Cisco

350-201 · Question #118

350-201 Question #118: Real Exam Question with Answer & Explanation

The correct answer is D: Collect evidence and maintain a chain-of-custody during further analysis. The NIST SP 800-61 incident response process requires evidence collection and chain-of-custody preservation during containment, before eradication begins.

Processes

Question

A SOC analyst detected a ransomware outbreak in the organization coming from a malicious email attachment. Affected parties are notified, and the incident response team is assigned to the case. According to the NIST incident response handbook, what is the next step in handling the incident?

Options

  • A. Create a follow-up report based on the incident documentation.
  • B. Perform a vulnerability assessment to find existing vulnerabilities.
  • C. Eradicate malicious software from the infected machines.
  • D. Collect evidence and maintain a chain-of-custody during further analysis.

Explanation

The NIST SP 800-61 incident response process requires evidence collection and chain-of-custody preservation during containment, before eradication begins.

Common mistakes.

  • A. Creating a follow-up report is a Post-Incident Activity step, which is the final phase of the NIST lifecycle, not the next step after detection.
  • B. A vulnerability assessment is not a defined step within the NIST IR lifecycle phases; it belongs to pre-incident preparation or post-incident remediation planning.
  • C. Eradication comes after containment and evidence collection in the NIST IR process; jumping straight to removing malware would destroy forensic evidence before it is preserved.

Concept tested. NIST SP 800-61 incident response phase ordering

Reference. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

Topics

#NIST incident response · #ransomware · #evidence collection · #chain of custody
