6.5 Practice Drills and Readiness Markers
Key Takeaways
- Incident response follows a defined lifecycle: preparation, detection/analysis, containment, eradication, recovery, lessons learned.
- Containment is the immediate priority once an incident is confirmed, before eradication and recovery.
- Chain of custody documents who handled evidence, when, and how, to keep it admissible.
- A vulnerability scan identifies weaknesses; a penetration test actively exploits them to prove impact.
- Cloud (shared responsibility), mobile (MDM), and IoT introduce new attack surfaces the auditor must evaluate.
Incident Response and Forensics Drills
Domain 5 Part B is heavily tested, so drill the incident-response (IR) lifecycle until the order is automatic:
- Preparation — policy, IR team, tools, and training in place before anything happens.
- Detection and analysis — identify and validate that an event is a genuine incident; classify severity.
- Containment — limit the spread (isolate hosts, disable accounts). This is the immediate priority once an incident is confirmed.
- Eradication — remove the root cause (malware, compromised credentials, the exploited vulnerability).
- Recovery — restore systems to normal operation and monitor for recurrence.
- Lessons learned (post-incident) — document what happened and improve controls.
A common trap puts recovery or eradication before containment. If a breach is spreading, contain first — you cannot clean or restore while the attacker still has reach.
Digital forensics and chain of custody
When evidence may support legal action, forensic handling matters more than speed. The auditor confirms a documented chain of custody: a record of who collected each item, what it is (serial numbers, hostnames, hashes), when and where it was collected, and every transfer of possession. Investigators acquire a forensic image (bit-for-bit copy), compute a hash to prove the image is unaltered, work only on the copy, and store originals securely. Any gap in custody or an unverifiable hash can render evidence inadmissible. NIST frames the process as collection, examination, analysis, and reporting.
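To make the imaging-and-hash step concrete, here is an added example (not from this guide or any forensic tool) that copies a constructed source file as a stand-in for a seized drive, hashes both sides, keeps a custody record, and shows that a single altered byte in the working copy makes the evidence unverifiable. The paths, people and location are assumptions.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so a multi-gigabyte image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def acquire(source, image, collector, location):
    """Copy the source byte for byte, prove the copy matches, and open the custody record."""
    shutil.copyfile(source, image)  # stands in for a bit-for-bit imaging tool
    src_hash, img_hash = sha256_file(source), sha256_file(image)
    if src_hash != img_hash:
        raise RuntimeError("acquired image does not match source; do not proceed")
    return {"item": os.path.basename(source), "sha256": img_hash,
            "entries": [{"action": "collected", "by": collector, "at": location,
                         "when": datetime.now(timezone.utc).isoformat()}]}

def transfer(record, giver, receiver):
    """Append every change of possession; the acquisition hash itself is never rewritten."""
    record["entries"].append({"action": "transferred", "from": giver, "to": receiver,
                              "when": datetime.now(timezone.utc).isoformat()})
    return record

def verify(record, image):
    """Recompute the hash of the copy analysts work on and compare with the recorded value."""
    return sha256_file(image) == record["sha256"]

def demo():
    """Constructed scenario: acquire, hand over, verify, then alter one byte and verify again."""
    with tempfile.TemporaryDirectory() as d:
        source = os.path.join(d, "disk0.raw")   # stands in for the seized drive (assumed name)
        image = os.path.join(d, "disk0.dd")     # the forensic copy analysts will use
        with open(source, "wb") as f:
            f.write(b"constructed sample disk contents\n" * 4096)
        record = acquire(source, image, "A. Collector", "Server room B")
        transfer(record, "A. Collector", "B. Analyst")
        intact = verify(record, image)
        with open(image, "r+b") as f:           # simulate accidental modification of the copy
            f.seek(100)
            f.write(b"X")
        return intact, verify(record, image), len(record["entries"])
```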
| IR/forensics term | What it means | Why it is tested |
|---|---|---|
| Containment | Stop the incident from spreading | First action after confirmation |
| Eradication | Remove the root cause | Must follow, not precede, containment |
| Chain of custody | Documented evidence handling | Preserves admissibility |
| Forensic image + hash | Verified bit-for-bit copy | Proves evidence integrity |
Security Testing, Cloud, Mobile, and IoT
Know the testing distinction cold. A vulnerability scan is automated and broad; it identifies known weaknesses (missing patches, misconfigurations) but does not exploit them, so it is lower risk and run frequently. A penetration test goes further: it actively exploits weaknesses to demonstrate real-world impact and chain attacks together, and is performed periodically under a defined scope and rules of engagement. If a stem asks which test proves a vulnerability is exploitable, the answer is the penetration test; if it asks which gives broad, frequent coverage, it is the scan.
Related tools include SIEM for centralized log correlation and alerting, and patch and configuration management to close findings.
Emerging environments
- Cloud — the shared responsibility model governs accountability: the provider secures the infrastructure ("of" the cloud) while the customer secures data, identities, and configuration ("in" the cloud). The split shifts across IaaS, PaaS, and SaaS. Auditors review the contract/SLA, the customer's IAM and encryption, and the right to audit.
- Mobile — mobile device management (MDM) enforces encryption, passcodes, remote wipe, and app control; BYOD raises data-separation and privacy concerns addressed by containerization.
- IoT — large numbers of low-power devices with weak default credentials and irregular patching expand the attack surface; controls include segmentation, changing default passwords, and inventory.
Readiness markers
| Marker | What good performance looks like |
|---|---|
| Recall | Sequence the IR lifecycle and IAAA without notes |
| Recognition | Spot the threatened CIA objective from a scenario stem |
| Application | Pick the right control and name the rule behind it |
| Distractor control | Explain why a tempting answer fixes the wrong objective or skips containment |
| Retention | Hold a mixed set steady after a one-day break |
Monitoring, Metrics, and Attack Methods
Detection depends on monitoring you can audit. The exam expects familiarity with logging and log management (centralized, time-synchronized, tamper-evident), SIEM correlation across sources, file integrity monitoring for unauthorized change, and alerting thresholds tuned to reduce noise. The auditor verifies that logs are protected from the very administrators they monitor, retained per policy, and actually reviewed — an unreviewed log provides detection only in theory.
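One way to make a log tamper-evident and to apply an alerting threshold, as an added illustration rather than any SIEM product's method: each record's hash covers the previous record's hash, so a record rewritten or deleted by an administrator is caught on verification, and a sliding window counts failed logins per source. The hostnames, timestamps and threshold are constructed.

```python
import hashlib
import json
from collections import defaultdict
GENESIS = "0" * 64  # anchor hash for the first record
def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_entry(chain, ts, src, msg):
    """Append a record whose hash also covers the previous record's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    body = {"ts": ts, "src": src, "msg": msg, "prev": prev}
    chain.append({**body, "hash": _digest(body)})
    return chain

def verify_chain(chain):
    """Return (ok, index of first broken record); an edit, deletion or reorder breaks the link."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: rec[k] for k in ("ts", "src", "msg", "prev")}
        if rec["prev"] != prev or rec["hash"] != _digest(body):
            return False, i
        prev = rec["hash"]
    return True, None

def failed_login_alerts(chain, threshold=3, window=60):
    """Alert on any source with `threshold` failed logins inside a sliding `window` of seconds."""
    recent, alerts = defaultdict(list), set()
    for rec in chain:
        if rec["msg"] != "login failed":
            continue
        t = recent[rec["src"]]
        t.append(rec["ts"])
        while rec["ts"] - t[0] > window:  # forget events older than the window
            t.pop(0)
        if len(t) >= threshold:
            alerts.add(rec["src"])
    return sorted(alerts)
# Constructed sample events: (seconds since start, hypothetical hostname, message).
SAMPLE = [(0, "ws-17", "login failed"), (12, "ws-17", "login failed"),
          (30, "ws-17", "login failed"), (31, "ws-17", "login ok"),
          (45, "ws-02", "login failed"), (200, "ws-02", "login failed")]
def demo():
    """Alerts fire for ws-17 only; then one record is rewritten and verification flags it."""
    chain = []
    for ts, src, msg in SAMPLE:
        append_entry(chain, ts, src, msg)
    alerts, (ok_before, _) = failed_login_alerts(chain), verify_chain(chain)
    chain[1]["msg"] = "login ok"  # an administrator rewrites history after the fact
    ok_after, bad_index = verify_chain(chain)
    return alerts, ok_before, ok_after, bad_index
```

Deleting a record instead of editing it is caught the same way, because the next record's `prev` no longer matches its new predecessor.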
Know the headline attack methods by name so a scenario stem is recognizable: malware (virus, worm, ransomware, trojan), phishing/spear-phishing, denial-of-service and DDoS (availability), man-in-the-middle, SQL injection and cross-site scripting (web), privilege escalation, zero-day exploits, and advanced persistent threats (APT). Pair each with the control that counters it — DDoS protection and redundancy for availability attacks, input validation for injection, MFA and awareness for credential phishing.
Practice-drill structure
Build each drill from four prompts: define the concept, name the triggering cue, choose the next action, and explain why two alternatives are weaker. A two-column sheet works well — high-yield cue on the left (breach spreading, evidence for court, prove a vuln is exploitable), and the exact action on the right (contain first, chain of custody, penetration test).
| Cue in the stem | Correct action | Why distractors fail |
|---|---|---|
| Incident still spreading | Contain before eradicate/recover | Cleaning during spread reinfects |
| Evidence may go to court | Preserve chain of custody and hash the image | Speed without integrity = inadmissible |
| Need broad, frequent checks | Vulnerability scan | A pen test is periodic and scoped |
| Need to prove real exploitability | Penetration test | A scan identifies but does not exploit |
A domain is ready when you can return after a day, answer mixed items without the domain label visible, and still explain why the distractors fail. If your score drops sharply after a break, the knowledge is recognition-based and needs more active recall.
An organization has just confirmed that malware is actively spreading across its network. What should the incident-response team do FIRST?
What is the PRIMARY purpose of maintaining a documented chain of custody during a forensic investigation?
Which statement BEST distinguishes a vulnerability scan from a penetration test?
Under the cloud shared responsibility model, which party is typically responsible for securing customer data and configuring identity and access management?