The phases of incident handling

The NIST incident handling process looks at the other (non-technical) activities that must be carried out during an incident. You will notice that these are aligned, though not perfectly, with the NIST Incident Response Life Cycle. In this section, we will apply the NIST incident handling process to an event, defining activities as they relate to each phase in the incident handling process. This will cover topics 5.2 and 5.3a-f of the 210-255 specification:

Implementing Cisco Cybersecurity Operations (210-255) Topic List:

5.2 Apply the NIST.SP800-61 r2 incident handling process to an event

5.3 Define these activities as they relate to incident handling
5.3.a Identification
5.3.b Scoping
5.3.c Containment
5.3.d Remediation
5.3.e Lesson-based hardening
5.3.f Reporting

We will look at the phases separately, using examples, where possible, that best differentiate one phase from another. In reality, the boundaries are less clear-cut, but the exam questions will be written in such a way that you will be able to clearly identify the phase from the event activity.
