350-201(NEW-127Q) · Question #79
350-201(NEW-127Q) Question #79: Real Exam Question with Answer & Explanation
The correct answer is D. detection and analysis.
Question
Options
- A. post-incident activity
- B. eradication and recovery
- C. containment
- D. detection and analysis
Explanation
Option D is correct because the engineer is actively investigating and analyzing the compromised host - identifying attack techniques (bullet SMTP engines, domain generation algorithms), understanding C2 communication methods, and characterizing the threat. These activities are the core work of the Detection and Analysis phase of the NIST incident response lifecycle.
Why the distractors are wrong:
- A (Post-Incident Activity): This phase happens after the incident is fully resolved and involves lessons learned, reporting, and process improvements - the engineer hasn't even contained the threat yet.
- B (Eradication and Recovery): This phase involves removing the malware, patching systems, and restoring operations - actions that come after the threat is fully understood and contained.
- C (Containment): Containment means limiting the spread of the threat (e.g., isolating the host). While containment may begin soon, the engineer is still in the investigation/analysis stage, not yet executing containment strategies.
Memory tip: Think of the phases in order - Detect → Contain → Eradicate → Recover → Review. Whenever a question describes an engineer figuring out what happened and how malware behaves, that's always Detection and Analysis. If they're doing something to stop it, that's Containment or later.