350-201 Question #121: Real Exam Question with Answer & Explanation
The correct answer is A: eradication and recovery. Once malware has been contained and the attacking host identified, the incident response workflow advances to eradication and recovery.
Processes
Question
The network operations center has identified malware, created a ticket within their ticketing system, and assigned the case to the SOC with high-level information. A SOC analyst was able to stop the malware from spreading and identified the attacking host. What is the next step in the incident response workflow?
Options
- A. eradication and recovery
- B. post-incident activity
- C. containment
- D. detection and analysis
Explanation
Once malware has been contained and the attacking host identified, the incident response workflow advances to eradication and recovery.
Common mistakes.
- B. Post-incident activity, including lessons-learned reviews and report generation, occurs only after eradication and recovery have fully concluded.
- C. Containment was already accomplished when the SOC stopped the malware from spreading; repeating it would be redundant and delay remediation.
- D. Detection and analysis was completed when the malware was identified and the attacking host was found; the incident has already moved past this phase.
Concept tested. NIST IR lifecycle phase sequencing after containment
Reference. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
Topics
- incident response
- IR workflow
- eradication
- malware containment