200-201 Question #172: Real Exam Question with Answer & Explanation

Question

The SOC team has confirmed a potential indicator of compromise on an endpoint. The team has narrowed the executable file's type to a new trojan family. According to the NIST Computer Security Incident Handling Guide, what is the next step in handling this event?

Options

• AIsolate the infected endpoint from the network.
• BPerform forensics analysis on the infected endpoint.
• CCollect public information on the malware behavior.
• DPrioritize incident handling based on the impact.

Explanation

After detecting and analyzing a potential incident like a new trojan family, the immediate next step according to NIST is to prioritize the incident based on its potential impact.

Common mistakes.

• A. Isolating the endpoint (containment) is a subsequent step, which should be guided by the incident's prioritization and impact assessment.
• B. Performing forensics analysis is an in-depth analytical activity that might happen during or after containment and eradication, often for root cause analysis or evidence collection, but prioritization comes first to guide such efforts.
• C. Collecting public information on malware behavior is part of the analysis phase, which has already begun, but prioritizing the incident's response based on its impact is a more immediate and overarching next decision point.

Concept tested. NIST incident response lifecycle - prioritization

Reference. https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final

No community discussion yet for this question.