Cisco 350-201 Question #19: Real Exam Question with Answer & Explanation
The correct answer is C: Identify affected systems.
Question
Employees report computer system crashes within the same week. An analyst is investigating one of the computers that crashed and discovers multiple shortcuts in the system's startup folder. It appears that the shortcuts redirect users to malicious URLs. What is the next step the engineer should take to investigate this case?
Options
- A. Remove the shortcut files
- B. Check the audit logs
- C. Identify affected systems
- D. Investigate the malicious URLs
Explanation
When multiple systems show signs of the same infection, scoping the incident by identifying all affected systems is the critical next step before performing remediation or deeper forensic investigation.
Common mistakes.
- A. Removing shortcut files is a remediation action that should occur after the scope of the incident is fully understood, not before other affected systems are identified.
- B. Checking audit logs on a single machine is useful for deeper forensic work but does not address the broader concern that multiple systems may be compromised simultaneously.
- D. Investigating the malicious URLs is a threat intelligence step that should follow scope identification, as it does not help determine which or how many systems are currently affected.
Concept tested. Incident response scoping and containment prioritization
Reference. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf