312-50V10 · Question #848
Attacker Lauren has gained the credentials of an organization's internal server system, and she was often logging in during irregular times to monitor the network activities. The organization was skep
The correct answer is D. Incident triage. Incident triage is the IH&R phase where an analyst examines a security incident to determine its type, severity, target, impact, propagation method, and exploited vulnerabilities. Robert's detailed device analysis matches the triage phase, not incident recording and assignment as
Question
Attacker Lauren has gained the credentials of an organization's internal server system, and she was often logging in during irregular times to monitor the network activities. The organization was skeptical about the login times and appointed security professional Robert to determine the issue. Robert analyzed the compromised device to find incident details such as the type of attack, its severity, target, impact, method of propagation, and vulnerabilities exploited. What is the incident handling and response (IH&R) phase, in which Robert has determined these issues?
Options
- APreparation
- BEradication
- CIncident recording and assignment
- DIncident triage
How the community answered
(45 responses)- A2% (1)
- B11% (5)
- C7% (3)
- D80% (36)
Why each option
Incident triage is the IH&R phase where an analyst examines a security incident to determine its type, severity, target, impact, propagation method, and exploited vulnerabilities. Robert's detailed device analysis matches the triage phase, not incident recording and assignment as the answer key states.
Preparation is a proactive phase conducted before any incident occurs and involves building policies, response teams, communication plans, and tooling.
Eradication involves removing malware, revoking attacker access, and patching exploited vulnerabilities after the threat has already been contained.
Incident recording and assignment covers logging the initial incident report and routing it to the appropriate response team - not performing detailed technical analysis of attack characteristics and impact.
The incident triage phase involves systematically analyzing a confirmed incident to characterize it - determining the attack type, severity rating, affected targets, organizational impact, propagation method, and which vulnerabilities were exploited - exactly the activities Robert performed on the compromised device. Triage provides the technical understanding required before containment or eradication can begin. This phase follows initial recording and assignment and focuses on deep technical investigation of the incident.
Concept tested: Incident triage phase in IH&R lifecycle
Source: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
Topics
Community Discussion
No community discussion yet for this question.