Incident response describes the immediate actions required of the Security Operations Centre (SOC). This is principally directed toward stopping an incident from getting worse.

Incident handling is different because it includes non-technical work carried out around the incident. Whereas, in the incident response section, we spoke about how there were other organizations that needed to know things, this section provides details about what the rest of the organization is considering and doing while the SOC is investigating, fighting, and defeating the threat.

In this section, we also look at the classification of intrusion events in the Cyber Kill Chain model and appropriately apply the NIST guidelines to guide the organization's response using standardized (VERIS) terminology.

The following chapters are included in this section:

• Chapter 12, The Cyber Kill Chain Model
• Chapter 13, Incident Handling Activities