[21] First Response to Security Incidents

By: Prasanna

📘 Topic: First Response to Security Incidents

Domain: D7 – Security Operations
Tags: #cissp


🧾 Definition

First responders act quickly to contain impact, preserve evidence, and support incident handling during a security event. Their actions strongly affect both the quality of the subsequent investigation and the severity of the operational damage.


🔑 Key Points

  • Initial steps include triage, containment, and communication.
  • Preserve evidence; avoid changes that destroy forensic value (for example, powering off a host and losing volatile memory) unless containment requires them.
  • Follow established incident response procedures and escalate appropriately.
  • Document actions, timelines, and affected systems.

โš ๏ธ CISSP Insight

  • The first minutes of an incident are critical; rushed actions can worsen the situation or create legal issues.
  • Response must balance containment, evidence preservation, and business continuity.

โš”๏ธ Key Difference / Trap

  • Containment vs eradication
    • Containment limits spread and impact
    • Eradication removes the root cause
  • Shutting down a host immediately is not always the right first step
    • Evidence preservation (volatile memory, active connections, running processes) may matter more in some cases; network isolation often contains the threat while keeping that evidence intact

๐Ÿ—๏ธ Example

A suspicious endpoint is isolated from the network (rather than powered off), screenshots and logs are captured and time-stamped, and the incident handler is notified for deeper analysis.


📚 References

  • NIST SP 800-61, Computer Security Incident Handling Guide
  • ISO/IEC 27035, Information security incident management
  • NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident Response

๐Ÿ” Quick Recall

  • First response = contain + preserve + escalate