Cisco

350-201 Question #59: Real Exam Question with Answer & Explanation

The correct answer is C: Identify systems or services at risk. After validating an active intrusion, the incident response team must determine the scope and potential impact before taking targeted remediation actions.

Question

A SIEM tool fires an alert about a VPN connection attempt from an unusual location. The incident response team validates that an attacker has installed a remote access tool on a user's laptop while traveling. The attacker has the user's credentials and is attempting to connect to the network. What is the next step in handling the incident?

Options

  • A. Block the source IP from the firewall
  • B. Perform an antivirus scan on the laptop
  • C. Identify systems or services at risk
  • D. Identify lateral movement

Explanation

After validating an active intrusion, the incident response team must determine the scope and potential impact before taking targeted remediation actions.

Common mistakes

  • A. Blocking the source IP is a reactive containment measure that does not address the full threat, since the attacker holds valid credentials and can reconnect from any IP address.
  • B. Running an antivirus scan is a containment or eradication step focused on a single device, skipping the essential scoping phase needed to understand the full incident impact.
  • D. Identifying lateral movement is an investigative activity that follows scoping: responders must first know which systems are at risk before tracing attacker movement between them.

Concept tested. Incident response scoping and impact assessment

Reference. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
