
350-201(NEW-127Q) Question #60: Real Exam Question with Answer & Explanation


Incident Response

Question

Employees receive an email from an executive within the organization that summarizes a recent security breach and requests that employees verify their credentials through a provided link. Several employees report the email as suspicious, and a security analyst is investigating the reports. Which two steps should the analyst take to begin this investigation? (Choose two).

Options

  • A. Check the email header to identify the sender and analyze the link in an isolated environment.
  • B. Evaluate the intrusion detection system alerts to determine the threat source and attack surface.
  • C. Communicate with employees to determine who opened the link and isolate the affected assets.
  • D. Review the email server and proxy logs to identify the impact of a potential breach.
  • E. Examine the firewall and HIPS configuration to identify the exploited vulnerability and apply recommended mitigation.

Explanation

Option A is correct because both actions it describes are the appropriate initial investigative steps: inspecting the email header reveals authentication failures (SPF/DKIM/DMARC mismatches) that expose spoofing, and opening the link inside a sandbox confirms malicious intent without risk - together they establish whether a threat actually exists before taking broader action.
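As an added illustration of the header check described above (example code written for this page, not part of the exam material), the following Python reads a message's Authentication-Results header and compares the visible From: domain with the envelope sender. Both sample messages and the domains corp.example and mail.example are constructed.

```python
"""Triage the headers of a reported email: collect SPF/DKIM/DMARC results
and check whether the displayed sender aligns with the envelope sender."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: appears to come from the executive, fails authentication.
RAW_SUSPICIOUS = """\
Return-Path: <bounce@mail.example>
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=mail.example; dkim=none; dmarc=fail header.from=corp.example
From: "CEO" <ceo@corp.example>
To: staff@corp.example
Subject: Security breach - verify your credentials

Please verify your credentials here.
"""

# Constructed sample: a genuine internal message for comparison.
RAW_LEGIT = """\
Return-Path: <ceo@corp.example>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=corp.example; dkim=pass header.d=corp.example; dmarc=pass header.from=corp.example
From: "CEO" <ceo@corp.example>
To: staff@corp.example
Subject: Quarterly update

Hello.
"""

# Matches the method=result pairs the receiving MTA recorded (RFC 8601 style).
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def domain_of(header_value: str) -> str:
    """Extract the lower-cased domain from an address header value."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def triage_headers(raw: str) -> dict:
    """Return authentication results, sender alignment and a verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = str(msg.get("Authentication-Results", ""))
    results = {m.group(1).lower(): m.group(2).lower() for m in AUTH_RE.finditer(auth)}
    from_domain = domain_of(str(msg.get("From", "")))
    envelope_domain = domain_of(str(msg.get("Return-Path", "")))
    aligned = bool(from_domain) and from_domain == envelope_domain
    # Anything other than an explicit "pass" is treated as a failure to investigate.
    failures = [k for k in ("spf", "dkim", "dmarc") if results.get(k, "none") != "pass"]
    return {"results": results, "from_domain": from_domain,
            "envelope_domain": envelope_domain, "aligned": aligned,
            "failures": failures,
            "verdict": "suspicious" if failures or not aligned else "authenticated"}
```

Real mail gateways may add several Authentication-Results headers; check the one written by your own MX, since an attacker can forge earlier copies.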

Why the distractors are wrong:

  • B assumes IDS alerts will be present; phishing emails typically don't trigger IDS at the delivery stage, and threat-source analysis is premature before the email itself is verified.
  • C describes containment/response actions that belong after confirming malicious activity - jumping to isolation before confirming the attack wastes resources and may cause unnecessary disruption.
  • D focuses on impact assessment (log review for breach damage), which is a later phase; you must first confirm whether a breach occurred at all.
  • E assumes a technical vulnerability was exploited on a host, but this incident is a social engineering attempt - no firewall or HIPS misconfiguration is implicated yet.

Memory tip: Use the phrase "Verify, then respond." The analyst's first job is always to verify the threat (header + sandbox), not to measure its damage or contain it - those steps only make sense once you know something malicious actually happened.

Topics

#phishing detection, #email header analysis, #incident response procedures, #threat investigation
