Cisco 350-201(NEW-127Q) Question #35: Real Exam Question with Answer & Explanation


Incident Response and Threat Investigation

Question

The incident response team of an organization identifies an ongoing cyber attack that involves a highly sophisticated threat actor, multiple compromised endpoints, and a custom-built encryption scheme for exfiltrating sensitive data. The team has taken measures to isolate the affected systems and halt further unauthorized access. Which set of steps should be taken next in the investigation?

Options

  • A. Notify law enforcement, contact the threat actor, release traceable funds from cyber insurance to pay for data decryption.
  • B. Eradicate the threat, recover the compromised systems, and restore data from secure backups, whilst documenting findings.
  • C. Assess the scope of the incident, including the number of affected systems and the extent of the data breach impact.
  • D. Perform a post-incident analysis, identify lessons learned, and update the organization's security policies and procedures.

Explanation

After containment has been achieved, the next logical step in any standard incident response framework (NIST SP 800-61 or SANS PICERL) is scoping the full impact - you cannot effectively eradicate a threat or recover systems you haven't fully inventoried. Option C is correct because understanding which systems are compromised and how much data was exfiltrated directly informs every subsequent decision, including what to eradicate, what to restore, and what to report.

Why the distractors are wrong:

  • A is incorrect because contacting the threat actor and releasing ransom funds is not a standard IR step - it's generally discouraged by law enforcement (FBI, CISA) and introduces legal and operational risk.
  • B describes the right future steps (eradication and recovery), but skipping scope assessment risks incomplete remediation - you'd be cleaning up systems you don't fully know are compromised.
  • D describes the final phase (post-incident review/lessons learned), which only happens after the threat is eradicated and systems are restored - it's premature here.

Memory tip: Think of IR phases in order - Prepare → Identify → Contain → Eradicate → Recover → Lessons learned (PICERL). The team just finished Contain, so Eradicate feels tempting, but you can't eradicate what you haven't fully Identified in scope - making C the bridge back to complete identification before moving forward.

Topics

incident response, threat assessment, containment and eradication, impact analysis
