350-201(NEW-127Q) Question #92: Real Exam Question with Answer & Explanation
Question
Options
- A. eradication
- B. recovery
- C. analyze
- D. containment
Explanation
The correct answer is D (containment). The analyst's key actions, requesting quarantine of the affected endpoints and blocking the malicious email domain, are textbook containment measures. NIST SP 800-61 folds containment, eradication and recovery into a single phase, but containment is its first step: responders limit the scope of damage and stop the incident from spreading before they attempt to remove the threat. Isolating the compromised executive endpoints and blocking the threat domain does exactly that.
A (eradication) is wrong because eradication follows containment and involves actually removing the threat (wiping malware from systems, closing the exploited vulnerability, revoking stolen credentials); the analyst has not done that yet.
B (recovery) is wrong because recovery restores systems to normal operation after the threat has been eliminated; here the endpoints are still actively connecting to command-and-control (C2) servers.
C (analyze) is wrong because, although the analyst did analyze SIEM, proxy and EDR logs earlier in the process, the question anchors the current step on what the analyst is requesting now, which are containment actions.
Memory tip: think of the sequence as "Cap it, Clean it, Cure it": containment caps the spread, eradication cleans out the threat, recovery cures the environment. Quarantine = cap = containment.
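The transition the question describes, from log analysis to containment, can be made concrete with a small triage script. The following is an added example, not part of the original question or any vendor tooling: it parses constructed proxy log lines (hypothetical hostnames, IPs and domains), matches them against a known-malicious domain, and turns the result into the two containment requests from the explanation (quarantine the beaconing endpoints, block the domain) while leaving single-contact hosts in the analysis phase. The `min_hits` threshold and the log format are assumptions for illustration.

```python
"""Triage constructed proxy log lines into containment actions (added example)."""
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample proxy log lines: timestamp host client_ip method domain status
# Hosts, IPs and domains are hypothetical and not taken from any real incident.
SAMPLE_PROXY_LOGS = """\
2024-05-01T08:00:01Z exec-laptop-01 10.0.5.11 GET update.contoso-cdn.example 200
2024-05-01T08:00:05Z exec-laptop-01 10.0.5.11 POST beacon.evil-mail.example 200
2024-05-01T08:05:05Z exec-laptop-01 10.0.5.11 POST beacon.evil-mail.example 200
2024-05-01T08:10:06Z exec-laptop-01 10.0.5.11 POST beacon.evil-mail.example 200
2024-05-01T08:01:00Z exec-laptop-02 10.0.5.12 POST beacon.evil-mail.example 200
2024-05-01T08:06:00Z exec-laptop-02 10.0.5.12 POST beacon.evil-mail.example 200
2024-05-01T08:02:00Z hr-desktop-07 10.0.7.40 GET intranet.corp.example 200
2024-05-01T08:03:00Z hr-desktop-07 10.0.7.40 GET mail.evil-mail.example 200
"""


@dataclass(frozen=True)
class ProxyEvent:
    ts: str
    host: str
    client_ip: str
    method: str
    domain: str
    status: int


@dataclass
class ContainmentPlan:
    quarantine: set = field(default_factory=set)     # endpoints to isolate via EDR
    investigate: set = field(default_factory=set)    # single contacts: still analysis, not yet contained
    block_domains: set = field(default_factory=set)  # entries for the proxy / mail gateway blocklist


def parse_proxy_log(text: str) -> list:
    """Parse whitespace-separated proxy lines; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, host, ip, method, domain, status = parts
        events.append(ProxyEvent(ts, host, ip, method, domain.lower(), int(status)))
    return events


def matches_ioc(domain: str, ioc_domains) -> bool:
    """True if domain equals an IOC domain or is a subdomain of one.

    A bare endswith() check would also match 'notevil-mail.example', so the
    label boundary is enforced by requiring a leading dot before the IOC.
    """
    domain = domain.lower().rstrip(".")
    for ioc in ioc_domains:
        ioc = ioc.lower().rstrip(".")
        if domain == ioc or domain.endswith("." + ioc):
            return True
    return False


def build_containment_plan(events, ioc_domains, min_hits: int = 2) -> ContainmentPlan:
    """Hosts with repeated contact to the IOC domain are quarantined; a single
    contact is flagged for further analysis rather than auto-contained."""
    plan = ContainmentPlan(block_domains={d.lower() for d in ioc_domains})
    hits = Counter()
    for ev in events:
        if matches_ioc(ev.domain, ioc_domains):
            hits[ev.host] += 1
            plan.block_domains.add(ev.domain)  # block the observed FQDN as well as the parent
    for host, n in hits.items():
        if n >= min_hits:
            plan.quarantine.add(host)
        else:
            plan.investigate.add(host)
    return plan


def render_actions(plan: ContainmentPlan) -> list:
    """Label each action with the NIST SP 800-61 phase it belongs to."""
    actions = [f"containment: quarantine endpoint {h}" for h in sorted(plan.quarantine)]
    actions += [f"containment: block domain {d}" for d in sorted(plan.block_domains)]
    actions += [f"analysis: review single contact from {h}" for h in sorted(plan.investigate)]
    return actions


if __name__ == "__main__":
    plan = build_containment_plan(parse_proxy_log(SAMPLE_PROXY_LOGS), ["evil-mail.example"])
    print("\n".join(render_actions(plan)))
```

The point of the threshold is that containment requests carry a business cost (an isolated executive laptop is an outage), so a single proxy hit on a blocked domain is routed back to analysis rather than triggering an automatic quarantine, while the domain block itself is cheap and is applied regardless.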
Community Discussion
No community discussion yet for this question.