popular Resources on Wayground

15 questions

Fractions on a Number Line

Quiz

•

3rd Grade

20 questions

Equivalent Fractions

Quiz

•

3rd Grade

25 questions

Multiplication Facts

Quiz

•

5th Grade

$fractions$

22 questions

fractions

Quiz

•

3rd Grade

20 questions

Main Idea and Details

Quiz

•

5th Grade

20 questions

Context Clues

Quiz

•

6th Grade

15 questions

Equivalent Fractions

Quiz

•

4th Grade

20 questions

Figurative Language Review

Quiz

•

6th Grade

Discover more resources for Information Technology (IT)

10 questions

How to Email your Teacher

Quiz

•

Professional Development

6 questions

3RD GRADE DECLARATION OF INDEPENDENCE EXIT TICKET

Quiz

•

Professional Development

19 questions

Black History Month Trivia

Quiz

•

6th Grade - Professio...

22 questions

Multiplying Exponents with the Same Base

Quiz

•

9th Grade - Professio...

40 questions

Flags of the World

Quiz

•

KG - Professional Dev...