4.2 Core Workflows and Decision Points

4.2 Core Workflows and Decision Points

This section converts the lifecycle into the decision points CS0-003 actually tests. Every Domain 3 workflow starts with a trigger (an alert, IOC, or report), runs through a decision (contain how? collect what?), and ends with an output (clean system, preserved evidence, updated runbook).

Detection, triage, and classification

When an alert fires, you first validate (is it a true positive?), then scope (how many hosts/accounts?), then classify severity. NIST SP 800-61 categorizes incidents by attack vector (External/Removable Media, Attrition/brute force, Web, Email, Impersonation, Improper Usage, Loss/Theft of Equipment, Other) and prioritizes by functional impact, information impact, and recoverability effort. Severity drives notification timing and resource allocation.

Containment strategy and the order of volatility

Containment buys time without destroying evidence. The classic CySA+ decision: isolate by disconnecting the network while leaving the host powered on. A hard shutdown wipes volatile memory (RAM), which holds encryption keys, injected code, and live network state. The order of volatility (RFC 3227) dictates collection sequence -- most volatile first:

Chain of custody and forensic integrity

Chain of custody documents every transfer of evidence -- who collected it, what it is, when, where, and why -- so it remains admissible. You hash evidence (e.g., SHA-256) at collection and verify the hash matches before and after analysis to prove no tampering. Always analyze a forensic image (bit-for-bit copy), never the original. A write blocker prevents accidental modification of the source drive during imaging.

Eradication then recovery -- never reverse the order

Eradication removes all attacker artifacts: malware, web shells, rogue accounts, scheduled tasks, and registry/cron persistence. Recovery restores systems to a known-good state and validates that monitoring is back. The most common exam trap is restoring from backup before eradication is complete -- that re-deploys persistence and causes immediate reinfection.

• Trigger -> validate and scope the alert
• Contain -> isolate, preserve RAM, snapshot
• Collect -> image, hash, log chain of custody
• Eradicate -> remove malware, accounts, persistence
• Recover -> rebuild from clean images, patch, restore data, re-enable monitoring
• Document -> feed lessons learned back into Preparation

If an answer produces the wrong output (e.g., "reimage immediately" when memory forensics is needed), it fails even if it sounds decisive.

Containment options compared

CySA+ tests several containment approaches and when each fits. Segmentation moves the host into an isolated VLAN so you can still observe it; isolation fully cuts network access; removal powers it down or pulls it from production. Observe-and-monitor (a deliberate delay) is occasionally correct when you need to map the adversary's full footprint before acting -- but only when business and data risk allow it.

Recovery validation and timelines

Recovery is not done when a server boots. You validate that systems are patched, monitoring is restored, IOCs no longer appear, and accounts are reset. Track recovery metrics the exam names: MTTD (mean time to detect), MTTR (mean time to respond/recover), and dwell time (compromise-to-detection gap). Shrinking dwell time and MTTD is the point of feeding lessons learned back into Preparation. A scenario that says "the host is back online" but never re-enables logging is incomplete -- the correct answer reconfigures monitoring as part of recovery.

Eradication techniques you must name

Eradication is more than "delete the malware." Exam-relevant techniques include removing persistence mechanisms (scheduled tasks, services, registry Run keys, cron jobs, startup folders), deleting rogue accounts, sanitizing or re-imaging infected hosts, applying the patch that closed the exploited vulnerability, and rotating credentials and keys the attacker may have captured. Sanitization standards matter when reuse is involved: clearing, purging, or destroying media per the data's sensitivity. If the stem says logging was disabled, eradication also restores logging integrity so recovery can be validated.

Decision flow for the containment phase

When a stem drops you into an active incident, walk this fixed order and pick the answer that respects it:

1. Confirm and scope -- is this a true positive, and how far has it spread?
2. Contain -- isolate by network disconnect to stop spread while preserving RAM.
3. Collect -- image and hash evidence under chain of custody before changing anything.
4. Eradicate -- remove malware, accounts, and persistence; patch the entry point.
5. Recover -- rebuild or restore to known-good, re-enable monitoring, validate IOCs are gone.
6. Hand off -- feed timeline and lessons learned into Post-Incident Activity.

The most common point-losing answer jumps from step 2 straight to step 5 (restore) and skips evidence collection and eradication. Memorize this six-step flow and you can defeat the majority of Domain 3 scenario questions on sequence alone.