210-255 · Question #66
What is accomplished in the identification phase of incident handling?
The correct answer is D. determining that a security event has occurred. The identification phase of incident handling is focused on confirming and determining that an actual security incident has occurred, distinguishing real events from false positives.
Question
What is accomplished in the identification phase of incident handling?
Options
- Adetermining the responsible user
- Bidentifying source and destination IP addresses
- Cdefining the limits of your authority related to a security event
- Ddetermining that a security event has occurred
How the community answered
(31 responses)- B6% (2)
- C3% (1)
- D90% (28)
Why each option
The identification phase of incident handling is focused on confirming and determining that an actual security incident has occurred, distinguishing real events from false positives.
Determining the responsible user is part of the investigation or forensics stage, which occurs after the incident has been identified and contained.
Identifying source and destination IP addresses is a technical analysis activity that occurs during the analysis or containment phase, not the initial identification phase.
Defining the limits of authority related to a security event is part of the preparation phase, where policies, roles, and rules of engagement are established before any incident occurs.
During the identification phase, the incident response team collects and analyzes indicators to confirm that a security event or breach has actually taken place. This involves reviewing alerts, logs, and anomalies to establish that an incident is real rather than a false positive. Only after identification is confirmed does the team move into containment and further investigation.
Concept tested: Incident response lifecycle - identification phase
Source: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
Topics
Community Discussion
No community discussion yet for this question.