
200-201 · Question #167

200-201 Question #167: Real Exam Question with Answer & Explanation

The correct answer is D: Reduce the probability of similar threats. After a threat actor's access is removed and key details are identified, the next step in incident handling according to NIST SP 800-61 focuses on preventing future similar incidents.

Submitted by zhang_li · Mar 6, 2026 · Security Policies and Procedures

Question

An engineer discovered a breach, identified the threat's entry point, and removed access. The engineer was able to identify the host, the IP address of the threat actor, and the application the threat actor targeted. What is the next step the engineer should take according to the NIST SP 800-61 Incident handling guide?

Options

  • A. Recover from the threat.
  • B. Analyze the threat.
  • C. Identify lessons learned from the threat.
  • D. Reduce the probability of similar threats.

Explanation

After a threat actor's access is removed and key details are identified, the next step in incident handling according to NIST SP 800-61 focuses on preventing future similar incidents.

Common mistakes.

  • A. Recovery involves restoring systems to normal operation, which typically occurs immediately after eradication, but the NIST guide also emphasizes post-incident prevention and improvement as critical steps for the overall handling process.
  • B. Significant analysis of the threat has already been performed by identifying the entry point, actor IP, and targeted application; while more in-depth analysis might occur, it's not the primary 'next' phase after active threat eradication when considering prevention.
  • C. Identifying lessons learned is a post-incident activity that informs how to reduce future threats, but reducing the probability of similar threats (D) is the actionable outcome and a broader goal of post-incident review.

Concept tested. NIST incident response lifecycle - post-incident activities

Reference. https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final

Topics

#NIST incident response · #incident response phases · #post-incident actions
