CS0-004 · Page 4 of 5 · Launches June 23, 2026

CompTIA CySA+ CS0-004 — Incident Response & Management

IR frameworks, Cyber Kill Chain, MITRE ATT&CK, Diamond Model, IR lifecycle, digital forensics, and tabletop exercises — the complete 24% domain.

At a glance:

  • 24% domain weight
  • ~20 exam questions
  • 4 NIST IR phases
  • 7 Kill Chain phases
Domain Overview
Incident Response & Management is 24% of the CS0-004 exam — approximately 20 questions.

This domain covers understanding and applying IR frameworks, executing the full incident lifecycle from preparation through post-incident review, applying forensic best practices, and building IR readiness through exercises and planning.

Topics: IR Frameworks · Cyber Kill Chain · MITRE ATT&CK · IR Lifecycle · Digital Forensics · IR Readiness

🗺️ Frameworks

  • NIST SP 800-61r2 — 4 phases
  • SANS PICERL — 6 phases
  • Cyber Kill Chain — 7 phases
  • Diamond Model — 4 vertices

🔄 IR Lifecycle

  • Preparation, Detection, Analysis
  • Containment strategies
  • Eradication and recovery
  • Post-incident activities and RCA

🔬 Digital Forensics

  • Evidence collection and chain of custody
  • Write blockers and forensic images
  • Memory forensics (Volatility)
  • Order of volatility

🛡️ IR Readiness

  • IR plans and playbooks/runbooks
  • Tabletop exercises
  • BCP/DRP alignment
  • IR team roles and responsibilities
Key Concepts
Seven sections covering every exam-tested topic.
HOT · NIST SP 800-61r2 & SANS PICERL

NIST SP 800-61r2 defines the authoritative IR lifecycle used most commonly on the CS0-004 exam:

  • Phase 1 — Preparation: Building IR capability before incidents occur. Includes: IR policy and plan, IR team (CSIRT), communication plan, tools (forensic workstations, write blockers, IR toolkit), playbooks for known incident types, training, and tabletop exercises.
  • Phase 2 — Detection and Analysis: Identifying that an incident has occurred and understanding its scope. Includes: alert triage, log analysis, indicator correlation, incident declaration criteria, severity classification, and scope determination.
  • Phase 3 — Containment, Eradication, and Recovery:
    • Containment: Stop the bleeding — network isolation, account disablement, blocking C2 domains. Short-term (immediate isolation) vs. long-term (hardening, patching).
    • Eradication: Remove the threat — delete malware, close attacker access (backdoors, rogue accounts), identify root cause.
    • Recovery: Restore to normal operations — restore from clean backups, verify integrity, monitor closely for reinfection.
  • Phase 4 — Post-Incident Activity: Lessons learned meeting, root cause analysis (RCA), evidence retention, process improvements, and reporting.

SANS PICERL: Preparation → Identification → Containment → Eradication → Recovery → Lessons Learned. Functionally similar to NIST — same lifecycle, different naming convention.

📌 NIST uses 4 phases; SANS uses 6. For the exam, know both but focus on NIST's language. "Post-Incident Activity" is NIST's term; "Lessons Learned" is SANS's. Be aware that NIST released SP 800-61 Revision 3 in 2025, which reorganizes incident response around the CSF 2.0 functions rather than the four-phase lifecycle; the r2 lifecycle above is still the model this page and most exam material use.
HOT · Cyber Kill Chain (7 Phases)

Lockheed Martin's Intrusion Kill Chain describes the phases of a targeted cyberattack. Defenders can disrupt the attack at any phase.

1
Reconnaissance — Passive (OSINT, social media, WHOIS) or active (scanning) information gathering about the target. Defenders: monitor for scanning, limit public information exposure.
2
Weaponization — Attacker pairs an exploit with a payload (e.g., a PDF exploit carrying a RAT). This happens on the attacker's side, so defenders cannot observe or block it directly; the defensive value comes afterward, from analyzing delivered malware to fingerprint the attacker's weaponizer and tooling.
3
Delivery — Transmitting the weapon to the target (phishing email, malicious USB, compromised website). Defenders: email security, web filtering, user awareness training.
4
Exploitation — Exploit triggers on target, executing code. Defenders: patch management, application allowlisting, sandboxing, user training (don't click).
5
Installation — Malware installs persistence mechanism (scheduled task, registry run key, service, backdoor). Defenders: EDR behavioral detection, application control.
6
Command & Control (C2) — Malware establishes outbound channel to attacker infrastructure. Defenders: outbound traffic monitoring, DNS filtering, web proxy, SIEM beaconing detection.
7
Actions on Objectives — Attacker achieves goal: data exfiltration, lateral movement, ransomware deployment, destruction. Defenders: DLP, micro-segmentation, enhanced monitoring, honeypots.
🚨 Key exam point: defenders can disrupt the kill chain at ANY phase. Earlier disruption (Reconnaissance, Delivery) is preferable because later phases (Actions on Objectives) mean the attacker has already achieved significant access.
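The "SIEM beaconing detection" control named under the C2 phase is worth seeing as logic rather than a phrase. The following Python is an added example, not code from the study page or from any SIEM product: it scans constructed firewall/proxy connection records and flags any (source, destination) pair that connects at nearly constant intervals, measured as the coefficient of variation (standard deviation divided by mean) of the gaps between connections. The log format, the addresses (RFC 5737 documentation ranges), the six-event minimum and the 0.1 threshold are all assumptions made for the illustration.

```python
"""Beacon detection over constructed firewall/proxy connection logs.

Added example for the C2 phase; not from the study page or any product.
A host that reaches the same destination on a near-fixed period is the
signature a beaconing rule looks for. Log format, addresses and the
thresholds below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample: "<RFC3339 time> <src ip> <dst ip:port>", deliberately out of order.
# 10.0.0.5 beacons every ~300 s; 10.0.0.7 is ordinary bursty browsing; 10.0.0.9 is too sparse to judge.
SAMPLE_LOG = """\
2026-03-01T10:00:00Z 10.0.0.5 203.0.113.10:443
2026-03-01T10:00:10Z 10.0.0.7 198.51.100.20:443
2026-03-01T10:00:12Z 10.0.0.7 198.51.100.20:443
2026-03-01T10:05:01Z 10.0.0.5 203.0.113.10:443
2026-03-01T10:02:00Z 10.0.0.9 192.0.2.8:80
2026-03-01T10:03:40Z 10.0.0.7 198.51.100.20:443
2026-03-01T10:09:59Z 10.0.0.5 203.0.113.10:443
2026-03-01T10:07:00Z 10.0.0.9 192.0.2.8:80
2026-03-01T10:11:05Z 10.0.0.7 198.51.100.20:443
2026-03-01T10:11:06Z 10.0.0.7 198.51.100.20:443
2026-03-01T10:15:00Z 10.0.0.5 203.0.113.10:443
2026-03-01T10:20:02Z 10.0.0.5 203.0.113.10:443
2026-03-01T10:24:58Z 10.0.0.5 203.0.113.10:443
2026-03-01T10:30:00Z 10.0.0.5 203.0.113.10:443
2026-03-01T10:40:00Z 10.0.0.7 198.51.100.20:443
2026-03-01T10:35:01Z 10.0.0.5 203.0.113.10:443
2026-03-01T10:41:15Z 10.0.0.7 198.51.100.20:443
2026-03-01T10:59:59Z 10.0.0.7 198.51.100.20:443
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Return {(src, dst): [epoch seconds, sorted]} from the constructed format."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or garbled lines rather than abort the hunt
        ts, src, dst = m.groups()
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        flows[(src, dst)].append(t.timestamp())
    for key in flows:
        flows[key].sort()  # logs are rarely delivered in time order
    return flows


def find_beacons(text, min_events=6, max_cv=0.1):
    """Flag pairs with >= min_events connections whose inter-connection gaps have stdev/mean <= max_cv."""
    hits = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_events:
            continue  # too few samples to call the timing regular
        gaps = [b - a for a, b in zip(times, times[1:])]
        mu = mean(gaps)
        if mu == 0:
            continue  # all events in the same second: a burst, not a beacon
        cv = pstdev(gaps) / mu
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "count": len(times),
                         "mean_interval_s": round(mu, 1), "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)  # the 10.0.0.5 -> 203.0.113.10:443 pair, ~300 s period
```

Real implants add jitter, so a production rule would run the same computation with a looser `max_cv` (0.3 is a common starting point) and a longer window. Legitimate periodic traffic (NTP, update checks, monitoring heartbeats) produces the same regularity, so the output is a triage queue for the analyst, and the follow-on action at the C2 phase is the DNS sinkhole or egress block described above, not automatic blocking of every hit.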
KEY · Diamond Model of Intrusion Analysis
  • Four vertices: Adversary (who), Capability (what tool/technique), Infrastructure (IP/domain/service used), Victim (who was targeted).
  • Purpose: Every intrusion event is represented as a diamond connecting these four vertices. The model is used for intelligence-driven analysis — understanding not just what happened technically but who did it and how their operations are connected.
  • Meta-features: Timestamp, phase (kill chain phase), result (success/failure/unknown), direction (e.g., victim-to-infrastructure, infrastructure-to-victim, bidirectional, unknown), methodology, resources.
  • Activity threading: Linking multiple diamond events over time to track campaign progression. If the same infrastructure appears in multiple events, they may be the same actor.
  • Difference from Kill Chain: Kill Chain describes the phases of attack. Diamond Model describes the relationships between attacker, tools, infrastructure, and targets — used for attribution and tracking campaigns across multiple victims.
KEY · Containment Strategies & IR Execution
  • Short-term containment: Immediate actions to stop the bleeding without major operational disruption — isolate the affected network segment, disable the compromised account, block the C2 domain at DNS/firewall. Capture volatile evidence (memory) before any step that would destroy it, and take a forensic image before rebuilding or reimaging.
  • Long-term containment: More permanent measures while maintaining operations — patch the exploited vulnerability, rebuild compromised systems from known-good images, change all credentials that could be compromised.
  • Network isolation vs. shutdown: Isolate (segment off) is usually preferred over shutdown — preserves evidence (memory, active connections) and avoids triggering additional malware behavior on shutdown. Full shutdown only if the system is causing active harm.
  • Eradication: After containment — remove malware, close all attacker access points (delete backdoor accounts, remove persistence mechanisms, revoke attacker-controlled certificates), validate no other systems are compromised.
  • Recovery: Restore systems from clean backups, verify integrity of restored systems, monitor closely for re-compromise in the days following recovery.
  • Incident categories: Know how to classify — ransomware (encryption + extortion), BEC (financial fraud via compromised account), insider threat (authorized user abusing access), APT (sophisticated persistent adversary), supply chain compromise (attack via trusted vendor).
HOT · Digital Forensics & Evidence Handling
  • Order of volatility: Collect evidence in order from most volatile (disappears quickly) to least volatile: CPU registers/cache → RAM/memory → Network connections → Running processes → Disk (files, logs) → Archival media. Always collect memory before disk.
  • Forensic imaging: Create a bit-for-bit (bitstream) copy of the original media using tools like dd, FTK Imager, or Magnet ACQUIRE. Never work on the original — work only on the forensic copy.
  • Write blockers: Hardware or software device that prevents any writes to the original evidence media during imaging. Ensures evidence integrity — no metadata changes, no overwriting of deleted files.
  • Hashing: Hash the original (SHA-256) before and after imaging. Hash the forensic copy. If hashes match, the copy is verified as identical. Document all hashes in chain of custody records.
  • Chain of custody: Documented record of every person who handled the evidence, when, and why. Required for legal admissibility. A broken chain (undocumented handling) can render evidence inadmissible in court.
  • Memory forensics: Capture RAM with tools like Magnet RAM Capture, WinPmem, or LiME (Linux). Analyze with the Volatility Framework. Volatility 2 commands: imageinfo (profile detection), pslist/pstree (running processes and their parent-child tree), netscan (network connections), malfind (injected code), dumpfiles (extract files from memory). Volatility 3 replaces profiles with symbol tables and prefixes plugins with the OS, e.g. windows.info, windows.pslist, windows.pstree, windows.netscan, windows.malfind, windows.dumpfiles; exam questions may use either naming.
  • Legal considerations: Maintain legal holds for relevant data (preservation notice), follow jurisdictional requirements for data retention and evidence collection, engage legal counsel before collection in sensitive situations.
🚨 Write blockers are non-negotiable in forensic investigations. Connecting a drive without a write blocker modifies metadata (access timestamps), potentially contaminating evidence and invalidating chain of custody.
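The imaging, hashing and chain-of-custody bullets above describe one procedure: hash the original, take a bit-for-bit copy, hash the original again, hash the copy, compare all three, and log every step against a named handler. The following Python is an added example of that bookkeeping; it is not from the study page and is not any forensic tool's code. A byte string stands in for the evidence media so it runs offline; in a real acquisition the bytes come from the device behind a write blocker via dd or FTK Imager, and only the hashing and logging logic carries over. The case ID, handler name and evidence labels are invented.

```python
"""Forensic image acquisition bookkeeping on a constructed sample 'device'.

Added example; not from the study page and not any forensic tool's code.
ORIGINAL_MEDIA stands in for the source drive. The sequence shown is the one
the page describes: hash original, image, re-hash original, hash image,
compare, and record each action in the chain of custody. Case ID, handler
and evidence labels are invented.
"""
import hashlib
import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone

# Constructed stand-in for the original media: 4 KiB of known content.
ORIGINAL_MEDIA = bytes(range(256)) * 16


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyRecord:
    handler: str
    action: str
    item: str
    sha256: str
    timestamp: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())


@dataclass
class EvidenceCase:
    case_id: str
    log: list = field(default_factory=list)

    def record(self, handler: str, action: str, item: str, digest: str) -> CustodyRecord:
        rec = CustodyRecord(handler, action, item, digest)
        self.log.append(rec)
        return rec


def acquire(case: EvidenceCase, handler: str, media: bytes) -> tuple:
    """Hash original, take a bit-for-bit copy, re-hash original, hash copy, compare all three."""
    pre = sha256_hex(media)
    case.record(handler, "hash-original-before-imaging", "EVID-001 (source drive)", pre)
    image = bytes(media)                      # stands in for: dd if=/dev/sdX of=EVID-001.dd
    post = sha256_hex(media)                  # proves imaging did not alter the source
    case.record(handler, "hash-original-after-imaging", "EVID-001 (source drive)", post)
    img = sha256_hex(image)
    case.record(handler, "hash-image", "EVID-001.dd", img)
    verified = pre == post == img
    case.record(handler, "verify-image", "EVID-001.dd", img if verified else "MISMATCH")
    return image, verified


def verify_image(image: bytes, expected_sha256: str) -> bool:
    """Run before every analysis session: the working copy must still match the recorded hash."""
    return sha256_hex(image) == expected_sha256


def custody_log_json(case: EvidenceCase) -> str:
    """Serialize the custody log for the case file."""
    return json.dumps([asdict(r) for r in case.log], indent=2)


if __name__ == "__main__":
    case = EvidenceCase("IR-2026-0042")
    image, ok = acquire(case, "analyst.a", ORIGINAL_MEDIA)
    print("image verified:", ok)
    tampered = bytearray(image)
    tampered[100] ^= 0xFF                     # a single flipped byte breaks verification
    print("tampered copy verifies:", verify_image(bytes(tampered), sha256_hex(ORIGINAL_MEDIA)))
    print(custody_log_json(case))
```

The second hash of the original is the step candidates most often drop; it is what demonstrates the imaging process itself did not write to the source. Re-running `verify_image` at the start of each session, and logging that as its own custody entry, is how the working copy stays defensible weeks later.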
IR Readiness: Plans, Playbooks & Exercises
  • Incident Response Plan (IRP): High-level document defining the organization's IR program — scope, team structure, escalation paths, legal/compliance requirements, communication procedures. Reviewed and updated annually or after significant incidents.
  • Playbooks/Runbooks: Tactical, step-by-step procedures for specific incident types (ransomware playbook, BEC playbook, data breach playbook). Standardize analyst responses, reduce decision time under pressure.
  • Tabletop exercises: Discussion-based simulation where IR team walks through a scenario (ransomware attack, insider threat) to test plan adequacy and team decision-making. No live systems involved. Identifies gaps in plans and communication without operational risk.
  • Functional exercises: Hands-on simulation using IR tools (SIEM, EDR) in a simulated environment. Tests technical capabilities, not just plan completeness.
  • Full-scale exercises: Full simulation involving all IR stakeholders (legal, PR, executive) responding to a realistic scenario in real-time.
  • BCP/DRP alignment: IR plans must integrate with Business Continuity Plans (BCP — how to keep operating during an incident) and Disaster Recovery Plans (DRP — how to restore IT systems after an incident). IR handles the security response; BCP/DRP handles operational continuity and system restoration.
  • Communication plan: Who notifies whom, when, and via what channel. Includes: internal escalation (SOC → management → legal → executives), external notification (law enforcement, regulators, affected customers), and media handling (designated spokesperson).
Post-Incident Activities & RCA
  • Lessons learned meeting: Held soon after resolution (NIST suggests within several days; two weeks is a common outer bound). All responders attend. Covers: what happened, what worked, what didn't, what should change. Output: improvement actions assigned to owners with deadlines.
  • Root Cause Analysis (RCA): Systematic process to identify the fundamental cause(s) of the incident — not just the symptoms. Methods: 5 Whys (ask why 5 times to drill down), Fishbone/Ishikawa diagram (categorize contributing causes). Goal: prevent recurrence, not assign blame.
  • Evidence retention: Keep forensic evidence for a defined period based on legal requirements (typically 1–3 years for security incidents, longer for criminal matters or litigation holds).
  • IR metrics: MTTD (Mean Time to Detect — time from compromise to alert), MTTR (Mean Time to Respond — time from alert to containment), MTTI (Mean Time to Identify — here, time from detection to root cause), number of incidents by severity, recurrence rate. Definitions vary by source: MTTR is also read as Mean Time to Recover or Remediate, and some reports use MTTI as a synonym for MTTD, so on the exam apply the definition the question supplies.
  • Process improvement: Update IRP, playbooks, detection rules, and training based on lessons learned. Close the loop so the same incident type doesn't repeat.
Study Checklist
  • Framework: List the 4 NIST SP 800-61 phases in order from memory
  • Framework: List the 6 SANS PICERL phases and map each to the equivalent NIST phase
  • Kill Chain: Write all 7 Kill Chain phases in order with a 1-sentence description of each
  • Kill Chain: Name 2 defensive controls that can disrupt each Kill Chain phase
  • Diamond Model: Explain the Diamond Model's 4 vertices and their purpose in attribution
  • IR Plan: Define the difference between an IR Plan, a Playbook, and a Runbook
  • IR Plan: Explain what a tabletop exercise tests and how it differs from a functional exercise
  • Containment: Describe short-term vs. long-term containment with examples
  • Containment: Explain why isolation is usually preferred over shutdown during an incident
  • Forensics: List the order of volatility from most volatile to least volatile
  • Forensics: Explain why a write blocker is required during forensic evidence collection
  • Forensics: Describe the chain of custody and what happens when it is broken
  • Forensics: List 4 Volatility framework commands and what each reveals
  • Post-IR: Define RCA and name 2 methods used (5 Whys, Fishbone/Ishikawa)
  • Post-IR: Define MTTD, MTTR, and MTTI and explain what each measures
  • BCP: Explain how IR integrates with BCP and DRP — what each plan covers
Reference Tables
Quick-reference data for exam preparation.

IR Framework Comparison

NIST SP 800-61 (4 Phases)           | SANS PICERL (6 Phases) | Key Activities
Preparation                         | Preparation            | IRP, team, tools, training, playbooks, tabletops
Detection & Analysis                | Identification         | Alert triage, log analysis, scope determination, severity classification
Containment, Eradication & Recovery | Containment            | Isolate systems, block C2, disable accounts
(same phase as above)               | Eradication            | Remove malware, close access, patch root cause
(same phase as above)               | Recovery               | Restore from backup, verify integrity, monitor
Post-Incident Activity              | Lessons Learned        | RCA, report, evidence retention, process improvement

Order of Volatility (Most → Least)

Priority  | Data Source                | Why Volatile                          | Collection Method
1 (most)  | CPU registers, cache       | Lost the instant power state changes  | Not practically capturable in field IR; acknowledge and move straight to RAM
2         | RAM / system memory        | Lost on reboot or power cycle         | Magnet RAM Capture, WinPmem, LiME
3         | Active network connections | Connections change continuously       | netstat, ss; packet capture (pcap)
4         | Running processes          | Processes start and exit constantly   | tasklist, ps; Volatility pslist against the memory image
5         | Disk (file system, logs)   | Persists but can be overwritten       | Forensic image (FTK Imager, dd) behind a write blocker
6 (least) | Archival media, backups    | Stable, changes rarely                | Copy/image with write blocker

IR Metrics Reference

Metric | Full Name             | Measures                                        | Reduced By
MTTD   | Mean Time to Detect   | Time from compromise to detection/alert         | Better SIEM rules, threat hunting, EDR
MTTR   | Mean Time to Respond  | Time from detection to containment/resolution   | SOAR automation, playbooks, trained team
MTTI   | Mean Time to Identify | Time from detection to root cause identification | Forensic skills, better logging, threat intel
Practice Quiz
6 scenario-based questions aligned to CS0-004 exam style.
Question 1
A security analyst responds to an alert about a potentially compromised workstation. Before isolating the system from the network, the analyst wants to preserve evidence of active network connections and currently running processes. According to the order of volatility, what should the analyst collect FIRST?

Question 2
An organization experienced a ransomware incident. After recovery, the CISO wants to ensure the IR plan is updated before the next incident. The team schedules a meeting where senior analysts walk through a simulated ransomware scenario by discussing what each team member would do at each stage, without actually running any tools or systems. What type of exercise is this?

Question 3
During an incident investigation, a forensic analyst needs to create a forensic copy of a suspect hard drive. The analyst plugs the drive directly into their analysis workstation without any additional hardware and begins copying files using Windows Explorer. What critical mistake has the analyst made?

Question 4
Threat intelligence indicates that an APT group recently successfully delivered malware via spear-phishing emails to three peer organizations in the same industry. The security team wants to prevent the same attack. Mapping this to the Cyber Kill Chain, which phase does blocking the phishing email at the email gateway address?

Question 5
A compromised server has been identified during an active ransomware incident. The IR team must stop the spread immediately. The server hosts a critical database that cannot be shut down entirely, as it supports patient monitoring in a hospital. What is the MOST appropriate immediate containment action?

Question 6
After a data breach incident is fully resolved, the IR team is conducting their post-incident review. An analyst identifies that the root cause was an unpatched web application vulnerability that had been in the vulnerability scan results for 4 months without remediation. The analyst wants to formally analyze contributing factors to prevent recurrence. Which method is MOST appropriate for this?

Study Plan
3-week plan for Incident Response & Management.

Week 1 — Frameworks & Kill Chain (Days 1–7)

  • Draw the NIST IR lifecycle and SANS PICERL side-by-side — map equivalent phases
  • Write all 7 Kill Chain phases with examples from a real attack (e.g., WannaCry, SolarWinds, NotPetya)
  • Research the Diamond Model — find a threat intel report that uses it for attribution analysis
  • Read NIST SP 800-61r2 Sections 2 and 3 — understand the official framework language

Week 2 — Forensics & Evidence Handling (Days 8–14)

  • Set up a forensic lab with Autopsy (free) — image a USB drive using FTK Imager and analyze it
  • Install Volatility on Linux — download a sample memory image and run pslist, netscan, malfind
  • Write the order of volatility from memory 3 times — make sure it's automatic
  • Research one real case where chain of custody failure affected the legal outcome of a cyberattack investigation

Week 3 — Readiness, Exercises & Practice (Days 15–21)

  • Write a 1-page ransomware IR playbook — include all phases from detection through recovery
  • Design a tabletop exercise scenario for your team (or hypothetically) — what questions would you ask?
  • Take two full-length practice exams — track IR domain performance specifically
  • Complete the checklist on this page before the real exam
Common Exam Mistakes
5 high-frequency IR mistakes.
1
Collecting Disk Before Memory
Violating the order of volatility
What goes wrong: Candidates recommend creating a disk image first because it's more familiar. But RAM disappears on reboot and contains irreplaceable evidence: running processes, active connections, encryption keys, malware that never touched disk.
The fix: Order of volatility: RAM first, then active network connections, then running processes, then disk. Never let "I need to image the drive" be the first forensic action if the system is still running. Capture memory first.
Prevention habit: "Most volatile first." RAM → Network → Processes → Disk. Always.
2
Shutting Down Instead of Isolating
Destroying volatile evidence to stop an incident
What goes wrong: When a system is actively compromised, candidates recommend immediate shutdown to "stop the attacker." This destroys all RAM evidence and may trigger anti-forensic malware that activates on shutdown.
The fix: Network isolation (remove from all segments) is preferred over shutdown. Isolation stops lateral movement and C2 communication while preserving volatile evidence for forensic analysis. Only shut down if the system is actively causing harm that cannot be stopped any other way.
Prevention habit: "Isolate, don't terminate." Shutdown = evidence destruction.
3
Forgetting Write Blockers for Forensic Evidence
Connecting drives without preventing accidental writes
What goes wrong: Candidates skip the write blocker step, assuming a modern OS won't modify a drive you're "just reading." Windows writes to any writable volume it mounts (creating System Volume Information and $RECYCLE.BIN folders, updating the NTFS journal and, depending on settings, last-access timestamps); this contaminates evidence.
The fix: Write blockers are mandatory for all forensic evidence handling. Always use a hardware (preferred) or software write blocker before connecting any evidence media. Then hash the original, create a forensic image, hash the copy, and compare hashes. Work only on the copy.
Prevention habit: "Connect drive → write blocker FIRST, always." No exceptions.
4
Confusing Containment and Eradication
Jumping to eradication before fully containing the incident
What goes wrong: Candidates mix up the sequence, recommending "remove the malware" (eradication) before "isolate the system" (containment). Eradicating without containment allows the attacker to reinfect through the still-active C2 channel.
The fix: Contain FIRST (stop the spread, cut off C2, isolate systems), THEN eradicate (remove malware, close access), THEN recover (restore from clean backups). Order matters. Eradication without containment is ineffective.
Prevention habit: "Stop → Remove → Restore." Containment always precedes eradication.
5
Identifying Kill Chain Phase by Wrong Criteria
Misplacing defensive actions in the wrong Kill Chain phase
What goes wrong: Candidates confuse Delivery (getting the weapon to the target) with Exploitation (executing the exploit on the target). Email gateway blocking addresses Delivery. Endpoint protection/patching addresses Exploitation.
The fix: Map controls to phases precisely: Recon → OSINT monitoring, attack surface reduction. Delivery → email security, web filtering, USB controls. Exploitation → patching, sandboxing, application control. Installation → EDR behavioral detection. C2 → outbound filtering, DNS sinkholes. Actions → DLP, monitoring.
Prevention habit: For each Kill Chain question, identify what phase the described activity occurs in before choosing a defensive control.
Frequently Asked Questions
Top questions on the Incident Response domain.
What are the phases of the NIST SP 800-61 incident response lifecycle?
NIST SP 800-61r2 defines four phases: (1) Preparation — building IR capability before incidents occur; (2) Detection and Analysis — identifying, confirming, and characterizing the incident; (3) Containment, Eradication, and Recovery — stopping the incident, removing the threat, and restoring operations; (4) Post-Incident Activity — lessons learned, RCA, evidence retention, and improvement. SANS PICERL covers the same lifecycle in 6 phases, splitting Containment/Eradication/Recovery into separate phases.
What are the 7 Cyber Kill Chain phases and how do they map to defenses?
Kill Chain: Reconnaissance (OSINT limits, scan detection), Weaponization (can't directly defend), Delivery (email security, web filter, USB control), Exploitation (patching, sandboxing, user training), Installation (EDR, application control), Command & Control (outbound monitoring, DNS filtering, web proxy), Actions on Objectives (DLP, micro-segmentation, monitoring). Earlier disruption is more effective because the attacker has less foothold in the environment.
What is chain of custody and why does it matter?
Chain of custody is the chronological documented record of everyone who handled evidence — who collected it, who transported it, who analyzed it, and how it was stored. It proves the evidence wasn't tampered with between collection and courtroom. A broken chain (undocumented handling, accessing without logging) can render evidence inadmissible in legal proceedings. For CySA+: document the hash before and after imaging, log all handlers, store in tamper-evident packaging, and never work on the original evidence.
What is Root Cause Analysis (RCA) and how is it different from lessons learned?
RCA is a structured analytical process to identify the fundamental underlying cause(s) of an incident — not just the symptoms. Methods: 5 Whys (ask "why" five times until you reach the root cause), Fishbone/Ishikawa diagram (categorize contributing factors into categories like People, Process, Technology). Lessons learned is broader — it covers what happened, what worked, what didn't, and what should change (which may be informed by RCA findings). RCA is a tool used within the post-incident activity phase.
What Volatility commands should I know for CySA+ CS0-004?
Key Volatility commands: imageinfo/windows.info (identify OS profile), pslist/pstree (list running processes, show parent-child relationships), netscan (active network connections at time of capture), malfind (identify memory regions with injected code — high-probability malware), dumpfiles (extract files from memory), cmdline (command-line arguments for each process), handles (open file/registry handles per process). The most commonly tested are pslist (process analysis), netscan (connection analysis), and malfind (malware detection).
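Knowing that pslist and pstree exist is the exam answer; knowing what to look for in their output is the analyst skill. The following Python is an added example that is not from the study page and is not part of the Volatility Framework: it parses a constructed process list shaped like the PID / PPID / ImageFileName / CreateTime columns of `windows.pslist` (Volatility 3) or `pslist` (Volatility 2) and applies the lineage rules an analyst otherwise checks by eye in pstree: core Windows processes must have their expected parents, wininit/services/lsass run as a single instance, and document applications should never spawn a shell. The sample PIDs and the three planted anomalies are constructed.

```python
"""Process-lineage triage over a constructed Volatility-style process list.

Added example; not from the study page and not part of Volatility. The
input mimics the columns `vol -f mem.raw windows.pslist` prints, and the
rules encode the normal Windows boot lineage. Sample PIDs and the planted
anomalies (PIDs 2300, 2400, 2500) are constructed.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample (whitespace-separated, header row first).
SAMPLE_PSLIST = """\
PID PPID ImageFileName CreateTime
4 0 System 2026-03-01 09:00:00
372 4 smss.exe 2026-03-01 09:00:01
460 372 csrss.exe 2026-03-01 09:00:02
520 372 wininit.exe 2026-03-01 09:00:02
608 520 services.exe 2026-03-01 09:00:03
616 520 lsass.exe 2026-03-01 09:00:03
700 608 svchost.exe 2026-03-01 09:00:05
812 608 svchost.exe 2026-03-01 09:00:05
1500 1490 explorer.exe 2026-03-01 09:01:00
2100 1500 OUTLOOK.EXE 2026-03-01 09:05:00
2300 2100 powershell.exe 2026-03-01 09:07:12
2400 2300 svchost.exe 2026-03-01 09:07:13
2500 2300 lsass.exe 2026-03-01 09:07:14
"""

# Normal parent(s) for core Windows processes (names compared lower-case).
EXPECTED_PARENT = {
    "smss.exe": {"system", "smss.exe"},
    "csrss.exe": {"smss.exe"},
    "wininit.exe": {"smss.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
}
SINGLETONS = {"wininit.exe", "services.exe", "lsass.exe"}  # exactly one live instance each
DOCUMENT_APPS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe", "regsvr32.exe"}


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str


def parse_pslist(text: str) -> dict:
    """Build {pid: Proc}; the header row is skipped and CreateTime is ignored here."""
    procs = {}
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        pid, ppid, name, _create_time = line.split(None, 3)
        procs[int(pid)] = Proc(int(pid), int(ppid), name)
    return procs


def check_lineage(procs: dict) -> list:
    """Return human-readable findings; an empty list means the lineage looks normal."""
    findings = []
    for p in procs.values():
        name = p.name.lower()
        parent = procs.get(p.ppid)            # None when the parent has exited (smss, userinit)
        pname = parent.name.lower() if parent else None
        if name in EXPECTED_PARENT and pname is not None and pname not in EXPECTED_PARENT[name]:
            findings.append(f"{p.name} (PID {p.pid}) parent is {parent.name} (PID {p.ppid}); "
                            f"expected one of {sorted(EXPECTED_PARENT[name])}")
        if name in SHELLS and pname in DOCUMENT_APPS:
            findings.append(f"{p.name} (PID {p.pid}) spawned by {parent.name} (PID {p.ppid}): "
                            "document application launching a shell")
    counts = Counter(p.name.lower() for p in procs.values())
    for single in sorted(SINGLETONS):
        if counts[single] > 1:
            findings.append(f"{single}: {counts[single]} instances, expected 1")
    return findings


if __name__ == "__main__":
    for finding in check_lineage(parse_pslist(SAMPLE_PSLIST)):
        print("[!]", finding)
```

On the sample this reports four findings: Outlook spawning PowerShell, an svchost.exe and a second lsass.exe parented by that PowerShell, and the lsass.exe instance count. A parent that is absent from the list (smss.exe and userinit.exe exit after boot) is skipped rather than flagged, which is exactly the case pslist output presents. The baseline applies to a standard Windows host; the next step in a real case is `windows.cmdline` and `windows.malfind` on the flagged PIDs, and `windows.dumpfiles` to pull their binaries.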
How does the Diamond Model differ from the Cyber Kill Chain?
The Kill Chain describes the sequential phases of an attack from attacker's perspective — it's a temporal model of how an attack unfolds. The Diamond Model describes the relationships between four elements of any intrusion event: Adversary, Capability, Infrastructure, and Victim. It's used for attribution and intelligence analysis, linking events across multiple incidents to identify campaigns and threat actor groups. Kill Chain = "what happened in what order." Diamond Model = "who did this using what tools through what infrastructure to which target."
What is the difference between BCP and DRP in relation to IR?
Incident Response (IR) handles the security response — containing the attack, eradicating the threat, preserving evidence. Business Continuity Planning (BCP) addresses how the organization keeps operating during a disruption — failover systems, manual processes, communication to stakeholders. Disaster Recovery Planning (DRP) addresses how IT systems are restored after a catastrophic event — recovery time objectives (RTO), recovery point objectives (RPO), backup restoration. All three must be aligned: IR hands off to BCP/DRP once containment is established, and recovery follows the DRP playbook.

CompTIA CySA+ CS0-004 — Official Resources

Exam launches June 23, 2026 · 85 questions · 165 minutes · 750/900 passing score