Weekly CISSP Practice

Week 13 - Question 1

Which of these is NOT a part of incident response?

A.  Preparation

B.  Eradication

C.  Containment

D.  Escalation

Correct Answer:  D

Explanation:

A. Preparation

Preparation is the foundational phase of incident response. It is a proactive stage where the organization builds the capability to respond to a breach before one actually occurs.

The Elements: This includes writing the Incident Response Plan (IRP), forming the CSIRT (Computer Security Incident Response Team), establishing communication channels, and procuring forensic software and hardware.

The Goal: Without this phase, the response to a crisis would be disorganized, leading to increased downtime and potential loss of evidence.

B. Eradication

Eradication is the phase where the "root cause" of the incident is eliminated from the environment.

The Process: After the threat has been contained, the security team must find and remove all traces of the attacker. This includes deleting malware, disabling compromised user accounts, and patching the vulnerabilities that were exploited.

The Distinction: While containment stops the immediate spread, eradication ensures the attacker cannot simply use a secondary backdoor to return.

C. Containment

Containment is often the most critical phase for a security professional. Its primary goal is to "stop the bleeding."

The Strategy: It involves isolating affected systems to prevent the incident from spreading to other parts of the network. This can be achieved through segmentation (moving a server to a quarantined VLAN) or physical isolation (disconnecting a machine from the network).

The Trade-off: Security teams must balance the need to stop the damage with the need to preserve evidence for the eventual investigation.

D. Escalation

Escalation is a procedural task rather than a distinct phase of the IR lifecycle.

Why it's the Answer: While you will certainly "escalate" an incident (notifying the C-Suite, Legal, or senior technical experts), it is a sub-activity that can happen during any of the other phases. For example, you might escalate during "Detection" because a threat is too complex, or during "Containment" because it requires a business-critical system to be taken offline.

The Standard Model: The official NIST phases are: Preparation → Detection & Analysis → Containment, Eradication & Recovery → Post-Incident Activity. Escalation is part of the "Detection & Analysis" and "Containment" workflows, but it is not a standalone phase.

Key Takeaway for the CISSP Exam

  • Phase vs. Action: In the CISSP mindset, always look for the "NIST Six" or the "SANS Six." If a term describes a specific action (like Escalation, Logging, or Scripting), it is likely a task within a phase, not the phase itself.
