1. National Institute of Standards and Technology (NIST). (2012). Computer Security Incident Handling Guide (NIST Special Publication 800-61 Rev. 2).

   Page 5, Section 2.1, "What Is an Incident?": Defines an incident as a violation of security policies. Scenarios A and C clearly fall under this definition, as they represent policy violations (e.g., unauthorized use, compromise of integrity).

   Page 14, Section 2.4.3, "Evidence Gathering and Handling": This section explicitly details the importance and process of collecting data from various sources, including system images and network traffic, which directly supports option B.

2. Alberts, C., & Dorofee, A. (2009). A Framework for Categorizing Key Drivers of Risk (CMU/SEI-2009-TN-025). Carnegie Mellon University, Software Engineering Institute.

   Page 11, "Threats": This document, in its discussion of risk management, implicitly separates proactive threat analysis from reactive incident response. Threat modeling (E) is part of understanding threats before they are realized, which is distinct from responding to an actualized incident.

3. Kent, K., Chevalier, S., Grance, T., & Dang, H. (2006). Guide to Integrating Forensic Techniques into Incident Response (NIST Special Publication 800-86).

   Page 11, Section 3.1, "Data Collection": This guide emphasizes that data collection is a foundational step in the forensic process during an incident response. It states, "The data collection process involves gathering and extracting data from the digital media under examination," which validates option B as a core IR activity.