Cisco 350-201 Question #55: Real Exam Question with Answer & Explanation
The correct answer is B: Update the IDS/IPS signatures and reimage the affected hosts.
Processes
Question
An organization had a breach due to a phishing attack. An engineer leads a team through the recovery phase of the incident response process. Which action should be taken during this phase?
Options
- A. Host a discovery meeting and define configuration and policy updates
- B. Update the IDS/IPS signatures and reimage the affected hosts
- C. Identify the systems that have been affected and tools used to detect the attack
- D. Identify the traffic with data capture using Wireshark and review email filters
Explanation
The recovery phase focuses on restoring affected systems to normal operation. Reimaging hosts removes malware and updating IDS/IPS signatures helps prevent re-infection.
Common mistakes
- A. Hosting a discovery meeting to define configuration and policy updates is characteristic of the post-incident lessons-learned phase, not the recovery phase.
- C. Identifying affected systems and tools used to detect the attack belongs to the identification phase, which occurs earlier in the incident response lifecycle.
- D. Capturing traffic with Wireshark and reviewing email filters are analysis and containment activities performed before recovery begins, not during the restoration phase.
Concept tested. Incident response recovery phase actions
Reference. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
Topics
incident recovery, IDS/IPS signatures, phishing, host reimaging