CCNA CyberOps SECOPS – Objective 5.3

Define these activities as they relate to incident handling

Implementing Cisco Cybersecurity Operations (210-255)


Continuous monitoring of the environment by the SOC allows for identification of true positive incidents. This monitoring can come from multiple sources including IPS/IDS, Firewalls, Endpoint Agents and the SIEM. Once detected and confirmed the incident is sent to the Incident Response Team.


The IRT takes all identified incidents and analyzes them to determine their scope. Scoping the incident involves answering several questions:

  • What systems are affected?
  • Where did the incident originate from?
  • What tools or attacks are being used?
  • What vulnerabilities are being exploited?

The answers will help the team to prioritize the incident.


The IRT must decide how to contain the incident. This containment strategy depends on the scope of the attack, the type of attack and the severity of the threat. Other factors for containment include the cost of the containment and the resources needed.


Once the incident is contained, the team can focus on eradication and recovery. The systems affected and their data will need to be restored from backups. The systems themselves may need to be retained as digital evidence for any further criminal investigation.

Lesson-Based Hardening

Also known as the lessons learned phase. During this phase lessons learned during the response are evaluated. These can be lessons learned about the attack itself or about how the response was handled. Attack lessons can be turned into new patches and hardening of systems. Response lessons should be integrated into the incident response plan for future incidents.


Reporting is done within the incident response as well as at the end. Depending on the plan, pre-defined communications to stakeholders like C-Level, HR, and PR happen during the incident. After the incident reporting may include regulatory reporting as well as the internal stakeholders.