CSIRM Assignment - 1
Q.1 Multiple Choice Questions
1. What does CSIRM stand for?
A. Cyber Safety and Internet Risk Management
B. Cybersecurity Incident Response Management
C. Computer Security Information Risk Management
D. Cyber Service Investigation and Recovery Mechanism
2. Which of the following is NOT a phase in the CSIRM incident response lifecycle?***
A. Preparation
B. Monitoring
C. Eradication
D. Recovery
3. What is the primary goal of incident management in cybersecurity?
A. System development
B. Creating new software
C. Minimizing damage and restoring operations
D. Data analysis
4. What distinguishes an incident from an event?***
A. Incidents are always successful logins
B. Incidents require immediate response
C. Events are always harmful
D. Events occur after incidents
5. Which of the following attacks tricks a user into disclosing sensitive information?***
A. DoS
B. Malware
C. Privilege escalation
D. Phishing
6. Which phase includes restoring systems and returning to normal?
A. Containment
B. Preparation
C. Recovery
D. Identification
7. Who is responsible for preserving digital evidence in an investigation?
A. PR Team
B. Security Analysts
C. Forensic Experts
D. Management
8. When should media communication be initiated during an incident?
A. Before confirming the incident
B. After recovery is complete
C. After threat containment and message approval
D. Only if users complain
9. What is the first step in the incident response lifecycle?
A. Preparation
B. Recovery
C. Containment
D. Lessons Learned
10. What is one key reason for having a communication protocol in CSIRM?
A. Improve printer speed
B. Prevent panic and misinformation
C. Reduce internet usage
D. Block all social media
11. What is one of the primary roles of law enforcement in CSIRM?
A. Designing antivirus software
B. Managing PR strategies
C. Investigating cybercrimes
D. Creating firewalls
12. What is the role of forensic experts in CSIRM?
A. Creating marketing strategies
B. Collecting and preserving digital evidence
C. Writing incident reports for the public
D. Auditing financial statements
13. Who should communicate with the media during a cybersecurity incident?
A. Any employee
B. Trained PR personnel or appointed spokespersons
C. Security analysts
D. IT support staff
14. What should a media message include during an incident?
A. Blame and technical terms
B. Clarity, truthfulness, and corrective actions
C. Jargon and speculation
D. Humor to ease the tension
15. What is the first phase of the Incident Response Lifecycle according to NIST?
A. Detection and Analysis
B. Preparation
C. Recovery
D. Containment
16. What is the main goal of the Preparation phase?
A. To restore normal operations
B. To ensure readiness for handling incidents effectively
C. To analyze system behavior
D. To remove malicious files
17. Which of these tools is used in the Detection and Analysis phase?
A. Photoshop
B. Intrusion Detection Systems (IDS)
C. Excel
D. Remote desktop software
18. Which action belongs to the Recovery phase?***
A. Suspending employee emails
B. Restoring data from backups
C. Informing shareholders
D. Updating antivirus signatures
19. Which of these is a secure communication tool for incident response?
A. Open Wi-Fi network
B. Encrypted email
C. Social media
D. Regular phone line
20. What is essential in access-controlled facilities?
A. Open access to all employees
B. Role-based access control (RBAC)
C. Weekly social events
D. Manual password entry only
21. Which of these is used for forensic data capture?
A. Web browser
B. Disk cloning tools
C. Video editing software
D. PDF converter
Q.2 Very Short Answer Type Questions
1. What is Cybersecurity Incident Response Management (CSIRM)?
Answer:
Cybersecurity Incident Response Management (CSIRM) is a structured approach to
identifying, responding to, and recovering from cybersecurity incidents to minimize damage
and support business continuity.
• Structured Framework – Involves defined policies, plans, procedures, and roles.
• Quick Detection & Containment – Ensures threats are identified and stopped early.
• Reduces Business Impact – Minimizes downtime, data loss, and financial damage.
• Supports Legal Compliance – Helps meet standards like GDPR, HIPAA.
• Post-Incident Learning – Encourages review and improvement after resolution.
It builds resilience and helps organizations stay secure and prepared for evolving threats.
2. Name any two common types of security incidents.
Answer:
Security incidents are events that breach information security and harm the confidentiality,
integrity, or availability of data.
• Phishing Attacks – Deceptive messages designed to steal credentials or trick users into
downloading malware.
• Malware Infections – Harmful software like ransomware or trojans that damage systems
or steal information.
These incidents often require immediate detection, containment, and remediation to prevent
widespread damage.
3. What is the goal of incident management?
Answer:
The goal of incident management is to ensure timely identification, resolution, and learning
from unexpected disruptions.
• Maintain Service Availability – Restore affected systems as quickly as possible.
• Reduce Impact – Minimize financial loss, downtime, and data breaches.
• Support End Users – Provide quick fixes for user-reported issues.
• Enable Future Prevention – Improve response and detection through post-incident analysis.
It helps protect organizational assets and maintain customer trust during crises.
4. What are the four phases of the Incident Response Lifecycle?
Answer:
The Incident Response Lifecycle provides a stepwise method for addressing cybersecurity
incidents effectively.
• Preparation – Develop policies, assign roles, and train teams before incidents
occur.
• Detection & Analysis – Identify suspicious activities, confirm incidents, and
assess impact.
• Containment, Eradication, Recovery – Isolate the threat, eliminate root causes,
and restore systems.
• Post-Incident Activity – Review the response, identify gaps, and update plans.
These stages ensure a complete and repeatable incident handling process.
5. Mention any three common attack vectors and explain them briefly.
Answer:
Attack vectors are techniques used by attackers to exploit systems and gain unauthorized
access.
• Phishing Emails – Trick users into clicking malicious links or attachments.
• Unpatched Software – Exploits outdated software vulnerabilities to gain access.
• Insider Threats – Malicious or negligent insiders misuse access to cause harm.
• Weak Passwords – Easily guessed credentials that lead to unauthorized logins.
• Social Engineering – Manipulates human behavior to gain sensitive
information.
Awareness of these vectors is critical to implementing strong defense mechanisms.
6. What is the primary objective of IT incident management?
Answer:
IT incident management aims to restore normal service operation with minimal business
disruption.
• Timely Detection & Resolution – Quickly identify and fix issues.
• Maintain System Uptime – Prevent prolonged downtimes or outages.
• Enhance User Experience – Reduce delays and improve response to user problems.
• Reduce Operational Risk – Contain potential threats before they escalate.
• Support Learning – Analyze root causes and update incident handling processes.
It ensures reliability, efficiency, and service quality across IT environments.
7. What makes an event different from an incident?
Answer:
While both are observable occurrences in IT systems, their impact and response differ
significantly.
• Event – Routine or minor activity, such as a login or file access, often harmless.
• Incident – Adverse event breaching security, like unauthorized access or malware.
• Severity & Urgency – Incidents require immediate action; events may not.
• Response Requirements – Incidents activate formal response procedures.
• Examples – A login is an event; a DDoS attack is an incident.
This distinction helps prioritize response efforts effectively.
Q.3 Short Answer Type Questions
1. Explain the difference between an event, an incident, and a disaster.
Answer:
In Cybersecurity Incident Response Management (CSIRM), distinguishing between an
event, an incident, and a disaster is essential for prioritizing actions and allocating
appropriate responses.
• Event – Any observable occurrence in a system or network, such as user login,
system reboot, or access to a file. Events are often harmless and recorded for auditing
or monitoring purposes.
• Incident – A security event that negatively impacts confidentiality, integrity, or
availability of information or systems. Examples include malware infections, data
breaches, or unauthorized access. Incidents require immediate attention and response.
• Disaster – A high-impact event causing major disruptions to business operations,
requiring full-scale recovery efforts. Examples include data center fires, ransomware
attacks on multiple systems, or natural disasters impacting IT infrastructure.
• Severity & Response – Events are logged; incidents require mitigation; disasters
require recovery and continuity plans.
• Impact Scope – Events are limited in scope, incidents affect security posture, while
disasters cause widespread operational and financial damage.
Understanding the distinction enables timely, proportionate, and effective responses to
maintain operational resilience.
2. What are the key steps involved in handling a cybersecurity incident?
Answer:
Handling a cybersecurity incident effectively requires following a structured, step-by-step
approach that ensures minimal disruption and rapid recovery.
The key steps are based on the NIST Incident Response Lifecycle.
• Identification – Detect the threat using tools like SIEMs, IDS, or user reports and
verify if it’s a legitimate incident.
• Classification & Prioritization – Determine the severity, affected assets, and urgency
to prioritize actions.
• Notification & Communication – Alert internal stakeholders (IT, management, legal)
and external bodies (regulators, CERT, law enforcement) if required.
• Containment – Stop the spread by isolating affected systems, blocking malicious
traffic, or revoking access.
• Eradication – Remove the root cause by deleting malware, patching vulnerabilities, or
disabling compromised accounts.
• Recovery – Restore systems and services using clean backups, validate their integrity,
and monitor for any recurring signs.
• Post-Incident Review – Document actions taken, identify what worked or failed, and
update policies or training to avoid recurrence.
Each step is vital to reducing damage, restoring trust, and strengthening organizational
security posture.
3. How does incident management help reduce the impact of cybersecurity threats
in an organization?
Answer:
Incident management is a proactive and organized process to detect, assess, and respond to
cybersecurity threats, helping minimize their impact on an organization’s operations, data,
and reputation.
• Early Detection – By continuously monitoring networks and systems, potential
threats are identified before they escalate.
• Rapid Containment – Immediate action is taken to stop the spread of malware or data
breaches, limiting further damage.
• Minimized Downtime – Ensures critical services are restored quickly, reducing
business disruption and financial loss.
• Preservation of Data Integrity – Helps protect sensitive information from being
altered, lost, or stolen.
• Post-Incident Learning – Teams analyze the root cause and revise security measures
to prevent future incidents.
• Regulatory Compliance – Timely and documented response ensures compliance with
standards like GDPR or HIPAA.
• Stakeholder Confidence – A well-handled incident enhances customer and partner
trust in the organization's resilience.
Incident management transforms chaos into control, allowing organizations to defend
against threats while ensuring business continuity and compliance.
4. Why is a cybersecurity policy important, and what are its key features?
Answer:
A cybersecurity policy is a high-level document that outlines an organization’s strategy and
commitment toward managing and responding to cybersecurity threats. It acts as a
foundational guide for incident response, compliance, and employee behavior.
• Strategic Direction – Defines the organization's security objectives and its approach
to protecting systems and data.
• Roles & Responsibilities – Clearly assigns duties to individuals and teams during
incidents and routine security operations.
• Regulatory Compliance – Aligns the organization’s practices with legal frameworks
like GDPR, HIPAA, and ISO standards.
• Access Control & Acceptable Use – Sets rules for using systems, managing access
rights, and protecting sensitive information.
• Incident Reporting & Response – Provides guidelines on how and when incidents
should be reported and managed.
• Approval by Leadership – Ensures policy enforcement through endorsement by top
management.
A well-crafted cybersecurity policy enhances organizational resilience, ensures
accountability, and builds a security-aware culture.
5. What is the goal of the Detection and Analysis phase in the IR lifecycle?
Answer:
The Detection and Analysis phase of the Incident Response (IR) lifecycle is focused on
identifying and understanding cybersecurity threats as early and accurately as possible.
It helps in verifying if an event is an actual incident and estimating its scope.
• Threat Identification – Detect unusual activity or known attack patterns using tools
like SIEM, IDS/IPS, and antivirus software.
• Incident Verification – Analyze logs, alerts, and system behavior to confirm the
legitimacy of the threat.
• Scope and Severity Assessment – Determine which systems are affected and how
critical the incident is.
• Timely Escalation – Notify relevant stakeholders and escalate the issue based on
classification and potential impact.
• Data Collection – Gather forensic data, traffic logs, and user activity to support
further investigation and correlation.
The phase aims to provide accurate situational awareness, enabling faster and more effective
response to minimize harm.
6. How does a procedure differ from a plan in CSIRM, and why is it necessary?
Answer:
In CSIRM, both plans and procedures are essential but serve different functions in incident
response. While a plan provides an overall strategy, a procedure offers step-by-step
instructions for executing that plan.
• Plan – A broad, strategic document outlining what to do when an incident occurs,
including the phases of preparation, detection, containment, and recovery.
• Procedure – A detailed, technical guide explaining exactly how to perform specific
actions like isolating a server or resetting credentials.
• Audience Difference – Plans are for management and coordination teams; procedures
are for IT and technical staff.
• Clarity and Repeatability – Procedures ensure repeatable, accurate, and fast execution
under pressure.
• Bridges Strategy to Action – Converts high-level planning into actionable tasks that
teams can immediately follow.
Having both is necessary for consistent, efficient incident response and for ensuring all team
members know exactly what to do in real-world situations.
7. Why is media communication important during a cybersecurity incident, and
how should it be handled?
Answer:
Media communication plays a crucial role during a cybersecurity incident as it shapes public
perception, preserves organizational reputation, and ensures transparency with stakeholders.
• Controls the Narrative – Helps prevent misinformation or panic by delivering
accurate updates through authorized spokespersons.
• Maintains Trust – Open, timely communication builds customer and partner
confidence during crises.
• Regulatory Compliance – Some incidents, like data breaches, require public
disclosure under laws like GDPR.
• Prevents Rumors – Proactive media updates reduce speculation and maintain
organizational credibility.
• Crisis Communication Strategy – Should include pre-approved templates, a trained
PR team, and coordination with legal advisors.
• Key Practices – Share only verified facts, avoid technical jargon, express empathy,
and commit to transparency.
Effective media communication ensures clarity, credibility, and control during incidents—
safeguarding not just systems, but reputation and stakeholder relationships.
Q.4 Long Answer Type Questions
1. Explain the importance of Cybersecurity Incident Response Management
(CSIRM) in modern organizations.
Answer:
Cybersecurity Incident Response Management (CSIRM):
• In today’s interconnected digital landscape, modern organizations rely heavily on IT
infrastructure, cloud services, and sensitive data.
• With the rise in cyber threats such as ransomware, phishing, and insider attacks, the
ability to detect, respond to, and recover from cybersecurity incidents has become
crucial.
• Cybersecurity Incident Response Management (CSIRM) is a structured approach
that ensures such incidents are addressed quickly and efficiently, minimizing
disruption and ensuring business continuity.
• It is essential not only for operational resilience but also for regulatory compliance
and stakeholder trust.
Importance of Cybersecurity Incident Response Management (CSIRM):
• Minimizes Financial and Operational Impact – CSIRM helps reduce downtime, data
loss, and recovery costs by allowing timely containment and resolution of threats.
For example, rapid response to a ransomware attack can prevent full encryption of
corporate databases and reduce financial losses.
• Supports Legal and Regulatory Compliance – Regulations such as GDPR, HIPAA,
and PCI-DSS mandate timely breach reporting and data protection. CSIRM ensures
organizations can meet these requirements and avoid legal penalties.
• Preserves Brand Reputation and Customer Trust – Transparent and professional
handling of incidents, especially breaches involving customer data, can help retain
trust. Companies like Target and Equifax faced long-term reputational damage due
to delayed or poorly managed responses.
• Improves Incident Readiness – CSIRM involves ongoing preparation through
training, simulated attacks, and risk assessments. These actions ensure teams are not
caught off guard when real incidents occur.
• Enables Forensic Investigation and Continuous Improvement – Incident response
processes include log analysis, data collection, and evidence preservation which aid
digital forensics. This information helps in understanding attacker behavior and
updating defense strategies.
Cybersecurity Incident Response Management is no longer optional—it's a strategic
necessity. It empowers organizations to detect and mitigate threats swiftly, fulfill legal
obligations, and preserve business integrity in the face of growing cyber risks.
2. Differentiate between Events, Incidents, and Disasters with examples.
Answer:
In cybersecurity, distinguishing between events, incidents, and disasters is essential for
determining the appropriate level of response.
Each term describes a different type of occurrence in IT systems, with varying levels of
severity and impact.
Proper classification ensures resources are allocated effectively and appropriate recovery
plans are activated.
• Event – An event is any observable occurrence in a system or network, and not all
events are harmful. Examples include a user logging into a system, system reboot, or
a scheduled software update. These are logged for auditing but typically require no
action.
• Incident – An incident is a security event that compromises the confidentiality,
integrity, or availability of information. For example, malware infection,
unauthorized access, or a phishing attack leading to credential theft are considered
incidents. These require immediate response to prevent further damage.
• Disaster – A disaster is a large-scale event that causes widespread disruption and
requires the activation of a disaster recovery or business continuity plan. Examples
include a fire in a data center, a ransomware attack that encrypts entire systems, or a
major DDoS attack. Disasters affect core operations and demand coordinated efforts
across teams.
Severity and Response:
• Events may not need intervention, incidents trigger incident response teams, while
disasters activate full-scale crisis management and recovery processes.
Understanding the difference between events, incidents, and disasters helps organizations
manage security effectively. Events are routine and monitored, incidents are harmful and
demand containment, while disasters require strategic, organization-wide recovery efforts.
3. Explain in detail the roles of Policy, Plan, and Procedure in a CSIRM framework.
Answer:
A strong CSIRM framework is built on three key components: policy, plan, and procedure.
These elements form the foundation for how organizations manage cybersecurity incidents.
While often used interchangeably, each serves a distinct role—from defining governance, to
outlining strategy, to detailing technical execution. Together, they ensure incidents are
handled consistently and efficiently.
• Policy – The policy is a high-level document that outlines the organization’s
commitment to cybersecurity and defines the scope, objectives, roles, and
responsibilities. It is approved by senior management and sets the strategic direction.
For example, a policy may mandate that all security incidents must be reported
within 30 minutes of detection.
• Plan – The incident response plan is a tactical document that provides step-by-step
guidance for responding to an incident. It aligns with the NIST lifecycle:
preparation, detection, containment, eradication, recovery, and lessons learned. It
also includes escalation paths, communication strategies, and stakeholder roles. The
plan ensures that everyone knows what to do during an actual incident.
• Procedure – A procedure is the most technical and detailed component, designed for
IT staff and responders. It explains exactly how to perform specific tasks such as
isolating a compromised server, collecting log files, or restoring systems from
backup. For example, a procedure might specify firewall rules to block malicious IPs
during containment.
• Importance of Integration – These three components work together: the policy
defines the ‘what’, the plan defines the ‘how’, and the procedure defines the ‘exactly
how’. Without alignment, the incident response effort may be inconsistent or
ineffective.
In CSIRM, policy, plan, and procedure form a hierarchical structure that transforms
strategic goals into operational actions. A clear policy sets direction, a well-crafted plan
organizes the response, and detailed procedures enable precise execution.
4. Discuss the Incident Response Lifecycle. Describe each phase with examples and
explain why following this structure helps manage incidents more effectively.
Answer:
The Incident Response Lifecycle is a structured approach to managing cybersecurity threats
and attacks. Defined by NIST, it helps organizations detect, respond to, and recover from
incidents systematically.
This model ensures consistency, improves efficiency, and reduces the impact of incidents
across people, processes, and technology.
Phases of Incident Response Lifecycle:
• Preparation – This phase involves building the foundation for incident response by
setting up tools, policies, response teams, and communication plans. For example,
training staff on how to recognize phishing emails and preparing a response toolkit
improves organizational readiness.
• Detection and Analysis – Incidents are identified through monitoring systems, log
analysis, or user reports. Tools like SIEM (e.g., Splunk) or IDS (e.g., Snort) help
detect suspicious behavior. For example, repeated failed logins from a foreign IP
might trigger an alert indicating a brute-force attack.
• Containment, Eradication, and Recovery – Once an incident is confirmed, immediate
action is taken to isolate the threat, remove it, and restore systems. Containment may
involve disconnecting infected systems; eradication includes deleting malware;
recovery uses clean backups to restore services.
• Post-Incident Activity – This phase focuses on learning from the incident. A detailed
review is conducted to assess what went wrong, what worked, and how processes
can improve. For example, after a ransomware attack, the team might identify the
need for multi-factor authentication or better backup procedures.
Importance of Following the Lifecycle:
• By following these phases, organizations can act quickly and consistently.
• It also ensures that incidents are documented, lessons are learned, and future risks
are mitigated.
• This structure helps improve overall cybersecurity posture while supporting
compliance and forensic readiness.
The Incident Response Lifecycle provides a logical, step-by-step path to managing cyber
threats. From preparation to post-incident review, each phase adds value and ensures that
incidents are handled efficiently and professionally.
5. How can poor communication or lack of planning during an incident affect an
organization’s response and reputation?
Answer:
During a cybersecurity incident, clear communication and prior planning are essential to
contain damage, coordinate actions, and maintain public trust.
Without these elements, even a technically sound response can fail. Poor coordination may
lead to delays, data loss, legal issues, and reputational harm that can take years to rebuild.
• Lack of Coordination Among Teams – If roles and responsibilities are unclear,
response teams may duplicate efforts or overlook critical steps. For example, if IT
and legal teams aren't aligned, sensitive breach notifications may be delayed or
mishandled.
• Delayed Incident Containment – Without a defined plan, teams may waste valuable
time deciding on containment actions. For instance, a malware-infected server might
remain online longer than necessary, increasing the spread of the attack.
• Inconsistent External Messaging – Poor communication with the media or public can
result in panic, misinformation, or loss of trust. In past breaches (e.g., Equifax,
2017), delayed disclosures and vague messaging damaged public perception
severely.
• Regulatory Non-Compliance – Organizations may miss legal deadlines for breach
reporting if planning is weak. This can lead to heavy penalties under laws like GDPR
or HIPAA.
• Loss of Customer and Stakeholder Confidence – If customers learn about an incident
through third-party sources or social media instead of the organization itself, it may
erode trust and lead to churn.
Cybersecurity incidents are high-stakes situations where poor planning or weak
communication can amplify damage. A well-documented communication strategy and a
tested incident response plan ensure faster resolution, protect reputation, and demonstrate
the organization’s maturity and responsibility in handling crises.
6. Describe the Incident Response Lifecycle in detail. Explain each phase with key
activities and its importance.
Answer:
The Incident Response Lifecycle, as outlined by NIST, is a structured process comprising
four core phases: Preparation; Detection and Analysis; Containment, Eradication, and
Recovery; and Post-Incident Activity.
This lifecycle enables organizations to manage threats efficiently while minimizing
operational, financial, and reputational damage.
It also supports continuous improvement and compliance with cybersecurity standards.
• Preparation – This phase focuses on setting up resources, policies, training, and
technologies. Key activities include defining roles, forming Incident Response
Teams (IRT), conducting tabletop exercises, and ensuring secure communication
channels. Preparation ensures that the organization is not caught off guard when an
incident occurs.
• Detection and Analysis – During this phase, incidents are identified through
monitoring tools, log analysis, and user alerts. Analysts investigate the nature, origin,
and scope of potential threats. Tools like SIEM (Splunk), IDS/IPS (Suricata), and
EDR solutions are used here. Accurate detection ensures timely response and
prevents escalation.
• Containment, Eradication, and Recovery – In this phase, the threat is isolated, the
root cause is removed, and systems are restored. Containment may involve
disconnecting affected networks; eradication might include removing malicious code
or disabling compromised accounts; recovery includes system restoration and
monitoring for reinfection.
• Post-Incident Activity – This phase focuses on documenting the incident, conducting
a post-mortem review, and improving future response plans. Activities include
updating policies, sharing lessons learned, and archiving forensic evidence for legal
purposes or internal audits.
• Continuous Improvement – Across all phases, incident handling must evolve with
new threats. Feedback loops, updated training, and refinement of detection tools help
organizations stay resilient.
The Incident Response Lifecycle ensures a consistent, proactive approach to managing
security breaches. Each phase contributes to reducing risk, accelerating recovery, and
enhancing security posture.
7. What are the common attack vectors used in cyberattacks? Describe at least five
with examples.
Answer:
An attack vector refers to the method or pathway used by cybercriminals to gain
unauthorized access to systems, networks, or data.
Understanding these vectors is essential for identifying vulnerabilities, strengthening
defenses, and developing proactive response strategies in Cybersecurity Incident Response
Management (CSIRM).
Attack vectors exploit human behavior, software weaknesses, or misconfigurations to
initiate a security breach.
• Phishing Emails – Attackers send deceptive emails impersonating trusted sources to
trick users into clicking malicious links or sharing sensitive data. For example, a fake
"bank account verification" email may lead to credential theft or malware
installation.
• Unpatched Software – Cybercriminals exploit known vulnerabilities in outdated
software to gain access or execute code remotely. A famous example is the
WannaCry ransomware attack, which targeted unpatched Windows systems using
the EternalBlue exploit.
• Malicious Insider Threats – Employees or contractors with access to systems
intentionally or accidentally cause harm. For example, a disgruntled employee might
leak confidential data to a competitor, bypassing external security measures.
• Social Engineering – Attackers manipulate individuals into performing actions that
compromise security. A common example is pretexting, where a person pretends to
be IT support and convinces an employee to share login credentials.
• Removable Media (USB Drives) – Attackers use infected USB drives to spread
malware when inserted into systems. The “Stuxnet” worm is a real-world example
that spread via USB drives and targeted Iran’s nuclear program.
• Drive-by Downloads – Malicious websites automatically download and install
malware on a user's device when they visit the site. Users don’t need to click
anything; the infection begins silently.
Recognizing common attack vectors enables organizations to implement targeted controls
like employee training, patch management, and endpoint protection. In CSIRM, this
knowledge supports better detection, response, and forensic investigation, ultimately
reducing the success rate of cyberattacks.
8. Explain the tools and techniques used in the Detection and Analysis phase. How
do they help in identifying incidents?
Answer:
The Detection and Analysis phase is crucial in the Incident Response Lifecycle as it helps
identify potential cybersecurity incidents quickly and accurately.
This phase relies on a combination of automated tools and manual investigation to monitor
system behavior, correlate events, and validate threats.
Accurate detection reduces response time, limits damage, and enables effective
containment.
• Intrusion Detection Systems (IDS) – IDS tools such as Snort or Suricata monitor
network traffic for suspicious patterns. They alert administrators when they detect
anomalies, such as unauthorized access attempts or known attack signatures.
• Security Information and Event Management (SIEM) – SIEM platforms like Splunk
or IBM QRadar aggregate log data from multiple sources and apply correlation rules
to detect complex attack patterns. For example, multiple failed login attempts
followed by a successful login from an unusual IP could trigger an alert.
• Endpoint Detection and Response (EDR) – Tools like CrowdStrike or SentinelOne
monitor endpoints for malicious activity and provide deep forensic capabilities. They
can track attacker behavior, file access, and lateral movement across systems.
• Network Monitoring Tools – Tools like Wireshark or NetFlow analyzers capture and
examine network traffic. This helps identify data exfiltration, port scanning, or
unauthorized external communication.
• Log Analyzers – These tools help parse system, application, and firewall logs to
detect unauthorized actions or system anomalies. For instance, analyzing access logs
may reveal repeated login attempts from blacklisted regions.
• Threat Intelligence Feeds – Integrating external data sources allows teams to
compare internal alerts with known threat indicators such as malicious IPs, domains,
or hashes.
The tools and techniques used in the Detection and Analysis phase provide real-time
visibility, threat intelligence, and context, allowing teams to identify incidents accurately
and respond efficiently.
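The SIEM correlation rule described above (several failed logins followed by a successful login from an unusual IP) and the brute-force indicator mentioned under Detection and Analysis in Q.4.4 (repeated failed logins from one source IP), written out as an added example over constructed log lines; this is not code from the assignment, and the log format, the KNOWN_IPS baseline and the thresholds are assumptions made for illustration.

```python
"""Toy SIEM-style correlation over authentication log lines (added example).

Two rules from the text are implemented:
  * brute_force: at least FAIL_THRESHOLD failures from one source IP inside
    a sliding time window;
  * fail_then_success_unusual_ip: a burst of failures for an account followed
    by a successful login from an IP outside that account's usual set.
The log format "timestamp user RESULT src_ip" is an assumption for this example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed sample log lines (not real data) in the assumed format.
SAMPLE_LOG = """\
2024-05-01T09:00:01 alice FAIL 198.51.100.23
2024-05-01T09:00:04 alice FAIL 198.51.100.23
2024-05-01T09:00:07 alice FAIL 198.51.100.23
2024-05-01T09:00:09 alice FAIL 198.51.100.23
2024-05-01T09:00:12 alice FAIL 198.51.100.23
2024-05-01T09:00:20 alice SUCCESS 198.51.100.23
2024-05-01T09:05:00 bob SUCCESS 10.0.0.5
2024-05-01T09:06:00 carol FAIL 10.0.0.7
2024-05-01T09:45:00 carol SUCCESS 10.0.0.7
"""

# Assumed baseline of "usual" source IPs per account; a real SIEM would
# derive this from login history rather than a hard-coded table.
KNOWN_IPS = {"alice": {"10.0.0.4"}, "bob": {"10.0.0.5"}, "carol": {"10.0.0.7"}}

LINE_RE = re.compile(r"^(\S+) (\S+) (FAIL|SUCCESS) (\S+)$")


@dataclass(frozen=True)
class Alert:
    rule: str
    subject: str   # the account or source IP the alert is about
    evidence: str


def parse_line(line):
    """Return (timestamp, user, result, ip) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, result, ip = m.groups()
    return datetime.fromisoformat(ts), user, result, ip


def correlate(log_text, known_ips, fail_threshold=5, window=timedelta(minutes=2)):
    """Run both correlation rules over the log text and return the alerts raised."""
    alerts = []
    fails_by_ip = defaultdict(deque)    # src ip -> timestamps of recent failures
    fails_by_user = defaultdict(deque)  # account -> timestamps of recent failures
    flagged_ips = set()                 # avoid re-alerting on the same source

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue            # skip malformed lines instead of crashing the pipeline
        ts, user, result, ip = rec

        # Drop failures that have fallen out of the sliding window.
        for recent in (fails_by_ip[ip], fails_by_user[user]):
            while recent and ts - recent[0] > window:
                recent.popleft()

        if result == "FAIL":
            fails_by_ip[ip].append(ts)
            fails_by_user[user].append(ts)
            if len(fails_by_ip[ip]) >= fail_threshold and ip not in flagged_ips:
                flagged_ips.add(ip)
                alerts.append(Alert("brute_force", ip,
                                    f"{len(fails_by_ip[ip])} failures within {window}"))
        else:
            # A success after a burst of failures is only suspicious when the
            # source is not one the account normally logs in from.
            recent_fails = len(fails_by_user[user])
            if recent_fails >= fail_threshold and ip not in known_ips.get(user, set()):
                alerts.append(Alert("fail_then_success_unusual_ip", user,
                                    f"{recent_fails} failures then success from {ip}"))
            fails_by_user[user].clear()
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG, KNOWN_IPS):
        print(alert)
```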