1. Home
Feeling StupidKeyboard Layout

CySA+ (v3)

Incident Response Management

Explaining attack methodology frameworks, incident response activities, and the incident management life cycle.

20% Exam Weight

Exam focus areas

  • Objective summary: Explaining attack methodology frameworks, incident response activities, and the incident management life cycle.
  • Attack methodology frameworks: Explaining cyber kill chains, diamond model of intrusion analysis, MITRE ATT&CK, OSSTMM, and OWASP testing guide.
  • Incident response activities: Performing detection, analysis, containment, eradication, and recovery.
  • Incident management life cycle: Explaining plans, tools, playbooks, tabletop exercises, training, business continuity, disaster recovery, forensic analysis, and root cause analysis.

Domain deep dive

Expanded domain guidance for framework usage, incident handling execution, and lifecycle maturity.

CS0-003 Coverage Checklist (3.1-3.3)

Direct objective coverage from the CompTIA CS0-003 incident response and management domain.

  • 3.1 Attack methodology frameworks: cyber kill chains, Diamond Model of Intrusion Analysis, MITRE ATT&CK, OSSTMM, and OWASP Testing Guide.
  • 3.2 Incident response activities: detection and analysis (IoC handling, evidence acquisition, chain of custody, data integrity validation, preservation, legal hold, and data/log analysis) plus containment/eradication/recovery (scope, impact, isolation, remediation, re-imaging, and compensating controls).
  • 3.3 Lifecycle readiness: preparation (incident response plan, tools, playbooks, tabletop exercises, training, BC/DR) and post-incident activity (forensic analysis, root cause analysis, lessons learned).

3.1 Attack Methodology Frameworks

Use structured frameworks to model and disrupt adversary activity.

Cyber Kill Chain

  • Reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives.
  • Use phase mapping to identify breakpoints for prevention and detection.

MITRE ATT&CK

  • Map tactics, techniques, and sub-techniques to observed behavior.
  • Correlate procedures and telemetry coverage for detection engineering.

Diamond Model

  • Correlate adversary, capability, infrastructure, and victim relationships.
  • Use meta-features such as time, direction, and phase for analytic context.

3.2 Incident Response Activities

Execute detection, containment, eradication, and recovery with evidence integrity.

Detection and Analysis

  • Validate alerts, classify severity, and establish scope.
  • Collect volatile evidence first, then persistent artifacts.
  • Maintain chain of custody and reconstruct timeline.
  • Extract and operationalize indicators for blocking and hunting.

Containment

  • Apply short-term isolation and credential controls rapidly.
  • Implement long-term containment with patching and hardening.
  • Preserve evidence before destructive changes.
  • Coordinate communications with legal and business stakeholders.

Eradication and Recovery

  • Remove root cause, reset credentials, and rebuild as needed.
  • Harden restored systems based on lessons learned.
  • Validate eradication through follow-up monitoring and scans.
  • Restore services in phased order with enhanced visibility.

3.3 Incident Management Lifecycle

Build repeatable readiness and improvement capabilities around incident handling.

Preparation

  • Define policy, scope, authority, and escalation in the response plan.
  • Establish IR roles, RACI ownership, and on-call operations.
  • Prepare tooling, forensic workflows, and approved containment scripts.
  • Run tabletop and adversary simulation exercises regularly.

Lessons Learned

  • Conduct blameless post-incident review with clear action items.
  • Track detection and response gaps to closure.
  • Update metrics including MTTD, MTTR, and incident cost indicators.
  • Capture updated TTP and IoC knowledge for future operations.

Key concepts

  • Kill Chain phase mapping
  • MITRE ATT&CK tactics and techniques
  • Diamond Model relationships
  • Evidence volatility order
  • Chain of custody controls
  • NIST 800-61 aligned lifecycle

Study tips

  • Walk through complete incident scenarios using multiple frameworks.
  • Practice volatile data collection order and evidence logging.
  • Run structured tabletop exercises with role assignment and comms.
  • Draft incident reports with timeline, indicators, and corrective actions.